Splunk docs
6/17/2023

Use the Send data to Splunk HTTP Event Collector sink function to send data to an external Splunk Enterprise system. This function combines the actions of three underlying DSP functions into one for convenience. This function adds out-of-the-box support for index-based routing with batched data. If you want to send data from DSP to multiple Splunk Enterprise indexes, you can use this function to specify the target index on a per-record basis. Additionally, you can specify how often batches are emitted by one of two optional arguments: batch_size, which specifies a max payload size in bytes, or batch_millis, which specifies a max time to wait before emitting the batch.

Before you can use this function, you must create a connection. See Create a DSP connection to a Splunk index in the Connect to Data Sources and Destinations with the manual. When configuring this sink function, set the connection_id argument to the ID of that connection. See Connecting Splunk indexes to your DSP pipeline.

Required arguments

connection_id
Syntax: string
Description: The ID of the Splunk Enterprise Connection.
Example: "576205b3-f6f5-4ab7-8ffc-a4089a95d0c4"

index
Syntax: expression
Description: An expression to get the Splunk Index, if it exists, in your record. If your data does not contain an index, set this field to empty string "".
Example: cast(map_get(attributes, "index"), "string")

default_index
Syntax: expression
Description: If your record doesn't contain a Splunk Index field, then this function sends your data to the index specified in this argument. If you do not want to specify a default index, set this field to empty string "".
Example: "main"

Optional arguments

parameters
Syntax: map
Description: The optional parameters you can enter in this function. See the following table for a description of each parameter.

Set to true to enable HEC token validation.

Set to true for the function to wait for an acknowledgement for every single event. Set to false if acknowledgments in your Splunk platform are disabled or to increase throughput.

Set to true to compress HEC JSON data and increase throughput at the expense of increasing pipeline CPU utilization.

In async mode, send operations from DSP do not wait for a response to return, therefore increasing performance. See Performance expectations for sending data from DSP pipelines to Splunk Enterprise. Defaults to false. Best practices are to enable this for performance optimization.

When async is enabled, the DSP HEC client attempts to write a HEC JSON payload to the Splunk HEC endpoint a maximum of three times. Each attempt has a 10 second timeout, and a maximum of 100 async I/O operations can happen concurrently across all indexers.