Splunk Global Log Receiver -- Configurable HEC Logs Endpoint

Global Log Receiver for Splunk. Currently the Splunk GLR appends "/services/collector/event" behind the scenes to what is configured in the "Splunk HEC Logs Endpoint" configuration. This prevents additional HEC parameters from being passed to Splunk Cloud.

One example is the parameter "?auto_extract_timestamp=true", which allows Splunk Cloud to use the value of @timestamp in the JSON payload for indexing. Without this parameter, Splunk Cloud uses the time the message arrives at Splunk Cloud instead of the time the event actually happened.

The request is to make the "Splunk HEC Logs Endpoint" fully visible and configurable so that you can pass parameters. Making the full URI visible would also help with many current configuration issues where people are entering the URI path "/services/collector/event", which prevents logs to Splunk from working because XC appends that path behind the scenes.

So, ideally, we would be allowed to put this as the HEC Logs Endpoint:

https://http-inputs.customer.splunkcloud.com/services/collector/event?auto_extract_timestamp=true


  • Guest
  • Oct 18 2023
  • Will not implement
  • Admin
    Nicolas Cartron commented
    28 Jun 02:26pm

    We won't implement that feature as the components we're using for GLR don't allow that.

  • matt stovall commented
    18 Oct, 2023 06:43pm

    This would be great to have; Splunk is very popular with my customers.
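
The two misconfigurations described in the request above, a pasted path and a pasted query parameter, can be caught before saving the receiver configuration. The following is an added example, not code from the original request or from the product; it assumes the receiver simply concatenates the fixed path onto the configured value, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Path the request says the Splunk GLR appends behind the scenes.
HEC_EVENT_PATH = "/services/collector/event"


def effective_url(configured: str) -> str:
    """Assumed model: the fixed path is concatenated onto the configured value."""
    return configured.strip().rstrip("/") + HEC_EVENT_PATH


def check_endpoint(configured: str) -> list[str]:
    """Return the problems a configured endpoint value causes under that model."""
    problems = []
    cfg = urlsplit(configured.strip())
    if cfg.scheme != "https" or not cfg.netloc:
        problems.append("not an https:// URL with a host")
    if cfg.path.rstrip("/").endswith(HEC_EVENT_PATH):
        problems.append("path already present, so it would be appended twice")
    if cfg.query:
        problems.append("query string present, so the appended path lands inside it")
    return problems


if __name__ == "__main__":
    # Constructed sample values built from the hostname used in the request.
    base = "https://http-inputs.customer.splunkcloud.com"
    samples = [
        base,
        base + HEC_EVENT_PATH,
        base + HEC_EVENT_PATH + "?auto_extract_timestamp=true",
    ]
    for value in samples:
        sent = urlsplit(effective_url(value))
        print(value)
        print("  request path :", sent.path)
        print("  request query:", sent.query or "(none)")
        for problem in check_endpoint(value):
            print("  problem      :", problem)
```

Only the bare host form passes the check; with it, events are indexed by arrival time, as the request describes, because the parameter cannot be supplied.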