Document Splunk HEC metadata and raw endpoint support #278
Open
Update the `to_splunk` reference with the new event metadata options, raw endpoint behavior, and examples for time, fields, and raw events.
Update the `to_splunk` reference to describe raw HEC mode through the mutually exclusive `raw` expression instead of the removed `endpoint` option.
🔍 Problem

The `to_splunk` reference did not cover the new HEC metadata options or raw endpoint mode from the code PR:

- `_time`, indexed HEC fields, and raw event ingestion.
- `raw=...` API instead of the earlier endpoint-selector draft.

🛠️ Solution

- `to_splunk` signature and option descriptions for `event`, `raw`, `time`, and `fields`.
- `event=...` selects the envelope payload, and `raw=<string>` selects raw HEC mode.
- `event=...` and `raw=...` are mutually exclusive.
- `fields` is not supported with `raw=...`.

💬 Review

- Check that the raw endpoint wording makes request-level metadata clear.
- Check that the examples use the final `raw=...` UX.
- Check that the examples match the new `to_splunk` behavior in Add Splunk HEC metadata and raw endpoint support tenzir#6074 and tenzir/tenzir-plugins#520.

🛠️ Code PR: tenzir/tenzir#6074
🧩 Plugin PR: tenzir/tenzir-plugins#520
🎫 References TNZ-517, TNZ-518, TNZ-519
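As an added illustration (not code from the Tenzir docs or the `to_splunk` operator), the Python below builds the two Splunk HEC request shapes the PR contrasts and enforces the rules it states: `event=...` and `raw=...` are mutually exclusive, and `fields` has no place in raw mode because metadata can only travel as request-level query parameters there. Endpoint paths and envelope keys follow Splunk's HEC protocol; the host, token, and events are constructed samples.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode


class HecOptionError(ValueError):
    """An option combination the operator rejects."""


def build_hec_request(base_url, token, *, event=None, raw=None, time=None,
                      fields=None, host=None, source=None, sourcetype=None,
                      index=None):
    """Return (url, headers, body) for Splunk HEC in event or raw mode.

    event=... uses the JSON envelope of /services/collector/event, where time
    and fields are per-event keys. raw=... posts the string unchanged to
    /services/collector/raw, so host/source/sourcetype/index can only travel
    as request-level query parameters and indexed fields have nowhere to go.
    """
    if (event is None) == (raw is None):
        raise HecOptionError("exactly one of event=... or raw=... is required")
    if raw is not None and fields is not None:
        raise HecOptionError("fields is not supported with raw=...")
    headers = {"Authorization": f"Splunk {token}"}
    meta = {k: v for k, v in (("host", host), ("source", source),
            ("sourcetype", sourcetype), ("index", index)) if v is not None}
    root = base_url.rstrip("/") + "/services/collector"
    if raw is not None:
        query = "?" + urlencode(meta) if meta else ""
        return f"{root}/raw{query}", headers, raw.encode()
    envelope = {"event": event, **meta}
    if time is not None:
        envelope["time"] = time.timestamp()  # HEC expects epoch seconds
    if fields:
        envelope["fields"] = fields
    headers["Content-Type"] = "application/json"
    return f"{root}/event", headers, json.dumps(envelope).encode()


def example_requests():
    """Constructed sample data (not real events); returns decoded bodies."""
    base, token = "https://splunk.example:8088", "HEC-TOKEN-PLACEHOLDER"
    ev_url, _, ev_body = build_hec_request(
        base, token, event={"user": "alice", "action": "login"},
        time=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
        fields={"env": "prod"}, sourcetype="_json", index="auth")
    raw_url, _, raw_body = build_hec_request(
        base, token, host="bastion", sourcetype="syslog", index="auth",
        raw="<134>May  1 12:00:00 bastion sshd[412]: Accepted publickey")
    return {"event": (ev_url, json.loads(ev_body)), "raw": (raw_url, raw_body.decode())}
```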