---
title: 'Log streaming: Splunk'
summary: null
url: >-
  https://www.fastly.com/documentation/guides/integrations/logging-endpoints/log-management-and-observability/log-streaming-splunk
---

Fastly's [Real-Time Log Streaming](https://www.fastly.com/documentation/guides/integrations/streaming-logs/about-fastlys-realtime-log-streaming-features) feature can send log files to [Splunk](https://www.splunk.com/). Splunk is a web-based log analytics platform used by developers and IT teams.

> **NOTE:** Fastly does not provide direct support for third-party services. Read [Fastly's Terms of Service](https://www.fastly.com/terms) for more information.
## Prerequisites

To use Splunk as a logging endpoint, you'll need to enable the HTTP Event Collector (HEC), create an HEC token, enable it, and turn off indexer acknowledgment for that token. Follow the instructions on Splunk's website:

1. [Enable HEC](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Enable_HTTP_Event_Collector_on_Splunk_Cloud_Platform).
2. [Create an HEC token](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Create_an_Event_Collector_token_on_Splunk_Cloud_Platform).
3. [Enable the HEC token](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Enable_and_disable_Event_Collector_tokens_in_Splunk_Cloud_Platform).
4. [Disable indexer acknowledgment](https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/AboutHECIDXAck) for tokens used by Fastly to stream logs. Acknowledgment requires the sender to supply a request channel header, which Fastly does not send, so events posted to an acknowledgment-enabled token are rejected.

Keep the HEC token at hand and note the URL for your collector. The URL structure depends on the type of Splunk instance you're using:

| Type                            | URL                                                            |
| ------------------------------- | -------------------------------------------------------------- |
| Self hosted                     | `https://<hostname>:8088/services/collector/event`             |
| Self-service Splunk Cloud plans | `https://input-<hostname>:8088/services/collector/event`       |
| All other Splunk Cloud plans    | `https://http-inputs-<hostname>:8088/services/collector/event` |

While logged in to Splunk, you can find the hostname for the URL in your web browser's address bar.
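Before saving the endpoint in Fastly, it is worth confirming that the collector URL, the token and the TLS setup actually accept an event. The script below is an added example, not part of Fastly's or Splunk's documentation: it builds the URL for each deployment type from the table above, posts a minimal HEC event with the `Authorization: Splunk <token>` header, and translates the HEC reply code. The hostnames, the token and the CA file path are placeholders you supply on the command line; the reply-code table is abridged from Splunk's HEC documentation.

```python
"""Pre-flight check for a Splunk HEC endpoint before pointing Fastly at it.

Added example, not code from Fastly or Splunk. Standard library only; the
hostname, token and CA file are placeholders passed on the command line.
"""
import json
import ssl
import urllib.error
import urllib.request

# Collector URL templates, one per Splunk deployment type (the table above).
URL_TEMPLATES = {
    "self_hosted": "https://{host}:8088/services/collector/event",
    "cloud_self_service": "https://input-{host}:8088/services/collector/event",
    "cloud_other": "https://http-inputs-{host}:8088/services/collector/event",
}

# Abridged HEC reply codes. Code 10 is what a token with indexer acknowledgment
# enabled returns to a sender that, like Fastly, sends no channel header.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    10: "Data channel is missing (indexer acknowledgment is still enabled on "
        "this token; disable it for Fastly)",
    12: "Event field is required",
    13: "Event field cannot be blank",
}


def collector_url(instance_type, host):
    """Return the HEC event URL for one of the deployment types above."""
    if instance_type not in URL_TEMPLATES:
        raise ValueError(f"unknown instance type {instance_type!r}")
    return URL_TEMPLATES[instance_type].format(host=host)


def test_event(source="fastly-preflight"):
    """Minimal HEC-conformant payload: the 'event' key is mandatory."""
    return {"source": source, "event": {"message": "Fastly HEC pre-flight check"}}


def interpret_reply(status, body):
    """Map an HTTP status plus HEC JSON body to (ok, human-readable message)."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return False, f"HTTP {status}: non-JSON reply {body[:80]!r}"
    text = HEC_CODES.get(code, f"HEC code {code}")
    return (status == 200 and code == 0), f"HTTP {status}: {text}"


def tls_context(ca_file=None):
    """Verify the collector certificate, optionally against a private CA (PEM).
    Hostname checking stays on and, where the Python build allows it, the
    Common Name fallback is disabled so only SAN entries count, as in Fastly."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if hasattr(ctx, "hostname_checks_common_name"):
        ctx.hostname_checks_common_name = False
    return ctx


def send_test_event(url, token, ca_file=None, timeout=10):
    """POST one event using the 'Splunk <token>' scheme HEC expects (network call)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(test_event()).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=tls_context(ca_file)) as resp:
            return interpret_reply(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        # HEC answers token and format problems with 4xx plus a JSON body.
        return interpret_reply(exc.code, exc.read().decode())


if __name__ == "__main__":
    import sys
    # usage: python hec_preflight.py <self_hosted|cloud_self_service|cloud_other> <hostname> <token> [ca.pem]
    kind, host, token = sys.argv[1:4]
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    ok, msg = send_test_event(collector_url(kind, host), token, ca)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it once per endpoint. An `Invalid token` reply usually means the token is disabled or mistyped; code 10 means indexer acknowledgment is still enabled for the token (prerequisite step 4). A TLS failure against a Splunk Enterprise default certificate is expected, since that certificate carries no SAN entry for the host.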

## Adding Splunk as a logging endpoint

After you've created a Splunk account and obtained your HEC token, follow these instructions to add Splunk as a logging endpoint for Fastly services:

### CDN Services

1. Review the information in our guide to [setting up remote log streaming](/guides/integrations/streaming-logs/setting-up-remote-log-streaming).
2. In the Splunk area, click **Create endpoint**.
3. Fill out the **Create a Splunk endpoint** fields as follows:
   - In the **Name** field, enter a human-readable name for the endpoint.
   - In the **Placement** area, select where the logging call should be placed in the generated VCL. Valid values are **Format Version Default** and **None**. Read our guide on [changing log placement](/guides/integrations/streaming-logs/changing-log-placement) for more information.

   - In the **Log format** field, enter an Apache-style string or VCL variables to use for log formatting. You can use our [recommended log format](https://www.fastly.com/documentation/guides/integrations/logging-endpoints/log-management-and-observability/log-streaming-splunk#recommended-log-format).
   - In the **URL** field, enter the URL to send data to (e.g., `https://<splunk_host>:8088/services/collector/event/1.0`).
   - In the **Token** field, enter the token for the HEC.
   - _(Optional)_ From the **Use TLS** controls, select whether or not to enable TLS. When you select Yes, additional TLS fields appear.
   - In the **TLS hostname** field, optionally enter a hostname to verify the logging destination server's certificate. This should be one of the Subject Alternative Name (SAN) fields for the certificate. Common Names (CN) are not supported.
   - In the **TLS CA certificate** field, enter the CA certificate used to verify that the Splunk server's certificate is valid. It must be in PEM format. This is not required if your Splunk server's TLS certificate is signed by a well-known CA. See the [using TLS CA certificates](https://www.fastly.com/documentation/guides/integrations/logging-endpoints/log-management-and-observability/log-streaming-splunk#using-tls-ca-certificates) section for more information.
   - _(Optional)_ In the **TLS client certificate** field, copy and paste the TLS client certificate used to authenticate Fastly to the Splunk server. The TLS client certificate you upload must be in PEM format and must be accompanied by a TLS client key. A TLS client certificate allows your Splunk server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS client key** field, copy and paste the TLS client key used to authenticate Fastly to the Splunk server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your Splunk server to authenticate that Fastly is performing the connection.
   - _(Optional)_ In the **Maximum logs** field, enter the maximum number of logs to append to a batch, if non-zero.
   - _(Optional)_ In the **Maximum bytes** field, enter the maximum size of the log batch, if non-zero.
   - _(Optional)_ In the **Period** field, enter an interval (in seconds) to control how frequently your log files are rotated. Rotation entails the finalization of one file object and the start of a new one, never removing any previously created file object. This value defaults to `3600` seconds.

4. Click **Create** to create the new logging endpoint.
5. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes.

### Recommended log format

We recommend using the following log format to send data to Splunk. Values that come from the client, such as request headers, should always pass through `json.escape()` in the format: a header containing a double quote would otherwise produce invalid JSON that HEC rejects, or let a client insert extra fields into the event.

> **HINT:** All JSON sent to the Splunk HEC must have an `event` field. The event field can be text or nested JSON. The payload can also carry other metadata such as `time`, `host`, `source` and `index`. See the [Splunk documentation](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector) for more information.

```plain
{
  "time":%{time.start.sec}V,
  "host":"%{Fastly-Orig-Host}i",
  "event":  {
    "service_id":"%{req.service_id}V",
    "time_start":"%{begin:%Y-%m-%dT%H:%M:%S%Z}t",
    "time_end":"%{end:%Y-%m-%dT%H:%M:%S%Z}t",
    "time_elapsed":%D,
    "client_ip":"%h",
    "client_as_name":"%{client.as.name}V",
    "client_as_number":"%{client.as.number}V",
    "client_connection_speed":"%{client.geo.conn_speed}V",
    "request":"%m",
    "protocol":"%H",
    "origin_host":"%v",
    "url":"%{json.escape(req.url)}V",
    "is_ipv6":%{if(req.is_ipv6, "true", "false")}V,
    "is_tls":%{if(req.is_ssl, "true", "false")}V,
    "tls_client_protocol":"%{json.escape(tls.client.protocol)}V",
    "tls_client_servername":"%{json.escape(tls.client.servername)}V",
    "tls_client_cipher":"%{json.escape(tls.client.cipher)}V",
    "tls_client_cipher_sha":"%{json.escape(tls.client.ciphers_sha)}V",
    "tls_client_tlsexts_sha":"%{json.escape(tls.client.tlsexts_sha)}V",
    "is_h2":%{if(fastly_info.is_h2, "true", "false")}V,
    "is_h2_push":%{if(fastly_info.h2.is_push, "true", "false")}V,
    "h2_stream_id":"%{fastly_info.h2.stream_id}V",
    "request_referer":"%{json.escape(req.http.Referer)}V",
    "request_user_agent":"%{json.escape(req.http.User-Agent)}V",
    "request_accept_content":"%{json.escape(req.http.Accept)}V",
    "request_accept_language":"%{json.escape(req.http.Accept-Language)}V",
    "request_accept_encoding":"%{json.escape(req.http.Accept-Encoding)}V",
    "request_accept_charset":"%{json.escape(req.http.Accept-Charset)}V",
    "request_connection":"%{json.escape(req.http.Connection)}V",
    "request_dnt":"%{json.escape(req.http.DNT)}V",
    "request_forwarded":"%{json.escape(req.http.Forwarded)}V",
    "request_via":"%{json.escape(req.http.Via)}V",
    "request_cache_control":"%{json.escape(req.http.Cache-Control)}V",
    "request_x_requested_with":"%{json.escape(req.http.X-Requested-With)}V",
    "request_x_att_device_id":"%{json.escape(req.http.X-ATT-Device-Id)}V",
    "request_x_forwarded_for":"%{json.escape(req.http.X-Forwarded-For)}V",
    "status":"%s",
    "content_type":"%{Content-Type}o",
    "response_state":"%{fastly_info.state}V",
    "response_age":"%{Age}o",
    "response_cache_control":"%{Cache-Control}o",
    "response_expires":"%{Expires}o",
    "response_last_modified":"%{Last-Modified}o",
    "response_tsv":"%{TSV}o",
    "server_datacenter":"%{server.datacenter}V",
    "server_ip":"%A",
    "geo_city":"%{client.geo.city.utf8}V",
    "geo_country_code":"%{client.geo.country_code}V",
    "geo_continent_code":"%{client.geo.continent_code}V",
    "geo_region":"%{client.geo.region}V",
    "req_header_size":%{req.header_bytes_read}V,
    "req_body_size":%{req.body_bytes_read}V,
    "resp_header_size":%{resp.header_bytes_written}V,
    "resp_body_size":%B,
    "socket_cwnd":%{client.socket.cwnd}V,
    "socket_nexthop":"%{client.socket.nexthop}V",
    "socket_tcpi_rcv_mss":%{client.socket.tcpi_rcv_mss}V,
    "socket_tcpi_snd_mss":%{client.socket.tcpi_snd_mss}V,
    "socket_tcpi_rtt":%{client.socket.tcpi_rtt}V,
    "socket_tcpi_rttvar":%{client.socket.tcpi_rttvar}V,
    "socket_tcpi_rcv_rtt":%{client.socket.tcpi_rcv_rtt}V,
    "socket_tcpi_rcv_space":%{client.socket.tcpi_rcv_space}V,
    "socket_tcpi_last_data_sent":%{client.socket.tcpi_last_data_sent}V,
    "socket_tcpi_total_retrans":%{client.socket.tcpi_total_retrans}V,
    "socket_tcpi_delta_retrans":%{client.socket.tcpi_delta_retrans}V,
    "socket_ploss":%{client.socket.ploss}V
  }
}
```

### Compute Services

1. Review the information in our guide to [setting up remote log streaming for Compute](/guides/integrations/streaming-logs/setting-up-remote-log-streaming-for-compute). Additionally, our developer documentation provides more [information about logging](/guides/integrations/non-fastly-services/developer-guide-logging/) with Compute code written in our [supported languages](/reference/compute/sdks/).
2. In the Splunk area, click **Create endpoint**.
3. Fill out the **Create a Splunk endpoint** fields as follows:
   - In the **Name** field, enter the endpoint name you specified in your Compute code. For example, in our [Rust code example](/guides/compute/developer-guides/rust/#logging), the name is `my_endpoint_name`.

   - In the **URL** field, enter the URL to send data to (e.g., `https://<splunk_host>:8088/services/collector/event/1.0`).
   - In the **Token** field, enter the token for the HEC.
   - _(Optional)_ From the **Use TLS** controls, select whether or not to enable TLS. When you select Yes, additional TLS fields appear.
   -   In the **TLS hostname** field, optionally enter a hostname to verify the logging destination server's certificate. This should be one of the Subject Alternative Name (SAN) fields for the certificate. Common Names (CN) are not supported.

   - In the **TLS CA certificate** field, enter the CA certificate used to verify that the Splunk server's certificate is valid. It must be in PEM format. This is not required if your Splunk-side TLS certificate is signed by a well-known CA. Check out the [using TLS CA certificates](https://www.fastly.com/documentation/guides/integrations/logging-endpoints/log-management-and-observability/log-streaming-splunk#using-tls-ca-certificates) section for more information.
   - _(Optional)_ In the **TLS client certificate** field, copy and paste the TLS client certificate used to authenticate Fastly to the Splunk server. The TLS client certificate you upload must be in PEM format and must be accompanied by a client key. A TLS client certificate allows your Splunk server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
   - _(Optional)_ In the **TLS client key** field, copy and paste the TLS client key used to authenticate Fastly to the Splunk server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your Splunk server to authenticate that Fastly is performing the connection.
   - _(Optional)_ In the **Maximum logs** field, enter the maximum number of logs to append to a batch.
   - _(Optional)_ In the **Maximum bytes** field, enter the maximum size of the log batch.
4. Click **Create** to create the new logging endpoint.
5. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes.

### Recommended log format

Data sent to Splunk HEC must be serialized in a way [conforming to Splunk's expectations](https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector).

If your logs are not formatted properly, your Splunk endpoint will fail to process them. Here's an example event payload for sending data to Splunk:

```json
{
    "time": 1652331824.730,
    "source": "fastly",
    "index": "main",
    "event": {
        "message": "Something happened",
        "severity": "INFO"
    }
}
```
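Both the CDN format and the Compute payload above end up as JSON bodies that HEC either indexes or rejects, and the only way to see the difference before deployment is to check rendered lines yourself. The script below is an added example, not code from Fastly or Splunk: it applies the HEC checks (JSON object, non-blank `event`, numeric `time`) to a few log lines constructed by hand to resemble what this page's formats render, and shows what a client-supplied User-Agent does to the CDN format with and without `json.escape()`. The `render_event` helper is a two-field stand-in for the full format, and the sample headers are constructed, not real traffic.

```python
"""Validate rendered Fastly log lines as Splunk HEC events before sending them.

Added example, not code from Fastly or Splunk. The log lines below are
constructed by hand to resemble what the formats on this page render.
"""
import json


def json_escape(value):
    """Approximate Fastly's VCL json.escape(): escape backslashes, double quotes
    and control characters so the value can sit inside a JSON string literal."""
    return json.dumps(value, ensure_ascii=False)[1:-1]


def render_event(fields, escape_headers):
    """Emulate a two-field version of the CDN format. With escape_headers False
    the User-Agent is inserted verbatim, as %{User-Agent}i does; with True it
    goes through json_escape, as %{json.escape(req.http.User-Agent)}V does."""
    ua = json_escape(fields["user_agent"]) if escape_headers else fields["user_agent"]
    return ('{"time":%d,"event":{"status":"%s","request_user_agent":"%s"}}'
            % (fields["time"], fields["status"], ua))


def validate_hec_event(line):
    """Return (ok, reason). Mirrors the checks HEC applies before indexing:
    the body must be a JSON object with a non-blank 'event', and 'time', if
    present, must be numeric epoch seconds."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg} at column {exc.colno}"
    if not isinstance(obj, dict):
        return False, "top level must be a JSON object"
    if "event" not in obj:
        return False, "missing 'event' key"
    if obj["event"] in ("", None, {}):
        return False, "'event' cannot be blank"
    t = obj.get("time")
    if t is not None and (isinstance(t, bool) or not isinstance(t, (int, float))):
        return False, "'time' must be a number (epoch seconds)"
    return True, "ok"


# Constructed inputs. The first User-Agent merely breaks the JSON; the second is
# crafted so the raw line still parses but smuggles a duplicate "status" key,
# which overrides the real status when the event is decoded.
BREAKING = {"time": 1652331824, "status": "200",
            "user_agent": 'Mozilla/5.0 (X11; "Linux")'}
INJECTING = {"time": 1652331824, "status": "200",
             "user_agent": 'curl/8.0","status":"500'}

# The Compute payload shown on this page, as one line.
COMPUTE_EVENT = ('{"time": 1652331824.730, "source": "fastly", "index": "main", '
                 '"event": {"message": "Something happened", "severity": "INFO"}}')


def audit():
    """Run every constructed line through the validator and report the status
    field the decoded event ends up carrying, raw versus escaped."""
    results = {}
    for name, fields in (("breaking", BREAKING), ("injecting", INJECTING)):
        for escaped in (False, True):
            line = render_event(fields, escaped)
            ok, reason = validate_hec_event(line)
            status = json.loads(line)["event"]["status"] if ok else None
            results[(name, escaped)] = (ok, reason, status)
    results[("compute", True)] = validate_hec_event(COMPUTE_EVENT) + (None,)
    return results


if __name__ == "__main__":
    for (name, escaped), (ok, reason, status) in audit().items():
        print(f"{name:<10} escaped={escaped!s:<5} ok={ok!s:<5} status={status} {reason}")
```

The `injecting` case is the one to notice: the raw line is accepted by the validator, yet the decoded event reports status `500` instead of `200`, so a single unescaped header lets a client rewrite any field of the log record. With `json.escape()` applied the User-Agent survives intact and the real status is preserved.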

## Using TLS CA certificates

If you've installed your own TLS certificate in Splunk Enterprise or Splunk Cloud, you'll need to provide the corresponding CA certificate.

### Splunk Cloud

For Splunk Cloud, the default setup uses a CA certificate that Splunk provides. Paste that CA certificate, in PEM format, into the **TLS CA certificate** field when you create the endpoint.

### Splunk Enterprise

Splunk Enterprise ships with a set of default certificates, but we strongly recommend configuring your own certificates for your Fastly logging endpoint rather than relying on them. The default certificates only specify a Common Name (CN) and carry no Subject Alternative Name, so Fastly's **TLS hostname** check cannot verify the identity of the Splunk host presenting them. They are also weaker because the same root certificate is available in every Splunk Enterprise download, so a chain to that root says nothing about your particular deployment. The [Splunk documentation](https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates) provides a guide for configuring your own certificates.

## Related content

- [API reference: Splunk log streaming](https://www.fastly.com/documentation/reference/api/logging/splunk/)
- [CLI reference: Splunk log streaming](https://www.fastly.com/documentation/reference/cli/logging/splunk/)
