This repository contains a technical add-on that exposes an OTLP endpoint for consumption of logs, traces and metrics.
Add the .tgz file to your Splunk apps by following these instructions: Install an add-on in a single-instance Splunk Enterprise deployment
Create a new OTLP input in the data inputs.
Configure the OTLP input ports and network interface.
The input is configured as a data input in the Splunk Data Input settings.
You can set:
- The gRPC port and HTTP ports the OTLP receiver will listen on
- The network interface address on which the OTLP input will listen.
The OTLP addon inherits authentication and authorization associated with the HEC tokens defined on the Splunk instance.
Please define a HEC token as documented in Splunk docs.
Please make sure to allow indexes as needed; any payload sent to an index that is not allowed will be refused in its entirety.
The OTLP endpoint is secured by bearer token authentication: it checks the Authorization header for a token presented under the Splunk scheme.
Example of setup of the otlp_http exporter:

```yaml
exporters:
  otlp_http:
    endpoint: "http://splunk:4318"
    headers:
      authorization: "Splunk <TOKEN>"
```

When sending OTLP data, this input interprets resource attributes to create HEC equivalents.
This table shows the resource attributes mapping:
| Resource attribute | HEC event field |
|---|---|
| com.splunk.index | index |
| com.splunk.sourcetype | sourcetype |
| com.splunk.source | source |
| host.name | host |
The OpenTelemetry protocol representation of a log record contains additional fields. The table below shows the mapping of those fields to HEC event indexed fields:
| Log record field | HEC event indexed field |
|---|---|
| Severity text | otel.log.severity.text |
| Severity number | otel.log.severity.number |
All other resource and individual log record attributes are mapped to indexed fields.
This mapping follows the OpenTelemetry specification.
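
The resource attribute mapping above, combined with the rule that a payload is refused in its entirety when it targets an index the HEC token does not allow, sketched in Go as an added example (not the add-on's own code). `HECEvent`, `convertPayload` and the `allowed` set are hypothetical names, and treating a missing `com.splunk.index` as the token's default index is an assumption.

```go
package main

import "fmt"

// HECEvent is a simplified stand-in for a HEC event (hypothetical, not the add-on's type).
type HECEvent struct {
	Index, Sourcetype, Source, Host string
	Fields                          map[string]string // indexed fields
}

// convertPayload maps each resource's attributes per the table above. The check is
// all-or-nothing: one resource naming an index outside allowed refuses the whole
// payload. Assumption: an empty index means "use the token's default index".
func convertPayload(resources []map[string]string, allowed map[string]bool) ([]HECEvent, error) {
	var out []HECEvent
	for _, attrs := range resources {
		ev := HECEvent{Fields: map[string]string{}}
		for k, v := range attrs {
			switch k {
			case "com.splunk.index":
				ev.Index = v
			case "com.splunk.sourcetype":
				ev.Sourcetype = v
			case "com.splunk.source":
				ev.Source = v
			case "host.name":
				ev.Host = v
			default: // every other resource attribute becomes an indexed field
				ev.Fields[k] = v
			}
		}
		if ev.Index != "" && !allowed[ev.Index] {
			return nil, fmt.Errorf("index %q not allowed for this token, payload refused", ev.Index)
		}
		out = append(out, ev)
	}
	return out, nil
}

func main() {
	// Constructed sample: one payload with two resources; the token allows only "mylogs".
	payload := []map[string]string{
		{"com.splunk.index": "mylogs", "host.name": "web-1", "service.name": "checkout"},
		{"com.splunk.index": "secret", "host.name": "web-2"},
	}
	events, err := convertPayload(payload, map[string]bool{"mylogs": true})
	fmt.Println(len(events), err) // nothing is forwarded, not even the "mylogs" resource
}
```
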
Here is a collector configuration that reads logs from a file and sends OTLP data to a specific index, mylogs:

```yaml
receivers:
  filelog/output:
    include: [ /output/file.log ]
exporters:
  otlphttp:
    endpoint: "http://splunk:4318"
    headers:
      authorization: "Splunk 00000000-0000-0000-0000-0000000000000"
processors:
  resource:
    attributes:
      - key: com.splunk.index
        value: "mylogs"
        action: insert
service:
  pipelines:
    logs:
      receivers: [filelog/output]
      processors: [resource]
      exporters: [otlphttp]
```

Prerequisites:
- Go 1.24
- Make
Run:

```sh
$> make tgz
```

This will build the binaries, and assemble the TA tar.gz archive.
The archive is created as splunk-connect-for-otlp.tgz.
You can run a local Splunk instance with:

```sh
make splunk
```

Log in with admin/changeme.
Install the application by going to Apps > Manage Apps > Install application from file.
See the example folder for a collector configuration.
You can generate a payload using telemetrygen.
Install telemetrygen with:

```sh
go install github.com/open-telemetry/opentelemetry-collector-contrib/cmd/telemetrygen@latest
```

Try running telemetrygen with:

```sh
$> telemetrygen metrics --otlp-insecure --otlp-endpoint 0.0.0.0:4317 --metrics 100 --workers 10
$> telemetrygen logs --otlp-insecure --otlp-endpoint 0.0.0.0:4317 --logs 100 --workers 10
$> telemetrygen traces --otlp-insecure --otlp-endpoint 0.0.0.0:4317 --traces 100 --workers 10
```

To try sending data to different indexes, add a resource attribute with the --otlp-attributes parameter.
Example to send to the foo metric index:

```sh
$> telemetrygen metrics --otlp-insecure --otlp-endpoint 0.0.0.0:4317 --metrics 100 --workers 10 --otlp-attributes com.splunk.index=\"foo\"
```

The following binaries, written in Go, are present in the source repository:
- linux_x86_64/bin/splunk-connect-for-otlp
- windows_x86_64/bin/splunk-connect-for-otlp

