# Splunk (TCP)

<Badge className="hny-badge-enterprise-addon" stroke>Ent+</Badge>

<Note>
  This feature is available as an add-on for the [Honeycomb Enterprise plan](https://www.honeycomb.io/pricing/).
  Please contact your Honeycomb account team for details.
</Note>

## Supported Platforms

| Platform           | Metrics | Logs | Traces |
| :----------------- | :------ | :--- | :----- |
| Linux              |         | ✓    |        |
| Windows            |         | ✓    |        |
| macOS              |         | ✓    |        |
| Kubernetes Gateway |         | ✓    |        |

## Configuration Table

| Parameter                       | Type       | Default                  | Description                                                                                                                                                                                                                                          |
| :------------------------------ | :--------- | :----------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| listen\_ip                      | `string`   | "0.0.0.0"                | IP Address to listen on.                                                                                                                                                                                                                             |
| listen\_port\*                  | `int`      |                          | Port to listen on.                                                                                                                                                                                                                                   |
| log\_type                       | `string`   | splunk\_tcp              | Arbitrary for attribute 'log\_type'. Useful for filtering between many log sources.                                                                                                                                                                  |
| parse\_format                   | `enum`     | none                     | Method to use when parsing. Valid values are `none`, `json`, and `regex`. When regex is selected, 'Regex Pattern' must be set.                                                                                                                       |
| regex\_pattern                  | `string`   |                          | The regex pattern used when parsing log entries.                                                                                                                                                                                                     |
| multiline\_line\_start\_pattern | `string`   |                          | Regex pattern that matches the beginning of a log entry, for handling multiline logs.                                                                                                                                                                |
| multiline\_line\_end\_pattern   | `string`   |                          | Regex pattern that matches the end of a log entry, useful for terminating parsing of multiline logs.                                                                                                                                                 |
| parse\_timestamp                | `bool`     | false                    | Whether to parse the timestamp from the log entry.                                                                                                                                                                                                   |
| timestamp\_field                | `string`   | timestamp                | The field containing the timestamp in the log entry.                                                                                                                                                                                                 |
| parse\_timestamp\_format        | `enum`     | ISO8601                  | The format of the timestamp in the log entry. Choose a common format, or specify a custom format. Options include "ISO8601", "RFC3339", "Epoch", and "Manual".                                                                                       |
| epoch\_timestamp\_format        | `enum`     | s                        | The layout of the epoch-based timestamp. Required when parse\_timestamp\_format is set to "Epoch". Options include "s", "ms", "us", "ns", "s.ms", "s.us", "s.ns".                                                                                    |
| manual\_timestamp\_format       | `string`   | '%Y-%m-%dT%H:%M:%S.%f%z' | The strptime layout of the timestamp. Used when parse\_timestamp\_format is set to "Manual".                                                                                                                                                         |
| timezone                        | `timezone` | UTC                      | The timezone to use if the Timestamp Format doesn't include a timezone. Otherwise, the timezone in the Timestamp Format will be respected. **NOTE: This is also required to parse timezone abbreviations, due to their ambiguity.**                  |
| parse\_severity                 | `bool`     | false                    | Whether to parse severity from the log entry.                                                                                                                                                                                                        |
| severity\_field                 | `string`   | severity                 | The field containing the severity in the log entry.                                                                                                                                                                                                  |
| parse\_to                       | `string`   | body                     | The [field](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/stanza/docs/types/field.md) that the log will be parsed to. Some exporters handle logs favorably when parsed to `attributes` over `body` and vice versa. |
| enable\_tls                     | `bool`     | false                    | Whether or not to use TLS.                                                                                                                                                                                                                           |
| tls\_certificate\_path          | `string`   |                          | Path to the TLS cert to use for TLS-required connections.                                                                                                                                                                                            |
| tls\_private\_key\_path         | `string`   |                          | Path to the TLS key to use for TLS-required connections.                                                                                                                                                                                             |
| tls\_min\_version               | `enum`     | "1.2"                    | The minimum TLS version to support. 1.0 and 1.1 should not be considered secure. Valid values include: `1.3`, `1.2`, `1.1`, `1.0`.                                                                                                                   |
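
The dependencies between parameters in the table (a regex pattern once `parse_format` is `regex`, a certificate and key once TLS is on, TLS 1.0 and 1.1 not considered secure) can be checked before a source is deployed. The Python check below is an added example, not code from Honeycomb or Bindplane; the function name `check_source`, the dict input, reading the `*` on `listen_port` as "required", and the warning about a plaintext listener on all interfaces are assumptions made here.

```python
# Added example: pre-deployment check of Splunk (TCP) source parameters.
# Parameter names and defaults come from the configuration table; the function
# name, the dict input and the finding strings are assumptions for illustration.

DEFAULTS = {
    "listen_ip": "0.0.0.0", "parse_format": "none", "enable_tls": False,
    "tls_min_version": "1.2", "parse_timestamp": False,
    "parse_timestamp_format": "ISO8601", "epoch_timestamp_format": "s",
}
EPOCH_LAYOUTS = {"s", "ms", "us", "ns", "s.ms", "s.us", "s.ns"}


def check_source(params):
    """Return a list of (level, message) findings for one source configuration."""
    cfg = {**DEFAULTS, **params}
    findings = []
    port = cfg.get("listen_port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        findings.append(("error", "listen_port is required and must be 1-65535"))
    if cfg["parse_format"] not in ("none", "json", "regex"):
        findings.append(("error", "parse_format must be none, json or regex"))
    elif cfg["parse_format"] == "regex" and not cfg.get("regex_pattern"):
        findings.append(("error", "parse_format=regex requires regex_pattern"))
    if cfg["parse_timestamp"] and cfg["parse_timestamp_format"] == "Epoch":
        if cfg["epoch_timestamp_format"] not in EPOCH_LAYOUTS:
            findings.append(("error", "unknown epoch_timestamp_format"))
    if cfg["enable_tls"]:
        for key in ("tls_certificate_path", "tls_private_key_path"):
            if not cfg.get(key):
                findings.append(("error", f"enable_tls=true requires {key}"))
        if str(cfg["tls_min_version"]) in ("1.0", "1.1"):
            findings.append(("warn", "tls_min_version below 1.2 is not considered secure"))
    elif cfg["listen_ip"] == "0.0.0.0":
        # Added recommendation, not a rule the product enforces.
        findings.append(("warn", "plaintext listener bound to all interfaces"))
    return findings


# Constructed sample configurations (not taken from a real deployment).
WEAK = {"listen_port": 9997, "parse_format": "regex"}
HARDENED = {
    "listen_port": 9997, "parse_format": "json", "enable_tls": True,
    "tls_certificate_path": "/etc/example/tls.crt",  # placeholder path
    "tls_private_key_path": "/etc/example/tls.key",  # placeholder path
    "tls_min_version": "1.3",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_source(sample))
```
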

## Kubernetes

The Splunk TCP source type supports Kubernetes Gateway agents. Splunk forwarders can send logs to
the agents using the clusterIP services.

### Prerequisites

* Honeycomb Telemetry Pipeline v1.46.0 or newer

### Configuration

Add the Splunk TCP source to your Gateway agent configuration. Set "Listen Address" to `0.0.0.0` and
"Listen Port" to `9997`.

The Splunk forwarders should be configured to forward telemetry to `bindplane-gateway-agent.bindplane-agent.svc.cluster.local`
on port `9997`. If the Splunk forwarders live outside of the cluster, you must make the `bindplane-gateway-agent`
service in the `bindplane-agent` namespace available using TCP ingress or by defining your own service
that can receive traffic from outside of the cluster. See the Kubernetes [service documentation](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/) for more information.

Below is an example Splunk forwarder outputs configuration.

```ini
[tcpout]
defaultGroup = bindplane-gateway-agent

[tcpout:bindplane-gateway-agent]
server = bindplane-gateway-agent.bindplane-agent.svc.cluster.local:9997
compressed = false
useACK = false
sendCookedData = false
```
