fluentbit in and out to support hec_token passthrough #11301
Description
Is your feature request related to a problem? Please describe.
Hi all,
i'd like to ask if it's possible to have the same behavior as fluentbit version prior to 4.0.2 where this change was made #10329
in a multi-tenant central logging platform i want to be able to passthrough the splunk hec token from the sources to splunk. to keep their respective indexes.
diagram of what I need.
Describe the solution you'd like
I need to be able to passthrough the hec token set by the sources
example:
server1 fluentbit.conf
[OUTPUT]
name splunk
host server3
Splunk_Token AAA
server2 fluentbit.conf
[OUTPUT]
name splunk
host server3
Splunk_Token BBB
server3 fluentbit.conf
[INPUT]
name splunk
store_token_in_metadata true
[OUTPUT]
name splunk
host splunk_server
Splunk_Token ZZZ
behavior in fluentbit 4.0.1
server3 sends logs from server1 and server2 to splunk_server using their respective index in splunk
behavior in fluentbit 4.2.1
server3 overwrites hec_token to ZZZ therefore all logs goes to one index
Describe alternatives you've considered
For now 4.0.1 version solves this problem but not 100% my need (addressed in additional context).
one suggestion would be to allow Splunk_Token to be blank optional - now it's obligatory
if Splunk_Token is blank it then uses the one from metadata hec_token
Additional context
I'm assessing this solution to enrich data before sending to datadog for example.
if I have the origin hec_token I can enrich with team, account_id tag before sending to datadog
problem is that to access the log metadata in lua i need at least version 4.0.4
https://docs.fluentbit.io/manual/data-pipeline/filters/lua#lua-extended-callback-with-groups-and-metadata-support
currently this is the solution that would work
- use 4.0.1 to pass hec_token forward
- to 4.2.1 to enrich using lua filter
thanks,
regards,c