summaryrefslogtreecommitdiffstats
path: root/fluent-bit/plugins/out_splunk
diff options
context:
space:
mode:
Diffstat (limited to 'fluent-bit/plugins/out_splunk')
-rw-r--r--fluent-bit/plugins/out_splunk/CMakeLists.txt6
-rw-r--r--fluent-bit/plugins/out_splunk/splunk.c873
-rw-r--r--fluent-bit/plugins/out_splunk/splunk.h119
-rw-r--r--fluent-bit/plugins/out_splunk/splunk_conf.c313
-rw-r--r--fluent-bit/plugins/out_splunk/splunk_conf.h29
5 files changed, 0 insertions, 1340 deletions
diff --git a/fluent-bit/plugins/out_splunk/CMakeLists.txt b/fluent-bit/plugins/out_splunk/CMakeLists.txt
deleted file mode 100644
index da66bca70..000000000
--- a/fluent-bit/plugins/out_splunk/CMakeLists.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-set(src
- splunk_conf.c
- splunk.c
- )
-
-FLB_PLUGIN(out_splunk "${src}" "")
diff --git a/fluent-bit/plugins/out_splunk/splunk.c b/fluent-bit/plugins/out_splunk/splunk.c
deleted file mode 100644
index d9c28380a..000000000
--- a/fluent-bit/plugins/out_splunk/splunk.c
+++ /dev/null
@@ -1,873 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-
-/* Fluent Bit
- * ==========
- * Copyright (C) 2015-2022 The Fluent Bit Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <fluent-bit/flb_output_plugin.h>
-#include <fluent-bit/flb_http_client.h>
-#include <fluent-bit/flb_pack.h>
-#include <fluent-bit/flb_utils.h>
-#include <fluent-bit/flb_mp.h>
-#include <fluent-bit/flb_time.h>
-#include <fluent-bit/flb_gzip.h>
-#include <fluent-bit/flb_ra_key.h>
-#include <fluent-bit/flb_metrics.h>
-#include <fluent-bit/flb_log_event_decoder.h>
-
-#include <msgpack.h>
-#include "splunk.h"
-#include "splunk_conf.h"
-
-static int cb_splunk_init(struct flb_output_instance *ins,
- struct flb_config *config, void *data)
-{
- struct flb_splunk *ctx;
-
- ctx = flb_splunk_conf_create(ins, config);
- if (!ctx) {
- flb_plg_error(ins, "configuration failed");
- return -1;
- }
-
- flb_output_set_context(ins, ctx);
-
- /*
- * This plugin instance uses the HTTP client interface, let's register
- * it debugging callbacks.
- */
- flb_output_set_http_debug_callbacks(ins);
- return 0;
-}
-
-static int pack_map_meta(struct flb_splunk *ctx,
- struct flb_mp_map_header *mh,
- msgpack_packer *mp_pck,
- msgpack_object map,
- char *tag, int tag_len)
-{
- int index_key_set = FLB_FALSE;
- int sourcetype_key_set = FLB_FALSE;
- flb_sds_t str;
- struct mk_list *head;
- struct flb_splunk_field *f;
- struct flb_mp_map_header mh_fields;
- struct flb_ra_value *rval;
-
- /* event host */
- if (ctx->event_host) {
- str = flb_ra_translate(ctx->ra_event_host, tag, tag_len,
- map, NULL);
- if (str) {
- if (flb_sds_len(str) > 0) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_HOST) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_HOST,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_HOST) - 1);
- msgpack_pack_str(mp_pck, flb_sds_len(str));
- msgpack_pack_str_body(mp_pck, str, flb_sds_len(str));
- }
- flb_sds_destroy(str);
- }
- }
-
- /* event source */
- if (ctx->event_source) {
- str = flb_ra_translate(ctx->ra_event_source, tag, tag_len,
- map, NULL);
- if (str) {
- if (flb_sds_len(str) > 0) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCE) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_SOURCE,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCE) - 1);
- msgpack_pack_str(mp_pck, flb_sds_len(str));
- msgpack_pack_str_body(mp_pck, str, flb_sds_len(str));
- }
- flb_sds_destroy(str);
- }
- }
-
- /* event sourcetype (key lookup) */
- if (ctx->event_sourcetype_key) {
- str = flb_ra_translate(ctx->ra_event_sourcetype_key, tag, tag_len,
- map, NULL);
- if (str) {
- /* sourcetype_key was found */
- if (flb_sds_len(str) > 0) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCET) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_SOURCET,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCET) - 1);
- msgpack_pack_str(mp_pck, flb_sds_len(str));
- msgpack_pack_str_body(mp_pck, str, flb_sds_len(str));
- sourcetype_key_set = FLB_TRUE;
- }
- flb_sds_destroy(str);
- }
- /* If not found, it will fallback to the value set in event_sourcetype */
- }
-
- if (sourcetype_key_set == FLB_FALSE && ctx->event_sourcetype) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCET) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_SOURCET,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_SOURCET) - 1);
- msgpack_pack_str(mp_pck, flb_sds_len(ctx->event_sourcetype));
- msgpack_pack_str_body(mp_pck,
- ctx->event_sourcetype, flb_sds_len(ctx->event_sourcetype));
- }
-
- /* event index (key lookup) */
- if (ctx->event_index_key) {
- str = flb_ra_translate(ctx->ra_event_index_key, tag, tag_len,
- map, NULL);
- if (str) {
- /* sourcetype_key was found */
- if (flb_sds_len(str) > 0) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_INDEX) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_INDEX,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_INDEX) - 1);
- msgpack_pack_str(mp_pck, flb_sds_len(str));
- msgpack_pack_str_body(mp_pck, str, flb_sds_len(str));
- index_key_set = FLB_TRUE;
- }
- flb_sds_destroy(str);
- }
- /* If not found, it will fallback to the value set in event_index */
- }
-
- if (index_key_set == FLB_FALSE && ctx->event_index) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_INDEX) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_INDEX,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_INDEX) - 1);
- msgpack_pack_str(mp_pck, flb_sds_len(ctx->event_index));
- msgpack_pack_str_body(mp_pck,
- ctx->event_index, flb_sds_len(ctx->event_index));
- }
-
- /* event 'fields' */
- if (mk_list_size(&ctx->fields) > 0) {
- flb_mp_map_header_append(mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT_FIELDS) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT_FIELDS,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT_FIELDS) - 1);
-
- /* Pack map */
- flb_mp_map_header_init(&mh_fields, mp_pck);
-
- mk_list_foreach(head, &ctx->fields) {
- f = mk_list_entry(head, struct flb_splunk_field, _head);
- rval = flb_ra_get_value_object(f->ra, map);
- if (!rval) {
- continue;
- }
-
- flb_mp_map_header_append(&mh_fields);
-
- /* key */
- msgpack_pack_str(mp_pck, flb_sds_len(f->key_name));
- msgpack_pack_str_body(mp_pck, f->key_name, flb_sds_len(f->key_name));
-
- /* value */
- msgpack_pack_object(mp_pck, rval->o);
- flb_ra_key_value_destroy(rval);
- }
- flb_mp_map_header_end(&mh_fields);
- }
-
- return 0;
-}
-
-static int pack_map(struct flb_splunk *ctx, msgpack_packer *mp_pck,
- struct flb_time *tm, msgpack_object map,
- char *tag, int tag_len)
-{
- int i;
- double t;
- int map_size;
- msgpack_object k;
- msgpack_object v;
- struct flb_mp_map_header mh;
-
- t = flb_time_to_double(tm);
- map_size = map.via.map.size;
-
- if (ctx->splunk_send_raw == FLB_TRUE) {
- msgpack_pack_map(mp_pck, map_size /* all k/v */);
- }
- else {
- flb_mp_map_header_init(&mh, mp_pck);
-
- /* Append the time key */
- flb_mp_map_header_append(&mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_TIME) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_TIME,
- sizeof(FLB_SPLUNK_DEFAULT_TIME) - 1);
- msgpack_pack_double(mp_pck, t);
-
- /* Pack Splunk metadata */
- pack_map_meta(ctx, &mh, mp_pck, map, tag, tag_len);
-
- /* Add k/v pairs under the key 'event' instead of to the top level object */
- flb_mp_map_header_append(&mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT) - 1);
-
- flb_mp_map_header_end(&mh);
-
- msgpack_pack_map(mp_pck, map_size);
- }
-
- /* Append k/v */
- for (i = 0; i < map_size; i++) {
- k = map.via.map.ptr[i].key;
- v = map.via.map.ptr[i].val;
-
- msgpack_pack_object(mp_pck, k);
- msgpack_pack_object(mp_pck, v);
- }
-
- return 0;
-}
-
-
-static inline int pack_event_key(struct flb_splunk *ctx, msgpack_packer *mp_pck,
- struct flb_time *tm, msgpack_object map,
- char *tag, int tag_len)
-{
- double t;
- struct flb_mp_map_header mh;
- flb_sds_t val;
-
- t = flb_time_to_double(tm);
- val = flb_ra_translate(ctx->ra_event_key, tag, tag_len, map, NULL);
- if (!val || flb_sds_len(val) == 0) {
- if (val != NULL) {
- flb_sds_destroy(val);
- }
-
- return -1;
- }
-
- if (ctx->splunk_send_raw == FLB_FALSE) {
- flb_mp_map_header_init(&mh, mp_pck);
-
- /* Append the time key */
- flb_mp_map_header_append(&mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_TIME) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_TIME,
- sizeof(FLB_SPLUNK_DEFAULT_TIME) - 1);
- msgpack_pack_double(mp_pck, t);
-
- /* Pack Splunk metadata */
- pack_map_meta(ctx, &mh, mp_pck, map, tag, tag_len);
-
- /* Add k/v pairs under the key 'event' instead of to the top level object */
- flb_mp_map_header_append(&mh);
- msgpack_pack_str(mp_pck, sizeof(FLB_SPLUNK_DEFAULT_EVENT) -1);
- msgpack_pack_str_body(mp_pck,
- FLB_SPLUNK_DEFAULT_EVENT,
- sizeof(FLB_SPLUNK_DEFAULT_EVENT) - 1);
-
- flb_mp_map_header_end(&mh);
- }
-
- msgpack_pack_str(mp_pck, flb_sds_len(val));
- msgpack_pack_str_body(mp_pck, val, flb_sds_len(val));
- flb_sds_destroy(val);
-
- return 0;
-}
-
-#ifdef FLB_HAVE_METRICS
-static inline int splunk_metrics_format(struct flb_output_instance *ins,
- const void *in_buf, size_t in_bytes,
- char **out_buf, size_t *out_size,
- struct flb_splunk *ctx)
-{
- int ret;
- size_t off = 0;
- cfl_sds_t text;
- cfl_sds_t host;
- struct cmt *cmt = NULL;
-
- if (ctx->event_host != NULL) {
- host = ctx->event_host;
- }
- else {
- host = "localhost";
- }
-
- /* get cmetrics context */
- ret = cmt_decode_msgpack_create(&cmt, (char *) in_buf, in_bytes, &off);
- if (ret != 0) {
- flb_plg_error(ins, "could not process metrics payload");
- return -1;
- }
-
- /* convert to text representation */
- text = cmt_encode_splunk_hec_create(cmt, host, ctx->event_index, ctx->event_source, ctx->event_sourcetype);
-
- /* destroy cmt context */
- cmt_destroy(cmt);
-
- *out_buf = text;
- *out_size = flb_sds_len(text);
-
- return 0;
-}
-#endif
-
-static inline int splunk_format(const void *in_buf, size_t in_bytes,
- char *tag, int tag_len,
- char **out_buf, size_t *out_size,
- struct flb_splunk *ctx)
-{
- int ret;
- msgpack_object map;
- msgpack_sbuffer mp_sbuf;
- msgpack_packer mp_pck;
- char *err;
- flb_sds_t tmp;
- flb_sds_t record;
- flb_sds_t json_out;
- struct flb_log_event_decoder log_decoder;
- struct flb_log_event log_event;
-
- json_out = flb_sds_create_size(in_bytes * 1.5);
- if (!json_out) {
- flb_errno();
- return -1;
- }
-
- ret = flb_log_event_decoder_init(&log_decoder, (char *) in_buf, in_bytes);
-
- if (ret != FLB_EVENT_DECODER_SUCCESS) {
- flb_plg_error(ctx->ins,
- "Log event decoder initialization error : %d", ret);
-
- flb_sds_destroy(json_out);
-
- return -1;
- }
-
- while ((ret = flb_log_event_decoder_next(
- &log_decoder,
- &log_event)) == FLB_EVENT_DECODER_SUCCESS) {
-
- /* Create temporary msgpack buffer */
- msgpack_sbuffer_init(&mp_sbuf);
- msgpack_packer_init(&mp_pck, &mp_sbuf, msgpack_sbuffer_write);
-
- map = *log_event.body;
-
- if (ctx->event_key) {
- /* Pack the value of a event key */
- ret = pack_event_key(ctx, &mp_pck, &log_event.timestamp, map, tag, tag_len);
- if (ret != 0) {
- /*
- * if pack_event_key fails due to missing content in the
- * record, we just warn the user and try to pack it
- * as a normal map.
- */
- ret = pack_map(ctx, &mp_pck, &log_event.timestamp, map, tag, tag_len);
- }
- }
- else {
- /* Pack as a map */
- ret = pack_map(ctx, &mp_pck, &log_event.timestamp, map, tag, tag_len);
- }
-
- /* Validate packaging */
- if (ret != 0) {
- /* Format invalid record */
- err = flb_msgpack_to_json_str(2048, &map);
- if (err) {
- /* Print error and continue processing other records */
- flb_plg_warn(ctx->ins, "could not process or pack record: %s", err);
- msgpack_sbuffer_destroy(&mp_sbuf);
- flb_free(err);
- }
- continue;
- }
-
- /* Format as JSON */
- record = flb_msgpack_raw_to_json_sds(mp_sbuf.data, mp_sbuf.size);
- if (!record) {
- flb_errno();
- msgpack_sbuffer_destroy(&mp_sbuf);
- flb_log_event_decoder_destroy(&log_decoder);
- flb_sds_destroy(json_out);
- return -1;
- }
-
- /* On raw mode, append a breakline to every record */
- if (ctx->splunk_send_raw) {
- tmp = flb_sds_cat(record, "\n", 1);
- if (tmp) {
- record = tmp;
- }
- }
-
- tmp = flb_sds_cat(json_out, record, flb_sds_len(record));
- flb_sds_destroy(record);
- if (tmp) {
- json_out = tmp;
- }
- else {
- flb_errno();
- msgpack_sbuffer_destroy(&mp_sbuf);
- flb_log_event_decoder_destroy(&log_decoder);
- flb_sds_destroy(json_out);
- return -1;
- }
- msgpack_sbuffer_destroy(&mp_sbuf);
- }
-
- *out_buf = json_out;
- *out_size = flb_sds_len(json_out);
-
- flb_log_event_decoder_destroy(&log_decoder);
-
- return 0;
-}
-
-static void debug_request_response(struct flb_splunk *ctx,
- struct flb_http_client *c)
-{
- int ret;
- int uncompressed = FLB_FALSE;
- time_t now;
- void *tmp_buf = NULL;
- size_t tmp_size;
- size_t req_size;
- char *req_buf = NULL;
- struct tm result;
- struct tm *current;
- unsigned char *ptr;
- flb_sds_t req_headers = NULL;
- flb_sds_t req_body = NULL;
-
- if (c->body_len > 3) {
- ptr = (unsigned char *) c->body_buf;
- if (ptr[0] == 0x1F && ptr[1] == 0x8B && ptr[2] == 0x08) {
- /* uncompress payload */
- ret = flb_gzip_uncompress((void *) c->body_buf, c->body_len,
- &tmp_buf, &tmp_size);
- if (ret == -1) {
- fprintf(stdout, "[out_splunk] could not uncompress data\n");
- }
- else {
- req_buf = (char *) tmp_buf;
- req_size = tmp_size;
- uncompressed = FLB_TRUE;
- }
- }
- else {
- req_buf = (char *) c->body_buf;
- req_size = c->body_len;
- }
-
- /* create a safe buffer */
- if (req_buf) {
- req_body = flb_sds_create_len(req_buf, req_size);
- }
- }
-
- req_headers = flb_sds_create_len(c->header_buf, c->header_len);
-
- if (c->resp.data)
- now = time(NULL);
- current = localtime_r(&now, &result);
-
- fprintf(stdout,
- "[%i/%02i/%02i %02i:%02i:%02i] "
- "[out_splunk] debug HTTP 400 (bad request)\n"
- ">>> request\n"
- "%s%s\n\n"
- "<<< response\n"
- "%s\n\n",
-
- current->tm_year + 1900,
- current->tm_mon + 1,
- current->tm_mday,
- current->tm_hour,
- current->tm_min,
- current->tm_sec,
-
- req_headers,
- req_body,
- c->resp.data);
-
- if (uncompressed) {
- flb_free(tmp_buf);
- }
-
- if (req_headers) {
- flb_sds_destroy(req_headers);
- }
- if (req_body) {
- flb_sds_destroy(req_body);
- }
-}
-
-static void cb_splunk_flush(struct flb_event_chunk *event_chunk,
- struct flb_output_flush *out_flush,
- struct flb_input_instance *i_ins,
- void *out_context,
- struct flb_config *config)
-{
- int ret;
- int compressed = FLB_FALSE;
- size_t b_sent;
- flb_sds_t buf_data;
- size_t resp_size;
- size_t buf_size;
- char *endpoint;
- struct flb_splunk *ctx = out_context;
- struct flb_connection *u_conn;
- struct flb_http_client *c;
- void *payload_buf;
- size_t payload_size;
- (void) i_ins;
- (void) config;
-
- /* Get upstream connection */
- u_conn = flb_upstream_conn_get(ctx->u);
- if (!u_conn) {
- FLB_OUTPUT_RETURN(FLB_RETRY);
- }
-
-#ifdef FLB_HAVE_METRICS
- /* Check if the event type is metrics, handle the payload differently */
- if (event_chunk->type == FLB_EVENT_TYPE_METRICS) {
- ret = splunk_metrics_format(ctx->ins,
- event_chunk->data,
- event_chunk->size,
- &buf_data, &buf_size, ctx);
- }
-#endif
- if (event_chunk->type == FLB_EVENT_TYPE_LOGS) {
- /* Convert binary logs into a JSON payload */
- ret = splunk_format(event_chunk->data,
- event_chunk->size,
- (char *) event_chunk->tag,
- flb_sds_len(event_chunk->tag),
- &buf_data, &buf_size, ctx);
- }
-
- if (ret == -1) {
- flb_upstream_conn_release(u_conn);
- FLB_OUTPUT_RETURN(FLB_ERROR);
- }
-
- /* Map buffer */
- payload_buf = buf_data;
- payload_size = buf_size;
-
- /* Should we compress the payload ? */
- if (ctx->compress_gzip == FLB_TRUE) {
- ret = flb_gzip_compress((void *) buf_data, buf_size,
- &payload_buf, &payload_size);
- if (ret == -1) {
- flb_plg_error(ctx->ins,
- "cannot gzip payload, disabling compression");
- }
- else {
- compressed = FLB_TRUE;
-
- /* JSON buffer is not longer needed */
- flb_sds_destroy(buf_data);
- }
- }
-
- /* Splunk URI endpoint */
- if (ctx->splunk_send_raw) {
- endpoint = FLB_SPLUNK_DEFAULT_URI_RAW;
- }
- else {
- endpoint = FLB_SPLUNK_DEFAULT_URI_EVENT;
- }
-
- /* Compose HTTP Client request */
- c = flb_http_client(u_conn, FLB_HTTP_POST, endpoint,
- payload_buf, payload_size, NULL, 0, NULL, 0);
-
- /* HTTP Response buffer size, honor value set by the user */
- if (ctx->buffer_size > 0) {
- flb_http_buffer_size(c, ctx->buffer_size);
- }
- else {
- /*
- * If no value was set, we try to accomodate by using our post
- * payload size * 1.5, on that way we make room for large responses
- * if something goes wrong, so we don't get a partial response.
- */
- resp_size = payload_size * 1.5;
- if (resp_size < 4096) {
- resp_size = 4096;
- }
- flb_http_buffer_size(c, resp_size);
- }
-
- /* HTTP Client */
- flb_http_add_header(c, "User-Agent", 10, "Fluent-Bit", 10);
-
- /* Try to use http_user and http_passwd if not, fallback to auth_header */
- if (ctx->http_user && ctx->http_passwd) {
- flb_http_basic_auth(c, ctx->http_user, ctx->http_passwd);
- }
- else if (ctx->auth_header) {
- flb_http_add_header(c, "Authorization", 13,
- ctx->auth_header, flb_sds_len(ctx->auth_header));
- }
-
- /* Append Channel identifier header */
- if (ctx->channel) {
- flb_http_add_header(c, FLB_SPLUNK_CHANNEL_IDENTIFIER_HEADER,
- strlen(FLB_SPLUNK_CHANNEL_IDENTIFIER_HEADER),
- ctx->channel, ctx->channel_len);
- }
-
- /* Content Encoding: gzip */
- if (compressed == FLB_TRUE) {
- flb_http_set_content_encoding_gzip(c);
- }
-
- /* Map debug callbacks */
- flb_http_client_debug(c, ctx->ins->callback);
-
- /* Perform HTTP request */
- ret = flb_http_do(c, &b_sent);
- if (ret != 0) {
- flb_plg_warn(ctx->ins, "http_do=%i", ret);
- ret = FLB_RETRY;
- }
- else {
- if (c->resp.status != 200) {
- if (c->resp.payload_size > 0) {
- flb_plg_warn(ctx->ins, "http_status=%i:\n%s",
- c->resp.status, c->resp.payload);
- }
- else {
- flb_plg_warn(ctx->ins, "http_status=%i", c->resp.status);
- }
- /*
- * Requests that get 4xx responses from the Splunk HTTP Event
- * Collector will 'always' fail, so there is no point in retrying
- * them:
- *
- * https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/TroubleshootHTTPEventCollector#Possible_error_codes
- */
- ret = (c->resp.status < 400 || c->resp.status >= 500) ?
- FLB_RETRY : FLB_ERROR;
-
-
- if (c->resp.status == 400 && ctx->http_debug_bad_request) {
- debug_request_response(ctx, c);
- }
- }
- else {
- ret = FLB_OK;
- }
- }
-
- /*
- * If the payload buffer is different than incoming records in body, means
- * we generated a different payload and must be freed.
- */
- if (compressed == FLB_TRUE) {
- flb_free(payload_buf);
- }
- else {
- flb_sds_destroy(buf_data);
- }
-
- /* Cleanup */
- flb_http_client_destroy(c);
- flb_upstream_conn_release(u_conn);
- FLB_OUTPUT_RETURN(ret);
-}
-
-static int cb_splunk_exit(void *data, struct flb_config *config)
-{
- struct flb_splunk *ctx = data;
-
- flb_splunk_conf_destroy(ctx);
- return 0;
-}
-
-/* Configuration properties map */
-static struct flb_config_map config_map[] = {
- {
- FLB_CONFIG_MAP_STR, "compress", NULL,
- 0, FLB_FALSE, 0,
- "Set payload compression mechanism. Option available is 'gzip'"
- },
-
- {
- FLB_CONFIG_MAP_STR, "http_user", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, http_user),
- "Set HTTP auth user"
- },
-
- {
- FLB_CONFIG_MAP_STR, "http_passwd", "",
- 0, FLB_TRUE, offsetof(struct flb_splunk, http_passwd),
- "Set HTTP auth password"
- },
-
- {
- FLB_CONFIG_MAP_SIZE, "http_buffer_size", NULL,
- 0, FLB_FALSE, 0,
- "Specify the buffer size used to read the response from the Splunk HTTP "
- "service. This option is useful for debugging purposes where is required to read "
- "full responses, note that response size grows depending of the number of records "
- "inserted. To set an unlimited amount of memory set this value to 'false', "
- "otherwise the value must be according to the Unit Size specification"
- },
-
- {
- FLB_CONFIG_MAP_BOOL, "http_debug_bad_request", "false",
- 0, FLB_TRUE, offsetof(struct flb_splunk, http_debug_bad_request),
- "If the HTTP server response code is 400 (bad request) and this flag is "
- "enabled, it will print the full HTTP request and response to the stdout "
- "interface. This feature is available for debugging purposes."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_key", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_key),
- "Specify the key name that will be used to send a single value as part of the record."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_host", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_host),
- "Set the host value to the event data. The value allows a record accessor "
- "pattern."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_source", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_source),
- "Set the source value to assign to the event data."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_sourcetype", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_sourcetype),
- "Set the sourcetype value to assign to the event data."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_sourcetype_key", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_sourcetype_key),
- "Set a record key that will populate 'sourcetype'. If the key is found, it will "
- "have precedence over the value set in 'event_sourcetype'."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_index", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_index),
- "The name of the index by which the event data is to be indexed."
- },
-
- {
- FLB_CONFIG_MAP_STR, "event_index_key", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, event_index_key),
- "Set a record key that will populate the 'index' field. If the key is found, "
- "it will have precedence over the value set in 'event_index'."
- },
-
- {
- FLB_CONFIG_MAP_SLIST_2, "event_field", NULL,
- FLB_CONFIG_MAP_MULT, FLB_TRUE, offsetof(struct flb_splunk, event_fields),
- "Set event fields for the record. This option can be set multiple times and "
- "the format is 'key_name record_accessor_pattern'."
- },
-
- {
- FLB_CONFIG_MAP_STR, "splunk_token", NULL,
- 0, FLB_FALSE, 0,
- "Specify the Authentication Token for the HTTP Event Collector interface."
- },
-
- {
- FLB_CONFIG_MAP_BOOL, "splunk_send_raw", "off",
- 0, FLB_TRUE, offsetof(struct flb_splunk, splunk_send_raw),
- "When enabled, the record keys and values are set in the top level of the "
- "map instead of under the event key. Refer to the Sending Raw Events section "
- "from the docs for more details to make this option work properly."
- },
-
- {
- FLB_CONFIG_MAP_STR, "channel", NULL,
- 0, FLB_TRUE, offsetof(struct flb_splunk, channel),
- "Specify X-Splunk-Request-Channel Header for the HTTP Event Collector interface."
- },
-
- /* EOF */
- {0}
-};
-
-
-static int cb_splunk_format_test(struct flb_config *config,
- struct flb_input_instance *ins,
- void *plugin_context,
- void *flush_ctx,
- int event_type,
- const char *tag, int tag_len,
- const void *data, size_t bytes,
- void **out_data, size_t *out_size)
-{
- struct flb_splunk *ctx = plugin_context;
-
- return splunk_format(data, bytes, (char *) tag, tag_len,
- (char**) out_data, out_size,ctx);
-}
-
-struct flb_output_plugin out_splunk_plugin = {
- .name = "splunk",
- .description = "Send events to Splunk HTTP Event Collector",
- .cb_init = cb_splunk_init,
- .cb_flush = cb_splunk_flush,
- .cb_exit = cb_splunk_exit,
- .config_map = config_map,
- .workers = 2,
-#ifdef FLB_HAVE_METRICS
- .event_type = FLB_OUTPUT_LOGS | FLB_OUTPUT_METRICS,
-#endif
-
- /* for testing */
- .test_formatter.callback = cb_splunk_format_test,
- /* Plugin flags */
- .flags = FLB_OUTPUT_NET | FLB_IO_OPT_TLS,
-};
diff --git a/fluent-bit/plugins/out_splunk/splunk.h b/fluent-bit/plugins/out_splunk/splunk.h
deleted file mode 100644
index eef8fa8b0..000000000
--- a/fluent-bit/plugins/out_splunk/splunk.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-
-/* Fluent Bit
- * ==========
- * Copyright (C) 2015-2022 The Fluent Bit Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef FLB_OUT_SPLUNK
-#define FLB_OUT_SPLUNK
-
-#define FLB_SPLUNK_DEFAULT_HOST "127.0.0.1"
-#define FLB_SPLUNK_DEFAULT_PORT 8088
-#define FLB_SPLUNK_DEFAULT_URI_RAW "/services/collector/raw"
-#define FLB_SPLUNK_DEFAULT_URI_EVENT "/services/collector/event"
-#define FLB_SPLUNK_DEFAULT_TIME "time"
-#define FLB_SPLUNK_DEFAULT_EVENT_HOST "host"
-#define FLB_SPLUNK_DEFAULT_EVENT_SOURCE "source"
-#define FLB_SPLUNK_DEFAULT_EVENT_SOURCET "sourcetype"
-#define FLB_SPLUNK_DEFAULT_EVENT_INDEX "index"
-#define FLB_SPLUNK_DEFAULT_EVENT_FIELDS "fields"
-#define FLB_SPLUNK_DEFAULT_EVENT "event"
-#define FLB_SPLUNK_DEFAULT_HTTP_MAX "2M"
-
-#define FLB_SPLUNK_CHANNEL_IDENTIFIER_HEADER "X-Splunk-Request-Channel"
-
-#include <fluent-bit/flb_output_plugin.h>
-#include <fluent-bit/flb_sds.h>
-#include <fluent-bit/flb_record_accessor.h>
-
-struct flb_splunk_field {
- flb_sds_t key_name;
- struct flb_record_accessor *ra;
- struct mk_list _head;
-};
-
-struct flb_splunk {
- /* Payload compression */
- int compress_gzip;
-
- /* HTTP Auth */
- char *http_user;
- char *http_passwd;
-
- /* Event key */
- flb_sds_t event_key;
- struct flb_record_accessor *ra_event_key;
-
- /* Event host */
- flb_sds_t event_host;
- struct flb_record_accessor *ra_event_host;
-
- /* Event source */
- flb_sds_t event_source;
- struct flb_record_accessor *ra_event_source;
-
- /*
- * NOTE: EVENT SOURCE
- * -------------------
- * we use two separate variables since we aim to specify a default in case
- * a record accessor pattern is given but not found. The event_sourcetype_key
- * has precedence over th the 'event_sourcetype' variable.
- */
-
- /* Event sourcetype */
- flb_sds_t event_sourcetype;
-
- /* Event sourcetype record key */
- flb_sds_t event_sourcetype_key;
- struct flb_record_accessor *ra_event_sourcetype_key;
-
- /* Event index */
- flb_sds_t event_index;
-
- /* Event sourcetype record key */
- flb_sds_t event_index_key;
- struct flb_record_accessor *ra_event_index_key;
-
- /* Event fields */
- struct mk_list *event_fields;
-
- /* Internal/processed event fields */
- struct mk_list fields;
-
- /* Token Auth */
- flb_sds_t auth_header;
-
- /* Channel identifier */
- flb_sds_t channel;
- size_t channel_len;
-
- /* Send fields directly or pack data into "event" object */
- int splunk_send_raw;
-
- /* HTTP Client Setup */
- size_t buffer_size;
-
- /* HTTP: Debug bad requests (HTTP status 400) to stdout */
- int http_debug_bad_request;
-
- /* Upstream connection to the backend server */
- struct flb_upstream *u;
-
- /* Plugin instance */
- struct flb_output_instance *ins;
-};
-
-#endif
diff --git a/fluent-bit/plugins/out_splunk/splunk_conf.c b/fluent-bit/plugins/out_splunk/splunk_conf.c
deleted file mode 100644
index cc911cbeb..000000000
--- a/fluent-bit/plugins/out_splunk/splunk_conf.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-
-/* Fluent Bit
- * ==========
- * Copyright (C) 2015-2022 The Fluent Bit Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <fluent-bit/flb_output_plugin.h>
-#include <fluent-bit/flb_utils.h>
-
-#include "splunk.h"
-#include "splunk_conf.h"
-
-static int event_fields_create(struct flb_splunk *ctx)
-{
- int i = 0;
- struct mk_list *head;
- struct flb_slist_entry *kname;
- struct flb_slist_entry *pattern;
- struct flb_config_map_val *mv;
- struct flb_splunk_field *f;
-
- if (!ctx->event_fields) {
- return 0;
- }
-
- flb_config_map_foreach(head, mv, ctx->event_fields) {
- kname = mk_list_entry_first(mv->val.list, struct flb_slist_entry, _head);
- pattern = mk_list_entry_last(mv->val.list, struct flb_slist_entry, _head);
-
- f = flb_malloc(sizeof(struct flb_splunk_field));
- if (!f) {
- flb_errno();
- return -1;
- }
-
- f->key_name = flb_sds_create(kname->str);
- if (!f->key_name) {
- flb_free(f);
- return -1;
- }
-
- f->ra = flb_ra_create(pattern->str, FLB_TRUE);
- if (!f->ra) {
- flb_plg_error(ctx->ins,
- "could not process event_field number #%i with "
- "pattern '%s'",
- i, pattern->str);
- flb_sds_destroy(f->key_name);
- flb_free(f);
- return -1;
- }
-
- mk_list_add(&f->_head, &ctx->fields);
- }
-
- return 0;
-}
-
-static void event_fields_destroy(struct flb_splunk *ctx)
-{
- struct mk_list *tmp;
- struct mk_list *head;
- struct flb_splunk_field *f;
-
- mk_list_foreach_safe(head, tmp, &ctx->fields) {
- f = mk_list_entry(head, struct flb_splunk_field, _head);
- flb_sds_destroy(f->key_name);
- flb_ra_destroy(f->ra);
- mk_list_del(&f->_head);
- flb_free(f);
- }
-}
-
-struct flb_splunk *flb_splunk_conf_create(struct flb_output_instance *ins,
- struct flb_config *config)
-{
- int ret;
- int io_flags = 0;
- size_t size;
- flb_sds_t t;
- const char *tmp;
- struct flb_upstream *upstream;
- struct flb_splunk *ctx;
-
- ctx = flb_calloc(1, sizeof(struct flb_splunk));
- if (!ctx) {
- flb_errno();
- return NULL;
- }
- ctx->ins = ins;
- mk_list_init(&ctx->fields);
-
- ret = flb_output_config_map_set(ins, (void *) ctx);
- if (ret == -1) {
- flb_free(ctx);
- return NULL;
- }
-
- /* Set default network configuration */
- flb_output_net_default(FLB_SPLUNK_DEFAULT_HOST, FLB_SPLUNK_DEFAULT_PORT, ins);
-
- /* use TLS ? */
- if (ins->use_tls == FLB_TRUE) {
- io_flags = FLB_IO_TLS;
- }
- else {
- io_flags = FLB_IO_TCP;
- }
-
- if (ins->host.ipv6 == FLB_TRUE) {
- io_flags |= FLB_IO_IPV6;
- }
-
- /* Prepare an upstream handler */
- upstream = flb_upstream_create(config,
- ins->host.name,
- ins->host.port,
- io_flags,
- ins->tls);
- if (!upstream) {
- flb_plg_error(ctx->ins, "cannot create Upstream context");
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
-
- /* Set manual Index and Type */
- ctx->u = upstream;
-
- tmp = flb_output_get_property("http_buffer_size", ins);
- if (!tmp) {
- ctx->buffer_size = 0;
- }
- else {
- size = flb_utils_size_to_bytes(tmp);
- if (size == -1) {
- flb_plg_error(ctx->ins, "invalid 'buffer_size' value");
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- if (size < 4 *1024) {
- size = 4 * 1024;
- }
- ctx->buffer_size = size;
- }
-
- /* Compress (gzip) */
- tmp = flb_output_get_property("compress", ins);
- ctx->compress_gzip = FLB_FALSE;
- if (tmp) {
- if (strcasecmp(tmp, "gzip") == 0) {
- ctx->compress_gzip = FLB_TRUE;
- }
- }
-
- /* Event key */
- if (ctx->event_key) {
- if (ctx->event_key[0] != '$') {
- flb_plg_error(ctx->ins,
- "invalid event_key pattern, it must start with '$'");
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- ctx->ra_event_key = flb_ra_create(ctx->event_key, FLB_TRUE);
- if (!ctx->ra_event_key) {
- flb_plg_error(ctx->ins,
- "cannot create record accessor for event_key pattern: '%s'",
- ctx->event_key);
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- }
-
- /* Event host */
- if (ctx->event_host) {
- ctx->ra_event_host = flb_ra_create(ctx->event_host, FLB_TRUE);
- if (!ctx->ra_event_host) {
- flb_plg_error(ctx->ins,
- "cannot create record accessor for event_key pattern: '%s'",
- ctx->event_host);
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- }
-
- /* Event source */
- if (ctx->event_source) {
- ctx->ra_event_source = flb_ra_create(ctx->event_source, FLB_TRUE);
- if (!ctx->ra_event_source) {
- flb_plg_error(ctx->ins,
- "cannot create record accessor for event_source pattern: '%s'",
- ctx->event_host);
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- }
-
- /* Event source (key lookup) */
- if (ctx->event_sourcetype_key) {
- ctx->ra_event_sourcetype_key = flb_ra_create(ctx->event_sourcetype_key, FLB_TRUE);
- if (!ctx->ra_event_sourcetype_key) {
- flb_plg_error(ctx->ins,
- "cannot create record accessor for "
- "event_sourcetype_key pattern: '%s'",
- ctx->event_host);
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- }
-
- /* Event index (key lookup) */
- if (ctx->event_index_key) {
- ctx->ra_event_index_key = flb_ra_create(ctx->event_index_key, FLB_TRUE);
- if (!ctx->ra_event_index_key) {
- flb_plg_error(ctx->ins,
- "cannot create record accessor for "
- "event_index_key pattern: '%s'",
- ctx->event_host);
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- }
-
- /* Event fields */
- ret = event_fields_create(ctx);
- if (ret == -1) {
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
-
- /* No http_user is set, fallback to splunk_token, if splunk_token is unset, fail. */
- if (!ctx->http_user) {
- /* Splunk Auth Token */
- tmp = flb_output_get_property("splunk_token", ins);
- if(!tmp) {
- flb_plg_error(ctx->ins, "either splunk_token or http_user should be set");
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- ctx->auth_header = flb_sds_create("Splunk ");
- t = flb_sds_cat(ctx->auth_header, tmp, strlen(tmp));
- if (t) {
- ctx->auth_header = t;
- }
- else {
- flb_plg_error(ctx->ins, "error on token generation");
- flb_splunk_conf_destroy(ctx);
- return NULL;
- }
- }
-
- /* channel */
- if (ctx->channel != NULL) {
- ctx->channel_len = flb_sds_len(ctx->channel);
- }
-
- /* Set instance flags into upstream */
- flb_output_upstream_set(ctx->u, ins);
-
- return ctx;
-}
-
-int flb_splunk_conf_destroy(struct flb_splunk *ctx)
-{
- if (!ctx) {
- return -1;
- }
-
- if (ctx->auth_header) {
- flb_sds_destroy(ctx->auth_header);
- }
- if (ctx->u) {
- flb_upstream_destroy(ctx->u);
- }
-
- if (ctx->ra_event_key) {
- flb_ra_destroy(ctx->ra_event_key);
- }
-
- if (ctx->ra_event_host) {
- flb_ra_destroy(ctx->ra_event_host);
- }
-
- if (ctx->ra_event_source) {
- flb_ra_destroy(ctx->ra_event_source);
- }
-
- if (ctx->ra_event_sourcetype_key) {
- flb_ra_destroy(ctx->ra_event_sourcetype_key);
- }
-
- if (ctx->ra_event_index_key) {
- flb_ra_destroy(ctx->ra_event_index_key);
- }
-
- event_fields_destroy(ctx);
-
- flb_free(ctx);
-
- return 0;
-}
diff --git a/fluent-bit/plugins/out_splunk/splunk_conf.h b/fluent-bit/plugins/out_splunk/splunk_conf.h
deleted file mode 100644
index c5114b1f9..000000000
--- a/fluent-bit/plugins/out_splunk/splunk_conf.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-
-/* Fluent Bit
- * ==========
- * Copyright (C) 2015-2022 The Fluent Bit Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef FLB_OUT_SPLUNK_CONF_H
-#define FLB_OUT_SPLUNK_CONF_H
-
-#include "splunk.h"
-
-struct flb_splunk *flb_splunk_conf_create(struct flb_output_instance *ins,
- struct flb_config *config);
-int flb_splunk_conf_destroy(struct flb_splunk *ctx);
-
-#endif