feat(splunk_hec source): support second-stage framing and decoding#25312

Draft
thomasqueirozb wants to merge 2 commits into master from
splunk-hec-second-stage-decoder-framing

@thomasqueirozb
Contributor

Summary

Add optional framing and decoding configuration to the splunk_hec source. When set, the inner payload is decoded after the HEC envelope is parsed, with envelope metadata layered on top so decoder-produced fields win on conflict. Both endpoints supported; legacy behavior preserved when unset.

Vector configuration

sources:
  hec:
    type: splunk_hec
    address: 0.0.0.0:8088
    valid_tokens: ["test-token"]
    decoding:
      codec: json

How did you test this PR?

  • 12 new unit tests covering: string/object/array event decoding, decoder-wins precedence for host/channel/index/source/sourcetype, fallback timestamp on /event and /raw, decoder errors return HTTP 200, partial-decode requests do not return an ackId, InvalidEventNumber reports envelope index (not fan-out event index), and schema definition includes the codec's root.
  • Full splunk_hec test suite (64 tests) green.
  • make fmt, make check-clippy, make check-generated-docs pass.
  • Manual smoke test with the config above and curl ... -d '{"event":"{\"foo\":\"bar\"}","host":"client-host"}'.

Change Type

  • Bug fix
  • New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

References

NA
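
A simplified Python model of the precedence rule described in the summary, added here as an illustration and not taken from this PR or from Vector's code. The event field names, the `message` wrapper for scalar values and the `overridden` report are assumptions; the point is to show which value lands on the event when the envelope and the decoded payload both carry the same metadata key.

```python
import json

# Envelope metadata keys named in the PR description (event field names are assumed).
ENVELOPE_META = ("host", "channel", "index", "source", "sourcetype")


def decode_json(payload: bytes):
    """Stand-in for a JSON codec: a top-level array fans out to one event per element."""
    value = json.loads(payload)
    items = value if isinstance(value, list) else [value]
    # Scalars are wrapped under a hypothetical "message" key for this model.
    return [i if isinstance(i, dict) else {"message": i} for i in items]


def second_stage(envelope: dict):
    """Model of the /services/collector/event path with `decoding.codec: json`.

    Returns a list of (event, overridden_keys) pairs. `overridden_keys` is an
    added check: envelope metadata that the decoded payload replaced.
    """
    inner = envelope["event"]
    # Strings are passed as raw bytes; other JSON values are serialized first.
    raw = inner.encode() if isinstance(inner, str) else json.dumps(inner).encode()
    try:
        decoded = decode_json(raw)
    except ValueError:
        return []  # decode failure: no events, and the client is not told
    results = []
    for fields in decoded:
        event = {k: envelope[k] for k in ENVELOPE_META if k in envelope}
        overridden = sorted(k for k in event if k in fields and fields[k] != event[k])
        event.update(fields)  # decoder-produced fields win on conflict
        results.append((event, overridden))
    return results


if __name__ == "__main__":
    # Constructed sample envelopes, not captured traffic.
    samples = [
        {"event": "{\"foo\":\"bar\"}", "host": "client-host"},
        {"event": {"host": "inner-host", "msg": "x"}, "host": "client-host"},
        {"event": [{"a": 1}, {"a": 2}], "source": "s"},
        {"event": "not json", "host": "client-host"},
    ]
    for s in samples:
        print(second_stage(s))
```

Downstream routing or access rules keyed on `host` or `index` see the payload's value in the second sample, so the `overridden` list is the kind of signal worth surfacing when the sender and the envelope are not equally trusted.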

@github-actions github-actions Bot added the domain: sources, domain: external docs and work in progress labels Apr 27, 2026
@@ -0,0 +1 @@
The `splunk_hec` source now accepts optional `framing` and `decoding` configuration. When set, Vector applies a second decoding pass after the HEC envelope is parsed: on `/services/collector/event` the envelope's `event` field is fed through the codec (string contents are passed as raw bytes; objects, arrays, and other JSON values are JSON-serialized first to preserve shape), and on `/services/collector/raw` the request body is fed through the codec directly. A single envelope can fan out to multiple events. Decoder-produced fields win on conflict with HEC envelope metadata, and decode failures do not surface to the Splunk client. When neither field is set the source preserves its existing behavior unchanged.
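Review bot: The clause "decode failures do not surface to the Splunk client" at the end of the fragment does not say where failures do surface. The PR description lists that decoder errors return HTTP 200 and that partial-decode requests do not return an ackId; stating both here, along with how an operator can notice payloads that failed to decode, would keep users from reading a 200 as confirmed ingestion. The "Decoder-produced fields win on conflict" sentence could also name the affected metadata (host, channel, index, source, sourcetype per the test list), since it means the payload rather than the envelope decides those values once `decoding` is set.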