Splunk Sink Connector

Type: sink
Class: com.splunk.kafka.connect.SplunkSinkConnector
Target System: Search & Analytics (Splunk)
Maintainer: Splunk
License: Apache License 2.0
Project: github.com/splunk/kafka-connect-splunk
Download: GitHub Releases

This page documents version v2.2.5. Newer versions should be compatible unless there are breaking changes, but field names or default values may differ. If you notice discrepancies, please contact Axual Support.

Description

The Splunk Sink Connector consumes records from Kafka topics and forwards them to Splunk via the HTTP Event Collector (HEC) API.

It is maintained by Splunk as part of the open-source github.com/splunk/kafka-connect-splunk project.

The connector sends events to Splunk’s HTTP Event Collector (HEC) — an HTTPS endpoint that accepts structured JSON with token-based authentication. HEC must be enabled on your Splunk instance before the connector can start.

Features

  • Forward Kafka records to Splunk via HTTP Event Collector (HEC)

  • Configurable HEC endpoint, token, and SSL settings

  • Supports batch event delivery

When to Use

  • You need to send Kafka records into Splunk for indexing, search, and monitoring.

  • You are building an observability or security pipeline with Splunk as the destination.

When NOT to Use

  • Your Splunk instance does not have the HTTP Event Collector enabled.

  • You need bidirectional data flow — this connector is sink only.

Installation

The connector is available from the Splunk GitHub releases page.

  1. Navigate to the releases page and download the connector JAR for version 2.2.5.

For installation steps, see Installing Connector Plugins.

Configuration

For the complete configuration reference, see the official sink connector documentation.

To configure a connector in Axual Self-Service, see Starting Connectors.

TIP: For Infrastructure-as-Code deployment, see the Axual Kafka Connect Boilerplates for Terraform and Management API boilerplates.

Getting Started

This section walks through forwarding Kafka records to a Splunk Cloud instance.

Prerequisites

Splunk instance with HEC enabled

You need a Splunk instance with the HTTP Event Collector (HEC) enabled and a token created.

  1. Sign up for a Splunk Cloud trial account.

  2. Follow the official documentation to Create an Event Collector token on Splunk Cloud Platform.

    • Use mcollect_stash as the source type and select the main index.

  3. Note down the HEC token — you will use it as the value for splunk.hec.token.

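  4. Test your HEC token before configuring the connector. The -k flag tells curl to skip TLS certificate verification; omit it when the endpoint presents a certificate your system trusts: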

    curl -kv "https://YOUR-STACK-ID.splunkcloud.com:8088/services/collector/event" \
        -H "Authorization: Splunk YOUR-TOKEN" \
        -d '{"event": "Hello, world!", "sourcetype": "manual"}'

    Expected response: {"text": "Success", "code": 0}

Axual stream with records

The stream this connector consumes must already exist in Axual Self-Service and contain records. See Creating streams if you need to create a stream, and Produce some data to produce test events.

Steps

Step 1 — Create a connector application

  1. Follow the Configure and install a connector documentation to set up a new Connector-Application.
    Let’s call it {application-name}.
    The plugin name is {plugin-name}.
    If a plugin isn’t available, ask a platform operator to install plugins.

Step 2 — Configure the connector

  1. Provide the following minimal configuration:

    connector.class: com.splunk.kafka.connect.SplunkSinkConnector
    topics: Your Axual stream name
    splunk.hec.uri: https://YOUR-STACK-ID.splunkcloud.com:8088
        Replace YOUR-STACK-ID with your Splunk stack ID (e.g. prd-p-abc12).
    splunk.hec.token: Your HEC token
    splunk.hec.ssl.trust.store.path: /docker-java-home/lib/security/cacerts
    splunk.hec.ssl.trust.store.password: changeit
    splunk.hec.ssl.validate.certs: false

    For advanced options, see the official sink connector documentation.

Step 3 — Start the connector

Start the connector application from Axual Self-Service. Once running, records from the stream will be forwarded to Splunk via HEC.

Step 4 — Verify

Verify events are arriving in Splunk:

  • HEC dashboard: YOUR-STACK-ID.splunkcloud.com/en-US/app/splunk_instance_monitoring/http_event_collector

  • Search: YOUR-STACK-ID.splunkcloud.com/en-US/app/search/search?q=search%20index%3D%22main%22

Cleanup

  1. Stop the connector application in Axual Self-Service.

  2. Remove stream access for the application if no longer needed.

  3. Splunk Cloud trial instances expire automatically after 14 days — no manual cleanup needed.

Known limitations

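  • SSL certificate validation is disabled in the example configuration (splunk.hec.ssl.validate.certs is false), so the connector accepts any certificate the HEC endpoint presents. For production, enable it and provide a valid truststore.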

  • The HEC URI must not include the /services/collector path — the connector appends it automatically.
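
Both limitations can be checked mechanically before a configuration is deployed. The following is an added example, not code from Axual or the Splunk project: the helper names and finding codes are hypothetical, the sample is constructed from the Step 2 configuration, and the comma-separated URI handling is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the Step 2 configuration plus one extra mistake
# (the /services/collector path appended to the URI).
SAMPLE = json.loads("""{
  "name": "my-splunk-sink",
  "config": {
    "connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
    "topics": "example-stream",
    "splunk.hec.uri": "https://YOUR-STACK-ID.splunkcloud.com:8088/services/collector",
    "splunk.hec.token": "<your-hec-token>",
    "splunk.hec.ssl.validate.certs": "false"
  }
}""")

def is_placeholder(value):
    """True for empty values and for the page's <...> / YOUR-... stand-ins."""
    v = str(value).strip()
    return not v or v.startswith("<") or "YOUR-" in v.upper()

def audit_splunk_sink(connector):
    """Return sorted finding codes for a connector definition (hypothetical helper)."""
    cfg = connector.get("config", connector)
    findings = set()
    uris = str(cfg.get("splunk.hec.uri", ""))
    if is_placeholder(uris):
        findings.add("PLACEHOLDER_URI")
    # Assumption: several endpoints may be listed comma-separated.
    for uri in uris.split(","):
        parts = urlsplit(uri.strip())
        if parts.scheme != "https":
            findings.add("HEC_URI_NOT_HTTPS")    # token would travel in clear text
        if parts.path.strip("/"):
            findings.add("HEC_URI_HAS_PATH")     # connector appends the HEC path itself
    if is_placeholder(cfg.get("splunk.hec.token", "")):
        findings.add("PLACEHOLDER_TOKEN")
    if str(cfg.get("splunk.hec.ssl.validate.certs", "")).strip().lower() == "false":
        findings.add("TLS_VALIDATION_DISABLED")  # any certificate is accepted
    return sorted(findings)

if __name__ == "__main__":
    for code in audit_splunk_sink(SAMPLE):
        print(code)
```

An empty result means none of these checks fired; it says nothing about settings the helper does not inspect.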

Examples

Minimal configuration

{
  "name": "my-splunk-sink",
  "config": {
    "connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
    "topics": "<your-axual-stream-name>",
    "splunk.hec.uri": "https://YOUR-STACK-ID.splunkcloud.com:8088",
    "splunk.hec.token": "<your-hec-token>",
    "splunk.hec.ssl.trust.store.path": "/docker-java-home/lib/security/cacerts",
    "splunk.hec.ssl.trust.store.password": "changeit",
    "splunk.hec.ssl.validate.certs": "false"
  }
}

License

The Splunk Sink Connector is licensed under the Apache License, Version 2.0.