Issue type: Epic
Resolution: Unresolved
Priority: Normal
Goals
- Use Splunk metadata keys when forwarding
- Define "default" values for the metadata keys when none are specified
- Allow admins to specify metadata keys using established patterns for ClusterLogForwarder
Non-Goals
- Allowing users to fully manipulate event payloads
Motivation
Splunk is a commonly used log aggregation service that has a well-defined API to make use of its feature set. Users wish to take full advantage of these features (e.g. optimized indexing, faster searching) but need the ClusterLogForwarder to expose additional configuration.
Alternatives
Acceptance Criteria
- Verify the Collector sets the `host` when forwarding logs
- Verify the ClusterLogForwarder API has fields that allow setting `source` and `index_fields` using the ClusterLogForwarder templating
- Verify the Collector sets `host`, `source`, `sourcetype` with Red Hat "defaults" when not otherwise specified in the ClusterLogForwarder
- Verify the Collector forwards logs with the desired data when the metadata fields are set in the API
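As an added illustration (not the collector's or the ClusterLogForwarder API's own code), the snippet below resolves per-field templates of the form `{.path||"fallback"}` against a log record and fills in defaults for unset Splunk HEC metadata keys. The template syntax is assumed to mirror the ClusterLogForwarder templating mentioned above, and the default values are placeholders because the epic does not state the Red Hat defaults; `index_fields` is not modeled.

```python
import re

# Splunk HEC metadata keys the collector may set on each event.
HEC_METADATA_KEYS = ("host", "source", "sourcetype", "index")

# Placeholder defaults: the epic calls for "Red Hat defaults" but does not state them.
DEFAULTS = {"host": "unknown-host", "source": "openshift", "sourcetype": "_json"}

# Matches '{.path.to.field}' with an optional '||"fallback"' suffix (assumed syntax).
TEMPLATE_RE = re.compile(r'^\{\.([A-Za-z0-9_.]+)(?:\|\|"([^"]*)")?\}$')


def resolve(template, event):
    """Resolve a template against an event dict.
    Plain strings are returned unchanged; a template whose path is missing
    yields its fallback, or None when no fallback was given."""
    m = TEMPLATE_RE.match(template)
    if not m:
        return template
    path, fallback = m.group(1), m.group(2)
    value = event
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return fallback
        value = value[part]
    return value if isinstance(value, str) else str(value)


def build_hec_event(event, spec):
    """Build the HEC payload: an explicit spec value wins, then the record's
    own hostname for `host`, then the placeholder default; `index` has no
    default and is omitted when unset."""
    payload = {}
    for key in HEC_METADATA_KEYS:
        if key in spec:
            val = resolve(spec[key], event)
            if val is not None:
                payload[key] = val
                continue
        if key == "host" and "hostname" in event:
            payload["host"] = event["hostname"]
        elif key in DEFAULTS:
            payload[key] = DEFAULTS[key]
    payload["event"] = event
    return payload


# Constructed sample record shaped like a collector log event (not real data).
SAMPLE_EVENT = {"hostname": "worker-0", "log_type": "application",
                "kubernetes": {"namespace_name": "payments", "pod_name": "api-1"},
                "message": "request served"}
```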
Risk and Assumptions
Documentation Considerations
- Update API docs
- Document the default behavior when nothing is specified
Open Questions
Additional Notes
- Is blocked by: LOG-6734 [spike] Investigate Splunk event metadata keys (In Progress)