This repository was archived by the owner on Mar 21, 2020. It is now read-only.

Add option to send indexed fields along with events #25

Open
wants to merge 1 commit into
base: master
28 changes: 21 additions & 7 deletions lib/fluent/plugin/out_splunk-http-eventcollector.rb
Expand Up @@ -37,6 +37,8 @@ class SplunkHTTPEventcollectorOutput < BufferedOutput

config_param :test_mode, :bool, :default => false

config_param :send_fields, :bool, :default => false

config_param :server, :string, :default => 'localhost:8088'
config_param :verify, :bool, :default => true
config_param :token, :string, :default => nil
Expand All @@ -49,6 +51,7 @@ class SplunkHTTPEventcollectorOutput < BufferedOutput

config_param :sourcetype, :string, :default => 'fluentd'
config_param :source, :string, :default => nil
config_param :fields, :string, :default => nil
config_param :post_retry_max, :integer, :default => 5
config_param :post_retry_interval, :integer, :default => 5

Expand Down Expand Up @@ -157,13 +160,24 @@ def format(tag, time, record)

placeholders = @placeholder_expander.prepare_placeholders(placeholder_values)

splunk_object = Hash[
"time" => time.to_i,
"source" => if @source.nil? then tag.to_s else @placeholder_expander.expand(@source, placeholders) end,
"sourcetype" => @placeholder_expander.expand(@sourcetype.to_s, placeholders),
"host" => @placeholder_expander.expand(@host.to_s, placeholders),
"index" => @placeholder_expander.expand(@index, placeholders)
]
if @send_fields

@kevdowney kevdowney May 11, 2018


Wouldn't this be better as:

splunk_object = Hash[
    "time" => time.to_i,
    "source" => if @source.nil? then tag.to_s else @placeholder_expander.expand(@source, placeholders) end,
    "sourcetype" => @placeholder_expander.expand(@sourcetype.to_s, placeholders),
    "host" => @placeholder_expander.expand(@host.to_s, placeholders),
    "index" =>  @placeholder_expander.expand(@index, placeholders)
]

if @send_fields
    splunk_object = splunk_object.merge(Hash[
        "fields" => JSON.parse(@placeholder_expander.expand(@fields.to_s, placeholders))
    ])

splunk_object = Hash[
"time" => time.to_i,
"source" => if @source.nil? then tag.to_s else @placeholder_expander.expand(@source, placeholders) end,
"sourcetype" => @placeholder_expander.expand(@sourcetype.to_s, placeholders),
"host" => @placeholder_expander.expand(@host.to_s, placeholders),
"index" => @placeholder_expander.expand(@index, placeholders),
"fields" => JSON.parse(@placeholder_expander.expand(@fields.to_s, placeholders))
]
else
splunk_object = Hash[
"time" => time.to_i,
"source" => if @source.nil? then tag.to_s else @placeholder_expander.expand(@source, placeholders) end,
"sourcetype" => @placeholder_expander.expand(@sourcetype.to_s, placeholders),
"host" => @placeholder_expander.expand(@host.to_s, placeholders),
"index" => @placeholder_expander.expand(@index, placeholders)
]
end
# TODO: parse different source types as expected: KVP, JSON, TEXT
if @all_items
splunk_object["event"] = convert_to_utf8(record)
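Review bot: The `"fields"` entry in the `if @send_fields` branch runs `JSON.parse` on the string after placeholder expansion, so a substituted value containing a quote or backslash can make the document unparseable or add keys to `fields`. With `send_fields true` and `fields` left at its `nil` default, `@fields.to_s` is empty and the parse raises `JSON::ParserError` for every event. If `placeholder_values` (built outside this hunk) carries tag or record content, that input is chosen by whoever produces the log line, and an exception here may cost the event. Parsing `@fields` once in `configure` (raising `Fluent::ConfigError` when `send_fields` is set without a valid JSON object) and expanding placeholders per value on the parsed Hash keeps sender data out of the JSON grammar. `format` starts before this hunk and continues past it.

```ruby
if @send_fields
  # @fields_template: Hash parsed from @fields once in configure (outside this hunk)
  expanded_fields = @fields_template.each_with_object({}) do |(name, value), acc|
    acc[name] = value.is_a?(String) ? @placeholder_expander.expand(value, placeholders) : value
  end
  splunk_object = Hash[
    # … unchanged: time, source, sourcetype, host, index …
    "fields" => expanded_fields
  ]
# … unchanged: else branch …
```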