Splunk HTTP Event Collector (HEC) compatible ingestion endpoint.
Clients point their base endpoint at /v1/splunk, so the full paths are e.g.
/v1/splunk/services/collector/event and /v1/splunk/services/collector/health.
Constants
- DEFAULT_SPLUNK_TABLE 🔒 - Default table used when neither the event's `index` nor a `?table=` query param is provided.
- HEC_HEALTHY_CODE 🔒 - HEC response code for a healthy collector. Splunk returns {"text":"HEC is healthy","code":17}.
Functions
- apply_tag_columns 🔒 - Retags `Field` columns to `Tag` per table (identity makes everything a `Field`) so the insert path adds them to the primary key. Tags are scoped by table name so a batch targeting multiple tables can't cross-promote a same-named field. Identity-only: rebuilds under the default opt.
- handle_event - POST /services/collector/event (+ /services/collector, /event/1.0 aliases). Parses HEC events, runs them through the pipeline (identity default, overridable), and inserts with metadata columns as tags.
- handle_health - GET /services/collector/health (+ /1.0). Public (see PUBLIC_API_PREFIX), since clients probe it before sending. `ack`/`token` query params are ignored.
- hec_event_to_map 🔒 - Maps one HEC event to (table, per-event map, tag names): `time` -> `timestamp`, `index` -> table, `host`/`source`/`sourcetype`/`fields` -> tags, `event` + rest -> `data`. `None` if the event isn't a JSON object.
- hec_response 🔒 - HEC response body {"text", "code"}; clients branch on `code`.
- ingest_events 🔒 - Like ingest_logs_inner, but retags metadata columns (identity default) before insert.
- is_blank_event 🔒 - A HEC `event` value is blank if it's `null` or an empty/whitespace-only string.
- is_splunk_request 🔒
- parse_hec_events 🔒 - Parses a HEC body into a flat list of events. Handles both batch forms: objects concatenated with any/no separator, and a top-level array (flattened).
- parse_hec_time 🔒 - HEC `time`: epoch seconds (optionally fractional); values past ~1e12 are read as milliseconds. `None` if absent/unparseable (caller falls back to ingest time).
- sanitize_index 🔒 - Coerces a Splunk `index` into a valid table name (NAME_PATTERN); `None` if empty.
- validate_event 🔒 - `event` missing -> 12, `event` blank -> 13; present, non-null but unparsable `time` -> 6.
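The parsing and validation rules above (parse_hec_events, parse_hec_time, validate_event, sanitize_index, hec_event_to_map and the batch loop of ingest_events) as one worked example. This is added illustrative Python, not the project's Rust code: the value of DEFAULT_SPLUNK_TABLE, the regex standing in for NAME_PATTERN, the coercion strategy for bad index characters, and reporting a non-object batch member as code 6 are all assumptions. It goes slightly beyond the page by rejecting `nan`/`inf` and boolean `time` values, which `float()` would otherwise accept as timestamps. The Splunk response texts for codes 0, 6, 12 and 13 are Splunk's published ones. The sample batch is constructed.

```python
import json, math, re
from typing import Any, Optional

DEFAULT_SPLUNK_TABLE = "splunk_events"  # assumed value; the project's default is not on the page
NAME_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed stand-in for the project's NAME_PATTERN
MS_THRESHOLD = 1e12  # epoch values past this are read as milliseconds
METADATA_KEYS = ("host", "source", "sourcetype")
HEC_TEXT = {0: "Success", 6: "Invalid data format",
            12: "Event field is required", 13: "Event field cannot be blank"}
_decoder = json.JSONDecoder()

def hec_response(code: int) -> dict:
    """HEC response body {"text", "code"}; clients branch on code."""
    return {"text": HEC_TEXT[code], "code": code}

def parse_hec_events(body: str) -> list:
    """Flat event list: objects concatenated with any/no separator, or a top-level array."""
    events, pos = [], 0
    while pos < len(body):
        if body[pos] in " \t\r\n,":  # tolerated separators between objects
            pos += 1
            continue
        value, pos = _decoder.raw_decode(body, pos)  # raises JSONDecodeError on junk
        events.extend(value if isinstance(value, list) else [value])
    return events

def parse_hec_time(raw: Any) -> Optional[float]:
    """Epoch seconds (fractional allowed); past ~1e12 read as ms; None if unparseable."""
    if raw is None or isinstance(raw, bool):
        return None
    try:
        t = float(raw)
    except (TypeError, ValueError):
        return None
    if not math.isfinite(t):  # "nan"/"inf" parse as floats but are not timestamps
        return None
    return t / 1000.0 if t > MS_THRESHOLD else t

def validate_event(ev: Any) -> Optional[int]:
    """HEC code for a rejected event, else None: event missing -> 12, blank -> 13, bad time -> 6."""
    if not isinstance(ev, dict):
        return 6  # assumption: a non-object batch member is reported as invalid data
    if "event" not in ev:
        return 12
    value = ev["event"]
    if value is None or (isinstance(value, str) and not value.strip()):  # is_blank_event
        return 13
    if ev.get("time") is not None and parse_hec_time(ev["time"]) is None:
        return 6
    return None

def sanitize_index(index: Any) -> Optional[str]:
    """Coerce a Splunk index into a valid table name; None if empty. A client-chosen
    index therefore never reaches the insert path as a raw identifier."""
    if not isinstance(index, str) or not index.strip():
        return None
    name = re.sub(r"[^A-Za-z0-9_]", "_", index.strip())
    return name if NAME_PATTERN.match(name) else "_" + name  # e.g. leading digit

def hec_event_to_map(ev: Any, ingest_time: float):
    """(table, per-event row, tag names); None if the event isn't a JSON object."""
    if not isinstance(ev, dict):
        return None
    ts = parse_hec_time(ev.get("time"))
    row, tags = {"timestamp": ingest_time if ts is None else ts}, []
    for key in METADATA_KEYS:  # host/source/sourcetype -> tags
        if key in ev:
            row[key] = ev[key]
            tags.append(key)
    fields = ev.get("fields")
    if isinstance(fields, dict):  # every indexed field -> tag
        row.update(fields)
        tags.extend(fields)
    skip = {"time", "index", "event", "fields", *METADATA_KEYS}
    row["data"] = {"event": ev.get("event"), **{k: v for k, v in ev.items() if k not in skip}}
    return sanitize_index(ev.get("index")) or DEFAULT_SPLUNK_TABLE, row, tags

def ingest_events(body: str, ingest_time: float):
    """Parse, validate and map a batch -> (rows grouped by table, HEC response)."""
    try:
        events = parse_hec_events(body)
    except json.JSONDecodeError:
        return {}, hec_response(6)
    by_table: dict = {}
    for ev in events:
        code = validate_event(ev)
        if code is not None:  # first rejected event fails the whole batch with its code
            return {}, hec_response(code)
        table, row, tags = hec_event_to_map(ev, ingest_time)
        by_table.setdefault(table, []).append((row, tags))
    return by_table, hec_response(0)

SAMPLE_BODY = (  # constructed batch: three objects, one newline separator then none
    '{"event":"login ok","time":1700000000.5,"host":"web-1","index":"auth"}\n'
    '{"event":{"action":"deny"},"time":1700000000500,"sourcetype":"fw","fields":{"zone":"dmz"}}'
    '{"event":"no index, odd name","index":"My Index-2"}'
)
```

Running `ingest_events(SAMPLE_BODY, ingest_time=99.0)` yields three tables: `auth`, the default table (no `index` given) and `My_Index_2` (coerced from `My Index-2`). The second event's millisecond `time` collapses to the same second as the first, and the third, lacking `time`, takes the ingest time. A single blank or malformed event anywhere in the batch produces a `{"text", "code"}` rejection instead of a partial insert.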