Splunk connector
Class: splunk — integrates with Splunk. Sources pull or receive via Splunk-oriented endpoints and publish to a stream; sinks subscribe to a stream and deliver toward Splunk, commonly HTTP Event Collector (HEC).
Create and edit under Sources and Sinks. Advanced Settings may expose more runtime options depending on deployment and permissions.
Source and sink behavior
| Role | Behavior |
|---|---|
| Source | Ingest path into PADAS using endpoint and token (HEC-style); events land on the connector stream. |
| Sink | Stream subscription → HEC POST to endpoint authenticated with the HEC token; respect Splunk size and rate limits via batching when configured. |
| Streams | Same stream wiring model as other classes (Streams). |
Required fields
Every connector row
| Field | Required | Notes |
|---|---|---|
| name | Yes | Display name; id derived from it. |
| class | Yes | Must be splunk. |
| stream | Yes | Resolved stream id. |
| type | Yes | source or sink from the screen used at create time. |
| config | Yes | Class-specific object; see below. |
Class splunk — required configuration
| Setting | Required | Notes |
|---|---|---|
| endpoint | Yes | Splunk HEC URL. |
| token | Yes | HEC token (UI: HEC Token). |
Create connector
- Open Sources or Sinks → Create.
- Set Class to Splunk, set name, stream behavior, and Enabled.
- Enter Endpoint and HEC Token.
- Add TLS, headers, or batch limits from Common configuration when available.
- Save, then wire the stream into tasks / pipelines.
Source (UI)

| UI field | Connector setting |
|---|---|
| Endpoint (required) | endpoint |
| HEC Token (required) | token (exact nested key may vary by build—confirm via Registry export if needed) |
Sink (UI)
Same Endpoint + HEC Token layout on Create New Sink (titles differ).

Configuration
Beyond the required pair, exports often include:
- tls — Verify Splunk server certificates in production.
- authentication — Extra headers or schemes when HEC is wrapped.
- batch — Keep posts under Splunk size and rate limits (common on sinks).
Runtime behavior
- Connectors run after deployment; Disabled connectors do not call HEC.
- Sinks should respect Splunk indexer health and 429 / throttle behavior via retries and batch caps where implemented.
Performance and operational notes
- Tune batch to HEC max_content_length and licensing throughput.
- Rotate HEC tokens on compromise; treat tokens as secrets.
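One way a sink-side client could combine the batch cap, 429 handling and TLS verification described on this page, as an added Python example (not PADAS code). The helper names, the 1,000,000-byte cap, the backoff values and treating 503 as retryable are assumptions; set the cap at or below your HEC max_content_length.

```python
import json
import ssl
import time
import urllib.error
import urllib.request

MAX_BYTES = 1_000_000  # assumed cap; keep at or below the HEC max_content_length

def pack_batches(events, max_bytes=MAX_BYTES):
    """Group events into HEC bodies (concatenated JSON objects) under max_bytes."""
    batches, current, size = [], [], 0
    for ev in events:
        blob = json.dumps({"event": ev}, separators=(",", ":")).encode()
        if len(blob) > max_bytes:
            raise ValueError("single event exceeds batch cap")
        if current and size + len(blob) > max_bytes:
            batches.append(b"".join(current))
            current, size = [], 0
        current.append(blob)
        size += len(blob)
    if current:
        batches.append(b"".join(current))
    return batches

def retry_delay(status, retry_after, attempt, base=1.0, cap=60.0):
    """Seconds to wait before a retry, or None when the status is not retryable."""
    if status not in (429, 503):  # 503 as retryable is an assumption
        return None
    if retry_after and retry_after.isdigit():
        return min(float(retry_after), cap)  # honor the server's hint, bounded
    return min(base * 2 ** attempt, cap)  # otherwise exponential backoff

def post_batch(endpoint, token, body, max_attempts=5, sleep=time.sleep):
    """POST one batch with certificate verification on; token stays in the header."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Authorization": f"Splunk {token}"})
    for attempt in range(max_attempts):
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            delay = retry_delay(err.code, err.headers.get("Retry-After"), attempt)
            if delay is None:
                raise  # auth or format errors are not retried
            sleep(delay)
    raise RuntimeError("HEC still throttling after retries")
```

Load the token from a secret store or environment variable at call time rather than embedding it in source or logging it with the request.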
Related pages
- HTTP connector — shared Endpoint URL patterns
- Sources · Sinks
- splunk-sink-connector-example.json — external JSON shape comparison (not identical to PADAS registry schema)
- Admin guide — Splunk — operational patterns