Connect the Collector to Splunk

Collector Output Configuration

Add a splunk entry under the output section of your config.yaml:

output:
  splunk:
    enabled: true
    splunk_hec_url: "https://<splunk-host>:8088/services/collector"
    splunk_hec_token: "<hec-token>"
    splunk_ssl_check: false

Parameters

Parameter	Required	Description
enabled	Yes	Set to true to activate the Splunk output
splunk_hec_url	Yes	Full URL of the Splunk HEC endpoint
splunk_hec_token	Yes	HEC token created in Splunk
splunk_ssl_check	No	Set to false to disable TLS verification (not recommended for production)

Caution

splunk_ssl_check: false matches the baseline collector template. For production, prefer trusted TLS certificates and set this to true.

Validate the Connection

After editing the configuration, run one first cycle:

./ms-teams-agent.bin --config ./conf/config.yaml --ignore_state

Verify Data Arrival

After the first successful collection cycle:

1. In Splunk, run a search against the ms_teams index: index=ms_teams | head 10
2. Confirm events are present with the expected source values (MSTeams_CallRecords_CallMetadata, etc.).
3. Open the MS Teams Observability Splunk app and verify dashboards show data.

If data is not arriving, see Troubleshooting.