Splunk HEC Exporter Transmission to HEC Endpoint Fails With Missing Body #29693

Closed
bdschaap opened this issue Dec 7, 2023 · 10 comments
Labels
bug Something isn't working exporter/splunkhec


bdschaap commented Dec 7, 2023

Component(s)

exporter/splunkhec

What happened?

Description

Splunk HEC Exporter transmission to HEC endpoint fails when there is a missing body field. The otel logs data model lists body as an optional field. I'm using Faro Web SDK which has a log type (measurement) that does not contain a body field.

Steps to Reproduce

Transmit a log without a body field.

Expected Result

OTLP logs received and exported with a missing body field should not fail transmission to a HEC endpoint. Perhaps a default value should be set. The alternative is that the HEC endpoint (i.e., Splunk Forwarder, Splunk Enterprise, Splunk Cloud, etc.) should accept a missing body field. I have encountered this behavior with a Splunk Forwarder.

Actual Result

400 response code is returned stating bad data format.

Collector version

opentelemetry-collector-contrib:0.88.0

Environment information

Environment

OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

exporters:
  splunk_hec/dev:
    token: "<guid>"
    endpoint: "https://splunkforwarder.mydomain.local:8088/services/collector/event"
    source: "otel"
    hec_metadata_to_otel_attrs:
      source: "service.name"
    sourcetype: "faro"
    index: "dev"

Log output

No response

Additional context

No response

@bdschaap bdschaap added bug Something isn't working needs triage New item requiring triage labels Dec 7, 2023
Contributor

github-actions bot commented Dec 7, 2023

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@crobert-1
Member

Agreed that the body of a log is optional, as stated in the spec here.

Can you share the full error message you're receiving? I'm wondering if this is possibly a duplicate of #29551.

@bdschaap
Author

bdschaap commented Dec 7, 2023

Looks like #29551 was fixed in 0.89.0. I'm still on 0.88.0. I'll update first and report back.

@bdschaap
Author

bdschaap commented Dec 7, 2023

Sorry I misread that. I'm guessing it will be in the next release. Will try when it's available.

@bdschaap
Author

I tried v0.91.0 and no longer receive an error but I can't find the log in Splunk. The log is still only transmitted and found in Splunk if I manually supply the body field in the log. I reverted to v0.88.0 to capture the error message below.

2023-12-12T14:41:22.416Z        error   exporterhelper/retry_sender.go:145      Exporting failed. The error is not retryable. Dropping data.    {"kind": "exporter", "data_type": "logs", "name": "splunk_hec", "error": "Permanent error: \"HTTP/1.1 400 Bad Request\\r\\n
Content-Length: 64\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/json; charset=UTF-8\\r\\nDate: Tue, 12 Dec 2023 14:41:21 GMT\\r\\nServer: Splunkd\\r\\nVary: Authorization\\r\\nX-Content-Type-Options: nosniff\\r\\nX-Frame-Options: SAMEORIGIN\\r\\n\\r\\n{
\\\"text\\\":\\\"Invalid data format\\\",\\\"code\\\":6,\\\"invalid-event-number\\\":0}\"", "dropped_items": 1}
go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send
        go.opentelemetry.io/collector/[email protected]/exporterhelper/retry_sender.go:145
go.opentelemetry.io/collector/exporter/exporterhelper.(*logsExporterWithObservability).send
        go.opentelemetry.io/collector/[email protected]/exporterhelper/logs.go:176
go.opentelemetry.io/collector/exporter/exporterhelper.(*queueSender).start.func1
        go.opentelemetry.io/collector/[email protected]/exporterhelper/queue_sender.go:126
go.opentelemetry.io/collector/exporter/exporterhelper/internal.(*boundedMemoryQueue).Start.func1
        go.opentelemetry.io/collector/[email protected]/exporterhelper/internal/bounded_memory_queue.go:52
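
Added example, not part of the original thread and not the collector's own code: the `error` field in the log line above carries the HEC endpoint's HTTP response as a Go-quoted string, so the Splunk rejection code and the dropped-item count can be extracted from collector logs to alert on lost telemetry. `HECReject`, `ParseHECReject` and `sampleLine` are hypothetical names; the sample is the posted line rejoined onto one line with some response headers omitted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// HECReject summarizes one rejected export as reported in the collector log.
type HECReject struct {
	Status       string `json:"-"` // HTTP status line of the dumped response
	Text         string `json:"text"`
	Code         int    `json:"code"`
	InvalidEvent int    `json:"invalid-event-number"`
	Dropped      int    `json:"-"` // dropped_items counted by the collector
}

// sampleLine: the v0.88.0 log line from this thread, rejoined, some headers omitted.
const sampleLine = "2023-12-12T14:41:22.416Z\terror\texporterhelper/retry_sender.go:145\tExporting failed. The error is not retryable. Dropping data.\t" +
	`{"kind": "exporter", "data_type": "logs", "name": "splunk_hec", "error": "Permanent error: \"HTTP/1.1 400 Bad Request\\r\\nContent-Type: application/json; charset=UTF-8\\r\\nServer: Splunkd\\r\\n\\r\\n{\\\"text\\\":\\\"Invalid data format\\\",\\\"code\\\":6,\\\"invalid-event-number\\\":0}\"", "dropped_items": 1}`

// ParseHECReject extracts the HEC response from one collector error line.
func ParseHECReject(line string) (out HECReject, err error) {
	_, rest, _ := strings.Cut(line, "{") // JSON context starts at the first brace
	var ctx struct {
		Error   string `json:"error"`
		Dropped int    `json:"dropped_items"`
	}
	if err = json.Unmarshal([]byte("{"+rest), &ctx); err != nil {
		return out, fmt.Errorf("log context: %w", err)
	}
	// After "Permanent error: " the HTTP response is embedded as a Go-quoted string.
	_, quoted, _ := strings.Cut(ctx.Error, ": ")
	dump, err := strconv.Unquote(quoted)
	if err != nil {
		return out, fmt.Errorf("quoted response: %w", err)
	}
	head, body, _ := strings.Cut(dump, "\r\n\r\n")
	if err = json.Unmarshal([]byte(body), &out); err != nil {
		return out, fmt.Errorf("HEC body: %w", err)
	}
	out.Status, _, _ = strings.Cut(head, "\r\n")
	out.Dropped = ctx.Dropped
	return out, nil
}

func main() { fmt.Println(ParseHECReject(sampleLine)) }
```
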

@atoulme
Contributor

atoulme commented Dec 12, 2023

"I can't find the log in Splunk" - how are you looking for it? Can you elaborate? Please open a support case with Splunk to follow up.

@bdschaap
Author

bdschaap commented Dec 12, 2023

My Otel Collector sends logs to a Splunk Heavy Forwarder which then sends them to Splunk Cloud. I'm searching for the logs in Splunk Cloud. The logs with the missing body field cannot be found in the specified index and sourcetype on v0.91.0. If I manually edit the json to add the body field and then retransmit the log to my Otel Collector then I find that log in Splunk Cloud. I also checked the splunkd internal logs to see if I could find the reason but didn't find anything.

I'll open a support case with Splunk.

@atoulme
Contributor

atoulme commented Dec 12, 2023

To be precise, there is no such thing as a "body" field. You are referring to the content of the value associated with the "event" key in the JSON object sent as a HEC event. Please let me know if I'm missing something in this clarification.

@bdschaap
Author

Makes sense. I'm referring to the name of the field in Otel log data model. I believe the log is transformed to a HEC event by the Splunk HEC Exporter.

@atoulme atoulme removed the needs triage New item requiring triage label Dec 12, 2023
@atoulme
Contributor

atoulme commented Jan 5, 2024

This is resolved with #29551. Closing.

@atoulme atoulme closed this as completed Jan 5, 2024