feat(splunk hec source): Allow content-type header if it includes application/json #23024

Open
wants to merge 3 commits into
base: master

@tot19 tot19 commented May 10, 2025

Summary

Updated the Splunk HEC source to accept requests that contain the header content-type with any value containing "application/json," not the exact value of "application/json." This matches the behavior of a true Splunk HEC. Allows sources from AWS to successfully send events to the Splunk HEC source without additional proxying to update headers.

Change Type

  • Bug fix
  • New feature
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

How did you test this PR?

make check-fmt
make check-clippy
make check-component-docs

Against Vector before change ack disabled:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 415 Unsupported Media Type
content-type: text/plain; charset=utf-8
content-length: 43
date: Sun, 11 May 2025 04:28:13 GMT

The request's content-type is not supported

Against Vector after change ack disabled:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 400 Bad Request
content-type: application/json
content-length: 36
date: Sun, 11 May 2025 04:27:24 GMT

{"text":"Ack is disabled","code":14}

Against Splunk HEC:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 400 Bad Request
Date: Sat, 10 May 2025 16:02:24 GMT
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 36
Vary: Authorization
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Server: Splunkd

{"text":"ACK is disabled","code":14}

Against Vector after change ack enabled:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 200 OK
content-type: application/json
content-length: 20
date: Sun, 11 May 2025 04:29:17 GMT

{"acks":{"0":false}}

Against Vector before change bad header:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: random' --data '{"acks":[0]}' && echo
HTTP/1.1 415 Unsupported Media Type
content-type: text/plain; charset=utf-8
content-length: 43
date: Sun, 11 May 2025 02:50:05 GMT

The request's content-type is not supported

Against Vector after change bad header:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: random' --data '{"acks":[0]}' && echo
HTTP/1.1 415 Unsupported Media Type
content-type: text/plain; charset=utf-8
content-length: 43
date: Sun, 11 May 2025 04:25:15 GMT

The request's content-type is not supported

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the "no-changelog" label to this PR.

Notes

  • Please read our Vector contributor resources.
  • Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
  • The CI checks run only after we manually approve them.
    • We recommend adding a pre-push hook, please see this template.
    • Alternatively, we recommend running the following locally before pushing to the remote branch:
      • cargo fmt --all
      • cargo clippy --workspace --all-targets -- -D warnings
      • cargo nextest run --workspace (alternatively, you can run cargo test --all)
      • ./scripts/check_changelog_fragments.sh
  • After a review is requested, please avoid force pushes to help us review incrementally.
    • Feel free to push as many commits as you want. They will be squashed into one before merging.
    • For example, you can run git merge origin master and git push.
  • If this PR introduces changes to Vector dependencies (modifies Cargo.lock), please
    run cargo vdev build licenses to regenerate the license inventory and commit the changes (if any). More details here.

References

Closes #23023
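
Added example, not code from this PR or from Vector: three ways a HEC-style source could decide whether a Content-Type value is JSON, run over the header values from the curl tests above plus a few constructed ones. The function names are hypothetical; the substring matcher is only the literal reading of the summary ("any value containing application/json"), and the third matcher shows the stricter alternative of comparing the media type alone.

```rust
// Added example: function names are hypothetical, not Vector's API.

/// Exact comparison: rejects any value that carries parameters.
fn accepts_exact(value: &str) -> bool {
    value == "application/json"
}

/// Substring test: the literal reading of "any value containing application/json".
fn accepts_substring(value: &str) -> bool {
    value.contains("application/json")
}

/// Compare only the media type (the text before the first ';'),
/// case-insensitively, ignoring parameters such as profile= and charset=.
fn accepts_media_type(value: &str) -> bool {
    let essence = value.split(';').next().unwrap_or("").trim();
    essence.eq_ignore_ascii_case("application/json")
}

/// Sample header values. The second and fourth come from the PR's curl
/// tests; the others are constructed for this example.
const SAMPLES: [&str; 6] = [
    "application/json",
    "application/json; profile=urn:splunk/event:1.0; charset=utf-8",
    "Application/JSON; charset=utf-8",
    "random",
    "text/plain; note=application/json",
    "application/jsonx",
];

/// Returns the (exact, substring, media_type) verdicts for one header value.
fn verdicts(value: &str) -> (bool, bool, bool) {
    (
        accepts_exact(value),
        accepts_substring(value),
        accepts_media_type(value),
    )
}

fn main() {
    println!("{:<64} exact  substr media-type", "Content-Type");
    for v in SAMPLES {
        let (e, s, m) = verdicts(v);
        println!("{:<64} {:<6} {:<6} {}", v, e, s, m);
    }
}
```

The last two samples are where the substring test and the media-type comparison disagree, so they are worth covering in the source's unit tests whichever matcher is used.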

@tot19 tot19 requested a review from a team as a code owner May 10, 2025 16:03
@github-actions github-actions bot added the domain: sources Anything related to the Vector's sources label May 10, 2025
@tot19 tot19 changed the title #23022 Allow content-type header if it only includes application/json… feat(splunk hec sink) Allow content-type header if it only includes application/json… May 10, 2025
@tot19 tot19 changed the title feat(splunk hec sink) Allow content-type header if it only includes application/json… feat(splunk hec source) Allow content-type header if it only includes application/json… May 10, 2025
@tot19 tot19 changed the title feat(splunk hec source) Allow content-type header if it only includes application/json… feat(splunk hec source) Allow content-type header if it includes application/json May 10, 2025
@tot19 tot19 changed the title feat(splunk hec source) Allow content-type header if it includes application/json feat(splunk hec source): Allow content-type header if it includes application/json May 12, 2025
@tot19
Author

tot19 commented May 12, 2025

Sorry, I clearly don't know how to read or make a title

Member

@pront pront left a comment

Hi @tot19, this change makes sense to me. Some tests are failing though and will need to be fixed. Also, please include a changelog. The PR description has some great info, we can reuse those for the changelog.
