Add support for Splunk HTTP Event Collector #85
Conversation
Codecov Report
Attention:
@@ Coverage Diff @@
## main #85 +/- ##
==========================================
+ Coverage 80.20% 81.25% +1.05%
==========================================
Files 33 33
Lines 3132 3239 +107
==========================================
+ Hits 2512 2632 +120
+ Misses 620 607 -13
* Implement code review suggestions
* Add some comments and whitespaces for readability
* Move buffering into separate method of SplunkWriter
* Write the record descriptor `_name` as a type for json sourcetype
* Update tests to account for the above
While working on the HTTP adapter it came to mind that there seems to be undesired behavior in the current Splunk adapter whenever a record has a field with the name
This will currently yield the following input for Splunk:
As you can see, the
This however might break existing Splunk dashboards that build on top of dissect. In my experience records from dissect rarely have a 'type' field, which might explain why things haven't broken down in the past. Having said that, I would still consider the above (current) behavior to be a bug, and the introduction of the HTTP collector support of this PR requires me to either also implement the behavior in this PR, or fix it now. Do you think the record descriptor name should be sent as And if so, should it be implemented in a separate PR first, or should I implement it within this PR? |
Yes. |
I would say
|
Codecov Report
Attention: Patch coverage is
@@ Coverage Diff @@
## main #85 +/- ##
==========================================
+ Coverage 80.54% 81.64% +1.10%
==========================================
Files 34 34
Lines 3197 3307 +110
==========================================
+ Hits 2575 2700 +125
+ Misses 622 607 -15
Shows how `_source` and `source` are handled differently
ff33136 to b5724c3
This pull request adds support for the Splunk HTTP Event Collector (HEC) to the Splunk adapter. This is especially useful in scenarios where the already supported TCP Input is not available, for example in Splunk Cloud environments.
Sending data over HTTP Event Collector supports both sending the data in `key=value` format (like the TCP Data Input already uses) and a `json` format.

Something I'm still unsure of is whether to include the 'builtin' Record Fields such as `_generated`, `_source`, `_classification` and `_version`. Currently, the keyvalue format does not send these fields, but the `json` format does. This difference is caused by the usage of the `JsonRecordPacker` which includes these fields. I don't think it should be inconsistent between the two formats, but what is desired: including or omitting these builtin fields?