AgentSkillsCN

splunk-hec

Send events to Splunk through the HTTP Event Collector (HEC) for indexing and searching. Use this skill when ingesting events into Splunk, sending log data to HEC, forwarding application events, or batch-submitting event data. Trigger when the user mentions Splunk HEC, the Splunk event collector, sending events to Splunk, Splunk event ingestion, or logging to Splunk over HTTP.

SKILL.md
--- frontmatter
name: splunk-hec
description: >
  Send events to Splunk via the HTTP Event Collector (HEC) for indexing and searching.
  Use this skill when ingesting events into Splunk, sending log data to HEC, forwarding
  application events, or batch-submitting event data. Trigger when the user mentions
  Splunk HEC, Splunk event collector, sending events to Splunk, Splunk event ingestion,
  or logging to Splunk via HTTP.

Splunk HTTP Event Collector (HEC)

Send events to Splunk via the HTTP Event Collector for indexing and searching.

When to Use

  • Sending application events or logs to Splunk
  • Ingesting structured or unstructured event data
  • Batch-submitting multiple events in a single request
  • Forwarding metrics or log data to Splunk indexes

Authentication

Use a Splunk HEC token in the Authorization header:

```
Authorization: Splunk <hec_token>
```

Alternatively, use Basic Auth with the token as password (username is ignored):

```
curl -u x:<hec_token> ...
```

Key Endpoint

POST /collector on port 8088 (default HEC port).

Event Formats

Single event with metadata:

```json
{
  "time": 1643234829,
  "host": "webserver01",
  "source": "/var/log/app.log",
  "sourcetype": "application",
  "index": "main",
  "event": {"level": "ERROR", "message": "Something failed"}
}
```

Multiple events — newline-delimited JSON (no comma separation):

```
{"event": "First event"}
{"event": "Second event", "sourcetype": "custom"}
```

Event Fields

| Field      | Required | Description                                  |
|------------|----------|----------------------------------------------|
| event      | Yes      | Event payload (string or JSON object)        |
| time       | No       | Epoch timestamp (seconds or milliseconds)    |
| host       | No       | Hostname override                            |
| source     | No       | Event source identifier                      |
| sourcetype | No       | Event source type                            |
| index      | No       | Target Splunk index                          |
| fields     | No       | Additional indexed metadata fields           |

Query Parameters

Override defaults for all events via query params: host, index, source, sourcetype, time, channel.

Acknowledgement

When useAck is enabled on the token, every request must carry a channel GUID, either as the channel query param or as the x-splunk-request-channel header. The response then includes an ackId.
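As an added example (not part of this skill's files or of Splunk's own client code), a small Python client that applies the rules above: the token is read from the environment rather than embedded, events are batched as newline-delimited JSON with per-request defaults, and the channel header is attached for useAck tokens. The host name, the SPLUNK_HEC_TOKEN and SPLUNK_HEC_CHANNEL variable names, and the sample events are placeholders.

```python
import json
import os
import urllib.request
from typing import Iterable, Mapping, Optional

# Placeholder endpoint: HEC listens on 8088 by default and the collector
# path on a standard install is /services/collector. Substitute your host.
HEC_URL = "https://splunk.example.com:8088/services/collector"


def hec_headers(token: str, channel: Optional[str] = None) -> dict:
    """Headers for a HEC request. The token is the secret: load it from the
    environment (see main) rather than embedding it in code or logs."""
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    if channel:  # mandatory when the token was created with useAck enabled
        headers["X-Splunk-Request-Channel"] = channel
    return headers


def build_batch(events: Iterable[Mapping], defaults: Optional[Mapping] = None) -> str:
    """Serialise events as newline-delimited JSON: one object per line, no
    commas and no enclosing array. `defaults` (host, index, source,
    sourcetype, ...) is applied to every event that does not set the field."""
    lines = []
    for ev in events:
        if "event" not in ev:
            raise ValueError("every HEC event needs an 'event' field")
        merged = {**(defaults or {}), **ev}  # per-event values win
        lines.append(json.dumps(merged, separators=(",", ":")))
    return "\n".join(lines)


def send_batch(body: str, token: str, channel: Optional[str] = None,
               url: str = HEC_URL, timeout: float = 10.0) -> dict:
    """POST a prepared batch. TLS certificate verification stays on; do not
    pass an unverified SSL context even for test deployments."""
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers=hec_headers(token, channel), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())  # {"text": "Success", "code": 0, ...} plus ackId when useAck is on


if __name__ == "__main__":
    token = os.environ["SPLUNK_HEC_TOKEN"]  # placeholder variable name
    batch = build_batch(
        [{"event": {"level": "ERROR", "message": "Something failed"}},
         {"event": "Second event", "sourcetype": "custom"}],
        defaults={"host": "webserver01", "sourcetype": "application", "index": "main"},
    )
    print(send_batch(batch, token, channel=os.environ.get("SPLUNK_HEC_CHANNEL")))
```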

API Reference

For complete schema details including all error codes, response format, and multi-event handling, read references/openapi.yml.