Howto forward to Splunk HEC

Configuration

secrets:
  shared_key: '?{vaultkv:${cluster:tenant}/${cluster:name}/fluentd-forwarder/${_instance}/sharedkey}'
  hec_token: '?{vaultkv:${cluster:tenant}/${cluster:name}/fluentd-forwarder/${_instance}/hectoken}'

Using config_vars helps reducing recurring configuration values, for example if you want to filter different namespaces. In this example each namespace will be stored in a different directory.

config: |
  <system>
    log_level "info"
  </system>
  <source>
    @type forward
    port 24224
    <security>
      shared_key "#{ENV['SHARED_KEY']}"
      self_hostname "#{ENV['HOSTNAME']}"
    </security>
  </source>

  <match **>
    @type splunk_hec
    hec_token "#{ENV['HEC_TOKEN'] }"
    hec_host <URL_TO_SPLUNK_HEC>
    insecure_ssl "true"
    <buffer>
      @type memory
      chunk_limit_records 100000
      chunk_limit_size 200m
      flush_interval 5s
      flush_thread_count 1
      overflow_action block
      retry_max_times 3
      total_limit_size 600m
    </buffer>
  </match>