Document Splunk HEC metadata and raw endpoint support #278
Merged
mavam merged 2 commits into topic/new-executor (Apr 28, 2026)
Update the to_splunk reference with the neo event metadata options, raw endpoint behavior, and examples for time, fields, and raw events.
Update the to_splunk reference to describe raw HEC mode through the mutually exclusive raw expression instead of the removed endpoint option.
IyeOnline approved these changes Apr 28, 2026
mavam added a commit to tenzir/tenzir that referenced this pull request Apr 28, 2026
## 🔍 Problem
- The neo `to_splunk` path could only send HEC event envelopes.
- Users could not set HEC `_time`, attach indexed HEC fields, or send
already-formatted log text to Splunk's raw HEC endpoint.
- Raw HEC metadata is request-level, so batching has to respect metadata
changes.
- The legacy `to_splunk` implementation should remain untouched.
## 🛠️ Solution
- Add neo `to_splunk` support for `time=...` and event-mode
`fields={...}`.
- Keep HEC event envelopes as the default; `event=...` selects the
envelope payload and defaults to `this`.
- Add raw HEC mode with the mutually exclusive `raw=<string>` option
instead of an endpoint selector.
- Send raw events to `/services/collector/raw` with request-level
metadata query parameters and a generated request channel.
- Split adjacent raw batches when request metadata changes, preserve raw
pending events across compression failures, and keep raw metadata
aligned when null raw rows are skipped.
- Add validation tests, live Splunk coverage, and a changelog entry.
## 💬 Review
- Check the final `event=` / `raw=` UX and validation behavior.
- Check raw batching around metadata changes and null raw rows.
- Check `time` and `fields` validation, warning, and omission behavior.
- The `contrib/tenzir-plugins` submodule points at the companion plugin
commit on `tenzir/tenzir-plugins:topic/to-splunk-improvements`.
<sub>
🧩 Plugin PR: tenzir/tenzir-plugins#520<br>
📚 Docs PR: tenzir/docs#278<br>
✅ Closes TNZ-517, TNZ-518, TNZ-519
</sub>
## 🔍 Problem
- `to_splunk` reference did not cover the new HEC metadata options or raw endpoint mode from the code PR.
- `_time`, indexed HEC fields, and raw event ingestion.
- `raw=...` API instead of the earlier endpoint-selector draft.
## 🛠️ Solution
- `to_splunk` signature and option descriptions for `event`, `raw`, `time`, and `fields`.
- `event=...` selects the envelope payload, and `raw=<string>` selects raw HEC mode.
- `event=...` and `raw=...` are mutually exclusive.
- `fields` is not supported with `raw=...`.
## 💬 Review
- Check that the raw endpoint wording makes request-level metadata clear.
- Check that the examples use the final `raw=...` UX.
- Check that the examples match the neo `to_splunk` behavior in Add Splunk HEC metadata and raw endpoint support tenzir#6074 and tenzir/tenzir-plugins#520.
🛠️ Code PR: tenzir/tenzir#6074
🧩 Plugin PR: tenzir/tenzir-plugins#520
🎫 References TNZ-517, TNZ-518, TNZ-519
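The raw-endpoint batching rules the Solution bullets describe (request-level metadata as query parameters, a generated request channel per request, a split when adjacent metadata changes, null raw rows skipped without disturbing their neighbours' metadata), modelled here as an added Python example that is not the operator's own code. The set of metadata keys forwarded as query parameters (`time`, `host`, `source`, `sourcetype`, `index`), the `splunk.example` base URL and the `<HEC_TOKEN>` placeholder are assumptions.

```python
"""Illustrative model of raw-HEC batching (not the to_splunk operator's code)."""
import uuid
from dataclasses import dataclass, field
from urllib.parse import urlencode

RAW_PATH = "/services/collector/raw"
# Assumed set of request-level metadata forwarded as query parameters.
META_KEYS = ("time", "host", "source", "sourcetype", "index")


@dataclass
class RawBatch:
    metadata: dict
    lines: list = field(default_factory=list)
    # One generated request channel per batch, sent as X-Splunk-Request-Channel.
    channel: str = field(default_factory=lambda: str(uuid.uuid4()))


def batch_raw_rows(rows):
    """Group rows ({"raw": str|None, "host": ..., ...}) into raw-endpoint batches.

    Adjacent rows with identical metadata share one batch; a metadata change
    starts a new batch; a null raw row is skipped and triggers no split.
    """
    batches = []
    for row in rows:
        if row.get("raw") is None:
            continue
        meta = {k: row[k] for k in META_KEYS if row.get(k) is not None}
        if not batches or batches[-1].metadata != meta:
            batches.append(RawBatch(metadata=meta))
        batches[-1].lines.append(row["raw"])
    return batches


def render_request(batch, base_url, hec_token):
    """Build URL, headers and newline-joined body for one POST to the raw endpoint."""
    query = urlencode(batch.metadata)
    url = base_url.rstrip("/") + RAW_PATH + (f"?{query}" if query else "")
    headers = {"Authorization": f"Splunk {hec_token}",
               "X-Splunk-Request-Channel": batch.channel}
    return {"url": url, "headers": headers, "body": "\n".join(batch.lines)}


# Constructed sample rows: two hosts, with a null raw row in the middle.
SAMPLE_ROWS = [
    {"raw": "<34>Oct 11 22:14:15 web1 su: 'su root' failed", "host": "web1"},
    {"raw": None, "host": "web2"},  # skipped; must not break the web1 batch
    {"raw": "<34>Oct 11 22:14:16 web1 su: 'su root' failed", "host": "web1"},
    {"raw": "<38>Oct 11 22:15:01 web2 sshd: Accepted publickey", "host": "web2"},
]
```

Running `batch_raw_rows(SAMPLE_ROWS)` yields two batches (web1 with two lines, then web2 with one), which is the alignment the Solution bullets require when a null raw row sits between rows that share metadata.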