Labels
- provider: splunk (anything `splunk` service provider related)
- type: bug (a code related bug)
Description
A note for the community
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Problem
Vector appears to send objects as field values when a nested value is referenced in indexed_fields. This type of value is not supported by Splunk and it returns a 400:

```
2025-11-05T10:34:15.315981Z ERROR sink{component_kind="sink" component_id=splunk_raw component_type=splunk_hec_logs}:request{request_id=16}: vector::sinks::util::retries: Not retriable; dropping the request. reason="response status: 400 Bad Request" internal_log_rate_limit=true
```

The docs specify that only strings can be used as field values:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/IFXandHEC
Only strings can be used as field values.
For example, when indexed_fields is set to kubernetes.cluster where kubernetes is an object:

```yaml
splunk_raw:
  type: splunk_hec_logs
  inputs:
    - splunk_router.raw
  encoding:
    codec: text
  endpoint: "http://mitmproxy"
  index: "{{ config.sinks.splunk_raw.index }}"
  indexed_fields:
    - kubernetes.cluster
```

I find, when inspecting Vector using a mitmproxy, that the request that vector sent to Splunk was invalid:

```json
{
  "event": "foobar",
  "fields": {
    "kubernetes": {
      "cluster": "eu-west-1-foo"
    }
  },
  "time": 1762342983.017,
  "host": "ip-10-1-1-1.eu-west-1.compute.internal",
  "index": "my-index",
  "source": "aws",
  "sourcetype": "_json"
}
```

I would expect this to be flattened automatically to a valid HEC event like:

```json
{
  "event": "foobar",
  "fields": {
    "kubernetes.cluster": "eu-west-1-foo"
  },
  "time": 1762342983.017,
  "host": "ip-10-1-1-1.eu-west-1.compute.internal",
  "index": "my-index",
  "source": "aws",
  "sourcetype": "_json"
}
```

Currently only top-level strings in an event can be referenced in indexed_fields.
Configuration
Version
v0.50.0
Debug Output
Example Data
No response
Additional Context
No response
References
No response
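
Because the sink drops a request that gets a 400 without retrying, every event in it is lost to the index. The following is an added example, not code from Vector or from the issue author: a Python check that finds non-string values in a captured HEC `fields` object and flattens them to the dotted form the issue expects. The function names are hypothetical, and turning non-string scalars into their JSON text is an assumption.

```python
import json

# Request body as captured on the page: "fields" holds a nested object.
CAPTURED = json.loads("""
{"event": "foobar",
 "fields": {"kubernetes": {"cluster": "eu-west-1-foo"}},
 "time": 1762342983.017,
 "host": "ip-10-1-1-1.eu-west-1.compute.internal",
 "index": "my-index", "source": "aws", "sourcetype": "_json"}
""")


def non_string_fields(fields):
    """Top-level keys in a HEC "fields" object whose value is not a string."""
    return sorted(k for k, v in fields.items() if not isinstance(v, str))


def flatten_fields(fields, prefix=""):
    """Flatten nested objects into dotted keys with string-only values."""
    flat = {}
    for key, value in fields.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            items = flatten_fields(value, path)
        elif isinstance(value, str):
            items = {path: value}
        else:
            # Assumption: other JSON types (numbers, booleans, null, arrays)
            # are serialized to their JSON text so the value is a string.
            items = {path: json.dumps(value)}
        for flat_key, flat_value in items.items():
            # A literal "a.b" key and a nested a -> b would silently overwrite
            # each other; fail loudly instead of dropping a value.
            if flat_key in flat:
                raise ValueError(f"duplicate field after flattening: {flat_key}")
            flat[flat_key] = flat_value
    return flat


def repair_event(event):
    """Return a copy of a HEC event whose "fields" object is flat."""
    fixed = dict(event)
    fixed["fields"] = flatten_fields(event.get("fields", {}))
    return fixed


if __name__ == "__main__":
    print("rejected by HEC:", non_string_fields(CAPTURED["fields"]))
    print(json.dumps(repair_event(CAPTURED), indent=2))
```

Running `non_string_fields` over bodies captured at a proxy, as done in the issue, shows which `indexed_fields` entries produce payloads Splunk will reject.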