From ec6a4fcc2cef317c7430bcdea98f2e30ffb85951 Mon Sep 17 00:00:00 2001 From: Romain FLOYRAC Date: Thu, 20 Mar 2025 13:57:02 +0100 Subject: [PATCH] output splunk plugin: add possibility to set source with record key similarly to sourcetype Signed-off-by: Romain FLOYRAC --- plugins/out_splunk/splunk.c | 30 +++++++++++++++++++++++++++--- plugins/out_splunk/splunk.h | 6 +++++- plugins/out_splunk/splunk_conf.c | 25 +++++++++++++------------ 3 files changed, 45 insertions(+), 16 deletions(-) diff --git a/plugins/out_splunk/splunk.c b/plugins/out_splunk/splunk.c index 5e9bd37ab4e..715eb960f24 100644 --- a/plugins/out_splunk/splunk.c +++ b/plugins/out_splunk/splunk.c @@ -269,6 +269,7 @@ static int pack_map_meta(struct flb_splunk *ctx, char *tag, int tag_len) { int index_key_set = FLB_FALSE; + int source_key_set = FLB_FALSE; int sourcetype_key_set = FLB_FALSE; flb_sds_t str; struct mk_list *head; @@ -294,11 +295,13 @@ static int pack_map_meta(struct flb_splunk *ctx, } } - /* event source */ - if (ctx->event_source) { - str = flb_ra_translate(ctx->ra_event_source, tag, tag_len, + + /* event source (key lookup) */ + if (ctx->event_source_key) { + str = flb_ra_translate(ctx->ra_event_source_key, tag, tag_len, map, NULL); if (str) { + /* source_key was found */ if (flb_sds_len(str) > 0) { flb_mp_map_header_append(mh); msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCE) -1); @@ -307,11 +310,25 @@ static int pack_map_meta(struct flb_splunk *ctx, sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCE) - 1); msgpack_pack_str(mp_pck, flb_sds_len(str)); msgpack_pack_str_body(mp_pck, str, flb_sds_len(str)); + source_key_set = FLB_TRUE; } flb_sds_destroy(str); } + /* If not found, it will fallback to the value set in event_source */ + } + + if (source_key_set == FLB_FALSE && ctx->event_source) { + flb_mp_map_header_append(mh); + msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCE) -1); + msgpack_pack_str_body(mp_pck, + FLB_SPLUNK_DEFAULT_EVENT_SOURCE, + sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCE) - 1); + msgpack_pack_str(mp_pck, flb_sds_len(ctx->event_source)); + msgpack_pack_str_body(mp_pck, + ctx->event_source, flb_sds_len(ctx->event_source)); } + /* event sourcetype (key lookup) */ if (ctx->event_sourcetype_key) { str = flb_ra_translate(ctx->ra_event_sourcetype_key, tag, tag_len, @@ -1117,6 +1134,13 @@ static struct flb_config_map config_map[] = { "Set the source value to assign to the event data." }, + { + FLB_CONFIG_MAP_STR, "event_source_key", NULL, + 0, FLB_TRUE, offsetof(struct flb_splunk, event_source_key), + "Set a record key that will populate 'source'. If the key is found, it will " + "have precedence over the value set in 'event_source'." + }, + { FLB_CONFIG_MAP_STR, "event_sourcetype", NULL, 0, FLB_TRUE, offsetof(struct flb_splunk, event_sourcetype), diff --git a/plugins/out_splunk/splunk.h b/plugins/out_splunk/splunk.h index f86d918327b..1178d51e086 100644 --- a/plugins/out_splunk/splunk.h +++ b/plugins/out_splunk/splunk.h @@ -62,7 +62,11 @@ struct flb_splunk { /* Event source */ flb_sds_t event_source; - struct flb_record_accessor *ra_event_source; + + /* Event source record key */ + flb_sds_t event_source_key; + struct flb_record_accessor *ra_event_source_key; + /* * NOTE: EVENT SOURCE diff --git a/plugins/out_splunk/splunk_conf.c b/plugins/out_splunk/splunk_conf.c index 43ccdc1879c..c102bf075ee 100644 --- a/plugins/out_splunk/splunk_conf.c +++ b/plugins/out_splunk/splunk_conf.c @@ -195,26 +195,27 @@ struct flb_splunk *flb_splunk_conf_create(struct flb_output_instance *ins, } } - /* Event source */ - if (ctx->event_source) { - ctx->ra_event_source = flb_ra_create(ctx->event_source, FLB_TRUE); - if (!ctx->ra_event_source) { + /* Event source (key lookup) */ + if (ctx->event_source_key) { + ctx->ra_event_source_key = flb_ra_create(ctx->event_source_key, FLB_TRUE); + if (!ctx->ra_event_source_key) { flb_plg_error(ctx->ins, - "cannot create record accessor for event_source pattern: '%s'", - ctx->event_host); + "cannot create record accessor for " + "event_source_key pattern: '%s'", + ctx->event_source_key); flb_splunk_conf_destroy(ctx); return NULL; } } - /* Event source (key lookup) */ + /* Event sourcetype (key lookup) */ if (ctx->event_sourcetype_key) { ctx->ra_event_sourcetype_key = flb_ra_create(ctx->event_sourcetype_key, FLB_TRUE); if (!ctx->ra_event_sourcetype_key) { flb_plg_error(ctx->ins, "cannot create record accessor for " "event_sourcetype_key pattern: '%s'", - ctx->event_host); + ctx->event_sourcetype_key); flb_splunk_conf_destroy(ctx); return NULL; } @@ -227,7 +228,7 @@ struct flb_splunk *flb_splunk_conf_create(struct flb_output_instance *ins, flb_plg_error(ctx->ins, "cannot create record accessor for " "event_index_key pattern: '%s'", - ctx->event_host); + ctx->event_index_key); flb_splunk_conf_destroy(ctx); return NULL; } @@ -273,7 +274,7 @@ struct flb_splunk *flb_splunk_conf_create(struct flb_output_instance *ins, flb_plg_error(ctx->ins, "cannot create record accessor for " "metadata_auth_key pattern: '%s'", - ctx->event_host); + ctx->metadata_auth_key); flb_splunk_conf_destroy(ctx); return NULL; } @@ -312,8 +313,8 @@ int flb_splunk_conf_destroy(struct flb_splunk *ctx) flb_ra_destroy(ctx->ra_event_host); } - if (ctx->ra_event_source) { - flb_ra_destroy(ctx->ra_event_source); + if (ctx->ra_event_source_key) { + flb_ra_destroy(ctx->ra_event_source_key); } if (ctx->ra_event_sourcetype_key) {