Bug
Resolution: Done
Major
Logging 6.3.0
Product / Portfolio Work
Release Note Not Required
Log Collection - Sprint 271, Log Collection - Sprint 272
Description of problem:
The Splunk event host should be the origin hostname, but when payloadKey is defined, it is the Splunk server address.
How reproducible:
Always
Steps to Reproduce:
- Use payloadKey=.message in CLF
apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: collector
spec:
  managementState: Managed
  outputs:
  - name: splunk-hec
    splunk:
      authentication:
        token:
          key: hecToken
          secretName: to-splunk-secret
      payloadKey: .message
      source: '{.log_source||.log_type||"logcollector"}'
      url: http://splunk-default-service.splunk-aosqe.svc:8088
    type: splunk
  pipelines:
  - inputRefs:
    - application
    name: pipe1
    outputRefs:
    - splunk-hec
  serviceAccount:
    name: logcollector
- Check the host in event.
Actual results:
The host is the Splunk server address (splunk-default-service.splunk-aosqe.svc:8088)
{
"_bkt": "main~0~1571D407-55A0-48CF-B3DA-E1CD94DAF244",
"_cd": "0:104798",
"_indextime": "1748486775",
"_raw": "{\"message\":\"ㄅㄉˇˋㄓˊ˙ㄚㄞㄢㄦㄆ 中国 883.317µs ā á ǎ à ō ó ▅ ▆ ▇ █ 々\"}",
"_serial": "0",
"_si": [
"splunk-default-0",
"main"
],
"_sourcetype": "generic_single_line",
"_time": "2025-05-29T02:46:15.000+00:00",
"host": "splunk-default-service.splunk-aosqe.svc:8088",
"index": "main",
"linecount": "1",
"source": "container",
"sourcetype": "generic_single_line",
"splunk_server": "splunk-default-0"
}
Expected results:
The host is the origin hostname (ip-10-0-38-10.us-east-2.compute.internal)
{
"_bkt": "main~0~1571D407-55A0-48CF-B3DA-E1CD94DAF244",
"_cd": "0:106308",
"_indextime": "1748486894",
"_raw": "
",
"_serial": "0",
"_si": [
"splunk-default-0",
"main"
],
"_sourcetype": "generic_single_line",
"_subsecond": ".771",
"_time": "2025-05-29T02:48:13.771+00:00",
"host": "ip-10-0-38-10.us-east-2.compute.internal",
"index": "main",
"linecount": "1",
"source": "container",
"sourcetype": "generic_single_line",
"splunk_server": "splunk-default-0"
}
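An added check, not part of the original report or the project's code, for finding already-indexed events that carry the symptom above: it derives the HEC endpoint names from the splunk output URL in the ClusterLogForwarder and flags exported events whose host equals one of them. The export format (one JSON object per line), the function names and the trimmed sample events are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

# spec.outputs from the ClusterLogForwarder in this report, as a Python structure.
CLF_OUTPUTS = [{
    "name": "splunk-hec",
    "type": "splunk",
    "splunk": {
        "payloadKey": ".message",
        "url": "http://splunk-default-service.splunk-aosqe.svc:8088",
    },
}]

# Constructed sample: the two events from this report, trimmed to the fields used.
EXPORTED_EVENTS = """
{"_time": "2025-05-29T02:46:15.000+00:00", "host": "splunk-default-service.splunk-aosqe.svc:8088", "source": "container"}
{"_time": "2025-05-29T02:48:13.771+00:00", "host": "ip-10-0-38-10.us-east-2.compute.internal", "source": "container"}
"""


def hec_endpoints(outputs):
    """Return the host and host:port forms of every splunk output URL."""
    names = set()
    for out in outputs:
        if out.get("type") != "splunk":
            continue
        url = urlsplit(out["splunk"]["url"])
        if not url.hostname:
            continue
        # Fall back to the scheme's default port when the URL omits one.
        port = url.port or (443 if url.scheme == "https" else 80)
        names.update({url.hostname, f"{url.hostname}:{port}"})
    return names


def misattributed(lines, endpoints):
    """Return events whose host is a HEC endpoint rather than an origin node."""
    flagged = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if str(event.get("host", "")).lower() in endpoints:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for ev in misattributed(EXPORTED_EVENTS, hec_endpoints(CLF_OUTPUTS)):
        print(f'{ev["_time"]} host={ev["host"]} is the HEC endpoint, not the origin node')
```

Events flagged this way have lost their origin node in the host field, so any host-based correlation or alerting over that time window should be treated as incomplete for them.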