A note for the community
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Problem
For the Splunk HEC Log Sink, the documentation for `indexed_fields` references a (quite old) Splunk documentation page that says if you're pushing a JSON event, everything gets indexed automatically. But, if you want to add extra data outside of the event to be indexed, outside of the main data, you can send a JSON object (map/dictionary, really) indicating the key/value pairs.
The original intent for this feature seems to be that the fields specified in the `indexed_fields` list would get popped off the data and moved to the `fields` property, but the whole idea with the `fields` HEC property is so that you can hard-code specific values that don't occur naturally in the raw data. Also, the removal of the fields from the raw data seems to be broken anyway.
Also, the documentation page link should be updated to reference the current documentation.
Configuration
```yaml
---
sinks:
  my_splunk_sink:
    type: splunk_hec_logs
    inputs: [my_input]
    endpoint: https://my.splunk.com
    default_token: MYREALLYSPECIALSECRETTOKEN   # placeholder, not a real token
    sourcetype: _json
    acknowledgements:
      enabled: false
    indexed_fields:
      location: MYLOCATION
      favoritecolor: green
```
Version
0.54.0
Debug Output
Example Data
No response
Additional Context
We capture JSON data in vector, apply some transforms, and then intend to send it off to splunk, from multiple disparate sites. We'd like to use the `fields` property to decorate the event payload with metadata such as location, which we can then use to differentiate in dashboards.
References
`splunk_hec` sink #1534
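The two behaviours the issue contrasts, as an added example in Python (this is not Vector's sink code and not something the reporter posted): `indexed_fields` semantics move a key out of the event body into the HEC `fields` object, while the decoration the reporter wants writes constant key/values to `fields` and leaves the event body alone. The envelope keys (`event`, `fields`, `sourcetype`, `time`), the `/services/collector/event` path and the `Authorization: Splunk <token>` header are from Splunk's HEC event format; the function names, the `duplicated_keys` check and the sample event are assumptions constructed for this example. `duplicated_keys` is the check you would run against a captured sink payload to confirm the "removal seems broken" symptom: a key that shows up in both `event` and `fields` was copied, not moved.

```python
import json
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample event (not real data): what a Vector pipeline might emit
# after its transforms, before the sink wraps it for HEC.
SAMPLE_EVENT = {"msg": "login ok", "user": "alice", "location": "site-a"}


def build_hec_envelope(
    event: Dict[str, Any],
    *,
    indexed_fields: Iterable[str] = (),
    static_fields: Optional[Dict[str, Any]] = None,
    sourcetype: str = "_json",
    event_time: float = 0.0,
) -> Dict[str, Any]:
    """Wrap one event in the HEC JSON envelope ("event", "fields", "sourcetype", "time").

    indexed_fields: keys moved out of the event body into the "fields" object,
                    the behaviour the issue describes as the original intent.
    static_fields:  constant key/values written to "fields" without touching the
                    event body, the decoration behaviour the issue asks for.
    (Hypothetical helper written for this example, not Vector's implementation.)
    """
    body = dict(event)  # copy: never mutate the caller's event
    fields: Dict[str, Any] = {}
    for key in indexed_fields:
        if key in body:
            fields[key] = body.pop(key)  # move, so the key is not sent twice
    if static_fields:
        fields.update(static_fields)
    envelope: Dict[str, Any] = {"event": body, "sourcetype": sourcetype, "time": event_time}
    if fields:
        envelope["fields"] = fields
    return envelope


def duplicated_keys(envelope: Dict[str, Any]) -> List[str]:
    """Keys present in both "event" and "fields": the symptom of a move that only copied."""
    fields = envelope.get("fields", {})
    return sorted(k for k in fields if k in envelope.get("event", {}))


def build_hec_request(
    endpoint: str, token: str, envelopes: List[Dict[str, Any]]
) -> Tuple[str, Dict[str, str], bytes]:
    """Assemble (url, headers, body) for POST /services/collector/event.

    HEC accepts several JSON objects concatenated in one body; the token travels
    only in the Authorization header, never in the URL or inside the event payload.
    """
    url = endpoint.rstrip("/") + "/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = "".join(json.dumps(e, separators=(",", ":")) for e in envelopes).encode()
    return url, headers, body


if __name__ == "__main__":
    moved = build_hec_envelope(SAMPLE_EVENT, indexed_fields=["location"], event_time=1700000000.0)
    decorated = build_hec_envelope(
        SAMPLE_EVENT,
        static_fields={"location": "MYLOCATION", "favoritecolor": "green"},
        event_time=1700000000.0,
    )
    print("moved:    ", json.dumps(moved), "duplicates:", duplicated_keys(moved))
    print("decorated:", json.dumps(decorated), "duplicates:", duplicated_keys(decorated))
```

Note the collision the decoration case exposes: the sample event already carries its own `location`, so with static `fields` Splunk receives both the raw value and the hard-coded `MYLOCATION`. Whether that is acceptable depends on which one the dashboards should key on; when the raw key must win, strip it in a transform before the sink rather than relying on the sink to reconcile the two.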