Splunk HEC only accepts flat JSON object (not nested) #17308
Comments
hvaghani221
added
bug
|
Pinging code owners for receiver/splunkhec: @atoulme @keitwb. See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
Pinging code owners for exporter/splunkhec: @atoulme @dmitryax. See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
Thank you for finding this bug! |
|
@atoulme, I am thinking of fixing this bug later this week. For the receiver, it should return the same error as an actual Splunk HEC does.
Please share your thoughts. |
|
can this issue be assigned to you? @atoulme |
@fatsheep9146 please feel free to assign to me, but it looks like @harshit-splunk is the one doing the work. It should probably go to him. |
|
ok, I assigned this to @harshit-splunk |
We can serialise nested arrays, but not sure about the map. AFAIK, Splunk will not populate search-time fields from the indexed field if the indexed field contains any serialised map. User has to write their own field extraction logic in splunk. |
|
Could we flatten the map, prefixing with the top key? |
atoulme
added
priority:p2
Yes, that's what I am going to do. |
|
Closing as fixed. |
Component(s)
exporter/splunkhec, receiver/splunkhec
What happened?
Description
According to the Splunk HEC doc,
fieldskey specifies a JSON object that contains a flat (not nested) list of explicit custom fields to be defined at index time.Steps to Reproduce
Execute the following curl request
It throws this error
{"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}The implementation of the splunkhec exporter and receiver doesn't handle it explicitly. It can lead to unexpected failure/invalid behaviour in both the exporter/receiver
Collector version
v0.67.0
Environment information
No response
OpenTelemetry Collector configuration
No response
Log output
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: