Splunk TCP integration configuration fields

  • Release version: Washingtondc
  • Updated April 7, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Splunk TCP Integration Configuration Fields

    This guide provides the necessary configuration fields for setting up Splunk TCP integration within Health Log Analytics. It outlines how to configure the integration to ensure efficient log data transmission from Splunk to your ServiceNow instance.

    Show full answer Show less

    Key Features

    • Integration Name: A unique identifier for the integration, automatically adjusted on the form.
    • MID Server Name: Required selection of a MID Server that supports basic authentication for log data pulling.
    • Port: Essential port configuration; ensure it is opened by your security team.
    • Description: Optional field for noting details about the integration.
    • Transport: TCP is the protocol used for streaming log messages.
    • Use Cooked Data: Allows ingestion of preprocessed log data from Splunk, retaining contextual information.
    • Advanced Settings: Options for enhanced security (SSL/TLS), DNS lookups, time zone management, compression, log handling ratios, and timeout settings.

    Key Outcomes

    By accurately configuring these fields, you can ensure secure and efficient log data streaming from Splunk into Health Log Analytics. This setup minimizes data loss and optimizes performance while maintaining the integrity of the log data transmitted.

    Description of the fields on the Splunk TCP integration configuration forms for Health Log Analytics.

    Table 1. Provide details
    Field Description
    Integration Name Unique name of this integration. For example: My Splunk TCP integration. This field is required.
    Note:
    When you fill in this field, the generic name displayed on the form adjusts automatically to match the name you entered.
    MID server name MID Server to which log data from Splunk is pulled. This field is required.
    Note:
    • You can select only MID Servers that support basic authentication. MID Servers that support mTLS are not listed.
    • The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties.
    • If log ingestion is not enabled for the selected MID Server, Health Log Analytics enables it automatically.
    Port The port for the MID Server. This field is required.

    Make sure that your organization’s security team opens the selected port on the MID Server.
    Description Option to add a brief description of the integration to help identify it.
    Transport The protocol used for streaming log messages to your ServiceNow instance: TCP. This field is read-only.
    Use Cooked Data Option to ingest log data from Splunk in the preprocessed ("cooked") format that Splunk uses on the forwarder.

    Ingesting data into HLA in this format ensures that each log line retains the relevant contextual information that Splunk embeds into it.
    Table 2. Advanced settings
    Field Description
    Use SSL/TLS Option for selecting to use SSL/TLS, for enhanced data security and protection.
    Note:
    SSL/TLS must be enabled if you want to send logs in a compressed format.
    Lookup hostnames Option for selecting to perform DNS lookup to resolve IPs to hostnames. The default value is false.
    Use Forwarder TimeZone Option to pass information about the time zone in which the forwarder is located.

    The MID Server uses this information to adjust for the time zone from which the logs arrive.

    This option is displayed when Use Cooked Data is selected. It is relevant when using Splunk Universal Forwarders.
    Enable Compression Option to send logs in compressed format.

    Sending logs in a compressed format minimizes the size of the data being transferred, which is important when dealing with large volumes of log data.

    This option is displayed when Use Cooked Data and Use SSL/TLS are selected. It is relevant when using Splunk Universal Forwarders.
    Sub sample drop ratio The ratio of logs to drop. The default value is -1: no logs are dropped.

    For example: If you want one out of every five logs to be dropped, change the value to 5.
    Sub sample receive ratio The ratio of logs to receive. The default value is -1: no logs are received.

    For example: If you want one out of every five logs to be received, change the value to 5.
    Max length in bytes The maximum length of log messages in bytes. The default value is 32766.
    Character encoding The character encoding for this data input. Default is UTF-8.
    Boss thread count The number of threads that manage connections.
    Worker thread count The number of threads that handle incoming data.
    Read timeout seconds The timeout in seconds since the last read. When the timeout expires, the system closes the channel.
    Default timezone The time zone of events that the system will use if a log does not specify the time zone.

    By default, the system uses GMT in such cases, but you can specify a different time zone.
    Drop if queue is full Option for selecting to discard logs if there is a load on the MID Server.