Compute@Edge log streaming: Splunk

Fastly's Real-Time Log Streaming feature for Compute@Edge services can send log files to Splunk. Splunk is a web-based log analytics platform used by developers and IT teams.


Fastly does not provide direct support for third-party services. Read Fastly's Terms of Service for more information.


To use Splunk as a logging endpoint, you'll need to enable the HTTP Event Collector (HEC), create a token, and enable it. Follow the instructions on Splunk's website:

  1. Enable HEC.
  2. Create an HEC token.
  3. Enable the HEC token.
  4. Disable indexer acknowledgment for tokens used by Fastly to stream logs.

You'll need to remember the HEC token and find the URL for your collector. The URL structure depends on the type of Splunk instance you're using. Use the table below to find the URL structure for your Splunk instance.

Splunk instance type               URL structure
Self hosted                        https://<hostname>:8088/services/collector/event
Self-service Splunk Cloud plans    https://input-<hostname>:8088/services/collector/event
All other Splunk Cloud plans       https://http-inputs-<hostname>:8088/services/collector/event

While logged in to Splunk, you can find the hostname for the URL in your web browser's address bar.

Adding Splunk as a logging endpoint

After you've created a Splunk account and obtained your customer token, follow these instructions to add Splunk as a logging endpoint for Fastly Compute@Edge services:

  1. Review the information in our guide to setting up remote log streaming for Compute@Edge. Additionally, our developer documentation provides more information about logging with Compute@Edge code written in Rust, AssemblyScript, and JavaScript.
  2. Click the Splunk Create endpoint button. The Create a Splunk endpoint page appears.
  3. Fill out the Create a Splunk endpoint fields as follows:
    • In the Name field, enter the endpoint name you specified in your Compute@Edge code. For example, in our Rust code example, the name is my_endpoint_name.
    • In the URL field, enter the URL to send data to (e.g., https://<splunk_host>:8088/services/collector/event/1.0).
    • In the Token field, enter the token for the HEC.
    • From the Use TLS controls, optionally select whether or not to enable TLS. When you select Yes, additional TLS fields appear.
    • In the TLS hostname field, optionally enter a hostname to verify the logging destination server's certificate. This should be one of the Subject Alternative Name (SAN) fields for the certificate. Common Names (CN) are not supported. If you are using Splunk Enterprise, see the Splunk Enterprise section below for more information.
    • In the TLS CA certificate field, enter the CA certificate used to verify that the Splunk server's certificate is valid. It must be in PEM format. This is not required if your Splunk-side TLS certificate is signed by a well-known CA. See the using TLS CA certificates section for more information.
    • In the TLS client certificate field, optionally copy and paste the TLS client certificate used to authenticate Fastly to the Splunk server. The TLS client certificate you upload must be in PEM format and must be accompanied by a client key. A TLS client certificate allows your Splunk server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
    • In the TLS client key field, optionally copy and paste the TLS client key used to authenticate Fastly to the Splunk server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your Splunk server to authenticate that Fastly is performing the connection.
    • In the Maximum logs field, optionally enter the maximum number of logs to append to a batch, if non-zero.
    • In the Maximum bytes field, optionally enter the maximum size of the log batch, if non-zero.
  4. Click the Create button to create the new logging endpoint.
  5. Click the Activate button to deploy your configuration changes.

Data sent to Splunk HEC must be serialized in a way conforming to Splunk's expectations.

If your logs are not formatted properly, attempts at processing your logs by your Splunk endpoint may fail. Here's an example format string for sending data to Splunk:

{
  "time": 1652331824.730,
  "source": "fastly",
  "index": "main",
  "event": {
    "message": "Something happened",
    "severity": "INFO"
  }
}

You can follow the general JSON structure above regardless of the chosen language for your Compute@Edge service and include the specific details inside the nested event structure. Refer to the Splunk documentation for other available options for Splunk HEC log messages. The emitted logs must be formatted as valid JSON.
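The JSON structure above, built from request-derived values, as an added example that is not Fastly's or Splunk's own code. It serializes each event with JSON.stringify instead of string concatenation, so a quote or line break in a header value cannot break the JSON or split one log line into two. The function names, the user_agent and path fields, and the 1024-character cap are assumptions of this example.

```javascript
// Added example, not Fastly's code. The fields inside "event" other than
// message/severity (path, user_agent) and MAX_FIELD_CHARS are assumptions.
const MAX_FIELD_CHARS = 1024;

// Cap field length so one oversized header cannot bloat a log batch.
function clip(value) {
  const s = String(value);
  return s.length > MAX_FIELD_CHARS ? s.slice(0, MAX_FIELD_CHARS) + "[truncated]" : s;
}

// Build one HEC event as a single JSON line. JSON.stringify escapes quotes,
// backslashes and line breaks in request-derived values.
function buildHecEvent(message, severity, details = {}, nowMs = Date.now()) {
  const event = { message: clip(message), severity: clip(severity) };
  for (const [key, value] of Object.entries(details)) event[key] = clip(value);
  return JSON.stringify({
    time: nowMs / 1000, // epoch seconds with millisecond fraction
    source: "fastly",
    index: "main",
    event,
  });
}

// Return null if the line is shaped like the page's example, else the reason.
function checkHecLine(line) {
  if (/[\r\n]/.test(line)) return "raw line break inside the log line";
  let parsed;
  try {
    parsed = JSON.parse(line);
  } catch (err) {
    return "not valid JSON";
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return "top level is not a JSON object";
  }
  if (!("event" in parsed)) return 'missing "event"';
  if ("time" in parsed && typeof parsed.time !== "number") return '"time" is not a number';
  return null;
}

// Constructed sample: a User-Agent value containing a quote and a line break.
const sampleUserAgent = 'probe/1.0"\n{"event": "forged"}';
const naive = '{"source": "fastly", "event": {"user_agent": "' + sampleUserAgent + '"}}';
const safe = buildHecEvent("Something happened", "INFO", { user_agent: sampleUserAgent });
console.log("concatenated line:", checkHecLine(naive));
console.log("serialized line:", checkHecLine(safe));
```

In a Compute@Edge service, the string returned by buildHecEvent is what you would write to the logging endpoint named in the Name field.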

Using TLS CA certificates

If you've installed your own TLS certificate in Splunk Enterprise or Splunk Cloud, you'll need to provide the corresponding CA certificate.

Splunk Cloud

For Splunk Cloud, the default setup has the following CA certificate:


Splunk Enterprise

Splunk Enterprise provides a set of default certificates, but we strongly recommend you configure your own certificates for your Fastly logging endpoint rather than relying on the default certificates. The certificates provided by Splunk Enterprise only specify a Common Name (CN), which cannot be used to properly verify the identity of the Splunk host presenting the certificate. Additionally, these certificates are less secure because the same root certificate is available in every Splunk Enterprise download. We encourage you to maintain the best possible security posture by configuring your own certificates rather than relying on the default certificates. The Splunk documentation provides a guide for configuring your own certificates.
