Module splunk

Splunk HTTP Event Collector (HEC) compatible ingestion endpoint.

Clients point their base endpoint at /v1/splunk, so the full paths are e.g. /v1/splunk/services/collector/event and /v1/splunk/services/collector/health.

Constants

DEFAULT_SPLUNK_TABLE 🔒
Default table used when neither the event’s index nor a ?table= query param is provided.
HEC_HEALTHY_CODE 🔒
HEC response code for a healthy collector. Splunk returns {"text":"HEC is healthy","code":17}.

Functions

apply_tag_columns 🔒
Retags Field columns to Tag per table (identity makes everything a Field) so the insert path adds them to the primary key. Tags are scoped by table name so a batch targeting multiple tables can’t cross-promote a same-named field. Identity-only: rebuilds under the default opt.
handle_event
POST /services/collector/event (+ /services/collector, /event/1.0 aliases). Parses HEC events, runs them through the pipeline (identity default, overridable), and inserts with metadata columns as tags.
handle_health
GET /services/collector/health (+ /1.0). Public (see PUBLIC_API_PREFIX), since clients probe it before sending. ack/token query params are ignored.
hec_event_to_map 🔒
Maps one HEC event to (table, per-event map, tag names): time->timestamp, index->table, host/source/sourcetype/fields->tags, event+rest->data. None if the event isn’t a JSON object.
hec_response 🔒
HEC response body {"text", "code"}; clients branch on code.
ingest_events 🔒
Like ingest_logs_inner, but retags metadata columns (identity default) before insert.
is_blank_event 🔒
A HEC event value is blank if it’s null or an empty/whitespace-only string.
is_splunk_request 🔒
parse_hec_events 🔒
Parses a HEC body into a flat list of events. Handles both batch forms: objects concatenated with any/no separator, and a top-level array (flattened).
parse_hec_time 🔒
HEC time: epoch seconds (optionally fractional); values past ~1e12 are read as milliseconds. None if absent/unparseable (caller falls back to ingest time).
sanitize_index 🔒
Coerces a Splunk index into a valid table name (NAME_PATTERN); None if empty.
validate_event 🔒
Returns HEC code 12 when event is missing and 13 when it is blank; a time that is present and non-null but unparsable returns 6.
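The summaries above fix the observable behaviour of the endpoint without showing it end to end, so here is an added stand-alone Python sketch of the same rules (it is not the module's Rust code): splitting a HEC body into events from both batch forms, the seconds-versus-milliseconds time heuristic, the 12/13/6 validation codes, index-to-table sanitisation and the event-to-row mapping. The value of DEFAULT_SPLUNK_TABLE, the NAME_PATTERN rule, the error message strings and the sample body are assumptions constructed for the example; only the numeric codes and the field mapping come from the page.

```python
import json
import re
from typing import Any, Optional

# Codes quoted on the page: missing event -> 12, blank event -> 13,
# unparsable time -> 6, healthy collector -> 17.
HEC_HEALTHY_CODE = 17
DEFAULT_SPLUNK_TABLE = "splunk"                # assumed default; the real value is private
NAME_PATTERN = re.compile(r"[^A-Za-z0-9_]+")   # assumed table-name rule: keep [A-Za-z0-9_]
MS_THRESHOLD = 1e12                            # "values past ~1e12 are read as milliseconds"
METADATA_KEYS = ("host", "source", "sourcetype")


def hec_response(text: str, code: int) -> dict:
    """HEC response body; clients branch on the code, the text is informational."""
    return {"text": text, "code": code}


def parse_hec_events(body: str) -> list:
    """Flatten a HEC body into a list of events: a top-level array, or JSON objects
    concatenated with any (or no) separator. Raises ValueError on malformed JSON."""
    decoder = json.JSONDecoder()
    events, pos, n = [], 0, len(body)
    while pos < n:
        while pos < n and body[pos] not in "{[":   # skip whitespace/commas between values
            pos += 1
        if pos >= n:
            break
        value, pos = decoder.raw_decode(body, pos)
        events.extend(value) if isinstance(value, list) else events.append(value)
    return events


def parse_hec_time(value: Any) -> Optional[float]:
    """Epoch seconds (optionally fractional); past ~1e12 treated as milliseconds.
    None if absent or unparseable so the caller can fall back to ingest time."""
    if value is None or isinstance(value, bool):
        return None
    try:
        t = float(value)
    except (TypeError, ValueError):
        return None
    if t != t or t in (float("inf"), float("-inf")):   # reject NaN/inf
        return None
    return t / 1000.0 if t > MS_THRESHOLD else t


def is_blank_event(value: Any) -> bool:
    return value is None or (isinstance(value, str) and value.strip() == "")


def validate_event(event: dict) -> Optional[dict]:
    """Return a HEC error response, or None if the event is acceptable."""
    if "event" not in event:
        return hec_response("No data", 12)                       # assumed message text
    if is_blank_event(event["event"]):
        return hec_response("Event field cannot be blank", 13)   # assumed message text
    t = event.get("time")
    if t is not None and parse_hec_time(t) is None:
        return hec_response("Invalid data format", 6)            # assumed message text
    return None


def sanitize_index(index: Any) -> Optional[str]:
    """Coerce a Splunk index into a valid table name; None if empty."""
    if not isinstance(index, str):
        return None
    name = NAME_PATTERN.sub("_", index.strip()).strip("_")
    return name or None


def hec_event_to_map(event: Any, default_table: str = DEFAULT_SPLUNK_TABLE):
    """Map one HEC event to (table, row, tag_names); None if not a JSON object."""
    if not isinstance(event, dict):
        return None
    row, tags = {}, []
    table = sanitize_index(event.get("index")) or default_table
    ts = parse_hec_time(event.get("time"))
    if ts is not None:
        row["timestamp"] = ts
    for key in METADATA_KEYS:                      # host/source/sourcetype -> tags
        if event.get(key) is not None:
            row[key] = str(event[key])
            tags.append(key)
    fields = event.get("fields")
    if isinstance(fields, dict):                   # fields -> tags
        for key, val in fields.items():
            row[key] = val if isinstance(val, str) else json.dumps(val)
            tags.append(key)
    skip = ("time", "index", "fields", *METADATA_KEYS)
    rest = {k: v for k, v in event.items() if k not in skip}
    row["data"] = json.dumps(rest, sort_keys=True)  # event + remaining keys -> data
    return table, row, tags


# Constructed sample body: two valid events (second with a millisecond time),
# then an array with a blank event, an unparsable time and a missing event.
SAMPLE_BODY = (
    '{"time": 1700000000.5, "index": "web-logs", "host": "h1", "sourcetype": "nginx",'
    ' "fields": {"region": "eu"}, "event": "GET /"}'
    '{"time": 1700000000500, "event": {"msg": "hello"}}'
    '[{"event": "   "}, {"time": "yesterday", "event": "x"}, {"host": "h2"}]'
)


def ingest(body: str):
    """Parse, validate and map a HEC body; returns (rows, error_responses)."""
    rows, errors = [], []
    for ev in parse_hec_events(body):
        if not isinstance(ev, dict):
            errors.append(hec_response("Invalid data format", 6))
            continue
        err = validate_event(ev)
        if err:
            errors.append(err)
            continue
        rows.append(hec_event_to_map(ev))
    return rows, errors


if __name__ == "__main__":
    rows, errors = ingest(SAMPLE_BODY)
    for table, row, tags in rows:
        print(table, tags, row)
    print([e["code"] for e in errors])
```

Running the sample yields two rows (tables web_logs and splunk, both at 1700000000.5 seconds) and the error codes 13, 6 and 12 in batch order. Because index is sanitised before it chooses a table and metadata becomes tags per table, a client cannot steer a record into an arbitrary table name or promote a same-named field across tables through the batch.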