---
title: "otelcol.receiver.splunkhec | Grafana Alloy documentation"
description: "Learn about otelcol.receiver.splunkhec"
---

# `otelcol.receiver.splunkhec`

> **Public preview**: This is a [public preview](/docs/release-life-cycle/) component. Public preview components are subject to breaking changes, and may be replaced with equivalent functionality that cover the same use case. To enable and use a public preview component, you must set the `stability.level` [flag](/docs/alloy/latest/reference/cli/run/) to `public-preview` or below.

`otelcol.receiver.splunkhec` accepts events in the [Splunk HEC format](https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/FormateventsforHTTPEventCollector) and forwards them to other `otelcol.*` components. The receiver accepts data formatted as JSON HEC events under any path or as EOL separated log raw data if sent to the `raw_path` path.

> Note
> 
> `otelcol.receiver.splunkhec` is a wrapper over the upstream OpenTelemetry Collector [`splunkhec`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.147.0/receiver/splunkhecreceiver) receiver. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

You can specify multiple `otelcol.receiver.splunkhec` components by giving them different labels.

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.receiver.splunkhec "<LABEL>" {
  output {
    metrics = [...]
    logs    = [...]
  }
}
```

## Arguments

You can use the following arguments with `otelcol.receiver.splunkhec`:

Expand table

| Name                       | Type                       | Description                                                                                                    | Default                                                    | Required |
|----------------------------|----------------------------|----------------------------------------------------------------------------------------------------------------|------------------------------------------------------------|----------|
| `access_token_passthrough` | `bool`                     | If enabled preserves incoming access token as a attribute `com.splunk.hec.access_token`                        | `false`                                                    | no       |
| `auth`                     | `capsule(otelcol.Handler)` | Handler from an `otelcol.auth` component to use for authenticating requests.                                   |                                                            | no       |
| `compression_algorithms`   | `list(string)`             | A list of compression algorithms the server can accept.                                                        | `["", "gzip", "zstd", "zlib", "snappy", "deflate", "lz4"]` | no       |
| `endpoint`                 | `string`                   | `host:port` to listen for traffic on.                                                                          | `"localhost:8088"`                                         | no       |
| `health_path`              | `string`                   | The path reporting health checks.                                                                              | `"/services/collector/health"`                             | no       |
| `include_metadata`         | `bool`                     | Propagate incoming connection metadata to downstream consumers.                                                | `false`                                                    | no       |
| `keep_alives_enabled`      | `boolean`                  | Whether or not HTTP keep-alives are enabled                                                                    | `true`                                                     | no       |
| `max_request_body_size`    | `string`                   | Maximum request body size the server will allow.                                                               | `"20MiB"`                                                  | no       |
| `raw_path`                 | `string`                   | The path accepting raw HEC events. Only applies when the receiver is used for logs.                            | `"/services/collector/raw"`                                | no       |
| `splitting`                | `string`                   | Defines the splitting strategy used by the receiver when ingesting raw events. Can be set to “line” or “none”. | `"line"`                                                   | no       |

By default, `otelcol.receiver.splunkhec` listens for HTTP connections on `localhost:8088`. To expose the HTTP server to other machines on your network, configure `endpoint` with the IP address to listen on, or `0.0.0.0:8088` to listen on all network interfaces.

If `access_token_passthrough` is enabled it will be preserved as a attribute `com.splunk.hec.access_token`. If logs or metrics are exported with `otelcol.exporter.splunkhec` it will check for this attribute and if present forward it with outgoing request.

## Blocks

You can use the following blocks with `otelcol.receiver.splunkhec`:

No valid configuration blocks found.

### `output`

Required

The `output` block configures a set of components to forward resulting telemetry data to.

The following arguments are supported:

Expand table

| Name      | Type                     | Description                           | Default | Required |
|-----------|--------------------------|---------------------------------------|---------|----------|
| `logs`    | `list(otelcol.Consumer)` | List of consumers to send logs to.    | `[]`    | no       |
| `metrics` | `list(otelcol.Consumer)` | List of consumers to send metrics to. | `[]`    | no       |

You must specify the `output` block, but all its arguments are optional. By default, telemetry data is dropped. Configure the `metrics` and `logs` arguments accordingly to send telemetry data to other components.

### `cors`

The `cors` block configures CORS settings for an HTTP server.

The following arguments are supported:

Expand table

| Name              | Type           | Description                                              | Default                | Required |
|-------------------|----------------|----------------------------------------------------------|------------------------|----------|
| `allowed_headers` | `list(string)` | Accepted headers from CORS requests.                     | `["X-Requested-With"]` | no       |
| `allowed_origins` | `list(string)` | Allowed values for the `Origin` header.                  |                        | no       |
| `max_age`         | `number`       | Configures the `Access-Control-Max-Age` response header. |                        | no       |

The `allowed_headers` specifies which headers are acceptable from a CORS request. The following headers are always implicitly allowed:

- `Accept`
- `Accept-Language`
- `Content-Type`
- `Content-Language`

If `allowed_headers` includes `"*"`, all headers are permitted.

### `debug_metrics`

The `debug_metrics` block configures the metrics that this component generates to monitor its state.

The following arguments are supported:

Expand table

| Name                               | Type      | Description                                          | Default | Required |
|------------------------------------|-----------|------------------------------------------------------|---------|----------|
| `disable_high_cardinality_metrics` | `boolean` | Whether to disable certain high cardinality metrics. | `true`  | no       |

`disable_high_cardinality_metrics` is the Alloy equivalent to the `telemetry.disableHighCardinalityMetrics` feature gate in the OpenTelemetry Collector. It removes attributes that could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.

> Note
> 
> If configured, `disable_high_cardinality_metrics` only applies to `otelcol.exporter.*` and `otelcol.receiver.*` components.

### `hec_metadata_to_otel_attrs`

The `hec_metadata_to_otel_attrs` block configures OpenTelemetry attributes from HEC metadata.

Expand table

| Name         | Type     | Description                                                   | Default                 | Required |
|--------------|----------|---------------------------------------------------------------|-------------------------|----------|
| `host`       | `string` | Specifies the mapping of the host field to a attribute.       | `host.name`             | no       |
| `index`      | `string` | Specifies the mapping of the index field to a attribute.      | `com.splunk.index`      | no       |
| `source`     | `string` | Specifies the mapping of the source field to a attribute.     | `com.splunk.source`     | no       |
| `sourcetype` | `string` | Specifies the mapping of the sourcetype field to a attribute. | `com.splunk.sourcetype` | no       |

### `tls`

The `tls` block configures TLS settings used for a server. If the `tls` block isn’t provided, TLS isn’t used for connections to the server.

The following arguments are supported:

Expand table

| Name                           | Type           | Description                                                                                  | Default     | Required |
|--------------------------------|----------------|----------------------------------------------------------------------------------------------|-------------|----------|
| `ca_file`                      | `string`       | Path to the CA file.                                                                         |             | no       |
| `ca_pem`                       | `string`       | CA PEM-encoded text to validate the server with.                                             |             | no       |
| `cert_file`                    | `string`       | Path to the TLS certificate.                                                                 |             | no       |
| `cert_pem`                     | `string`       | Certificate PEM-encoded text for client authentication.                                      |             | no       |
| `cipher_suites`                | `list(string)` | A list of TLS cipher suites that the TLS transport can use.                                  | `[]`        | no       |
| `client_ca_file`               | `string`       | Path to the TLS cert to use by the server to verify a client certificate.                    |             | no       |
| `curve_preferences`            | `list(string)` | Set of elliptic curves to use in a handshake.                                                | `[]`        | no       |
| `include_system_ca_certs_pool` | `boolean`      | Whether to load the system certificate authorities pool alongside the certificate authority. | `false`     | no       |
| `key_file`                     | `string`       | Path to the TLS certificate key.                                                             |             | no       |
| `key_pem`                      | `secret`       | Key PEM-encoded text for client authentication.                                              |             | no       |
| `max_version`                  | `string`       | Maximum acceptable TLS version for connections.                                              | `"TLS 1.3"` | no       |
| `min_version`                  | `string`       | Minimum acceptable TLS version for connections.                                              | `"TLS 1.2"` | no       |
| `reload_interval`              | `duration`     | The duration after which the certificate is reloaded.                                        | `"0s"`      | no       |

If `reload_interval` is set to `"0s"`, the certificate never reloaded.

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

If `cipher_suites` is left blank, a safe default list is used. Refer to the [Go Cipher Suites documentation](https://go.dev/src/crypto/tls/cipher_suites.go) for a list of supported cipher suites.

`client_ca_file` sets the `ClientCA` and `ClientAuth` to `RequireAndVerifyClientCert` in the `TLSConfig`. Refer to the [Go TLS documentation](https://godoc.org/crypto/tls#Config) for more information.

The `curve_preferences` argument determines the set of elliptic curves to prefer during a handshake in preference order. If not provided, a default list is used. The set of elliptic curves available are `X25519`, `P521`, `P256`, and `P384`.

### `tpm`

The `tpm` block configures retrieving the TLS `key_file` from a trusted device.

The following arguments are supported:

Expand table

| Name         | Type     | Description                                                        | Default | Required |
|--------------|----------|--------------------------------------------------------------------|---------|----------|
| `auth`       | `string` | The authorization value used to authenticate the TPM device.       | `""`    | no       |
| `enabled`    | `bool`   | Load the `tls.key_file` from TPM.                                  | `false` | no       |
| `owner_auth` | `string` | The owner authorization value used to authenticate the TPM device. | `""`    | no       |
| `path`       | `string` | Path to the TPM device or Unix domain socket.                      | `""`    | no       |

The [trusted platform module](https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/) (TPM) configuration can be used for loading TLS key from TPM. Currently only TSS2 format is supported.

The `path` attribute is not supported on Windows.

In the following example, the private key `my-tss2-key.key` in TSS2 format is loaded from the TPM device `/dev/tmprm0`:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.example.component "<LABEL>" {
    ...
    tls {
        ...
        key_file = "my-tss2-key.key"
        tpm {
            enabled = true
            path = "/dev/tpmrm0"
        }
    }
}
```

## Exported fields

`otelcol.receiver.splunkhec` doesn’t export any fields.

## Component health

`otelcol.receiver.splunkhec` is only reported as unhealthy if given an invalid configuration.

## Debug information

`otelcol.receiver.splunkhec` doesn’t expose any component-specific debug information.

## Example

This example forwards received telemetry through a batch processor before finally sending it to an OTLP-capable endpoint:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.receiver.splunkhec "default" {
  output {
    logs    = [otelcol.processor.batch.default.input]
    metrics = [otelcol.processor.batch.default.input]
  }
}

otelcol.processor.batch "default" {
  output {
    metrics = [otelcol.exporter.otlphttp.default.input]
    traces  = [otelcol.exporter.otlphttp.default.input]
  }
}

otelcol.exporter.otlphttp "default" {
  client {
    endpoint = sys.env("<OTLP_ENDPOINT>")
  }
}
```

## Enable authentication

You can create a `otelcol.receiver.splunkhec` component that requires authentication for requests. This is useful for limiting who can push data to the server.

> Note
> 
> Not all OpenTelemetry Collector authentication plugins support receiver authentication. Refer to the [documentation](/docs/alloy/latest/reference/components/otelcol/) for each `otelcol.auth.*` component to determine its compatibility.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.receiver.splunkhec "default" {
  output {
    logs    = [otelcol.processor.batch.default.input]
    metrics = [otelcol.processor.batch.default.input]
  }
  auth = otelcol.auth.basic.creds.handler
}

otelcol.auth.basic "creds" {
    username = sys.env("<USERNAME>")
    password = sys.env("<PASSWORD>")
}
```

## Compatible components

`otelcol.receiver.splunkhec` can accept arguments from the following components:

- Components that export [OpenTelemetry `otelcol.Consumer`](../../../compatibility/#opentelemetry-otelcolconsumer-exporters)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.