mirror of
https://github.com/GreptimeTeam/greptimedb.git
synced 2026-07-05 13:30:44 +00:00
17 lines
8.5 KiB
HTML
17 lines
8.5 KiB
HTML
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Splunk HTTP Event Collector (HEC) compatible ingestion endpoint."><title>servers::http::splunk - Rust</title><script>if(window.location.protocol!=="file:")document.head.insertAdjacentHTML("beforeend","SourceSerif4-Regular-6b053e98.ttf.woff2,FiraSans-Italic-81dc35de.woff2,FiraSans-Regular-0fe48ade.woff2,FiraSans-MediumItalic-ccf7e434.woff2,FiraSans-Medium-e1aa3f0a.woff2,SourceCodePro-Regular-8badfe75.ttf.woff2,SourceCodePro-Semibold-aa29a496.ttf.woff2".split(",").map(f=>`<link rel="preload" as="font" type="font/woff2"href="../../../static.files/${f}">`).join(""))</script><link rel="stylesheet" href="../../../static.files/normalize-9960930a.css"><link rel="stylesheet" href="../../../static.files/rustdoc-17e0aaed.css"><meta name="rustdoc-vars" data-root-path="../../../" data-static-root-path="../../../static.files/" data-current-crate="servers" data-themes="" data-resource-suffix="" data-rustdoc-version="1.96.0-nightly (ac7f9ec7d 2026-03-20)" data-channel="nightly" data-search-js="search-63369b7b.js" data-stringdex-js="stringdex-2da4960a.js" data-settings-js="settings-170eb4bf.js" ><script src="../../../static.files/storage-41dd4d93.js"></script><script defer src="../sidebar-items.js"></script><script defer src="../../../static.files/main-5013f961.js"></script><noscript><link rel="stylesheet" href="../../../static.files/noscript-f7c3ffd8.css"></noscript><link rel="alternate icon" type="image/png" href="../../../static.files/favicon-32x32-eab170b8.png"><link rel="icon" type="image/svg+xml" href="../../../static.files/favicon-044be391.svg"></head><body class="rustdoc mod"><a class="skip-main-content" href="#main-content">Skip to main content</a><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><rustdoc-topbar><h2><a href="#">Module splunk</a></h2></rustdoc-topbar><nav class="sidebar"><div class="sidebar-crate"><h2><a href="../../../servers/index.html">servers</a><span class="version">1.2.0</span></h2></div><div class="sidebar-elems"><section id="rustdoc-toc"><h2 class="location"><a href="#">Module splunk</a></h2><h3><a href="#constants">Module Items</a></h3><ul class="block"><li><a href="#constants" title="Constants">Constants</a></li><li><a href="#functions" title="Functions">Functions</a></li></ul></section><div id="rustdoc-modnav"><h2><a href="../index.html">In servers::<wbr>http</a></h2></div></div></nav><div class="sidebar-resizer" title="Drag to resize sidebar"></div><main><div class="width-limiter"><section id="main-content" class="content" tabindex="-1"><div class="main-heading"><div class="rustdoc-breadcrumbs"><a href="../../index.html">servers</a>::<wbr><a href="../index.html">http</a></div><h1>Module <span>splunk</span> <button id="copy-path" title="Copy item path to clipboard">Copy item path</button></h1><rustdoc-toolbar></rustdoc-toolbar><span class="sub-heading"><a class="src" href="../../../src/servers/http/splunk.rs.html#15-848">Source</a> </span></div><details class="toggle top-doc" open><summary class="hideme"><span>Expand description</span></summary><div class="docblock"><p>Splunk HTTP Event Collector (HEC) compatible ingestion endpoint.</p>
|
||
<p>Clients point their base endpoint at <code>/v1/splunk</code>, so the full paths are e.g.
|
||
<code>/v1/splunk/services/collector/event</code> and <code>/v1/splunk/services/collector/health</code>.</p>
|
||
</div></details><h2 id="constants" class="section-header">Constants<a href="#constants" class="anchor">§</a></h2><dl class="item-table"><dt><a class="constant" href="constant.DEFAULT_SPLUNK_TABLE.html" title="constant servers::http::splunk::DEFAULT_SPLUNK_TABLE">DEFAULT_<wbr>SPLUNK_<wbr>TABLE</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>Default table used when neither the event’s <code>index</code> nor a <code>?table=</code> query
|
||
param is provided.</dd><dt><a class="constant" href="constant.HEC_HEALTHY_CODE.html" title="constant servers::http::splunk::HEC_HEALTHY_CODE">HEC_<wbr>HEALTHY_<wbr>CODE</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>HEC response code for a healthy collector. Splunk returns
|
||
<code>{"text":"HEC is healthy","code":17}</code>.</dd></dl><h2 id="functions" class="section-header">Functions<a href="#functions" class="anchor">§</a></h2><dl class="item-table"><dt><a class="fn" href="fn.apply_tag_columns.html" title="fn servers::http::splunk::apply_tag_columns">apply_<wbr>tag_<wbr>columns</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>Retags <code>Field</code> columns to <code>Tag</code> per table (identity makes everything a Field) so the
|
||
insert path adds them to the primary key. Tags are scoped by table name so a batch
|
||
targeting multiple tables can’t cross-promote a same-named field. Identity-only:
|
||
rebuilds under the default opt.</dd><dt><a class="fn" href="fn.handle_event.html" title="fn servers::http::splunk::handle_event">handle_<wbr>event</a></dt><dd><code>POST /services/collector/event</code> (+ <code>/services/collector</code>, <code>/event/1.0</code> aliases).
|
||
Parses HEC events, runs them through the pipeline (identity default, overridable),
|
||
and inserts with metadata columns as tags.</dd><dt><a class="fn" href="fn.handle_health.html" title="fn servers::http::splunk::handle_health">handle_<wbr>health</a></dt><dd><code>GET /services/collector/health</code> (+ <code>/1.0</code>). Public (see <code>PUBLIC_API_PREFIX</code>),
|
||
since clients probe it before sending. <code>ack</code>/<code>token</code> query params are ignored.</dd><dt><a class="fn" href="fn.hec_event_to_map.html" title="fn servers::http::splunk::hec_event_to_map">hec_<wbr>event_<wbr>to_<wbr>map</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>Maps one HEC event to <code>(table, per-event map, tag names)</code>: <code>time</code>->timestamp,
|
||
<code>index</code>->table, host/source/sourcetype/<code>fields</code>->tags, <code>event</code>+rest->data.
|
||
<code>None</code> if the event isn’t a JSON object.</dd><dt><a class="fn" href="fn.hec_response.html" title="fn servers::http::splunk::hec_response">hec_<wbr>response</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>HEC response body <code>{"text", "code"}</code>; clients branch on <code>code</code>.</dd><dt><a class="fn" href="fn.ingest_events.html" title="fn servers::http::splunk::ingest_events">ingest_<wbr>events</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>Like <code>ingest_logs_inner</code>, but retags metadata columns (identity default) before insert.</dd><dt><a class="fn" href="fn.is_blank_event.html" title="fn servers::http::splunk::is_blank_event">is_<wbr>blank_<wbr>event</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>A HEC <code>event</code> value is blank if it’s <code>null</code> or an empty/whitespace-only string.</dd><dt><a class="fn" href="fn.is_splunk_request.html" title="fn servers::http::splunk::is_splunk_request">is_<wbr>splunk_<wbr>request</a><span title="Restricted Visibility"> 🔒</span> </dt><dt><a class="fn" href="fn.parse_hec_events.html" title="fn servers::http::splunk::parse_hec_events">parse_<wbr>hec_<wbr>events</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>Parses a HEC body into a flat list of events. Handles both batch forms: objects
|
||
concatenated with any/no separator, and a top-level array (flattened).</dd><dt><a class="fn" href="fn.parse_hec_time.html" title="fn servers::http::splunk::parse_hec_time">parse_<wbr>hec_<wbr>time</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>HEC <code>time</code>: epoch seconds (optionally fractional); values past ~1e12 are read as
|
||
milliseconds. <code>None</code> if absent/unparseable (caller falls back to ingest time).</dd><dt><a class="fn" href="fn.sanitize_index.html" title="fn servers::http::splunk::sanitize_index">sanitize_<wbr>index</a><span title="Restricted Visibility"> 🔒</span> </dt><dd>Coerces a Splunk <code>index</code> into a valid table name (<code>NAME_PATTERN</code>); <code>None</code> if empty.</dd><dt><a class="fn" href="fn.validate_event.html" title="fn servers::http::splunk::validate_event">validate_<wbr>event</a><span title="Restricted Visibility"> 🔒</span> </dt><dd><code>event</code> missing -> 12, <code>event</code> blank -> 13.
|
||
present, non-null but unparsable <code>time</code> -> 6.</dd></dl></section></div></main></body></html> |