@@ -233,6 +233,15 @@ static int process_raw_payload_pack(struct flb_splunk *ctx, flb_sds_t tag, char
233233 FLB_LOG_EVENT_STRING_VALUE (buf , size ));
234234 }
235235
236+ if (ctx -> ingested_auth_header != NULL ) {
237+ if (ret == FLB_EVENT_ENCODER_SUCCESS ) {
238+ ret = flb_log_event_encoder_append_metadata_values (
239+ & ctx -> log_encoder ,
240+ FLB_LOG_EVENT_CSTRING_VALUE ("hec_token" ),
241+ FLB_LOG_EVENT_CSTRING_VALUE (ctx -> ingested_auth_header ));
242+ }
243+ }
244+
236245 if (ret == FLB_EVENT_ENCODER_SUCCESS ) {
237246 ret = flb_log_event_encoder_commit_record (& ctx -> log_encoder );
238247 }
@@ -281,6 +290,15 @@ static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *recor
281290 record );
282291 }
283292
293+ if (ctx -> ingested_auth_header != NULL ) {
294+ if (ret == FLB_EVENT_ENCODER_SUCCESS ) {
295+ ret = flb_log_event_encoder_append_metadata_values (
296+ & ctx -> log_encoder ,
297+ FLB_LOG_EVENT_CSTRING_VALUE ("hec_token" ),
298+ FLB_LOG_EVENT_CSTRING_VALUE (ctx -> ingested_auth_header ));
299+ }
300+ }
301+
284302 if (ret == FLB_EVENT_ENCODER_SUCCESS ) {
285303 ret = flb_log_event_encoder_commit_record (& ctx -> log_encoder );
286304 }
@@ -477,6 +495,7 @@ static int process_hec_payload(struct flb_splunk *ctx, struct splunk_conn *conn,
477495 int ret = 0 ;
478496 int type = -1 ;
479497 struct mk_http_header * header ;
498+ struct mk_http_header * header_auth ;
480499 int extra_size = -1 ;
481500 struct mk_http_header * headers_extra ;
482501 int gzip_compressed = FLB_FALSE ;
@@ -508,6 +527,13 @@ static int process_hec_payload(struct flb_splunk *ctx, struct splunk_conn *conn,
508527 return -1 ;
509528 }
510529
530+ header_auth = & session -> parser .headers [MK_HEADER_AUTHORIZATION ];
531+ if (header_auth -> key .data != NULL ) {
532+ if (strncasecmp (header_auth -> val .data , "Splunk " , 7 ) == 0 ) {
533+ ctx -> ingested_auth_header = header_auth -> val .data ;
534+ }
535+ }
536+
511537 extra_size = session -> parser .headers_extra_count ;
512538 if (extra_size > 0 ) {
513539 for (i = 0 ; i < extra_size ; i ++ ) {
@@ -548,6 +574,7 @@ static int process_hec_raw_payload(struct flb_splunk *ctx, struct splunk_conn *c
548574{
549575 int ret = -1 ;
550576 struct mk_http_header * header ;
577+ struct mk_http_header * header_auth ;
551578
552579 header = & session -> parser .headers [MK_HEADER_CONTENT_TYPE ];
553580 if (header -> key .data == NULL ) {
@@ -565,6 +592,13 @@ static int process_hec_raw_payload(struct flb_splunk *ctx, struct splunk_conn *c
565592 return -1 ;
566593 }
567594
595+ header_auth = & session -> parser .headers [MK_HEADER_AUTHORIZATION ];
596+ if (header_auth -> key .data != NULL ) {
597+ if (strncasecmp (header_auth -> val .data , "Splunk " , 7 ) == 0 ) {
598+ ctx -> ingested_auth_header = header_auth -> val .data ;
599+ }
600+ }
601+
568602 /* Always handle as raw type of payloads here */
569603 ret = process_raw_payload_pack (ctx , tag , request -> data .data , request -> data .len );
570604
@@ -889,6 +923,9 @@ static int process_hec_payload_ng(struct flb_http_request *request,
889923 struct flb_splunk * ctx )
890924{
891925 int type = -1 ;
926+ int ret = 0 ;
927+ size_t size = 0 ;
928+ char * auth_header ;
892929
893930 type = HTTP_CONTENT_UNKNOWN ;
894931
@@ -905,6 +942,11 @@ static int process_hec_payload_ng(struct flb_http_request *request,
905942 }
906943 }
907944
945+ ret = flb_hash_table_get (request -> headers , "authorization" , 13 , (void * * )& auth_header , & size );
946+ if (ret != 0 ) {
947+ ctx -> ingested_auth_header = auth_header ;
948+ }
949+
908950 if (request -> body == NULL || cfl_sds_len (request -> body ) <= 0 ) {
909951 send_response_ng (response , 400 , "error: no payload found\n" );
910952
0 commit comments