Files
greptimedb/servers/http/splunk/index.html
2026-06-30 13:32:50 +00:00

17 lines
8.5 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Splunk HTTP Event Collector (HEC) compatible ingestion endpoint."><title>servers::http::splunk - Rust</title><script>if(window.location.protocol!=="file:")document.head.insertAdjacentHTML("beforeend","SourceSerif4-Regular-6b053e98.ttf.woff2,FiraSans-Italic-81dc35de.woff2,FiraSans-Regular-0fe48ade.woff2,FiraSans-MediumItalic-ccf7e434.woff2,FiraSans-Medium-e1aa3f0a.woff2,SourceCodePro-Regular-8badfe75.ttf.woff2,SourceCodePro-Semibold-aa29a496.ttf.woff2".split(",").map(f=>`<link rel="preload" as="font" type="font/woff2"href="../../../static.files/${f}">`).join(""))</script><link rel="stylesheet" href="../../../static.files/normalize-9960930a.css"><link rel="stylesheet" href="../../../static.files/rustdoc-17e0aaed.css"><meta name="rustdoc-vars" data-root-path="../../../" data-static-root-path="../../../static.files/" data-current-crate="servers" data-themes="" data-resource-suffix="" data-rustdoc-version="1.96.0-nightly (ac7f9ec7d 2026-03-20)" data-channel="nightly" data-search-js="search-63369b7b.js" data-stringdex-js="stringdex-2da4960a.js" data-settings-js="settings-170eb4bf.js" ><script src="../../../static.files/storage-41dd4d93.js"></script><script defer src="../sidebar-items.js"></script><script defer src="../../../static.files/main-5013f961.js"></script><noscript><link rel="stylesheet" href="../../../static.files/noscript-f7c3ffd8.css"></noscript><link rel="alternate icon" type="image/png" href="../../../static.files/favicon-32x32-eab170b8.png"><link rel="icon" type="image/svg+xml" href="../../../static.files/favicon-044be391.svg"></head><body class="rustdoc mod"><a class="skip-main-content" href="#main-content">Skip to main content</a><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><rustdoc-topbar><h2><a href="#">Module splunk</a></h2></rustdoc-topbar><nav class="sidebar"><div class="sidebar-crate"><h2><a href="../../../servers/index.html">servers</a><span class="version">1.2.0</span></h2></div><div class="sidebar-elems"><section id="rustdoc-toc"><h2 class="location"><a href="#">Module splunk</a></h2><h3><a href="#constants">Module Items</a></h3><ul class="block"><li><a href="#constants" title="Constants">Constants</a></li><li><a href="#functions" title="Functions">Functions</a></li></ul></section><div id="rustdoc-modnav"><h2><a href="../index.html">In servers::<wbr>http</a></h2></div></div></nav><div class="sidebar-resizer" title="Drag to resize sidebar"></div><main><div class="width-limiter"><section id="main-content" class="content" tabindex="-1"><div class="main-heading"><div class="rustdoc-breadcrumbs"><a href="../../index.html">servers</a>::<wbr><a href="../index.html">http</a></div><h1>Module <span>splunk</span>&nbsp;<button id="copy-path" title="Copy item path to clipboard">Copy item path</button></h1><rustdoc-toolbar></rustdoc-toolbar><span class="sub-heading"><a class="src" href="../../../src/servers/http/splunk.rs.html#15-848">Source</a> </span></div><details class="toggle top-doc" open><summary class="hideme"><span>Expand description</span></summary><div class="docblock"><p>Splunk HTTP Event Collector (HEC) compatible ingestion endpoint.</p>
<p>Clients point their base endpoint at <code>/v1/splunk</code>, so the full paths are e.g.
<code>/v1/splunk/services/collector/event</code> and <code>/v1/splunk/services/collector/health</code>.</p>
</div></details><h2 id="constants" class="section-header">Constants<a href="#constants" class="anchor">§</a></h2><dl class="item-table"><dt><a class="constant" href="constant.DEFAULT_SPLUNK_TABLE.html" title="constant servers::http::splunk::DEFAULT_SPLUNK_TABLE">DEFAULT_<wbr>SPLUNK_<wbr>TABLE</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>Default table used when neither the events <code>index</code> nor a <code>?table=</code> query
param is provided.</dd><dt><a class="constant" href="constant.HEC_HEALTHY_CODE.html" title="constant servers::http::splunk::HEC_HEALTHY_CODE">HEC_<wbr>HEALTHY_<wbr>CODE</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>HEC response code for a healthy collector. Splunk returns
<code>{"text":"HEC is healthy","code":17}</code>.</dd></dl><h2 id="functions" class="section-header">Functions<a href="#functions" class="anchor">§</a></h2><dl class="item-table"><dt><a class="fn" href="fn.apply_tag_columns.html" title="fn servers::http::splunk::apply_tag_columns">apply_<wbr>tag_<wbr>columns</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>Retags <code>Field</code> columns to <code>Tag</code> per table (identity makes everything a Field) so the
insert path adds them to the primary key. Tags are scoped by table name so a batch
targeting multiple tables cant cross-promote a same-named field. Identity-only:
rebuilds under the default opt.</dd><dt><a class="fn" href="fn.handle_event.html" title="fn servers::http::splunk::handle_event">handle_<wbr>event</a></dt><dd><code>POST /services/collector/event</code> (+ <code>/services/collector</code>, <code>/event/1.0</code> aliases).
Parses HEC events, runs them through the pipeline (identity default, overridable),
and inserts with metadata columns as tags.</dd><dt><a class="fn" href="fn.handle_health.html" title="fn servers::http::splunk::handle_health">handle_<wbr>health</a></dt><dd><code>GET /services/collector/health</code> (+ <code>/1.0</code>). Public (see <code>PUBLIC_API_PREFIX</code>),
since clients probe it before sending. <code>ack</code>/<code>token</code> query params are ignored.</dd><dt><a class="fn" href="fn.hec_event_to_map.html" title="fn servers::http::splunk::hec_event_to_map">hec_<wbr>event_<wbr>to_<wbr>map</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>Maps one HEC event to <code>(table, per-event map, tag names)</code>: <code>time</code>-&gt;timestamp,
<code>index</code>-&gt;table, host/source/sourcetype/<code>fields</code>-&gt;tags, <code>event</code>+rest-&gt;data.
<code>None</code> if the event isnt a JSON object.</dd><dt><a class="fn" href="fn.hec_response.html" title="fn servers::http::splunk::hec_response">hec_<wbr>response</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>HEC response body <code>{"text", "code"}</code>; clients branch on <code>code</code>.</dd><dt><a class="fn" href="fn.ingest_events.html" title="fn servers::http::splunk::ingest_events">ingest_<wbr>events</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>Like <code>ingest_logs_inner</code>, but retags metadata columns (identity default) before insert.</dd><dt><a class="fn" href="fn.is_blank_event.html" title="fn servers::http::splunk::is_blank_event">is_<wbr>blank_<wbr>event</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>A HEC <code>event</code> value is blank if its <code>null</code> or an empty/whitespace-only string.</dd><dt><a class="fn" href="fn.is_splunk_request.html" title="fn servers::http::splunk::is_splunk_request">is_<wbr>splunk_<wbr>request</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dt><a class="fn" href="fn.parse_hec_events.html" title="fn servers::http::splunk::parse_hec_events">parse_<wbr>hec_<wbr>events</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>Parses a HEC body into a flat list of events. Handles both batch forms: objects
concatenated with any/no separator, and a top-level array (flattened).</dd><dt><a class="fn" href="fn.parse_hec_time.html" title="fn servers::http::splunk::parse_hec_time">parse_<wbr>hec_<wbr>time</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>HEC <code>time</code>: epoch seconds (optionally fractional); values past ~1e12 are read as
milliseconds. <code>None</code> if absent/unparseable (caller falls back to ingest time).</dd><dt><a class="fn" href="fn.sanitize_index.html" title="fn servers::http::splunk::sanitize_index">sanitize_<wbr>index</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd>Coerces a Splunk <code>index</code> into a valid table name (<code>NAME_PATTERN</code>); <code>None</code> if empty.</dd><dt><a class="fn" href="fn.validate_event.html" title="fn servers::http::splunk::validate_event">validate_<wbr>event</a><span title="Restricted Visibility">&nbsp;🔒</span> </dt><dd><code>event</code> missing -&gt; 12, <code>event</code> blank -&gt; 13.
present, non-null but unparsable <code>time</code> -&gt; 6.</dd></dl></section></div></main></body></html>