Replies: 1 comment 1 reply
-
|
the Splunk HEC logs sink has fields you can use to define. the metadata so if you had an event in vector that is {
"message":"this is a tomato",
"index":"veggies",
"sourcetype":"tomato"
"timestamp": "2024-05-05T12:12:12Z"
}and the splunk hec sink was sinks:
my_sink_id:
type: splunk_hec_logs
encoding:
codec: text
inputs:
- my-source-or-transform-id
compression: none
endpoint: https://http-inputs-hec.splunkcloud.com
endpoint_target: event
index: "{{ index }}"
sourcetype: "{{ sourcetype }}"
timestamp_key: timestampit would send the value of |
Beta Was this translation helpful? Give feedback.
-
|
None of the works, curious if you've tried yourself to see how it looks in Splunk? I had pretty much an entirely the same configuration as that already. From my perspective the splunk sink just doesn't work properly at all, maybe I'm missing something but genuinely curious if anyone has gotten it to work correctly. It continually just sends the entire incoming json and does zero effort to massage away any attached metadata from the event. To resolve I just ended up using an http sink, works plenty fine and does exactly what I want, and not hard at all to use it with the splunk HEC. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
What I mean is, if I have an input that sends something like:
{
"event":"bunch of log data here",
"index":"index here",
"sourcetype":"sourcetype here"
}
How do I get it so the index and sourcetype and only sent as metadata, and not part of the event itself that makes it into the splunk event? For example, using one of splunk docs examples:
curl "https://mysplunkserver.example.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C"
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67"
-d '{"event": "Hello, world!", "sourcetype": "manual"}'
Beta Was this translation helpful? Give feedback.
All reactions