in_splunk: Implement handling remote addr feature

[cosmo0920]

Currently, in_splunk does not handle remote address.
This could be inconvenient to track remote address for traceability.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change
• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • Added remote address tracking with new configuration options to inject remote addresses into logs.
  • Supports X-Forwarded-For header extraction with fallback to connection address.

• Tests

  • Added test coverage for remote address extraction functionality.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This change adds X-Forwarded-For (XFF) header extraction and remote address injection to the Splunk input plugin. New configuration options enable capturing remote addresses from XFF headers or connection peer addresses, with configurable field names for storing the data in log records.

Changes

Cohort / File(s)	Summary
Configuration & Structure plugins/in_splunk/splunk.c, plugins/in_splunk/splunk.h, plugins/in_splunk/splunk_config.c	Added config options add_remote_addr (boolean) and remote_addr_key (string, default "remote_addr"), along with struct fields for per-request remote address tracking (current_remote_addr, current_remote_addr_len)
Protocol Handler plugins/in_splunk/splunk_prot.c, plugins/in_splunk/splunk_prot.h	Implemented XFF header parsing with HTTP/1.1 and HTTP/2.0 support; added remote address extraction utilities (extract_xff_value, extract_remote_address, append_remote_addr); refactored payload processing to propagate and inject remote address into log events; added SPLUNK_XFF_HEADER macro
Tests tests/runtime/in_splunk.c	Added integration test flb_test_splunk_xff_extract() validating XFF header extraction and remote address injection in HTTP requests

Sequence Diagram

sequenceDiagram
    actor Client
    participant Handler as Protocol Handler
    participant Parser as Header Parser
    participant Logger as Log Processor
    participant Output as Output

    Client->>Handler: HTTP Request + X-Forwarded-For Header
    Handler->>Parser: Extract XFF Header / Connection Address
    Parser->>Parser: Parse X-Forwarded-For Value
    Parser->>Handler: Return Remote Address
    Handler->>Handler: Store current_remote_addr
    Handler->>Logger: Process Payload (with remote_addr context)
    Logger->>Logger: Append Remote Address Field to Record
    Logger->>Output: Emit Log with Remote Address
    Handler->>Handler: Clear current_remote_addr (keep-alive cleanup)

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

Suggested Labels

docs-required

Suggested Reviewers

• edsiper
• patrick-stephens
• fujimotos
• koleini

Poem

🐰 A hop through headers, a quest for the true,
X-Forwarded-For hops now bring remote in view,
Each packet adorned with its origin's light,
The Splunk plugin bounces into the night!
Forward the address, let logging take flight! 🌙✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 26.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: implementing remote address handling in the Splunk input plugin, which aligns with the comprehensive modifications across configuration, protocol handling, and testing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ba50be0c16

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Handle non-map records before iterating keys

The new body-building path always treats record as a map and iterates record->via.map without checking record->type. This is a regression from the prior set_body_from_msgpack_object() path, which safely handled non-map records. If a Splunk payload is a JSON array containing scalar entries (or any non-object element), process_json_payload_pack() still forwards each element here, and this dereference will read the wrong union field, leading to undefined behavior or crashes. Consider keeping the old fallback for non-map objects or validating the record type before iterating.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@plugins/in_splunk/splunk_prot.c`:
- Around line 1381-1399: In splunk_prot_handle_ng() the per-request fields
context->current_remote_addr and context->current_remote_addr_len are set but
never reset, allowing stale addresses to persist across requests; update the
function to ensure these fields are cleared before every return (or funnel
returns through a single cleanup label), e.g., after using
extract_remote_address(), when falling back to peer
(flb_connection_get_remote_address(parent_session->connection)), and prior to
any early exits: set context->current_remote_addr = NULL and
context->current_remote_addr_len = 0 (or free/reset as appropriate) so the same
cleanup performed in splunk_prot_handle() is applied here.

🧹 Nitpick comments (5)

plugins/in_splunk/splunk.h (1)

76-79: Consider using const char * instead of flb_sds_t for borrowed pointers.

current_remote_addr is assigned non-owned pointers from either the XFF header value or flb_connection_get_remote_address() in splunk_prot.c. Using flb_sds_t is misleading since it implies an owned/allocated string that should be managed with flb_sds_* functions.

For clarity and to prevent accidental misuse:

♻️ Suggested change

     /* Remote address */
-    flb_sds_t current_remote_addr;
+    const char *current_remote_addr;
     size_t current_remote_addr_len;

plugins/in_splunk/splunk_prot.c (4)

265-290: Const-correctness issue in output parameter.

The function assigns const char * values (from extract_xff_value and flb_connection_get_remote_address) to *out, but out is declared as char **. This discards the const qualifier and may cause compiler warnings.

♻️ Suggested fix

 static int extract_remote_address(const char *xff_value,
                                   size_t xff_value_len,
                                   struct flb_connection *connection,
-                                  char **out,
+                                  const char **out,
                                   size_t *out_len)
 {

Also update the corresponding field type in splunk.h and call sites in splunk_prot_handle() and splunk_prot_handle_ng().

---

424-428: Unused parameters in function signature.

The remote_addr and remote_addr_len parameters are added to the signature but never used. The function uses ctx->current_remote_addr and ctx->current_remote_addr_len directly at lines 478-480.

Either use the passed parameters or remove them from the signature to avoid confusion:

♻️ Option 1: Remove unused parameters

 static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *record,
                                    flb_sds_t tag, flb_sds_t tag_from_record,
-                                   struct flb_time tm,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct flb_time tm)

♻️ Option 2: Use the passed parameters

     if (ret == FLB_EVENT_ENCODER_SUCCESS) {
         ret = append_remote_addr(ctx,
-                                 ctx->current_remote_addr,
-                                 ctx->current_remote_addr_len);
+                                 remote_addr,
+                                 remote_addr_len);
     }

---

775-780: Unused parameters in function signature.

Similar to process_flb_log_append(), the remote_addr and remote_addr_len parameters are not used within this function. The downstream process_raw_payload_pack() accesses ctx->current_remote_addr directly.

Consider removing these unused parameters for consistency:

♻️ Suggested change

 static int process_hec_raw_payload(struct flb_splunk *ctx, struct splunk_conn *conn,
                                    flb_sds_t tag,
                                    struct mk_http_session *session,
-                                   struct mk_http_request *request,
-                                   const char *remote_addr,
-                                   size_t remote_addr_len)
+                                   struct mk_http_request *request)

---

1115-1118: Missing cleanup on early return paths.

The per-request remote address is cleared at the end of successful processing, but multiple early return paths (lines 861, 928, 974, 1040, 1066, 1088, 1104) skip this cleanup. While the state is re-initialized at the start of each request (lines 1003-1004), for defensive coding it would be cleaner to use a goto cleanup pattern to ensure consistent cleanup.

Alternatively, since the state is always re-initialized at the start of splunk_prot_handle(), this might be acceptable as-is. Just ensure this initialization always happens before any potential use.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Missing cleanup of per-request remote address in splunk_prot_handle_ng().

Unlike splunk_prot_handle() which clears current_remote_addr at lines 1115-1118, splunk_prot_handle_ng() never clears the per-request state after processing. This could cause stale remote address values to leak to subsequent requests on the same HTTP/2 stream or connection.

♻️ Suggested fix - add cleanup before return

Add cleanup before each return statement, or consolidate returns through a cleanup label:

     flb_sds_destroy(tag);
+
+    /* Clear per-request remote address */
+    context->current_remote_addr = NULL;
+    context->current_remote_addr_len = 0;
+
     return ret;
 }

🤖 Prompt for AI Agents

In `@plugins/in_splunk/splunk_prot.c` around lines 1381 - 1399, In
splunk_prot_handle_ng() the per-request fields context->current_remote_addr and
context->current_remote_addr_len are set but never reset, allowing stale
addresses to persist across requests; update the function to ensure these fields
are cleared before every return (or funnel returns through a single cleanup
label), e.g., after using extract_remote_address(), when falling back to peer
(flb_connection_get_remote_address(parent_session->connection)), and prior to
any early exits: set context->current_remote_addr = NULL and
context->current_remote_addr_len = 0 (or free/reset as appropriate) so the same
cleanup performed in splunk_prot_handle() is applied here.