fluent-plugin-splunkhec 1.0.1 → 1.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/README.md +10 -0
- data/fluent-plugin-splunkhec.gemspec +1 -1
- data/lib/fluent/plugin/out_splunkhec.rb +26 -7
- data/test/helper.rb +1 -1
- data/test/plugin/test_out_splunkhec.rb +1 -1
- metadata +2 -2
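--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b095141e9e4ae6cecb11bfc80c7fe26503858909
+data.tar.gz: e080ff03c7f54382761dfac6957807be0b278106
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1cbaa497638b467481b56f0472eb6eb20067784e88d6213baa8b74729194baa9fcfb5941f9e14fff3937d4d29ceed282dc36254810dc619d508cc599fe1eb54c
+data.tar.gz: 8f5046116bd7fa08500b7b7b6ff0814cb46dd8b4b8ce269879cc6acc75f29ead9f64531972e1b5abad2c4a05d113e634d75fc74701529e087b7bbe2fe2c8fd22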
data/CHANGELOG.md
CHANGED
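--- a/data/README.md
+++ b/data/README.md
@@ -21,6 +21,8 @@ The Splunk HEC is running on a Heavy Forwarder or single instance. More info abo
 event_host fluentdhost #optional
 source fluentd #optional
 sourcetype data:type #optional
+usejson true #optional defaults to true
+send_event_as_json true #optional
 </source>
 ```
 
@@ -57,6 +59,14 @@ Specify the source-field for the event data in Splunk. If you don't specify this
 
 Specify the sourcetype-field for the event data in Splunk. If you don't specify this the plug-in will use the tag from the FluentD input plug-in.
 
+## config: send_event_as_json
+
+Specify if an event should be sent as json rather than as a string. Can be 'true' or 'false'. If you don't specify then this will be 'false'.
+
+## config: usejson
+
+Specify the event type as JSON (true|default) or raw (false) for sending Log4J messages so Splunk so it can parse the time field it self based on the format 'time' regex match found in the source, uses millisecond precision.
+
 ## Contributing
 
 1. Fork it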
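--- a/data/fluent-plugin-splunkhec.gemspec
+++ b/data/fluent-plugin-splunkhec.gemspec
@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |gem|
 gem.name = "fluent-plugin-splunkhec"
-gem.version = "1.
+gem.version = "1.1"
 gem.authors = "Coen Meerbeek"
 gem.email = "cmeerbeek@gmail.com"
 gem.description = %q{Output plugin for the Splunk HTTP Event Collector.}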
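--- a/data/lib/fluent/plugin/out_splunkhec.rb
+++ b/data/lib/fluent/plugin/out_splunkhec.rb
@@ -7,16 +7,18 @@ module Fluent
 Fluent::Plugin.register_output('splunkhec', self)
 
 # Primary Splunk HEC configuration parameters
-config_param :host, :string, :default => 'localhost'
-config_param :protocol, :string, :default => 'http'
-config_param :port, :string, :default => '8088'
-config_param :token, :string, :default => nil
+config_param :host, :string, :default => 'localhost'
+config_param :protocol, :string, :default => 'http'
+config_param :port, :string, :default => '8088'
+config_param :token, :string, :default => nil
 
 # Splunk event parameters
 config_param :index, :string, :default => "main"
 config_param :event_host, :string, :default => nil
 config_param :source, :string, :default => "fluentd"
 config_param :sourcetype, :string, :default => nil
+config_param :send_event_as_json, :string, :default => "false"
+config_param :usejson, :string, :default => "true"
 
 # This method is called before starting.
 # Here we construct the Splunk HEC URL to POST data to
@@ -44,7 +46,13 @@ module Fluent
 else
 @event_sourcetype = conf['sourcetype']
 end
-
+
+if conf['send_event_as_json'] == 'true'
+@event_send_as_json = true
+else
+@event_send_as_json = false
+end
+
 @event_index = @index
 @event_source = @source
 end
@@ -72,7 +80,11 @@ module Fluent
 when Fixnum
 event = record.to_s
 when Hash
-
+if @event_send_as_json
+event = record.to_json
+else
+event = record.to_json.gsub("\"", %q(\\\"))
+end
 else
 event = record
 end
@@ -82,7 +94,14 @@ module Fluent
 end
 
 # Build body for the POST request
-
+if @usejson == 'false'
+event = record["time"]+ " " + record["message"].to_json.gsub(/^"|"$/,"")
+body = '{"time":"'+ DateTime.parse(record["time"]).strftime("%Q") +'", "event":"' + event + '", "sourcetype" :"' + @event_sourcetype + '", "source" :"' + @event_source + '", "index" :"' + @event_index + '", "host" : "' + @event_host + '"}'
+elsif @event_send_as_json
+body = '{"time" :' + time.to_s + ', "event" :' + event + ', "sourcetype" :"' + @event_sourcetype + '", "source" :"' + @event_source + '", "index" :"' + @event_index + '", "host" : "' + @event_host + '"}'
+else
+body = '{"time" :' + time.to_s + ', "event" :"' + event + '", "sourcetype" :"' + @event_sourcetype + '", "source" :"' + @event_source + '", "index" :"' + @event_index + '", "host" : "' + @event_host + '"}'
+end
 log.debug "splunkhec: " + body + "\n"
 
 uri = URI(@splunk_url)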
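Review bot: The three `body = '{"time" ...` assignments in the last hunk assemble the HEC payload by string concatenation, so `record["time"]`, the `event` text and the configured `@event_sourcetype`/`@event_source`/`@event_index`/`@event_host` values reach the request without JSON escaping. A quote or backslash in any of them yields malformed JSON, and because log records often carry externally influenced text, a crafted field could add or override keys such as `index` in what Splunk receives. In the `@usejson == 'false'` branch a record without a string `time` also raises on `record["time"]+` or inside `DateTime.parse`. Building a Hash and serialising it once with `to_json` removes the hand escaping, including the `gsub` in the `when Hash` branch; the enclosing method starts and ends outside these hunks, so the `time` handling below is inferred and should be checked against the rest of the method.

```ruby
# Build body for the POST request
payload = {
  "sourcetype" => @event_sourcetype,
  "source"     => @event_source,
  "index"      => @event_index,
  "host"       => @event_host
}
if @usejson == 'false'
  payload["time"]  = DateTime.parse(record["time"].to_s).strftime("%Q")
  payload["event"] = record["time"].to_s + " " + record["message"].to_s
elsif @event_send_as_json
  payload["time"]  = time.to_i
  payload["event"] = record
else
  payload["time"]  = time.to_i
  payload["event"] = record.is_a?(Hash) ? record.to_json : record.to_s
end
body = payload.to_json
# … unchanged: log.debug of the body and the HTTP POST …
```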
data/test/helper.rb
CHANGED
@@ -13,7 +13,7 @@ class SplunkHECOutputTest < Test::Unit::TestCase
|
|
13
13
|
token BAB747F3-744E-41BA
|
14
14
|
]
|
15
15
|
|
16
|
-
def
|
16
|
+
def create_driver_splunkhec(conf = CONFIG_SPLUNKHEC)
|
17
17
|
Fluent::Test::InputTestDriver.new(Fluent::SplunkHECOutput).configure(conf)
|
18
18
|
end
|
19
19
|
|
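--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-splunkhec
 version: !ruby/object:Gem::Version
-version: 1.
+version: '1.1'
 platform: ruby
 authors:
 - Coen Meerbeek
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: fluentd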