I am using fluent-bit as the log collector and redirecting the log files to Splunk HEC. In the event metadata, I would like to set "source" as the log path, but it failed.

[INPUT]
    Name tail
    Tag jsm_on_centos8-2
    Path /home/dujas/fluent-bit/conf/inputs/atlassian-jira-snip3.log
    DB /home/dujas/fluent-bit/db/test.db
    Read_from_Head True
    Buffer_Chunk_Size 20480KB
    Buffer_Max_Size 20480KB
    multiline.parser jsm

[OUTPUT]
    Name Splunk
    Match *
    Host centos8-1
    Port 8043
    tls on
    tls.verify on
    tls.ca_file /home/dujas/certs/ca.pem
    tls.crt_file /home/dujas/certs/centos8-2_all.pem
    tls.key_file /home/dujas/certs/centos8-2.key
    tls.key_passwd <key password>
    Splunk_Token <token value>
    Splunk_Send_Raw off
    event_host ${HOSTNAME}
    event_source $path
    event_key $time $message

With this configuration, Splunk took the token name as the source:
Anything I missed?
One workaround is to set the event_source manually with the log path, but what if the log path is like: /home/dujas/logs/*.log?