Plugin
Arg | Description | Type |
---|---|---|
query | Source for rows to upload. | StoredQuery (required) |
threads | How many threads to use. | int64 |
url | The Splunk Event Collector URL. | string (required) |
token | Splunk HEC Token. | string |
index | The name of the index to upload to. If not specified, ensure a column is named _splunk_index. | string (required) |
source | The source field for splunk. If not specified ensure a column is named _splunk_source or this will be ‘velociraptor’. | string |
sourcetype | The sourcetype field for splunk. If not specified ensure a column is named _splunk_source_type or this will ‘vql’ | string |
chunk_size | The number of rows to send at the time. | int64 |
skip_verify | Skip SSL verification(default: False). | bool |
root_ca | As a better alternative to skip_verify, allows root ca certs to be added here. | string |
wait_time | Batch splunk upload this long (2 sec). | int64 |
hostname | Hostname for Splunk Events. Defaults to server hostname. | string |
timestamp_field | Field to use as event timestamp. | string |
hostname_field | Field to use as event hostname. Overrides hostname parameter. | string |
secret | Alternatively use a secret from the secrets service. Secret must be of type ‘AWS S3 Creds’ | string |
Upload rows to splunk.