CompactJsonFormatter is not working with Splunk EventCollector Sink

[avireddy02]

Splunk EventCollector Sink is not working with CompactJsonFormatter. Looks like it's not generating Event attribute.

Error: A status code of BadRequest was received when attempting to send to http://localhost:8088/services/collector. The event has been discarded and will not be placed back in the queue.

[merbla]

Hi @avireddy02,

The BAD Request will be related to the CompactJsonFormatter not creating the payload as per the HEC endpoint definition. See these links.

• Format events for HTTP Event Collector
• Getting data in with HTTP Event Collector.

By default, a formatter is included with the Sink here.

In particular check out this line, you can see some specific properties set in the JSON.

HTH.

[merbla]

@avireddy02 if you think a compact formatter is worthwhile, please feel free to submit a PR with a subclassed formatter specific for Splunk.

[merbla]

Fixed in #57

[avireddy02]

@merbla

public CompactSplunkJsonFormatter(bool renderTemplate = false, string source = null, string sourceType = null, string host = null, string index = null)

When host is not specified, can we default host to Dns.GetHostName()?

[merbla]

That sounds reasonable.