Splunk Connector Setup Guide
This article describes how to set up the Splunk connector.
Configuration
Go to the Connector Marketplace and add a new connector. For general instructions on how to add a connector, see About Connectors.
After adding the connector, configure the following settings:
- Splunk token
- The HTTP Event Collector token. Create a token at Settings > Data Inputs > HTTP Event Collector.
- Host
- The Splunk instance that runs HTTP Event Collector. For example,
https://hec.example.com.
- The Splunk instance that runs HTTP Event Collector. For example,
- Port
- (Optional) The HTTP Event Collector port number.
Actions
| Action Name | AudienceStream | EventStream |
|---|---|---|
| Send Entire Event Data | ✗ | ✓ |
| Send Entire Event Data (Batch) | ✗ | ✓ |
| Send Custom Event Data | ✗ | ✓ |
| Send Custom Event Data (Batch) | ✗ | ✓ |
| Send Log Event | ✗ | ✓ |
| Send Entire Visitor Data | ✓ | ✗ |
| Send Entire Visitor Data (Batch) | ✓ | ✗ |
| Send Custom Visitor Data | ✓ | ✗ |
| Send Custom Visitor Data (Batch) | ✓ | ✗ |
Enter a name for the action and select the Action Type.
The following section describes how to set up parameters and options for each action.
Send Entire Event Data
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
| Print Attribute Names | If attribute names get updated, the names in the payload will reflect the update. |
Send Entire Event Data (Batch)
Batch Limits
This action uses batched requests to support high-volume data transfers to the vendor. Requests are queued until one of the following thresholds is met:
- Max number of requests: 100,000
- Max time since oldest request: 60 minutes
- Max size of requests: 10 MB
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
| Print Attribute Names | If attribute names get updated, the names in the payload will reflect the update. |
| Batch Time To Live | Time To Live (Minute) should be between 1 and 60 minutes. Default is 15 minutes. |
Send Custom Event Data
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
Message Data
| Parameter | Description |
|---|---|
| Custom Message Definition | Provide values to construct message data. For template support, reference the template name to generate message data from the template. If using a template, map it to Custom Message Definition. Any other key-value pairs will be ignored if the template is used. |
| Template Variables | Provide template variables as data input for templates. For more information, see Connector template variables. Name nested template variables with the dot notation. For example, items.name. Nested template variables are typically built from data layer list attributes. |
| Templates | Provide templates to be referenced in message data. For more information, see Templates Guide. Templates are injected by name with double curly braces into supported fields. For example: {{SomeTemplateName}}. |
Send Custom Event Data (Batch)
Batch Limits
This action uses batched requests to support high-volume data transfers to the vendor. Requests are queued until one of the following thresholds is met:
- Max number of requests: 100,000
- Max time since oldest request: 60 minutes
- Max size of requests: 10 MB
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
Message Data
| Parameter | Description |
|---|---|
| Custom Message Definition | Provide values to construct message data. For template support, reference the template name to generate message data from the template. If using a template, map it to Custom Message Definition. Any other key-value pairs will be ignored if the template is used. |
| Template Variables | Provide template variables as data input for templates. For more information, see Connector template variables. Name nested template variables with the dot notation. For example, items.name. Nested template variables are typically built from data layer list attributes. |
| Templates | Provide templates to be referenced in message data. For more information, see Templates Guide. Templates are injected by name with double curly braces into supported fields. For example: {{SomeTemplateName}}. |
| Batch Time To Live | Time To Live (Minute) should be between 1 and 60 minutes. Default is 15 minutes. |
Send Log Event
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
Send Entire Visitor Data
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
| Include Current Visit Data With Visitor Data | Add the current visit data to the payload. This includes event visit data, unless Exclude Current Visit Event Data is checked. |
| Exclude Current Visit Event Data | Exclude event data from the current visit data. |
| Print Attribute Names | If attribute names get updated, the names in the payload will reflect the update. |
Send Entire Visitor Data (Batch)
Batch Limits
This action uses batched requests to support high-volume data transfers to the vendor. Requests are queued until one of the following thresholds is met:
- Max number of requests: 100,000
- Max time since oldest request: 60 minutes
- Max size of requests: 10 MB
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
| Exclude Current Visit Event Data | Exclude event data from the current visit data. |
| Print Attribute Names | If attribute names get updated, the names in the payload will reflect the update. |
| Batch Time To Live | Time To Live (Minute) should be between 1 and 60 minutes. Default is 15 minutes. |
Send Custom Visitor Data
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
Message Data
| Parameter | Description |
|---|---|
| Custom Message Definition | Provide values to construct message data. For template support, reference the template name to generate message data from the template. If using a template, map it to Custom Message Definition. Any other key-value pairs will be ignored if the template is used. |
| Template Variables | Provide template variables as data input for templates. For more information, see Connector template variables. Name nested template variables with the dot notation. For example, items.name. Nested template variables are typically built from data layer list attributes. |
| Templates | Provide templates to be referenced in message data. For more information, see Templates Guide. Templates are injected by name with double curly braces into supported fields. For example: {{SomeTemplateName}}. |
Send Custom Visitor Data (Batch)
Batch Limits
This action uses batched requests to support high-volume data transfers to the vendor. Requests are queued until one of the following thresholds is met:
- Max number of requests: 100,000
- Max time since oldest request: 60 minutes
- Max size of requests: 10 MB
Metadata
| Parameter | Description |
|---|---|
| Splunk request channel | Channel identifier when the indexer acknowledgment is enabled. |
| Time | The event time. |
| Host | The host value to assign to the event data. |
| Source | The source value to assign to the event data. For example, if you’re sending data from an app you’re developing, set this key to the name of the app. |
| Source type | The source type value to assign to the event data. |
| Index | The name of the index used to index the event data. The index you specify here must be in the list of allowed indexes if the token has the indexes parameter set. |
| Custom Fields | The fields key isn’t applicable to raw data. This key specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time. Requests containing the fields property must be sent to the /collector/event endpoint, or else they aren’t indexed. For more information, see Splunk Enterprise: Automate indexed field extractions with HTTP Event Collector. |
Message Data
| Parameter | Description |
|---|---|
| Custom Message Definition | Provide values to construct message data. For template support, reference the template name to generate message data from the template. If using a template, map it to Custom Message Definition. Any other key-value pairs will be ignored if the template is used. |
| Template Variables | Provide template variables as data input for templates. For more information, see Connector template variables. Name nested template variables with the dot notation. For example, items.name. Nested template variables are typically built from data layer list attributes. |
| Templates | Provide templates to be referenced in message data. For more information, see Templates Guide. Templates are injected by name with double curly braces into supported fields. For example: {{SomeTemplateName}}. |
| Batch Time To Live | Time To Live (Minute) should be between 1 and 60 minutes. Default is 15 minutes. |
This page was last updated: September 16, 2025