Splunk HEC Integration
Accept Splunk HTTP Event Collector format for seamless migration from Splunk to TigerOps. Zero client-side changes — just update the endpoint URL and gain AI anomaly detection.
How It Works
Point HEC Forwarders to TigerOps
Update your Splunk Universal Forwarders or HEC clients to send to the TigerOps HEC endpoint. The endpoint accepts the identical payload format — no client-side changes required.
Map Sourcetypes to Parsers
TigerOps auto-maps common Splunk sourcetypes (syslog, json, access_combined) to built-in parsers. Add custom sourcetype mappings for proprietary log formats via the UI.
Validate Event Fidelity
Use TigerOps live tail to confirm that timestamps, host, source, sourcetype, and index fields from HEC payloads are preserved correctly. Compare with Splunk search output during migration.
Migrate SPL Searches
TigerOps provides an SPL-to-TigerQL migration guide and auto-conversion tool. Convert your most-used saved searches and dashboards to TigerOps queries systematically.
What You Get Out of the Box
Full HEC Payload Compatibility
TigerOps accepts Splunk HEC payloads with event, time, host, source, sourcetype, index, and fields objects. Both single-event and batch (newline-delimited) payloads are supported.
Sourcetype-Aware Parsing
Built-in parsers for 50+ common Splunk sourcetypes including syslog, access_combined, json, xml, aws:cloudtrail, pan:traffic, and cisco:asa. Custom sourcetype definitions are supported.
HEC Token Authentication
TigerOps uses your TigerOps API key as the HEC token in the Authorization: Splunk <token> header. No Splunk-specific token management — your existing secrets management works.
Index and Metadata Preservation
Splunk index, host, source, and sourcetype fields are stored as labels in TigerOps. Use them for filtering and access control policies, preserving your Splunk data organization.
SPL Query Compatibility Layer
TigerOps translates common SPL patterns (stats, timechart, eval, rex) to native TigerQL. The migration assistant identifies your top queries and generates equivalent TigerOps searches.
Cost Comparison Dashboard
TigerOps tracks your daily ingest volume and projects cost vs. your Splunk license tier. The migration dashboard shows exactly how much you save by switching to TigerOps.
Splunk Universal Forwarder outputs.conf
Update your Splunk Universal Forwarder to send HEC traffic to TigerOps.
# Splunk Universal Forwarder — outputs.conf
# Update server to point to TigerOps HEC endpoint
[httpout]
httpEventCollectorToken = ${TIGEROPS_API_KEY}
server = ingest.atatus.net:443
useSSL = true
sslVerifyServerCert = true
# Or send directly via curl to test. The -k flag is left out so that curl
# verifies the server certificate, matching sslVerifyServerCert = true above:
# curl https://ingest.atatus.net/services/collector/event \
# -H "Authorization: Splunk ${TIGEROPS_API_KEY}" \
# -H "Content-Type: application/json" \
# -d '{"event": "Hello TigerOps", "sourcetype": "manual", "host": "web-01"}'
# HEC batch payload example:
# {"time": 1700000000, "host": "web-01", "source": "/var/log/app.log",
# "sourcetype": "json", "index": "main",
# "event": {"level": "error", "message": "connection refused", "service": "api"}}
# {"time": 1700000001, "host": "web-01", "sourcetype": "json",
# "event": {"level": "info", "message": "request completed", "latency_ms": 42}}
Common Questions
Is the TigerOps HEC endpoint fully compatible with Splunk Universal Forwarder?
Yes. The TigerOps HEC endpoint accepts the same JSON payload structure and Authorization: Splunk <token> header format as Splunk Enterprise and Splunk Cloud HEC endpoints. Update the outputs.conf server URL and you are done.
Can I run TigerOps in parallel with Splunk during migration?
Yes. Use a Splunk HEC load balancer (such as Cribl Stream or a simple Nginx proxy) to fan out HEC traffic to both Splunk and TigerOps simultaneously. Validate parity before cutting over.
Does TigerOps support Splunk metric indexes?
Yes. Splunk metric index payloads (with _value, _metric_name, and dimension fields) are accepted at the TigerOps HEC endpoint and stored as time series metrics, queryable alongside your logs.
How does TigerOps handle Splunk field extractions (props.conf/transforms.conf)?
TigerOps has its own field extraction layer. Import your existing props.conf regex patterns into TigerOps parsing rules. The migration tool parses props.conf and generates equivalent TigerOps extraction configs.
What is the maximum HEC payload size TigerOps accepts?
TigerOps accepts individual HEC events up to 1 MB and batch payloads up to 10 MB per request — matching Splunk's default HEC limits. Configure max_content_length in your HEC client to stay within these bounds.
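A client-side pre-flight check for the payload format and size limits described above, as an added example that is not TigerOps or Splunk code. The function names are hypothetical, the 1 MB limit is assumed to apply to the serialized envelope, and rejecting top-level keys outside the list this page gives is this example's own policy for catching misspelled metadata before it is sent.

```python
import json

MAX_EVENT_BYTES = 1024 * 1024        # 1 MB per event, as stated on this page
MAX_BATCH_BYTES = 10 * 1024 * 1024   # 10 MB per request, as stated on this page
ENVELOPE_KEYS = {"event", "time", "host", "source", "sourcetype", "index", "fields"}
# Constructed sample modelled on the page's batch: objects span lines, one key is misspelled.
SAMPLE = '''{"time": 1700000000, "host": "web-01", "sourcetype": "json",
 "event": {"level": "error", "message": "connection refused"}}
{"host": "web-01", "sourceType": "json", "event": "misspelled key"}'''

def parse_hec_batch(body):
    """Split a batch body into envelopes, wherever the line breaks fall."""
    decoder, pos, envelopes = json.JSONDecoder(), 0, []
    while pos < len(body):
        if body[pos].isspace():
            pos += 1
        else:
            obj, pos = decoder.raw_decode(body, pos)
            envelopes.append(obj)
    return envelopes

def check_envelope(env):
    """Return the problems found in one envelope; an empty list means none."""
    if not isinstance(env, dict):
        return ["envelope is not a JSON object"]
    stray = sorted(set(env) - ENVELOPE_KEYS)
    problems = [f"unexpected top-level keys: {stray}"] if stray else []
    if env.get("event") in (None, ""):
        problems.append("missing or empty 'event'")
    return problems

def build_batches(envelopes, max_event=MAX_EVENT_BYTES, max_batch=MAX_BATCH_BYTES):
    """Pack valid envelopes into newline-delimited bodies; return (bodies, rejected)."""
    bodies, rejected, current, size = [], [], [], 0
    for i, env in enumerate(envelopes):
        line = json.dumps(env, separators=(",", ":")).encode()
        problems = check_envelope(env)
        if len(line) > max_event:
            problems.append(f"serialized event is {len(line)} bytes, limit {max_event}")
        if problems:
            rejected.append((i, problems))
            continue
        if current and size + len(line) + 1 > max_batch:
            bodies.append(b"\n".join(current))
            current, size = [], 0
        current.append(line)
        size += len(line) + 1
    if current:
        bodies.append(b"\n".join(current))
    return bodies, rejected
```

Each returned body is ready to POST as one request; the rejected list gives the index and reason for every envelope held back, which is useful to log during the parallel-run phase of a migration.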
Migrate from Splunk Without Touching Your Forwarders
Change one URL. Keep your HEC tokens. Gain AI anomaly detection, modern dashboards, and a fraction of the cost.