Tags: splunk, flume, flume-ng

Flume sink to Splunk?


Has anyone had success sinking data from Flume to Splunk?

I've tried the Thrift and Avro flume sinks, but they have issues. Not great formats for Splunk, and Flume keeps trying events over and over again after they've been sunk.

I'm looking into the flume HTTP sink to Splunk's HEC, but I can't see how to set the HEC token in the header. Has anyone configured the HEC token in the header for the Flume http sink?

Considering just doing a file sink that is forwarded to Splunk, but would like to avoid this temporary file if possible.

Advice?


Solution

  • Ended up just making a rolling file sink, and copying those files over to a directory monitored by Splunk forwarder. Not ideal or performant but good enough for our use case.
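The piece the question was missing, as an added example that is not from the original thread or from Flume itself: a minimal custom sink that posts each event to HEC with the token in the Authorization header (the stock HTTP sink only exposes Content-Type and Accept headers) and commits the channel transaction only after Splunk returns 200, so an accepted event is not re-delivered. The class name, the `endpoint` property and the SPLUNK_HEC_TOKEN variable are assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import org.apache.flume.*;                 // Event, Transaction, EventDeliveryException, Context
import org.apache.flume.conf.Configurable;
import org.apache.flume.sink.AbstractSink;
// Hypothetical sink, not Flume's stock HttpSink. In flume.conf: agent.sinks.hec.type = SplunkHecSink
public class SplunkHecSink extends AbstractSink implements Configurable {
  private String endpoint;   // e.g. https://splunk.example:8088/services/collector/event
  private String token;      // read from the environment so the secret never sits in flume.conf
  @Override
  public void configure(Context ctx) {
    endpoint = ctx.getString("endpoint");
    token = System.getenv("SPLUNK_HEC_TOKEN");
    if (endpoint == null || token == null) throw new IllegalArgumentException("endpoint and SPLUNK_HEC_TOKEN are required");
  }
  @Override
  public Status process() throws EventDeliveryException {
    Transaction tx = getChannel().getTransaction();
    tx.begin();
    try {
      Event ev = getChannel().take();
      if (ev == null) { tx.commit(); return Status.BACKOFF; }   // channel is empty
      int code = post(toHecJson(ev));
      if (code != 200) throw new EventDeliveryException("HEC answered HTTP " + code);
      tx.commit();          // ack to the channel only after Splunk accepted the event;
      return Status.READY;  // rolling back instead makes Flume re-deliver it, by design
    } catch (Exception e) {
      tx.rollback();
      throw e instanceof EventDeliveryException ? (EventDeliveryException) e : new EventDeliveryException(e);
    } finally {
      tx.close();
    }
  }
  static String toHecJson(Event ev) {   // minimal JSON escaping for a plain-text event body
    String body = new String(ev.getBody(), StandardCharsets.UTF_8)
        .replace("\\", "\\\\").replace("\"", "\\\"").replace("\n", "\\n");
    return "{\"event\":\"" + body + "\"}";
  }
  private int post(String json) throws Exception {
    HttpURLConnection c = (HttpURLConnection) new URL(endpoint).openConnection();
    c.setRequestMethod("POST");
    c.setRequestProperty("Authorization", "Splunk " + token);   // the header the question asks about
    c.setRequestProperty("Content-Type", "application/json");
    c.setDoOutput(true);
    try (var out = c.getOutputStream()) { out.write(json.getBytes(StandardCharsets.UTF_8)); }
    return c.getResponseCode();
  }
}
```

Because the token is only ever a process environment variable, the flume.conf that gets checked into config management carries the endpoint but no credential.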