Add copy fields feat to output splunk plugin #668
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kirillov6
approved these changes
Aug 15, 2024
HeadHunter483
force-pushed
the
667-output-splunk-copy-fields
branch
from
f1e10b3
to
f8f9588
Compare
goshansmails
approved these changes
Aug 15, 2024
HeadHunter483
force-pushed
the
667-output-splunk-copy-fields
branch
from
f8f9588
to
9cd45aa
Compare
HeadHunter483
force-pushed
the
667-output-splunk-copy-fields
branch
from
9cd45aa
to
6532d83
Compare
HeadHunter483
force-pushed
the
667-output-splunk-copy-fields
branch
from
6532d83
to
0b94b9f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pr adds "copy_fields" param to the output splunk plugin. It is a map of strings to strings. Keys and values are json paths, keys are paths in the original event, values are paths in the output json. This feature allows copying data from the original event to the additional meta data provided for splunk like timestamp in "time" or other data in "fields". Overwriting "event" and any of its subfields is not allowed to preserve original event as is.
Fixes #667