support splunk data ingestion

Author: AndrewChubatiuk

app/vlinsert/datadog/datadog.go

@@ -32,10 +32,10 @@ var parserPool fastjson.ParserPool
 // RequestHandler processes Datadog insert requests
 func RequestHandler(path string, w http.ResponseWriter, r *http.Request) bool {
 	switch path {
-	case "/insert/datadog/api/v1/validate":
+	case "/api/v1/validate":
 		fmt.Fprintf(w, `{}`)
 		return true
-	case "/insert/datadog/api/v2/logs":
+	case "/api/v2/logs":
 		return datadogLogsIngestion(w, r)
 	default:
 		return false

app/vlinsert/main.go

@@ -16,6 +16,7 @@ import (
 	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/loki"
 	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/nativeinsert"
 	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/opentelemetry"
+	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/splunk"
 	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/syslog"
 )
 
@@ -56,6 +57,11 @@ func RequestHandler(w http.ResponseWriter, r *http.Request) bool {
 		return true
 	}
 
+	switch {
+	case strings.HasPrefix(path, "/services/collector"):
+		return splunk.RequestHandler(path, w, r)
+	}
+
 	return false
 }
 
@@ -78,15 +84,18 @@ func insertHandler(w http.ResponseWriter, r *http.Request, path string) bool {
 	// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/8353
 	case strings.HasPrefix(path, "/insert/elasticsearch"):
 		return elasticsearch.RequestHandler(path, w, r)
-
+	case strings.HasPrefix(path, "/insert/splunk"):
+		idx := len("/insert/splunk")
+		return splunk.RequestHandler(path[idx:], w, r)
 	case strings.HasPrefix(path, "/insert/loki/"):
 		return loki.RequestHandler(path, w, r)
 	case strings.HasPrefix(path, "/insert/opentelemetry/"):
 		return opentelemetry.RequestHandler(path, w, r)
 	case strings.HasPrefix(path, "/insert/journald/"):
 		return journald.RequestHandler(path, w, r)
 	case strings.HasPrefix(path, "/insert/datadog/"):
-		return datadog.RequestHandler(path, w, r)
+		idx := len("/insert/datadog")
+		return datadog.RequestHandler(path[idx:], w, r)
 	}
 
 	return false

app/vlinsert/splunk/splunk.go

@@ -0,0 +1,202 @@
+package splunk
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/protoparser/protoparserutil"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/writeconcurrencylimiter"
+	"github.com/VictoriaMetrics/metrics"
+
+	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/insertutil"
+	"github.com/VictoriaMetrics/VictoriaLogs/lib/logstorage"
+)
+
+var (
+	splunkStreamFields = flagutil.NewArrayString("splunk.streamFields", "Comma-separated list of fields to use as log stream fields for logs ingested over splunk protocol. "+
+		"See https://docs.victoriametrics.com/victorialogs/data-ingestion/splunk/#stream-fields")
+	splunkIgnoreFields = flagutil.NewArrayString("splunk.ignoreFields", "Comma-separated list of fields to ignore for logs ingested over splunk protocol. "+
+		"See https://docs.victoriametrics.com/victorialogs/data-ingestion/splunk/#dropping-fields")
+	splunkTimeField = flag.String("splunk.timeField", "time", "Field to use as a log timestamp for logs ingested via splunk protocol. "+
+		"See https://docs.victoriametrics.com/victorialogs/data-ingestion/splunk/#time-field")
+	splunkMsgField = flagutil.NewArrayString("splunk.msgField", "Field to use as a log message for logs ingested via splunk protocol. "+
+		"See https://docs.victoriametrics.com/victorialogs/data-ingestion/splunk/#message-field")
+	splunkTenantID = flag.String("splunk.tenantID", "0:0", "TenantID for logs ingested via the Journald endpoint. "+
+		"See https://docs.victoriametrics.com/victorialogs/data-ingestion/splunk/#multitenancy")
+)
+
+func getCommonParams(r *http.Request) (*insertutil.CommonParams, error) {
+	cp, err := insertutil.GetCommonParams(r)
+	if err != nil {
+		return nil, err
+	}
+	if cp.TenantID.AccountID == 0 && cp.TenantID.ProjectID == 0 {
+		tenantID, err := logstorage.ParseTenantID(*splunkTenantID)
+		if err != nil {
+			return nil, fmt.Errorf("cannot parse -splunk.tenantID=%q for splunk: %w", *splunkTenantID, err)
+		}
+		cp.TenantID = tenantID
+	}
+
+	if !cp.IsTimeFieldSet {
+		cp.TimeFields = []string{*splunkTimeField}
+	}
+	if len(cp.StreamFields) == 0 {
+		cp.StreamFields = getStreamFields()
+	}
+	if len(cp.IgnoreFields) == 0 {
+		cp.IgnoreFields = *splunkIgnoreFields
+	}
+	if len(cp.MsgFields) == 0 {
+		cp.MsgFields = getMsgFields()
+	}
+	return cp, nil
+}
+
+func getMsgFields() []string {
+	if len(*splunkMsgField) > 0 {
+		return *splunkMsgField
+	}
+	return []string{"event"}
+}
+
+func getStreamFields() []string {
+	if len(*splunkStreamFields) > 0 {
+		return *splunkStreamFields
+	}
+	return defaultStreamFields
+}
+
+var defaultStreamFields = []string{
+	"sourcetype",
+	"host",
+	"source",
+}
+
+// RequestHandler processes splunk insert requests
+func RequestHandler(path string, w http.ResponseWriter, r *http.Request) bool {
+	if !strings.HasPrefix(path, "/services/collector/event") {
+		return false
+	}
+	switch r.Method {
+	case http.MethodOptions:
+		w.WriteHeader(http.StatusOK)
+		return true
+	case http.MethodPost:
+		w.Header().Add("Content-Type", "application/json")
+	default:
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return true
+	}
+
+	startTime := time.Now()
+	requestsTotal.Inc()
+
+	cp, err := getCommonParams(r)
+	if err != nil {
+		httpserver.Errorf(w, r, "%s", err)
+		return true
+	}
+	if err := insertutil.CanWriteData(); err != nil {
+		httpserver.Errorf(w, r, "%s", err)
+		return true
+	}
+
+	encoding := r.Header.Get("Content-Encoding")
+	reader, err := protoparserutil.GetUncompressedReader(r.Body, encoding)
+	if err != nil {
+		logger.Errorf("cannot decode splunk request: %s", err)
+		return true
+	}
+	defer protoparserutil.PutUncompressedReader(reader)
+
+	lmp := cp.NewLogMessageProcessor("splunk", true)
+	streamName := fmt.Sprintf("remoteAddr=%s, requestURI=%q", httpserver.GetQuotedRemoteAddr(r), r.RequestURI)
+	err = processStreamInternal(streamName, reader, cp.TimeFields, cp.MsgFields, lmp)
+	lmp.MustClose()
+	if err != nil {
+		httpserver.Errorf(w, r, "cannot process splunk request; error: %s", err)
+		return true
+	}
+
+	requestDuration.UpdateDuration(startTime)
+	return true
+}
+
+func processStreamInternal(streamName string, r io.Reader, timeFields, msgFields []string, lmp insertutil.LogMessageProcessor) error {
+	wcr := writeconcurrencylimiter.GetReader(r)
+	defer writeconcurrencylimiter.PutReader(wcr)
+
+	lr := insertutil.NewLineReader(streamName, wcr)
+
+	n := 0
+	errors := 0
+	var lastError error
+	for {
+		ok, err := readLine(lr, timeFields, msgFields, lmp)
+		wcr.DecConcurrency()
+		if err != nil {
+			lastError = err
+			errors++
+			logger.Warnf("splunk: cannot read line #%d in /splunk request: %s", n, err)
+		}
+		if !ok {
+			break
+		}
+		n++
+	}
+	if errors > 0 {
+		errorsTotal.Add(errors)
+		if n == errors {
+			// Return an error if no logs were processed and there were errors
+			return lastError
+		}
+	}
+
+	return nil
+}
+
+func readLine(lr *insertutil.LineReader, timeFields, msgFields []string, lmp insertutil.LogMessageProcessor) (bool, error) {
+	var line []byte
+	for len(line) == 0 {
+		if !lr.NextLine() {
+			err := lr.Err()
+			return false, err
+		}
+		line = lr.Line
+	}
+
+	p := logstorage.GetJSONParser()
+	defer logstorage.PutJSONParser(p)
+
+	p.Init(line)
+	for p.NextMessage() {
+		if err := p.Error(); err != nil {
+			return true, err
+		}
+		ts, err := insertutil.ExtractTimestampFromFields(timeFields, p.Fields)
+		if err != nil {
+			return true, err
+		}
+		logstorage.RenameField(p.Fields, msgFields, "_msg")
+		lmp.AddRow(ts, p.Fields, -1)
+	}
+	if err := p.Error(); err != nil {
+		return true, err
+	}
+	return true, nil
+}
+
+var (
+	requestsTotal = metrics.NewCounter(`vl_http_requests_total{path="/insert/splunk"}`)
+	errorsTotal   = metrics.NewCounter(`vl_http_errors_total{path="/insert/splunk"}`)
+
+	requestDuration = metrics.NewSummary(`vl_http_request_duration_seconds{path="/insert/splunk"}`)
+)

app/vlinsert/splunk/splunk_test.go

@@ -0,0 +1,95 @@
+package splunk
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/VictoriaMetrics/VictoriaLogs/app/vlinsert/insertutil"
+)
+
+func TestProcessStreamInternalSuccess(t *testing.T) {
+	f := func(data, timeField, msgField string, timestampsExpected []int64, resultExpected string) {
+		t.Helper()
+
+		timeFields := []string{timeField}
+		msgFields := []string{msgField}
+		tlp := &insertutil.TestLogMessageProcessor{}
+		r := bytes.NewBufferString(data)
+		if err := processStreamInternal("test", r, timeFields, msgFields, tlp); err != nil {
+			t.Fatalf("unexpected error: %s", err)
+		}
+
+		if err := tlp.Verify(timestampsExpected, resultExpected); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	data := `{"@timestamp":"2023-06-06T04:48:11.735Z","event":"foobar","source":"docker","host":"localhost"}` +
+		`{"@timestamp":"2023-06-06T04:48:12.735+01:00","event":"baz"}` +
+		`{"event":"xyz","@timestamp":"2023-06-06 04:48:13.735Z","x":"y"}`
+	timeField := "@timestamp"
+	msgField := "event"
+	timestampsExpected := []int64{1686026891735000000, 1686023292735000000, 1686026893735000000}
+	resultExpected := `{"_msg":"foobar","source":"docker","host":"localhost"}
+{"_msg":"baz"}
+{"_msg":"xyz","x":"y"}`
+	f(data, timeField, msgField, timestampsExpected, resultExpected)
+
+	// Non-existing msgField
+	data = `{"@timestamp":"2023-06-06T04:48:11.735Z","log":{"offset":71770,"file":{"path":"/var/log/auth.log"}},"message":"foobar"}` +
+		`{"@timestamp":"2023-06-06T04:48:12.735+01:00","message":"baz"}`
+	timeField = "@timestamp"
+	msgField = "foobar"
+	timestampsExpected = []int64{1686026891735000000, 1686023292735000000}
+	resultExpected = `{"log.offset":"71770","log.file.path":"/var/log/auth.log","message":"foobar"}
+{"message":"baz"}`
+	f(data, timeField, msgField, timestampsExpected, resultExpected)
+
+	// invalid lines among valid lines
+	data = `
+dsfodmasd
+
+{"time":"2023-06-06T04:48:11.735Z","log":{"offset":71770,"file":{"path":"/var/log/auth.log"}},"message":"foobar"}
+invalid line
+{"time":"2023-06-06T04:48:12.735+01:00","message":"baz"}
+asbsdf
+
+`
+	timeField = "time"
+	msgField = "message"
+	timestampsExpected = []int64{1686026891735000000, 1686023292735000000}
+	resultExpected = `{"log.offset":"71770","log.file.path":"/var/log/auth.log","_msg":"foobar"}
+{"_msg":"baz"}`
+	f(data, timeField, msgField, timestampsExpected, resultExpected)
+}
+
+func TestProcessStreamInternalFailure(t *testing.T) {
+	f := func(data string) {
+		t.Helper()
+
+		tlp := &insertutil.TestLogMessageProcessor{}
+		r := strings.NewReader(data)
+		if err := processStreamInternal("test", r, []string{"time"}, nil, tlp); err == nil {
+			t.Fatalf("expected error, got nil")
+		}
+
+		if err := tlp.Verify(nil, ""); err != nil {
+			t.Fatalf("unexpected error: %s", err)
+		}
+	}
+
+	// invalid json
+	f("foobar")
+
+	f(`foo
+bar`)
+
+	f(`
+foo
+
+`)
+
+	// invalid timestamp field
+	f(`{"time":"foobar"}`)
+}

deployment/docker/victorialogs/vector/splunk/compose.yml

@@ -0,0 +1,3 @@
+include:
+ - ../compose-base.yml
+name: vector-splunk

deployment/docker/victorialogs/vector/splunk/vector.yml

@@ -0,0 +1,36 @@
+api:
+  enabled: true
+  address: 0.0.0.0:8686
+sources:
+  docker:
+    type: docker_logs
+  metrics:
+    type: internal_metrics
+transforms:
+  msg_parser:
+    type: remap
+    inputs:
+      - docker
+    source: |
+      .message = parse_json(.message) ?? .message
+sinks:
+  splunk:
+    type: splunk_hec_logs
+    inputs:
+      - msg_parser
+    endpoint: http://vlagent:9429/insert/splunk
+    indexed_fields:
+      - image
+    encoding:
+      codec: json
+    compression: gzip
+    default_token: test
+    healthcheck:
+      enabled: false
+  victoriametrics:
+    type: prometheus_remote_write
+    endpoint: http://victoriametrics:8428/api/v1/write
+    inputs: 
+      - metrics
+    healthcheck:
+      enabled: false