VictoriaLogs accepts logs via the Splunk HEC API at the /insert/splunk/services/collector/event or /insert/splunk/services/collector/event/1.0 HTTP paths.
The same paths without the /insert/splunk/ prefix are also supported, to simplify integration.
## Collect docker logs using Splunk driver
The Docker Splunk logging driver can be configured to send data to VictoriaLogs without any additional agent:

```yaml
services:
  nginx:
    image: nginx:1.27
    logging:
      driver: splunk
      options:
        splunk-url: http://victorialogs:9428
        splunk-token: any-token
```
## Time field

VictoriaLogs uses the time field as the _time field for logs ingested via the Splunk endpoint. A different field can be used instead by setting the -splunk.timeField command-line flag.

See also HTTP query string parameters.
## Message field

By default VictoriaLogs uses the first non-empty field from the following list as the _msg field for logs ingested via the Splunk endpoint:

- event
- event.log
- event.line
- event.message

Other fields can be used instead by passing a comma-separated list to the -splunk.msgField command-line flag.

See also HTTP query string parameters.
## Stream fields

VictoriaLogs uses the host, source and sourcetype fields as stream fields for logs ingested via the Splunk protocol. The list of log stream fields can be changed via the -splunk.streamFields command-line flag by providing a comma-separated list of fields.

See also HTTP query string parameters.
## Dropping fields

VictoriaLogs can be configured to skip the given log fields for logs ingested via the Splunk protocol by using the -splunk.ignoreFields command-line flag. This flag accepts a comma-separated list of log fields to ignore.
The list can also contain log field prefixes ending with *, such as some-prefix*. In this case all fields whose names start with some-prefix are ignored.

See also HTTP query string parameters.
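To make the time, message, stream and ignore rules above concrete, here is an added Python model of the documented defaults. It is illustrative code written for this page, not VictoriaLogs' own implementation; flattening a nested `event` object into dotted field names (event.message and so on) and applying the ignore list before the other rules are assumptions made for the example.

```python
"""Illustrative model of the documented Splunk HEC field mapping (added example,
not VictoriaLogs code). Assumptions: nested `event` objects are flattened into
dotted names, and -splunk.ignoreFields is applied before the other rules."""
from __future__ import annotations

import json
from typing import Any

# Documented defaults (overridable via -splunk.timeField/-splunk.msgField/-splunk.streamFields)
DEFAULT_TIME_FIELD = "time"
DEFAULT_MSG_FIELDS = ["event", "event.log", "event.line", "event.message"]
DEFAULT_STREAM_FIELDS = ["host", "source", "sourcetype"]


def flatten(obj: dict[str, Any], prefix: str = "") -> dict[str, str]:
    """Flatten nested JSON objects into dotted keys; non-string scalars become JSON text."""
    out: dict[str, str] = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif value is not None:
            out[name] = value if isinstance(value, str) else json.dumps(value)
    return out


def is_ignored(name: str, ignore: list[str]) -> bool:
    """True if name matches an exact entry or a prefix entry written as 'some-prefix*'."""
    return any(name.startswith(p[:-1]) if p.endswith("*") else name == p for p in ignore)


def map_hec_event(hec: dict[str, Any], time_field: str = DEFAULT_TIME_FIELD,
                  msg_fields: list[str] = DEFAULT_MSG_FIELDS,
                  stream_fields: list[str] = DEFAULT_STREAM_FIELDS,
                  ignore_fields: list[str] = ()) -> dict[str, Any]:
    """Split one HEC event into _time, _msg, stream fields and the remaining fields."""
    fields = {k: v for k, v in flatten(hec).items() if not is_ignored(k, list(ignore_fields))}
    time_value = fields.pop(time_field, None)
    msg = ""
    for name in msg_fields:            # first NON-EMPTY candidate wins
        if fields.get(name):
            msg = fields.pop(name)
            break
    stream = {name: fields.pop(name) for name in stream_fields if name in fields}
    return {"_time": time_value, "_msg": msg, "_stream": stream, "fields": fields}


# Constructed sample HEC event: event.log is empty, so event.message should become _msg.
SAMPLE_EVENT = {"time": 1700000000, "host": "web-1", "source": "nginx", "sourcetype": "access",
                "event": {"log": "", "message": "GET / 200", "debug_id": "d-1", "debug_trace": "t"}}


def demo() -> dict[str, Any]:
    """Map the sample with an ignore list that drops every event.debug* field."""
    return map_hec_event(SAMPLE_EVENT, ignore_fields=["event.debug*"])
```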
## Multitenancy

By default VictoriaLogs stores logs ingested via the Splunk protocol into the (AccountID=0, ProjectID=0) tenant.
This can be changed by passing the needed tenant in the format AccountID:ProjectID to the -splunk.tenantID command-line flag.
For example, -splunk.tenantID=123:456 would store logs into the (AccountID=123, ProjectID=456) tenant.
See also: