splunk output with splunk_send_raw on is using the wrong endpoint #8927
Comments
|
We should make the URi configurable with send raw @cosmo0920 |
|
It would solve my issue, but I'm not sure why you want to ever hit the {
"event": "<message sent to the /raw endpoint>",
"time": "<timestamp when the message was received>"
}This wrapping is exactly what the splunk output in fluent bit is doing by default, i.e. Thus, there is never a need to use the
In both cases however, the output from fluent-bit is JSON object and thus has to go to the |
Fixes fluent#8927. This does **not** remove the ability to send raw events, i.e. using `Splunk_Send_Raw On`, but rather sends them to correct endpoint.
Fixes fluent#8927. This does **not** remove the ability to send raw events, i.e. using `Splunk_Send_Raw On`, but rather sends them to correct endpoint. Signed-off-by: Philip Meier <github.pmeier@posteo.de>
Bug Report
Describe the bug
When using the
splunkoutput withSplunk_Send_Raw Onthe data is send to the/services/collector/rawendpoint rather than/services/collector/event:fluent-bit/plugins/out_splunk/splunk.h
Lines 25 to 26 in c3d1280
This seems to be wrong. To the best of my understanding, the term "raw" for Splunk means "raw log message without metadata". It is not entirely clear from their documentation, but in the examples they are only ever explicitly using the
/services/collector/rawendpoint when sending pure messages. This is also supported by our observations that when we are usingSplunk_Send_Raw On, the whole record is showing up as JSON string as message, rather than it being parsed out.This was introduced in aeb18f7 (cc @edsiper) and first released with v1.8.0. The commit message states
without further indication what exactly was supposed to be fixed by this. In contrast, this likely broke the raw mode.
The text was updated successfully, but these errors were encountered: