// Module included in the following assemblies: // // * logging/log_collection_forwarding/configuring-log-forwarding.adoc :_mod-docs-content-type: PROCEDURE [id="logging-forward-splunk_{context}"] = Forwarding logs to Splunk You can forward logs to the link:https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/UsetheHTTPEventCollector[Splunk HTTP Event Collector (HEC)] in addition to, or instead of, the internal default {product-title} log store. [NOTE] ==== Using this feature with Fluentd is not supported. ==== .Prerequisites * {clo} 5.6 or later * A `ClusterLogging` instance with `vector` specified as the collector * Base64 encoded Splunk HEC token .Procedure . Create a secret using your Base64 encoded Splunk HEC token. + [source,terminal] ---- $ oc -n openshift-logging create secret generic vector-splunk-secret --from-literal hecToken= ---- + . Create or edit the `ClusterLogForwarder` Custom Resource (CR) using the template below: + [source,yaml] ---- apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: name: <1> namespace: <2> spec: serviceAccountName: <3> outputs: - name: splunk-receiver <4> secret: name: vector-splunk-secret <5> type: splunk <6> url: <7> pipelines: <8> - inputRefs: - application - infrastructure name: <9> outputRefs: - splunk-receiver <10> ---- <1> In legacy implementations, the CR name must be `instance`. In multi log forwarder implementations, you can use any name. <2> In legacy implementations, the CR namespace must be `openshift-logging`. In multi log forwarder implementations, you can use any namespace. <3> The name of your service account. The service account is only required in multi log forwarder implementations if the log forwarder is not deployed in the `openshift-logging` namespace. <4> Specify a name for the output. <5> Specify the name of the secret that contains your HEC token. <6> Specify the output type as `splunk`. <7> Specify the URL (including port) of your Splunk HEC. <8> Specify which log types to forward by using the pipeline: `application`, `infrastructure`, or `audit`. <9> Optional: Specify a name for the pipeline. <10> Specify the name of the output to use when forwarding logs with this pipeline.