in_splunk: Implement handling remote addr feature

[cosmo0920]

Currently, in_splunk does not handle remote address.
This could be inconvenient to track remote address for traceability.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change
• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature
  in_splunk: Add remote_addr related parameters' descriptions fluent-bit-docs#2360

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • Splunk input plugin can optionally capture a request's remote address (from X-Forwarded-For or connection) and include it in emitted events; the record key for this value is configurable.

• Tests

  • Added runtime test to verify remote-address extraction and inclusion in events.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds configurable remote-address extraction to the Splunk input: new config options to enable injection and set the record key, per-request extraction from X-Forwarded-For or peer address, propagation into payload processing, and per-request state to avoid leakage.

Changes

Cohort / File(s)	Summary
Configuration & plugin state plugins/in_splunk/splunk.c, plugins/in_splunk/splunk.h, plugins/in_splunk/splunk_config.c	Added config options add_remote_addr and remote_addr_key; added runtime fields add_remote_addr, remote_addr_key, current_remote_addr, current_remote_addr_len; initialize current_remote_addr state in context creation.
Protocol, header parsing & payload flow plugins/in_splunk/splunk_prot.c, plugins/in_splunk/splunk_prot.h	Introduced HTTP header lookup, X-Forwarded-For extraction and fallback to peer address; resolve and store per-request remote address; propagate remote address through payload processing functions and append to emitted records; added SPLUNK_XFF_HEADER macro.
Tests tests/runtime/in_splunk.c	Added test flb_test_splunk_xff_extract() (registered in TEST_LIST) to validate XFF extraction and record injection.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Handler as "Splunk Request Handler"
    participant Headers as "HTTP Header Parser"
    participant Resolver as "XFF / Peer Resolver"
    participant Processor as "Payload Processor"
    participant Emitter as "Record Emitter"

    Client->>Handler: Send HTTP request (may include X-Forwarded-For)
    Handler->>Headers: Parse request headers
    Headers->>Resolver: Lookup "x-forwarded-for"
    alt XFF present
        Resolver->>Resolver: Extract first IP from XFF
    else XFF absent
        Resolver->>Resolver: Use peer connection address
    end
    Resolver->>Handler: Provide remote address
    Handler->>Processor: Process payload + remote address
    Processor->>Emitter: Append remote_addr key to record (if enabled)
    Emitter->>Emitter: Emit enriched log event
    Handler->>Handler: Clear per-request remote address state

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• in_http: add fluentd like add_remote_addr functionality #11080 — Implements a similar add_remote_addr feature with config fields, header parsing, and remote address propagation in HTTP input code paths.

Suggested reviewers

• edsiper

Poem

🐰 I sniff headers on a moonlit track,
I pull the IP from XFF’s pack,
I tuck it into each log so neat,
A carrot-note where records meet,
Hop—now Splunk knows who’s coming back!

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'in_splunk: Implement handling remote addr feature' directly describes the main change: adding remote address handling to the in_splunk input plugin, which aligns with the file modifications and PR objectives.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into master

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch cosmo0920-extract-remote-addr-on-in_splunk

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ba50be0c16

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@plugins/in_splunk/splunk_prot.c`:
- Around line 1381-1399: In splunk_prot_handle_ng() the per-request fields
context->current_remote_addr and context->current_remote_addr_len are set but
never reset, allowing stale addresses to persist across requests; update the
function to ensure these fields are cleared before every return (or funnel
returns through a single cleanup label), e.g., after using
extract_remote_address(), when falling back to peer
(flb_connection_get_remote_address(parent_session->connection)), and prior to
any early exits: set context->current_remote_addr = NULL and
context->current_remote_addr_len = 0 (or free/reset as appropriate) so the same
cleanup performed in splunk_prot_handle() is applied here.

🧹 Nitpick comments (5)

plugins/in_splunk/splunk.h (1)

76-79: Consider using const char * instead of flb_sds_t for borrowed pointers.

current_remote_addr is assigned non-owned pointers from either the XFF header value or flb_connection_get_remote_address() in splunk_prot.c. Using flb_sds_t is misleading since it implies an owned/allocated string that should be managed with flb_sds_* functions.

For clarity and to prevent accidental misuse:

♻️ Suggested change

     /* Remote address */
-    flb_sds_t current_remote_addr;
+    const char *current_remote_addr;
     size_t current_remote_addr_len;

plugins/in_splunk/splunk_prot.c (4)

265-290: Const-correctness issue in output parameter.

The function assigns const char * values (from extract_xff_value and flb_connection_get_remote_address) to *out, but out is declared as char **. This discards the const qualifier and may cause compiler warnings.

♻️ Suggested fix

 static int extract_remote_address(const char *xff_value,
                                   size_t xff_value_len,
                                   struct flb_connection *connection,
-                                  char **out,
+                                  const char **out,
                                   size_t *out_len)
 {

Also update the corresponding field type in splunk.h and call sites in splunk_prot_handle() and splunk_prot_handle_ng().

---

424-428: Unused parameters in function signature.

The remote_addr and remote_addr_len parameters are added to the signature but never used. The function uses ctx->current_remote_addr and ctx->current_remote_addr_len directly at lines 478-480.

Either use the passed parameters or remove them from the signature to avoid confusion:

♻️ Option 1: Remove unused parameters

 static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *record,
                                    flb_sds_t tag, flb_sds_t tag_from_record,
-                                   struct flb_time tm,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct flb_time tm)

♻️ Option 2: Use the passed parameters

     if (ret == FLB_EVENT_ENCODER_SUCCESS) {
         ret = append_remote_addr(ctx,
-                                 ctx->current_remote_addr,
-                                 ctx->current_remote_addr_len);
+                                 remote_addr,
+                                 remote_addr_len);
     }

---

775-780: Unused parameters in function signature.

Similar to process_flb_log_append(), the remote_addr and remote_addr_len parameters are not used within this function. The downstream process_raw_payload_pack() accesses ctx->current_remote_addr directly.

Consider removing these unused parameters for consistency:

♻️ Suggested change

 static int process_hec_raw_payload(struct flb_splunk *ctx, struct splunk_conn *conn,
                                    flb_sds_t tag,
                                    struct mk_http_session *session,
-                                   struct mk_http_request *request,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct mk_http_request *request)

---

1115-1118: Missing cleanup on early return paths.

The per-request remote address is cleared at the end of successful processing, but multiple early return paths (lines 861, 928, 974, 1040, 1066, 1088, 1104) skip this cleanup. While the state is re-initialized at the start of each request (lines 1003-1004), for defensive coding it would be cleaner to use a goto cleanup pattern to ensure consistent cleanup.

Alternatively, since the state is always re-initialized at the start of splunk_prot_handle(), this might be acceptable as-is. Just ensure this initialization always happens before any potential use.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

plugins/in_splunk/splunk_prot.c (2)

424-481: Unused parameters: remote_addr and remote_addr_len are never referenced.

The function signature was updated to accept remote_addr and remote_addr_len, but the implementation uses ctx->current_remote_addr and ctx->current_remote_addr_len directly (lines 479-480). Either use the parameters or remove them from the signature.

♻️ Option 1: Remove unused parameters (simpler)

 static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *record,
                                    flb_sds_t tag, flb_sds_t tag_from_record,
-                                   struct flb_time tm,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct flb_time tm)
 {

And update call sites accordingly.

♻️ Option 2: Use the parameters instead of context fields

     if (ret == FLB_EVENT_ENCODER_SUCCESS) {
         ret = append_remote_addr(ctx,
-                                 ctx->current_remote_addr,
-                                 ctx->current_remote_addr_len);
+                                 remote_addr,
+                                 remote_addr_len);
     }

---

775-814: Unused parameters: remote_addr and remote_addr_len are never referenced.

Similar to process_flb_log_append, these parameters are added to the signature but never used. The underlying process_raw_payload_pack reads from ctx->current_remote_addr directly.

♻️ Suggested fix - remove unused parameters

 static int process_hec_raw_payload(struct flb_splunk *ctx, struct splunk_conn *conn,
                                    flb_sds_t tag,
                                    struct mk_http_session *session,
-                                   struct mk_http_request *request,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct mk_http_request *request)
 {

Update the call site at line 1027 accordingly.

🤖 Fix all issues with AI agents

In `@plugins/in_splunk/splunk_prot.c`:
- Around line 1455-1459: In splunk_prot_handle_ng() the cleanup lines refer to
an undefined variable ctx; replace those uses with the correct function-local
variable name context (i.e., set context->current_remote_addr = NULL and
context->current_remote_addr_len = 0) so the per-request remote address is
cleared on the correct struct instance.

🧹 Nitpick comments (1)

plugins/in_splunk/splunk_prot.c (1)

265-290: Const-correctness issue: discarding const qualifier.

The function accepts char **out but assigns const char * values to it (from extract_xff_value and flb_connection_get_remote_address). This silently discards the const qualifier. Consider changing the output parameter type to preserve const-correctness.

♻️ Suggested fix

 static int extract_remote_address(const char *xff_value,
                                   size_t xff_value_len,
                                   struct flb_connection *connection,
-                                  char **out,
+                                  const char **out,
                                   size_t *out_len)
 {
     const char *value = NULL;
     size_t len = 0;

     extract_xff_value(xff_value, xff_value_len, &value, &len);

     if (value == NULL && connection != NULL) {
         value = flb_connection_get_remote_address(connection);
         if (value != NULL) {
             len = strlen(value);
         }
     }

     if (value == NULL || len == 0) {
         return -1;
     }

-    *out = value;
+    *out = value;
     *out_len = len;
     return 0;
 }

Also update the callers (splunk_prot_handle and splunk_prot_handle_ng) to declare hval as const char *:

-    char *hval = NULL;
+    const char *hval = NULL;

And update the context fields if they aren't already const char *.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@plugins/in_splunk/splunk_prot.c`:
- Around line 1381-1399: Add a NULL-check for request->stream->parent before
dereferencing parent_session->connection: after assigning parent_session =
(struct flb_http_server_session *) request->stream->parent, verify
parent_session != NULL and return an error (e.g., -1) or perform appropriate
error handling if it is NULL; then continue with the existing logic that uses
parent_session->connection (used by extract_remote_address and
flb_connection_get_remote_address) to avoid a crash if the parent session is
missing.

🧹 Nitpick comments (1)

plugins/in_splunk/splunk_prot.c (1)

424-481: Use the passed remote_addr parameters to avoid shared mutable state.
Right now process_flb_log_append() ignores its new parameters and re-reads ctx->current_remote_addr. Using the parameters makes the function’s contract explicit and reduces reliance on shared state.

♻️ Suggested change

-    if (ret == FLB_EVENT_ENCODER_SUCCESS) {
-        ret = append_remote_addr(ctx,
-                                 ctx->current_remote_addr,
-                                 ctx->current_remote_addr_len);
-    }
+    if (ret == FLB_EVENT_ENCODER_SUCCESS) {
+        ret = append_remote_addr(ctx, remote_addr, remote_addr_len);
+    }

Also applies to: 775-780

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

plugins/in_splunk/splunk_prot.c (2)

424-486: Unused parameters: remote_addr and remote_addr_len are passed but ignored.

The function signature accepts remote_addr and remote_addr_len parameters (lines 427-428), but the implementation at lines 482-485 uses ctx->current_remote_addr and ctx->current_remote_addr_len directly instead. This inconsistency makes the API misleading.

🐛 Proposed fix: use the passed parameters

     if (ret == FLB_EVENT_ENCODER_SUCCESS) {
         ret = append_remote_addr(ctx,
-                                 ctx->current_remote_addr,
-                                 ctx->current_remote_addr_len);
+                                 remote_addr,
+                                 remote_addr_len);
     }

Alternatively, if the intent is to always use the context's current address, remove the unused parameters from the function signature.

---

780-819: Unused parameters in process_hec_raw_payload.

The function signature was extended to include remote_addr and remote_addr_len (lines 784-785), but these parameters are never used in the function body. The call to process_raw_payload_pack at line 816 doesn't pass them, and process_raw_payload_pack reads from ctx->current_remote_addr directly.

Either remove the unused parameters from the signature, or if they were intended for future use, add a comment explaining this.

♻️ Proposed fix: remove unused parameters

 static int process_hec_raw_payload(struct flb_splunk *ctx, struct splunk_conn *conn,
                                    flb_sds_t tag,
                                    struct mk_http_session *session,
-                                   struct mk_http_request *request,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct mk_http_request *request)

Then update the call site at line 1032 accordingly.

🧹 Nitpick comments (1)

plugins/in_splunk/splunk_prot.c (1)

265-290: Const-correctness issue: output parameter should be const char **.

The function assigns a const char * (from extract_xff_value and flb_connection_get_remote_address) to *out, but the parameter is declared as char **. This casts away const, which could lead to undefined behavior if callers attempt to modify the returned string.

♻️ Proposed fix

-static int extract_remote_address(const char *xff_value,
-                                  size_t xff_value_len,
-                                  struct flb_connection *connection,
-                                  char **out,
-                                  size_t *out_len)
+static int extract_remote_address(const char *xff_value,
+                                  size_t xff_value_len,
+                                  struct flb_connection *connection,
+                                  const char **out,
+                                  size_t *out_len)

This will require updating the callers to use const char * for the corresponding local variables (hval in splunk_prot_handle and splunk_prot_handle_ng).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@plugins/in_splunk/splunk_prot.c`:
- Around line 454-456: The call to
flb_log_event_encoder_set_body_from_msgpack_object is passing the wrong argument
(ctx) — replace the first parameter with the log encoder instance by passing
&ctx->log_encoder instead of ctx so the function receives a pointer to the
flb_log_event_encoder (change the call in the else branch where
flb_log_event_encoder_set_body_from_msgpack_object(ctx, record) is used).

🧹 Nitpick comments (3)

plugins/in_splunk/splunk_prot.c (3)

265-290: Consider improving const-correctness.

The function assigns const char *value to char **out, discarding the const qualifier. Since the returned pointer refers to either header data or the connection's address string (both effectively read-only), the output parameter should be const char **out to preserve type safety.

♻️ Suggested fix

 static int extract_remote_address(const char *xff_value,
                                   size_t xff_value_len,
                                   struct flb_connection *connection,
-                                  char **out,
+                                  const char **out,
                                   size_t *out_len)

This would require updating the callers to use const char * for the address variables as well.

---

424-428: Unused parameters: remote_addr and remote_addr_len are never used.

The function signature was updated to accept remote_addr and remote_addr_len parameters, but the body uses ctx->current_remote_addr and ctx->current_remote_addr_len instead. Either use the passed parameters or remove them from the signature to avoid confusion.

♻️ Option 1: Use the parameters

     if (ret == FLB_EVENT_ENCODER_SUCCESS) {
         ret = append_remote_addr(ctx,
-                                 ctx->current_remote_addr,
-                                 ctx->current_remote_addr_len);
+                                 remote_addr,
+                                 remote_addr_len);
     }

♻️ Option 2: Remove unused parameters

 static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *record,
                                    flb_sds_t tag, flb_sds_t tag_from_record,
-                                   struct flb_time tm,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct flb_time tm)

And update all call sites to remove the extra arguments.

Also applies to: 482-486

---

783-785: Unused parameters: remote_addr and remote_addr_len are never used.

Similar to process_flb_log_append, these parameters are added to the signature but never used in the function body. The called function process_raw_payload_pack uses ctx->current_remote_addr directly. Consider removing these parameters for consistency.

[edsiper]

@cosmo0920 thanks, would you please reduce or squash the commits ?

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

plugins/in_splunk/splunk_prot.c (1)

781-820: 🛠️ Refactor suggestion | 🟠 Major

Unused parameters remote_addr and remote_addr_len in process_hec_raw_payload.

These parameters are accepted but never referenced. The downstream process_raw_payload_pack reads from ctx->current_remote_addr directly. Either use the parameters or drop them from the signature to avoid confusion.

🤖 Fix all issues with AI agents

In `@plugins/in_splunk/splunk_prot.c`:
- Around line 1387-1407: In splunk_prot_handle_ng ensure
context->current_remote_addr and context->current_remote_addr_len are always
cleaned up before any early return: either move the existing cleanup into a
single exit/cleanup block and jump to it (e.g., add a cleanup label and use goto
for the early-return paths) or insert the same cleanup call(s) immediately
before each early return (the spots around the current early returns that
reference request handling); specifically reference and clear
context->current_remote_addr and reset context->current_remote_addr_len so no
leaked pointer remains.
- Around line 1008-1025: The per-request remote address
(ctx->current_remote_addr and ctx->current_remote_addr_len) is set by
extract_remote_address or flb_connection_get_remote_address but not cleared on
multiple early-return paths, causing state leakage across keep-alive requests;
modify the function to centralize cleanup (e.g., introduce a cleanup label and
jump to it on every early return) or explicitly reset ctx->current_remote_addr =
NULL and ctx->current_remote_addr_len = 0 before each return so that the state
is always cleared; update the code paths that follow the
extract_remote_address/flb_connection_get_remote_address logic to use the
centralized cleanup (or inline clears) and ensure existing final cleanup at the
original end of the function covers all exit paths.
- Around line 1008-1025: The code stores per-request state in struct flb_splunk
fields current_remote_addr/current_remote_addr_len; instead, resolve the remote
address into local variables and pass them as explicit parameters to downstream
functions (e.g., change calls that currently rely on ctx->current_remote_addr to
accept (remote_addr, remote_addr_len)), update extract_remote_address usage to
populate local vars, and modify process_hec_raw_payload and any other functions
invoked from the two handlers to accept the new parameters and use them instead
of ctx fields; remove setting/clearing of ctx->current_remote_addr and
ctx->current_remote_addr_len and ensure all call sites are updated to pass the
address/length through the call stack.
- Around line 424-428: The function process_flb_log_append currently declares
parameters remote_addr and remote_addr_len but reads ctx->current_remote_addr
and ctx->current_remote_addr_len instead; update the function body (locations
where ctx->current_remote_addr / ctx->current_remote_addr_len are used, e.g.,
around the existing lines ~484–486) to use the passed-in remote_addr and
remote_addr_len parameters instead so the signature is actually used, and remove
any compiler-warning workarounds if present; ensure callers already pass the
correct values (no caller changes needed if they do).
- Around line 162-227: http2 header values from nghttp2 are transient and are
being stored as dangling pointers; update the HTTP/2 handling so header values
are duplicated before storing: in the code path where http2 headers are added
(see http2_header_callback and calls to flb_http_request_set_header) allocate
and pass an owned copy of value (e.g. use cfl_sds_create_len or equivalent
strdup-like allocator used for "host"/"content-type") instead of the raw nghttp2
buffer; alternatively modify flb_http_request_set_header to always duplicate the
supplied value when request type is HTTP/2 (so flb_http_request_get_header
returns a stable pointer later). Ensure the duplicated buffer length is used
(not strlen on temporary buffer) and free the copy when the request is torn
down.

🧹 Nitpick comments (2)

plugins/in_splunk/splunk_prot.c (1)

265-290: Const-correctness: extract_remote_address assigns const char * to char **out.

value is declared const char * (line 271) and flb_connection_get_remote_address also returns const char * (line 277), but the output parameter out is char **. This silently drops the const qualifier, potentially allowing callers to modify read-only memory. Consider changing out to const char **.

tests/runtime/in_splunk.c (1)

30-30: Relative include path for plugin internal header.

#include "../../plugins/in_splunk/splunk_prot.h" is fragile and will break if the test file moves. This is a minor concern but consistent with how other plugin tests in this repo reference internal headers.