Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

output splunk plugin: add possibility to set source with record key #10109

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

output splunk plugin: add possibility to set source with record key #10109

wants to merge 1 commit into from
+45 −16

Conversation

rfloyrac
Copy link

@rfloyrac rfloyrac commented Mar 20, 2025
edited
Loading

Similarly to event_sourcetype_key, add the possibility to set the splunk source from a specific key of the record.
The key is set via the config property event_source_key and takes precedence if both event_source and event_source_key are set.

The code is a pure adaptation of what was done for the event_sourcetype_key ==> aaecf64

Documentation: PR to fluent-bit-docs PR 1591

Testing
fluent-bit.config.conf: |-

[SERVICE]
  Flush        1
  Daemon       Off
  Log_Level    info

@INCLUDE fluent-bit.test-log.conf

fluent-bit.test-log.conf: |-

[INPUT]
  Name        tail
  DB           /logs/.fluentbit.test-log.db
  DB.locking   true
  Refresh_Interval 5
  read_from_head   true
  Path_Key filepath
  Static_Batch_Size 1M
  Path        /logs/test.log
  tag         test
  Threaded    true

[OUTPUT]
  Name        splunk
  Match       test
  Host        splunk-indexer.splunk
  Splunk_Token ${SPLUNK_TOKEN}
  event_index ${SPLUNK_INDEX}
  event_source source_from_output
  event_host My_pod
  event_sourcetype fluentbit
  event_key $log
  TLS         on
  TLS.Verify  off
  workers     2

[OUTPUT]
  Name        splunk
  Match       test
  Host        splunk-indexer.splunk
  Splunk_Token ${SPLUNK_TOKEN}
  event_index ${SPLUNK_INDEX}
  event_source source_from_event_source
  event_source_key $source_from_record_key
  event_host My_pod_1
  event_sourcetype fluentbit
  event_key $log
  TLS         on
  TLS.Verify  off
  workers     2

[OUTPUT]
  Name        splunk
  Match       test
  Host        splunk-indexer.splunk
  Splunk_Token ${SPLUNK_TOKEN}
  event_index ${SPLUNK_INDEX}
  event_source_key $source_from_record_key_2
  event_host My_pod_2
  event_sourcetype fluentbit
  event_key $log
  TLS         on
  TLS.Verify  off
  workers     2

[FILTER]
  Name record_modifier
  Match *
  Record source_from_record_key source_from_record_key
  Record source_from_record_key_2 source_from_record_key_2

image

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@rfloyrac rfloyrac force-pushed the feature/splunk_source_as_key branch from 19b849f to ec6a4fc Compare March 20, 2025 14:23
@rfloyrac rfloyrac marked this pull request as ready for review March 20, 2025 14:45
@rfloyrac rfloyrac mentioned this pull request Mar 20, 2025
Open
@rfloyrac
Copy link
Author

filter_rewrite_tag.c:354: Check heavy_loop > got... failed
expect: 100000 got: 100000

hmm not sure what to say :D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edsiper edsiper

@leonardo-albertovich leonardo-albertovich

@fujimotos fujimotos

@koleini koleini

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rfloyrac @superjo007