Skip to content

app/vlinsert: splunk support#710

Open
AndrewChubatiuk wants to merge 1 commit intomasterfrom
splunk
Open

app/vlinsert: splunk support#710
AndrewChubatiuk wants to merge 1 commit intomasterfrom
splunk

Conversation

@AndrewChubatiuk
Copy link
Contributor

@AndrewChubatiuk AndrewChubatiuk commented Sep 26, 2025
edited
Loading

Describe Your Changes

  • replaced fastjson.Parser with fastjson.Scanner, since one line can contains multiple log entries
  • added separate endpoint for Splunk HEC events
  • since no collector, that supports Splunk events provides an ability to set extra HTTP headers or extra args, -splunk.* cmd arguments were added

Checklist

The following checks are mandatory:

@AndrewChubatiuk AndrewChubatiuk marked this pull request as draft September 26, 2025 10:57
@AndrewChubatiuk AndrewChubatiuk force-pushed the splunk branch 4 times, most recently from 0fb01c9 to 77ab347 Compare December 15, 2025 19:18
@AndrewChubatiuk AndrewChubatiuk marked this pull request as ready for review December 15, 2025 19:24
@AndrewChubatiuk AndrewChubatiuk force-pushed the splunk branch 4 times, most recently from 9005319 to 43b45c8 Compare December 20, 2025 07:50
@AndrewChubatiuk
Copy link
Contributor Author

AndrewChubatiuk commented Dec 20, 2025

@valyala could you please take a look at this PR?

vadimalekseev
vadimalekseev reviewed Jan 28, 2026
View reviewed changes
app/vlinsert/splunk/splunk.go Outdated

// RequestHandler processes splunk insert requests
func RequestHandler(path string, w http.ResponseWriter, r *http.Request) bool {
if !strings.HasPrefix(path, "/services/collector/event") {
Copy link
Member

@vadimalekseev vadimalekseev Jan 28, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we support the /services/collector/raw and /services/collector/health endpoints?
In log collectors like Vector and FluentBit, you can choose between different event/raw modes.

See https://docs.splunk.com/Documentation/Splunk/8.0.0/RESTREF/RESTinput#services.2Fcollector.2Fraw

JFYI: I also noticed there is /services/collector/mint endpoint, but it looks like other log collectors do not support it: https://docs.splunk.com/Documentation/Splunk/8.0.0/RESTREF/RESTinput#services.2Fcollector.2Fmint

Copy link
Contributor Author

@AndrewChubatiuk AndrewChubatiuk Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need to support mint, as it's deprecated, added /health support. Regarding raw not sure how should accepted data be treated. There's no strict boundary between type passed via sourcetype and received data. Also which source types should we automatically parse and which should just accept as is

@AndrewChubatiuk AndrewChubatiuk force-pushed the splunk branch 5 times, most recently from 605b052 to 351d07f Compare February 4, 2026 09:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vadimalekseev vadimalekseev vadimalekseev left review comments

@valyala valyala Awaiting requested review from valyala

@func25 func25 Awaiting requested review from func25

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AndrewChubatiuk @vadimalekseev