Observability Pipelines: Add indexed fields description to Splunk HEC docs#35214
Draft
maycmlee
reviewed
Mar 11, 2026
| 1. Enter the name of the Splunk index you want your data in. This has to be an allowed index for your HEC. See [template syntax][3] if you want to route logs to different indexes based on specific fields in your logs. | ||
| 1. Select whether the timestamp should be auto-extracted. If set to `true`, Splunk extracts the timestamp from the message with the expected format of `yyyy-mm-dd hh:mm:ss`. | ||
| 1. Select whether the timestamp should be auto-extracted. If set to `true`, Splunk extracts the timestamp from the message with the expected format of `yyyy-mm-dd hh:mm:ss`. | ||
| 1. When using JSON encoding, you may populate the indexed fields list with keys of the fields you want extracted as [indexed fields](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.0/get-data-with-http-event-collector/automate-indexed-field-extractions-with-http-event-collector). This indexes the specified fields at ingest-time in your Splunk HTTP event collector. |
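Review bot: The added indexed-fields step embeds the full Splunk URL inline, while the index step above it uses a reference-style link (`[template syntax][3]`); switch to a reference link so the page stays consistent. The step also opens with "When using JSON encoding" although none of the visible steps tells the reader where the encoding is chosen, so either add that step first or name the control. Consider "at ingest time" instead of "at ingest-time", and capitalize "HTTP Event Collector" as the product name.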
Contributor
I think this needs to go after the sourcetype step, based on the location of the new fields in the UI.
Also, could you add the link to the link list at the bottom of the page?
[4]: https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.0/get-data-with-http-event-collector/automate-indexed-field-extractions-with-http-event-collector
Suggested change
| 1. When using JSON encoding, you may populate the indexed fields list with keys of the fields you want extracted as [indexed fields](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.0/get-data-with-http-event-collector/automate-indexed-field-extractions-with-http-event-collector). This indexes the specified fields at ingest-time in your Splunk HTTP event collector. | |
| 1. Select the **Encoding** in the dropdown menu (**JSON** or **Raw**). | |
| - If you selected **JSON**, optionally click **Add Field** to add keys of fields you want extracted as [indexed fields][4]. This indexes the specified fields when the Splunk HTTP Event Collector ingests the logs. |
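Review bot: The suggested sub-bullet covers only the **JSON** choice, so a reader who selects **Raw** in the step above it gets no guidance; add a sentence saying whether indexed fields apply to Raw. The `[4]` reference in the sub-bullet resolves only once its definition is in the page's link list, so the link-list entry should land in the same commit as this text.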
Contributor
Preview links (active after the
|
What does this PR do? What is the motivation?
Adds a description for the new optional `indexed_fields` array added to the Splunk HEC destination
Merge instructions
Merge readiness:
AI assistance
No AI used.