OBSDA-735 - Honor splunk Event metadata keys
Issue type: Epic
Epic name: Splunk Event Metadata
Future Sustainability
Priority: Normal
Status: Done
Resolution: Done
Components: Administer, API, Release Notes
Progress: 0% To Do, 0% In Progress, 100% Done
This enhancement defines the default values the log forwarder uses for the Splunk event metadata keys (index, indexed fields, source, and the message payload key) based on the log type, and adds the capability for users to override those defaults.
-
Enhancement
-
S
Goals
- Use Splunk event metadata keys when forwarding
- Define "default" values for the metadata keys when none are specified
- Allow admins to specify metadata keys using the established ClusterLogForwarder patterns (templating and field paths)
Non-Goals
- Allowing users to fully manipulate event payloads
Motivation
Splunk is a commonly used log aggregation service with a well-defined API for making use of its feature set. Users wish to take full advantage of these features (e.g. optimized indexing, faster searching), but the ClusterLogForwarder needs to expose additional configuration for them to do so.
Alternatives
Acceptance Criteria
- Verify the Collector sets `host` when forwarding logs
- Verify the ClusterLogForwarder API has fields that allow setting `source` and `payloadKey` using the ClusterLogForwarder templating
- Verify the ClusterLogForwarder API allows setting `index_fields` using path syntax (without templating)
- Verify `sourcetype` is populated with a value based upon the data type of the `payloadKey` value
- Verify the Collector sets `host`, `source`, and `sourcetype` with Red Hat defaults when they are not otherwise specified in the ClusterLogForwarder
- Verify the Collector forwards logs with the desired data when the metadata fields are set in the API
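The following is an added example, not code from the cluster-logging-operator or the collector, that models how a Splunk output could resolve the HEC metadata described in the description and the acceptance criteria above (host, source, sourcetype, index, indexed fields, payload) from a ClusterLogForwarder-style output spec, with defaults applied when a key is not specified. Everything beyond what the page states is an assumption: the template syntax `{.path||"fallback"}`, the spec key names (`index`, `source`, `payloadKey`, `indexedFields`; the page calls the last one `index_fields`), the default source being the record's `log_type`, `host` coming from the record's `hostname`, and the default `sourcetype` being `_json` for an object payload and `generic_single_line` for a string payload. The log record is a constructed sample.

```python
"""Model of Splunk HEC metadata resolution for a forwarder output (added example;
not the operator's or collector's code). All defaults and key names here are
assumptions made for illustration."""
import json
import re
from typing import Any

# Assumed template syntax: {.dotted.path||"fallback"}; fallback is optional.
TEMPLATE_RE = re.compile(r'\{(\.[A-Za-z0-9_.]+)(?:\|\|"([^"]*)")?\}')
# Assumed bare path syntax for indexedFields: .a.b (no braces, no templating).
PATH_RE = re.compile(r'^\.[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*$')


def lookup(record: dict, path: str) -> Any:
    """Resolve a dotted path such as `.kubernetes.namespace_name` in the record."""
    node: Any = record
    for part in path.lstrip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render_template(template: str, record: dict) -> str:
    """Replace each `{.path||"fallback"}` with the scalar value at that path,
    or the fallback (empty string if none) when the value is missing or not a scalar."""
    def sub(m: re.Match) -> str:
        value = lookup(record, m.group(1))
        if value is None or isinstance(value, (dict, list)):
            return m.group(2) or ""
        return str(value)
    return TEMPLATE_RE.sub(sub, template)


def default_sourcetype(payload: Any) -> str:
    """Assumed default: object payloads are `_json`, anything else is a single line."""
    return "_json" if isinstance(payload, dict) else "generic_single_line"


def build_hec_event(spec: dict, record: dict) -> dict:
    """Build the HEC envelope for one record from an output spec whose keys
    (index, source, payloadKey, indexedFields) are all optional."""
    # payloadKey: a single {.path}; missing key or missing value => whole record.
    event: Any = record
    payload_key = spec.get("payloadKey")
    if payload_key:
        m = TEMPLATE_RE.fullmatch(payload_key)
        if not m:
            raise ValueError(f"payloadKey must be a single {{.path}}: {payload_key!r}")
        found = lookup(record, m.group(1))
        event = record if found is None else found

    # indexedFields: bare paths only; reject template syntax rather than ship a
    # literal "{...}" key to Splunk. Missing or non-scalar values are skipped.
    fields: dict = {}
    for path in spec.get("indexedFields", []):
        if not PATH_RE.match(path):
            raise ValueError(f"indexedFields entry is not a bare path: {path!r}")
        value = lookup(record, path)
        if value is not None and not isinstance(value, (dict, list)):
            fields[path.lstrip(".")] = value

    hec = {
        "host": lookup(record, ".hostname") or "unknown",
        "source": (render_template(spec["source"], record) if spec.get("source")
                   else str(record.get("log_type", "unknown"))),
        "sourcetype": default_sourcetype(event),
        "event": event,
    }
    index = render_template(spec["index"], record) if spec.get("index") else ""
    if index:  # leave unset so the HEC token's default index applies
        hec["index"] = index
    if fields:
        hec["fields"] = fields
    return hec


# Constructed sample record shaped like a forwarder application log.
SAMPLE_RECORD = {
    "log_type": "application",
    "hostname": "worker-0",
    "message": '{"level":"info","msg":"login ok"}',
    "kubernetes": {"namespace_name": "payments", "container_name": "api",
                   "pod_name": "api-1"},
    "structured": {"level": "info", "msg": "login ok"},
}

# Spec overriding every default; ".missing.field" shows a missing path is skipped.
OVERRIDE_SPEC = {
    "index": '{.kubernetes.namespace_name||"none"}-{.log_type||"none"}',
    "source": '{.kubernetes.container_name||"unknown"}',
    "payloadKey": "{.structured}",
    "indexedFields": [".kubernetes.namespace_name", ".kubernetes.pod_name",
                      ".missing.field"],
}

if __name__ == "__main__":
    print("defaults:", json.dumps(build_hec_event({}, SAMPLE_RECORD)))
    print("overrides:", json.dumps(build_hec_event(OVERRIDE_SPEC, SAMPLE_RECORD)))
```

With the empty spec the whole record is the event, so `sourcetype` resolves to `_json`; pointing `payloadKey` at the string `message` field changes it to `generic_single_line`, which is the data-type-driven behaviour the fourth acceptance criterion asks to verify. Rejecting template syntax in `indexedFields` at validation time is the check worth keeping: a templated entry that slipped through would otherwise be sent to Splunk as a literal key.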
Risk and Assumptions
Documentation Considerations
- Update API docs
- Document the default behavior when nothing is specified