splunk_hec source support events from Splunk Universal Forwarder

[zifengyu]

A note for the community

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Use Cases

Splunk Universal Forwarder may send event data via HTTP. We want to configure Vector to consolidate events from forwarders while splunk_hec source could not receive the data.

vector

[sources.splunk]
type = "splunk_hec"
address = "0.0.0.0:8080"
token = "eb514d08-d2bd-4e50-a10b-f71ed9922ea0"
valid_tokens = [ "eb514d08-d2bd-4e50-a10b-f71ed9922ea0" ]

splunkforwarder (etc/system/local/outputs.conf)

[httpout]
httpEventCollectorToken = eb514d08-d2bd-4e50-a10b-f71ed9922ea0
uri = http://localhost:8080

https://docs.splunk.com/Documentation/Forwarder/8.2.5/Forwarder/Configureforwardingwithoutputs.conf#Configure_the_universal_forwarder_to_send_data_over_HTTP

No data received in vector and we saw below error message in splunkd.log which possibly causes the failure.

04-08-2022 18:17:23.266 +0800 ERROR HttpClientRequest [1689039 parsing] - Caught exception while parsing HTTP reply: Unexpected character while looking for value: 'H'

Attempted Solutions

No response

Proposal

No response

References

No response

Version

No response

[spencergilbert]

I believe this duplicates https://github.com/vectordotdev/vector/issues/3848