Skip to main content

Splunk Sink Configuration

The Splunk decision log sink allows publishing decision log entries as events to a Splunk HTTP Endpoint Collector.

Example Configuration

decision_logs:
plugin: eopa_dl
plugins:
eopa_dl:
output:
- type: splunk
url: https://YOUR-TENANT.splunkcloud.com:8088/services/collector/event
token: $SPLUNK_TOKEN
batching:
at_period: "10s" # flush batch every 10 seconds
at_count: 10 # flush batch every 10 log entries
at_bytes: 10240 # flush batch whenever 10240 bytes are exceeded
compress: true # use gzip on payloads (default: false)
tls:
cert: path/to/cert.pem
private_key: path/to/key.pem
ca_cert: path/to/ca.pem
skip_cert_verify: false # default false

Decision logs will be batched according to your configuration, and sent to Splunk in its desired format, i.e. wrapped in an event envelope:

{
"event": {
"decision_id": "955ee45b-8624-4e23-af67-e3513d69c997",
"input": {
"method": "GET",
"path": "/data/fruits"
},
"labels": {
"id": "6067027a-caf0-4601-8691-6a1ba0906b4b",
"type": "enterprise-opa",
"version": "0.52.0"
},
"metrics": {
"counter_regovm_eval_instructions": 42,
"counter_server_query_cache_hit": 1,
"timer_rego_input_parse_ns": 17637,
"timer_regovm_eval_ns": 73731,
"timer_server_handler_ns": 110230
},
"nd_builtin_cache": {},
"path": "authz",
"req_id": 4,
"requested_by": "127.0.0.1:61318",
"result": {
"allow": true
},
"timestamp": "2023-05-12T13:36:37.496602+02:00"
},
"time": 1683891397
}
tip

You can use the Enterprise OPA Enterprise Key Management feature to avoid putting your Splunk token secret into the configuration file. Learn more.

FieldTypeRequiredDefaultDescription
output.urlstringYesAddress to connect to Splunk.
output.tokenstringYesSplunk event collector token.
output.tlsObjectNoSee TLS configuration
output.batchingObjectNoSee Batching configuration
output.mask_decisionstringNoSee Mask and Drop decisions configuration
output.drop_decisionstringNoSee Mask and Drop decisions configuration