Support for raw events

[lorenzobenvenuti]

Hi,

any plans to support raw events? If you're OK with that, I can try to put a PR together.

Thanks,

lorenzo

[vietk]

Hello @lorenzobenvenuti,

No raw events planed on our side yet.
If you need it, you are more than welcome to contribute.

Regards

[lorenzobenvenuti]

Hi @vietk ,

I played a bit with the library and HEC and realized that my use case can be solved in two ways: either using raw events or supporting a custom event serializer. The issue with the current approach is that the event field content is something like

{
  "message": "my log message"
   "severity": "INFO"
   "time": 1653464900.155
}

My problem is that I want to index just my log message (I already have a source type for that), not the JSON wrapper.
Using raw events solves the issue, because the client performs a POST with just the original message; an alternative approach would be allowing the users to specify a custom EventBodySerializer to customize the event field content (see com.splunk.logging.serialization.HecJsonSerializer#serialize). For example, my use case could be solved by injecting a PlainTextEventBodySerializer which is already provided by splunk-library-javalogging. Probably this approach is more flexible than raw events? Thoughts?

Thanks,

lorenzo

[vietk]

I would say, if raw events is already fitting your need, just contribute for that, it probably also fit also for some other people.
I have the feeling that the EventBodySerializer is more for specific case or maybe things that would be fixable or server side.

[lorenzobenvenuti]

Hi @vietk , I've just created an MR implementing support for raw events: #99

[vietk]

ok will look at it ASAP

[rquinio1A]

@lorenzobenvenuti Thanks for the contribution, it's released in 2.3.0!
In case you want to be credited in the README I think you need to ask the bot in #1