output splunk plugin: add possibility to set source with record key #10109

Open, wants to merge 1 commit into base: master

@rfloyrac rfloyrac commented Mar 20, 2025

Similarly to event_sourcetype_key, add the possibility to set the Splunk source from a specific key of the record.
The key is set via the config property event_source_key and takes precedence if both event_source and event_source_key are set.

The code is a pure adaptation of what was done for the event_sourcetype_key ==> aaecf64

Documentation: PR to fluent-bit-docs PR 1591

Testing
fluent-bit.config.conf: |-

[SERVICE]
  Flush        1
  Daemon       Off
  Log_Level    info

@INCLUDE fluent-bit.test-log.conf

fluent-bit.test-log.conf: |-

[INPUT]
  Name        tail
  DB           /logs/.fluentbit.test-log.db
  DB.locking   true
  Refresh_Interval 5
  read_from_head   true
  Path_Key filepath
  Static_Batch_Size 1M
  Path        /logs/test.log
  tag         test
  Threaded    true

[OUTPUT]
  Name        splunk
  Match       test
  Host        splunk-indexer.splunk
  Splunk_Token ${SPLUNK_TOKEN}
  event_index ${SPLUNK_INDEX}
  event_source source_from_output
  event_host My_pod
  event_sourcetype fluentbit
  event_key $log
  TLS         on
  TLS.Verify  off
  workers     2

[OUTPUT]
  Name        splunk
  Match       test
  Host        splunk-indexer.splunk
  Splunk_Token ${SPLUNK_TOKEN}
  event_index ${SPLUNK_INDEX}
  event_source source_from_event_source
  event_source_key $source_from_record_key
  event_host My_pod_1
  event_sourcetype fluentbit
  event_key $log
  TLS         on
  TLS.Verify  off
  workers     2

[OUTPUT]
  Name        splunk
  Match       test
  Host        splunk-indexer.splunk
  Splunk_Token ${SPLUNK_TOKEN}
  event_index ${SPLUNK_INDEX}
  event_source_key $source_from_record_key_2
  event_host My_pod_2
  event_sourcetype fluentbit
  event_key $log
  TLS         on
  TLS.Verify  off
  workers     2

[FILTER]
  Name record_modifier
  Match *
  Record source_from_record_key source_from_record_key
  Record source_from_record_key_2 source_from_record_key_2

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
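
An added example, not part of the pull request or of Fluent Bit's code: a small Python model of the precedence rule described above, applied to the three `[OUTPUT]` sections of the test config to show which `source` each resulting Splunk HEC event would carry. The helper names, the sample record, and the fallback to `event_source` when the key is missing or not a string are assumptions; only top-level `$name` accessors are modelled.

```python
import json

# Constructed sample: a record as it looks after the record_modifier
# filter from the test config has added its two keys.
RECORD = {
    "log": "hello from /logs/test.log",
    "filepath": "/logs/test.log",
    "source_from_record_key": "source_from_record_key",
    "source_from_record_key_2": "source_from_record_key_2",
}

# Source-related settings of the three [OUTPUT] sections in the test config.
OUTPUTS = [
    {"event_host": "My_pod", "event_source": "source_from_output"},
    {"event_host": "My_pod_1", "event_source": "source_from_event_source",
     "event_source_key": "$source_from_record_key"},
    {"event_host": "My_pod_2", "event_source_key": "$source_from_record_key_2"},
]


def resolve_source(output, record):
    """Return the source for one record, or None if nothing applies."""
    key = output.get("event_source_key")
    if key:
        value = record.get(key.lstrip("$"))
        if isinstance(value, str):
            return value  # the record key takes precedence over event_source
    # Assumption: a missing or non-string key falls back to event_source.
    return output.get("event_source")


def hec_event(output, record):
    """Build the HEC event envelope for one output (hypothetical helper)."""
    event = {"host": output["event_host"], "sourcetype": "fluentbit",
             "event": record["log"]}  # event_key $log sends only the log value
    source = resolve_source(output, record)
    if source is not None:
        event["source"] = source
    return event


if __name__ == "__main__":
    for out in OUTPUTS:
        print(json.dumps(hec_event(out, RECORD)))
```

With `event_source_key` set, the indexed source is taken from record data rather than static configuration, so searches and detections that filter on `source` should account for that.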

…imilarly to sourcetype

Signed-off-by: Romain FLOYRAC <romain.floyrac@amadeus.com>
@rfloyrac
Author

filter_rewrite_tag.c:354: Check heavy_loop > got... failed
expect: 100000 got: 100000

hmm not sure what to say :D
