# Connect the Collector to Splunk

## Checklist Before You Start

- Splunk Search Head with admin access
- Splunk app MS Teams Observability installed
- HEC token created with default index `ms_teams`
- Collector host can reach the HEC endpoint
## Collector Output Configuration

Add a `splunk` entry under the `output` section of your `config.yaml`:

```yaml
output:
  splunk:
    enabled: true
    splunk_hec_url: "https://<splunk-host>:8088/services/collector"
    splunk_hec_token: "<hec-token>"
    splunk_ssl_check: false
```

### Parameters

| Parameter | Required | Default | Description |
|---|---|---|---|
| `enabled` | Yes | — | Set to `true` to activate the Splunk output |
| `splunk_hec_url` | Yes | — | Full URL of the Splunk HEC endpoint |
| `splunk_hec_token` | Yes | — | HEC token created in Splunk |
| `splunk_ssl_check` | No | `true` | Set to `false` to disable TLS verification (not recommended for production) |
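The following pre-flight check is an added example, not code from the collector project or from the MS Teams Observability app. It validates the `output.splunk` block against the parameter table above before the first run: required keys present, placeholders replaced, `https` scheme, the `/services/collector` path, and a warning when `splunk_ssl_check: false` leaves TLS verification off. The function names, the `load_config` helper and the two sample configs are assumptions constructed for the example; the only real identifiers are the four documented parameters and the `Authorization: Splunk <token>` header that Splunk HEC expects.

```python
"""Pre-flight validator for the output.splunk block of config.yaml (added example)."""
from urllib.parse import urlparse

REQUIRED = ("enabled", "splunk_hec_url", "splunk_hec_token")


def validate_splunk_output(cfg: dict) -> dict:
    """Check a parsed config.yaml dict and return {'errors': [...], 'warnings': [...]}.

    Errors will stop the first collection cycle from exporting anything;
    warnings are security findings to resolve before going to production.
    """
    errors, warnings = [], []
    splunk = (cfg.get("output") or {}).get("splunk")
    if not isinstance(splunk, dict):
        return {"errors": ["output.splunk block is missing"], "warnings": []}

    for key in REQUIRED:
        if key not in splunk:
            errors.append(f"missing required parameter: {key}")
    if errors:
        return {"errors": errors, "warnings": warnings}

    # YAML `true` parses to a bool; the string "true" would not enable the output.
    if splunk["enabled"] is not True:
        errors.append("enabled must be the YAML boolean true")

    url = str(splunk["splunk_hec_url"])
    if "<" in url or ">" in url:
        errors.append("splunk_hec_url still contains a <placeholder>")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            warnings.append("splunk_hec_url is not https: the HEC token would travel in cleartext")
        if not parsed.path.rstrip("/").endswith("/services/collector"):
            warnings.append("splunk_hec_url does not end in /services/collector")

    token = str(splunk["splunk_hec_token"])
    if not token.strip() or "<" in token:
        errors.append("splunk_hec_token is empty or still a <placeholder>")

    # Default is true (see the parameter table); false disables certificate checks.
    if splunk.get("splunk_ssl_check", True) is False:
        warnings.append("splunk_ssl_check: false disables TLS verification (not recommended for production)")

    return {"errors": errors, "warnings": warnings}


def hec_headers(token: str) -> dict:
    """Headers a HEC client sends; Splunk HEC authenticates with 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def load_config(path: str) -> dict:
    """Load config.yaml with PyYAML (assumed installed) so the checks above can run on a real file."""
    import yaml  # assumption: PyYAML available on the collector host
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample 1: the template from this page, copied verbatim with its placeholders.
SAMPLE_TEMPLATE = {
    "output": {
        "splunk": {
            "enabled": True,
            "splunk_hec_url": "https://<splunk-host>:8088/services/collector",
            "splunk_hec_token": "<hec-token>",
            "splunk_ssl_check": False,
        }
    }
}

# Constructed sample 2: hostname and token are made up for the example.
SAMPLE_FILLED = {
    "output": {
        "splunk": {
            "enabled": True,
            "splunk_hec_url": "https://splunk.example.internal:8088/services/collector",
            "splunk_hec_token": "00000000-0000-4000-8000-000000000000",
            "splunk_ssl_check": True,
        }
    }
}

if __name__ == "__main__":
    for name, sample in (("template", SAMPLE_TEMPLATE), ("filled", SAMPLE_FILLED)):
        result = validate_splunk_output(sample)
        print(name, result)
```

Run it against the real file with `validate_splunk_output(load_config("./config.yaml"))` before the first `ms-teams-agent run`; the template as shipped produces two errors (both placeholders) and one warning (TLS verification disabled), while a filled-in config with `splunk_ssl_check: true` produces none.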
## Validate the Connection

After editing the configuration, run one first cycle:

```shell
ms-teams-agent run --config ./config.yaml --ignore-state
```

## Verify Data Arrival

After the first successful collection cycle:

- In Splunk, run a search against the `ms_teams` index: `index=ms_teams | head 10`
- Confirm events are present with the expected `source` values (`MSTeams_CallRecords_CallMetadata`, etc.).
- Open the MS Teams Observability Splunk app and verify dashboards show data.
✅ Success criteria:

- Collector logs show successful Splunk HEC export
- Splunk search `index=ms_teams | head 10` returns events
- Splunk app dashboards display data

❌ If this fails:

- Splunk Troubleshooting
- Verify HEC token and endpoint URL in collector config