In the Splunk section for the ClusterLogForwarder, we list a command for creating a secret with a HEC token to forward to a Splunk log store:

oc -n openshift-logging create secret generic vector-splunk-secret --from-literal hecToken=<HEC_Token>

This does not include a certificate authority and requires that Splunk uses a cert that is already trusted, or to use insecureSkipVerify which is not recommended.

Can we update the command (or add an alternate command) for creating a secret with hecToken as well as ca-bundle? I think it would look like:

oc -n openshift-logging create secret generic vector-splunk-secret --from-literal hecToken=<HEC_Token> ca-bundle.crt=<CA_Bundle>

https://docs.openshift.com/container-platform/4.14/logging/log_collection_forwarding/configuring-log-forwarding.html#logging-forward-splunk_configuring-log-forwarding