RubyGems - fluent-plugin-splunk-hec - Versions diffs - 1.1.2 → 1.2.0 - Mend

fluent-plugin-splunk-hec 1.1.2 → 1.2.0

Files changed (18) hide show

checksums.yaml +4 -4
data/Gemfile +2 -0
data/Gemfile.lock +125 -14
data/README.md +136 -74
data/Rakefile +6 -1
data/VERSION +1 -1
data/fluent-plugin-splunk-hec.gemspec +9 -3
data/lib/fluent/plugin/out_splunk.rb +313 -0
data/lib/fluent/plugin/{out_splunk_hec → out_splunk}/match_formatter.rb +5 -3
data/lib/fluent/plugin/out_splunk/version.rb +3 -0
data/lib/fluent/plugin/out_splunk_hec.rb +130 -190
data/lib/fluent/plugin/out_splunk_hec/version.rb +2 -0
data/lib/fluent/plugin/out_splunk_ingest_api.rb +109 -0
data/test/fluent/plugin/out_splunk_hec_test.rb +232 -221
data/test/fluent/plugin/out_splunk_ingest_api_test.rb +244 -0
data/test/test_helper.rb +10 -7
metadata +82 -23
data/test/lib/webmock/http_lib_adapters/httpclient_adapter.rb +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22a452a5a8d26e0d4d3c747a7a5697b0eb65cc0d765ab002670bf0e4a486605b
-  data.tar.gz: 38ba434b4e7d8a18f95c60b8078de11ac8d07f454157651ffdfc49988ff6cbe3
+  metadata.gz: 5d3a2f11d9a4a81af516b66534c533a87ac2333deb62db605d3600ae3d4c6138
+  data.tar.gz: 4d62b7be1185257cea93eba96cb2ca8f5c4a7b6ad9f2f04bc8355cd9039f1c6e
 SHA512:
-  metadata.gz: d607f9195904ade6028405372116d529af7a295cfacf9f46a96ac145aa52637aa008d3f9e7c8b9b43cc415e99c7595b20a64ee2b4e3bf5bb96b74c4984857e9a
-  data.tar.gz: 2d76734a944ff176515f15fb530dbbd08579fb6be1b33554ee10ece7fa7419ff86d562b5145a201a6ae2dda8f3aaf860ae5c22495ed275154206f2105c2cc9ae
+  metadata.gz: 47c0f04fa3c7040c3f1f02f5555e4dbb6cdf15a8d62bbb709058b8f641a8e6c304f3294cd2349dbac288c0bcd2723338d33b5e6424f57076106b87bc82e7281c
+  data.tar.gz: 0f59b7a77013c4aaca16693e8852bffc990be1cb2be088ebdb03f639bfec1e3277d5e402ed4809a6b965355dba97df99e62fcf828857946de89afb58a0ef7734

data/Gemfile CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 source 'https://rubygems.org'
 group :test do

data/Gemfile.lock CHANGED

@@ -1,22 +1,44 @@
 PATH
   remote: .
   specs:
-    fluent-plugin-splunk-hec (1.1.1)
-      fluentd (~> 1.4)
+    fluent-plugin-splunk-hec (1.2.0)
+      fluent-plugin-kubernetes_metadata_filter (= 2.1.2)
+      fluentd (= 1.4)
       multi_json (~> 1.13)
       net-http-persistent (~> 3.0)
+      openid_connect (~> 1.1.6)
+      prometheus-client (~> 0.9.0)
 GEM
   remote: https://rubygems.org/
   specs:
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activesupport (6.0.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.1, >= 2.1.8)
     addressable (2.6.0)
       public_suffix (>= 2.0.2, < 4.0)
+    aes_key_wrap (1.0.1)
+    ast (2.4.0)
+    attr_required (1.0.1)
+    bindata (2.4.4)
+    concurrent-ruby (1.1.5)
     connection_pool (2.2.2)
-    cool.io (1.5.3)
+    cool.io (1.5.4)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     dig_rb (1.0.1)
     docile (1.3.1)
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    fluent-plugin-kubernetes_metadata_filter (2.1.2)
+      fluentd (>= 0.14.0, < 2)
+      kubeclient (~> 1.1.4)
+      lru_redux
     fluentd (1.4.0)
       cool.io (>= 1.4.5, < 2.0.0)
       dig_rb (~> 1.0.0)
@@ -28,19 +50,89 @@ GEM
       tzinfo (~> 1.0)
       tzinfo-data (~> 1.0)
       yajl-ruby (~> 1.0)
-    hashdiff (0.3.8)
+    hashdiff (0.4.0)
+    http (0.9.8)
+      addressable (~> 2.3)
+      http-cookie (~> 1.0)
+      http-form_data (~> 1.0.1)
+      http_parser.rb (~> 0.6.0)
+    http-accept (1.7.0)
+    http-cookie (1.0.3)
+      domain_name (~> 0.5)
+    http-form_data (1.0.3)
     http_parser.rb (0.6.0)
+    httpclient (2.8.3)
+    i18n (1.7.0)
+      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.2)
     json (2.1.0)
+    json-jwt (1.10.2)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+    kubeclient (1.1.4)
+      activesupport
+      http (= 0.9.8)
+      recursive-open-struct (= 1.0.0)
+      rest-client
+    lru_redux (1.1.0)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    mime-types (3.3)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2019.1009)
+    mini_mime (1.0.2)
     minitest (5.11.3)
-    msgpack (1.2.7)
-    multi_json (1.13.1)
-    net-http-persistent (3.0.0)
+    msgpack (1.3.1)
+    multi_json (1.14.1)
+    net-http-persistent (3.1.0)
       connection_pool (~> 2.2)
-    power_assert (1.1.3)
-    public_suffix (3.0.3)
+    netrc (0.11.0)
+    openid_connect (1.1.8)
+      activemodel
+      attr_required (>= 1.0.0)
+      json-jwt (>= 1.5.0)
+      rack-oauth2 (>= 1.6.1)
+      swd (>= 1.0.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (>= 1.0.1)
+    parallel (1.13.0)
+    parser (2.6.0.0)
+      ast (~> 2.4.0)
+    power_assert (1.1.4)
+    powerpack (0.1.2)
+    prometheus-client (0.9.0)
+      quantile (~> 0.2.1)
+    public_suffix (3.1.1)
+    quantile (0.2.1)
+    rack (2.0.7)
+    rack-oauth2 (1.10.0)
+      activesupport
+      attr_required
+      httpclient
+      json-jwt (>= 1.9.0)
+      rack
+    rainbow (3.0.0)
     rake (12.3.2)
-    safe_yaml (1.0.4)
-    serverengine (2.1.0)
+    recursive-open-struct (1.0.0)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rubocop (0.63.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.4.0)
+    ruby-progressbar (1.10.0)
+    safe_yaml (1.0.5)
+    serverengine (2.1.1)
       sigdump (~> 0.2.2)
     sigdump (0.2.4)
     simplecov (0.16.1)
@@ -49,18 +141,36 @@ GEM
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     strptime (0.2.3)
-    test-unit (3.3.0)
+    swd (1.1.2)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      httpclient (>= 2.4)
+    test-unit (3.3.3)
       power_assert
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2018.9)
+    tzinfo-data (1.2019.3)
       tzinfo (>= 1.0.0)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.6)
+    unicode-display_width (1.4.1)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.8)
+      activemodel (>= 3.0.0)
+      public_suffix
+    webfinger (1.1.0)
+      activesupport
+      httpclient (>= 2.4)
     webmock (3.5.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff
     yajl-ruby (1.4.1)
+    zeitwerk (2.2.0)
 PLATFORMS
   ruby
@@ -70,9 +180,10 @@ DEPENDENCIES
   fluent-plugin-splunk-hec!
   minitest (~> 5.0)
   rake (~> 12.0)
+  rubocop (~> 0.63.1)
   simplecov
   test-unit (~> 3.0)
   webmock (~> 3.5.0)
 BUNDLED WITH
-   2.0.1
+   2.0.2

data/README.md CHANGED

@@ -1,12 +1,14 @@
 [![CircleCI](https://circleci.com/gh/git-lfs/git-lfs.svg?style=shield&circle-token=856152c2b02bfd236f54d21e1f581f3e4ebf47ad)](https://circleci.com/gh/splunk/fluent-plugin-splunk-hec)
 # fluent-plugin-splunk-hec
-[Fluentd](https://fluentd.org/) output plugin to send events and metrics to [Splunk](https://www.splunk.com) over the HEC (HTTP Event Collector) API.
+[Fluentd](https://fluentd.org/) output plugin to send events and metrics to [Splunk](https://www.splunk.com) in 2 modes:<br/>
+1) Via Splunk's [HEC (HTTP Event Collector) API](http://dev.splunk.com/view/event-collector/SP-CAAAE7F)<br/>
+2) Via the [Splunk Ingest API](https://sdc.splunkbeta.com/reference/api/ingest/v1beta2)
 ## Installation
 ### RubyGems
-```
+```
 $ gem install fluent-plugin-splunk-hec
 ```
 ### Bundler
@@ -27,9 +29,7 @@ $ bundle
 * See also: [Output Plugin Overview](https://docs.fluentd.org/v1.0/articles/output-plugin-overview)
-### Examples
-#### Example 1: Minimum Configs
+#### Example 1: Minimum Configuration
 ```
 <match **>
@@ -42,7 +42,25 @@ $ bundle
 This example is very basic, it just tells the plugin to send events to Splunk HEC on `https://12.34.56.78:8088` (https is the default protocol), using the HEC token `00000000-0000-0000-0000-000000000000`. It will use whatever index, source, sourcetype are configured in HEC. And the `host` of each event is the hostname of the machine which running fluentd.
-#### Example 2: Overwrite HEC defaults
+#### Example 2: Configuration example
+```
+<match **>
+@type splunk_ingest_api
+service_client_identifier xxxxxxxx
+service_client_secret_key xxxx-xxxxx
+token_endpoint /system/identity/v2beta1/token
+ingest_api_host api.url.splunk.com
+ingest_api_tenant mytenant
+ingest_api_events_endpoint /ingest/mybuild/events
+debug_http false
+</match>
+```
+This example shows the configuration to be used for sending events to ingest API. This configuration shows how to use `service_client_identifier`, `service_client_secret_key` to get token from `token_endpoint` and send events to `ingest_api_host` for the tenant `ingest_api_tenant` at the endpoint `ingest_api_events_endpoint`. The `debug_http` flag indicates whether the user wants to print debug logs to stdout.
+#### Example 3: Overwrite HEC defaults
 ```
 <match **>
@@ -72,21 +90,21 @@ Sometimes you want to use the values from the input event for these parameters,
 </match>
 ```
-In the second example (in order to keep it concise, we just omitted the repeating parameters, and we will keep doing so in the following examples), it uses the `source_key` config to set the source of event to the value of the event's `file_path` field. Given an input event like
+In this example (in order to keep it concise, we just omitted the repeating parameters, and we will keep doing so in the following examples), it uses the `source_key` config to set the source of event to the value of the event's `file_path` field. Given an input event like
 ```javascript
 {"file_path": "/var/log/splunk.log", "message": "This is an exmaple.", "level": "info"}
 ```
-Then the source for this event will be "/var/log/splunk.log". And the "file\_path" field will be removed from the input event, so what you will eventually get ingested in Splunk is
+Then the source for this event will be "/var/log/splunk.log". And the "file\_path" field will be removed from the input event, so what you will eventually get ingested in Splunk is:
 ```javascript
-{"message": "This is an exmaple.", "level": "info"}
+{"message": "This is an example.", "level": "info"}
 ```
 If you want to keep "file\_path" in the event, you can use `keep_keys`.
 Besides `source_key` there are also other `*_key` parameters, check the parameters details below.
-#### Example 3: Sending metrics
+#### Example 4: Sending metrics
-[Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) is avaialble since Splunk 7.0.0, you can use this output plugin to send events as metrics to a Splunk metric index by setting `data_type` to "metric".
+[Metrics](https://docs.splunk.com/Documentation/Splunk/latest/Metrics/Overview) is available since Splunk 7.0.0, you can use this output plugin to send events as metrics to a Splunk metric index by setting `data_type` to "metric".
 ```
 <match **>
@@ -98,7 +116,7 @@ Besides `source_key` there are also other `*_key` parameters, check the paramete
 </match>
 ```
-With this configuration, the plugin will treat each input event as a collection of metrics, i.e. each key-varlue pair in the event is a metric name-value pair. For example, given an input event like
+With this configuration, the plugin will treat each input event as a collection of metrics, i.e. each key-value pair in the event is a metric name-value pair. For example, given an input event like
 ```javascript
 {"cpu/usage": 0.5, "cpu/rate": 10, "memory/usage": 100, "memory/rss": 90}
@@ -129,107 +147,136 @@ You should change the configuration to
 All other properties of the input (in this example, "app"), will be sent as dimensions of the metric. You can use the `<fields>` section to customize the dimensions.
-### Parameters
+### Type of plugin
 #### @type
-This value must be `splunk_hec`.
-#### protocol (enum) (optional)
+This value must be set to `splunk_hec` when using HEC API and to `splunk_ingest_api` when using the ingest API. Only one type either `splunk_hec` or `splunk_ingest_api` is expected to be used when configuring this plugin.
-Protocol to use to call HEC API.
+### Parameters for `splunk_hec`
-Available values: http, https
+#### protocol (enum) (optional)
-Default value: `https`.
+This is the protocol to use for calling the HEC API. Available values are: http, https. This parameter is
+set to `https` by default.
 ### hec_host (string) (required)
-The hostname/IP to HEC, or HEC load balancer.
+The hostname/IP for the HEC token or the HEC load balancer.
 ### hec_port (integer) (optional)
-The port number to HEC, or HEC load balancer.
-Default value: `8088`.
+The port number for the HEC token or the HEC load balancer. The default value is `8088`.
 ### hec_token (string) (required)
-The HEC token.
+Identifier for the HEC token.
-### index (string) (optional)
+### metrics_from_event (bool) (optional)
-The Splunk index to index events. When not set, will be decided by HEC. This is exclusive with `index_key`.
+When `data_type` is set to "metric", the ingest API will treat every key-value pair in the input event as a metric name-value pair. Set `metrics_from_event` to `false` to disable this behavior and use `metric_name_key` and `metric_value_key` to define metrics. The default value is `true`.
-### index_key (string) (optional)
+### metric_name_key (string) (optional)
-Field name to contain Splunk index name. This is exclusive with `index`.
+Field name that contains the metric name. This parameter only works in conjunction with the `metrics_from_event` paramter. When this prameter is set, the `metrics_from_event` parameter is automatically set to `false`.
-### host (string) (optional)
+### metric_value_key (string) (optional)
-The host field for events. This is exclusive with `host_key`.
+Field name that contains the metric value, this parameter is required when `metric_name_key` is configured.
-Default value: the hostname of the host machine.
+### coerce_to_utf8 (bool) (optional)
-### host_key (string) (optional)
+Indicates whether to allow non-UTF-8 characters in user logs. If set to `true`, any non-UTF-8 character is replaced by the string specified in `non_utf8_replacement_string`. If set to `false`, the Ingest API errors out any non-UTF-8 characters. This parameter is set to `true` by default.
-Field name to contain host. This is exclusive with `host`.
+### non_utf8_replacement_string (string) (optional)
-### source (string) (optional)
+If `coerce_to_utf8` is set to `true`, any non-UTF-8 character is replaced by the string you specify in this parameter. The parameter is set to `' '` by default.
-The source field for events, when not set, will be decided by HEC. This is exclusive with `source_key`.
+### Parameters for `splunk_ingest_api`
-### source_key (string) (optional)
+### service_client_identifier: (optional) (string)
-Field name to contain source. This is exclusive with `source`.
+Splunk uses the client identifier to make authorized requests to the ingest API.
-### sourcetype (string) (optional)
+### service_client_secret_key: (string)
-The sourcetype field for events, when not set, will be decided by HEC. This is exclusive with `sourcetype_key`.
+The client identifier uses this authorization to make requests to the ingest API.
-### sourcetype_key (string) (optional)
+### token_endpoint: (string)
-Field name to contain sourcetype. This is exclusive with `sourcetype`.
+This value indicates which endpoint Splunk should look to for the authorization token necessary for requests to the ingest API.
-### metrics_from_event (bool) (optional)
+### ingest_api_host: (string)
-When `data_type` is set to "metric", by default it will treat every key-value pair in the input event as a metric name-value pair. Set `metrics_from_event` to `false` to disable this behavior and use `metric_name_key` and `metric_value_key` to define metrics.
+Indicates which url/hostname to use for requests to the ingest API.
-Default value: `true`.
+### ingest_api_tenant: (string)
-### metric_name_key (string) (optional)
+Indicates which tenant Splunk should use for requests to the ingest API.
-Field name to contain metric name. This is exclusive with `metrics_from_event`, when this is set, `metrics_from_event` will be set to `false`.
+### ingest_api_events_endpoint: (string)
-### metric_value_key (string) (optional)
+Indicates which endpoint to use for requests to the ingest API.
-Field name to contain metric value, this is required when `metric_name_key` is set.
+### debug_http: (bool)
+Set to True if you want to debug requests and responses to ingest API. Default is false.
-### keep_keys (bool) (optional)
+### Parameters for both `splunk_hec` and `splunk_ingest_api`
-By default, all the fields used by the `*_key` parameters will be removed from the original input events. To change this behavior, set this parameter to `true`.
+### index (string) (optional)
-Default value: `true`.
+Identifier for the Splunk index to be used for indexing events. If this parameter is not set,
+the indexer is chosen by HEC. This parameter only works in conjunction with the `index_key` parameter.
-### coerce_to_utf8 (bool) (optional)
+### index_key (string) (optional)
-Whether to allow non-UTF-8 characters in user logs. If set to true, any non-UTF-8 character would be replaced by the string specified by `non_utf8_replacement_string`. If set to false, any non-UTF-8 character would trigger the plugin to error out.
+The field name that contains the Splunk index name. This parameter works in conjunction with `index` and will
+not work if the `index` parameter is not set.
-Default value: `true`.
+### host (string) (optional)
-### non_utf8_replacement_string (string) (optional)
+The host location for events. This parameter only works in conjunction with the `host_key` parameter.
+If the parameter is not set, the default value is the hostname of the machine runnning fluentd.
+### host_key (string) (optional)
+Key for the host location. This parameter only works in conjunction with the `host` parameter. If the `host`
+parameter is not set, this parameter is ignored.
+### source (string) (optional)
+The source field for events. If this parameter is not set, the source will be decided by HEC. This
+parameter only works in conjunction with the `source_key` parameter.
+### source_key (string) (optional)
+Field name to contain source. This parameter only works in conjunction with the `source` parameter.
+### sourcetype (string) (optional)
+The sourcetype field for events. When not set, the sourcetype is decided by HEC. This parameter only works in
+conjunction with the `sourcetype_key` parameter.
+### sourcetype_key (string) (optional)
-If `coerce_to_utf8` is set to true, any non-UTF-8 character would be replaced by the string specified here.
+Field name that contains the sourcetype. This parameter only works in conjunction with the `sourcetype` parameter.
-Default value: `' '`.
+### fields (init) (optional)
+Lets you specify the index-time fields for the event data type, or metric dimensions for the metric data type. Null value fields are removed.
+### keep_keys (boolean) (Optional)
+By default, all the fields used by the `*_key` parameters are removed from the original input events. To change this behavior, set this parameter to `true`. This parameter is set to `false` by default.
+When set to true, all fields defined in `index_key`, `host_key`, `source_key`, `sourcetype_key`, `metric_name_key`, and `metric_value_key` are saved in the original event.
 ### &lt;fields&gt; section (optional) (single)
-Depending on the value of `data_type` parameter, the parameters inside `<fields>` section have different meanings. Despite the meaning, the syntax for parameters is unique.
+Depending on the value of `data_type` parameter, the parameters inside the `<fields>` section have different meanings. Despite the meaning, the syntax for parameters is unique.
 #### When `data_type` is `event`
-In this case, parameters inside `<fields>` will be used as indexed fields. And these fields will be removed from the original input events. Please see the "Add a "fields" property at the top JSON level" [here](http://dev.splunk.com/view/event-collector/SP-CAAAFB6) for details. Given we have configuration like
+In this case, parameters inside `<fields>` are used as indexed fields and removed from the original input events. Please see the "Add a "fields" property at the top JSON level" [here](http://dev.splunk.com/view/event-collector/SP-CAAAFB6) for details. Given we have configuration like
 ```
 <match **>
@@ -273,7 +320,7 @@ If a parameter has just a key, it means its value is exactly the same as the key
 #### When `data_type` is `metric`
-For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>` is not presented, the original input event will be used as dimensions. If an empty `<fields></fields>` is presented, no dimension will be sent. For example, given configuration like
+For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>` is not presented, the original input event will be used as dimensions. If an empty `<fields></fields>` is presented, no dimension is sent. For example, given the following configuration:
 ```
 <match **>
@@ -291,22 +338,22 @@ For metrics, parameters inside `<fields>` are used as dimensions. If `<fields>`
 </match>
 ```
-and an input event like
+and the following input event:
 ```javascript
 {"application": "webServer", "file": "server.rb", "value": 100, "status": "OK", "message": "Normal", "name": "CPU Usage"}
 ```
-Then, a metric of "CPU Usage" with value=100, along with 3 dimensions file="server.rb", status="OK", and app="webServer" will be sent to Splunk.
+Then, a metric of "CPU Usage" with value=100, along with 3 dimensions file="server.rb", status="OK", and app="webServer" are sent to Splunk.
 ### &lt;format&gt; section (optional) (multiple)
-The `<format>` section let us define which formatter to use to format events.
+The `<format>` section let you define which formatter to use to format events.
 By default, it uses [the `json` formatter](https://docs.fluentd.org/v1.0/articles/formatter_jso://docs.fluentd.org/v1.0/articles/formatter_json).
-Besides the `@type` parameter, you should define all other parameters for the formatter inside this section.
+Besides the `@type` parameter, you should define the other parameters for the formatter inside this section.
-Multiple `<format>` sections can be defined to use different formatters for different tags. Each `<format>` section accepts an argument just like the `<match>` section does, to define tag matching. But default, every event will be formatted with `json`. For example:
+Multiple `<format>` sections can be defined to use different formatters for different tags. Each `<format>` section accepts an argument just like the `<match>` section does to define tag matching. By default, every event is formatted with `json`. For example:
 ```
 <match **>
@@ -324,13 +371,31 @@ Multiple `<format>` sections can be defined to use different formatters for diff
   </format>
 ```
-In this example, it will format events with tags which start with `sometag.` with the `single_value` formatter, and format events with tags `some.othertag` with the `csv` formatter, and format all other events with the `json` formatter (the default formatter).
+This example:
+- Formats events with tags that start with `sometag.` with the `single_value` formatter
+- Formats events with tags `some.othertag` with the `csv` formatter
+- Formats all other events with the `json` formatter (the default formatter)
 If you want to use a different default formatter, you can add a `<format **>` (or `<format>`) section.
 #### @type (string) (required)
-Defines which formatter to use.
+Specifies which formatter to use.
+### Net::HTTP::Persistent parameters (optional)
+The following parameters can be used for tuning HTTP connections:
+#### idle_timeout (integer)
+The default is five seconds. If a connection has not been used for five seconds, it is automatically reset at next use, in order to avoid attempting to send to a closed connection. Specifiy `nil` to prohibit any timeouts.
+#### read_timeout (integer)
+The amount of time allowed between reading two chunks from the socket. The default value is `nil`, which means no timeout.
+#### open_timeout (integer)
+The amount of time to wait for a connection to be opened. The default is `nil`, which means no timeout.
 ### Net::HTTP::Persistent parameters (optional)
@@ -338,7 +403,7 @@ The following parameters can be used for tuning HTTP connections
 #### idle_timeout (integer)
-The default is 5 seconds. If a connection has not been used for this number of seconds it will automatically be reset upon the next use to avoid attempting to send to a closed connection; nil means no timeout.
+The default is 5 seconds. If a connection has not been used for this number of seconds it will automatically be reset upon the next use to avoid attempting to send to a closed connection; nil means no timeout.
 #### read_timeout (integer)
@@ -350,8 +415,7 @@ The default is nil. The amount of time to wait for a connection to be opened.
 ### SSL parameters
-There are quite some parameters you can use to configure SSL (for HTTPS protocol).
-All these parameters are optional.
+The following optional parameters let you configure SSL for HTTPS protocol.
 #### client_cert (string)
@@ -375,9 +439,7 @@ List of SSl ciphers allowed.
 #### insecure_ssl (bool)
-Indicates if insecure SSL connection is allowed, i.e. do not verify the server's certificate.
-Default value: `false`.
+Specifies whether an insecure SSL connection is allowed. If set to false, Splunk does not verify an insecure server certificate. This parameter is set to `false` by default.
 ## About Buffer
@@ -392,4 +454,4 @@ Here are some hints:
 ## License
-Please see [LICENSE](LICENSE).
+Please see [LICENSE](LICENSE).