Edge Delta Splunk Mapper
Overview
The Splunk Mapper node applies mappings to create a new payload for the Splunk event endpoint. The output of this node can only be received by the Splunk destination node. This node can ingest a log type or a custom type. There are some restrictions on what types of values can populate certain fields; for example, the “event” field of the Splunk payload can only take string values, JSON strings, and JSON maps.
- incoming_data_types: custom, log, cluster_pattern_and_sample
- outgoing_data_types: splunk_payload
Most of the fields in the schema can be customized, except “event” and “index”. If not customized, it will use the default value:
- Time: item["timestamp"]
- Host: item["resource"]["host.name"]
- Source: item["resource"]["__src_name"]
- Sourcetype: item["resource"]["src_type"]
- Event: item["body"]
- Fields: item["attributes"]
- Index: none
If the specified field is missing from the incoming item, an empty string will be used as the default value.
Example Configuration
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_source_type: item["resource"]["src_type"]
    splunk_source: item["resource"]["__src_name"]
    splunk_host: item["resource"]["host.name"]
    splunk_index: "edgedelta"
    splunk_event: item["body"]
    splunk_fields: item["attributes"]
    splunk_time: item["timestamp"]
Example Input Log
{
  "_type": "log",
  "body": "12:37 [TRACE] hello trace - i am a trace log - environment:prod, latency=143ms",
  "resource": {
    "ed.conf.id": "123456789-1234-1234-1234-123456789",
    "ed.org.id": "123456789-1234-1234-1234-123456789",
    "ed.tag": "testing pipeline",
    "host.ip": "10.0.0.1",
    "host.name": "ED_TEST",
    "src_type": "memory_input"
  },
  "timestamp": 1715681562252
}
Example Output
{
  "Event": "12:37 [TRACE] hello trace - i am a trace log - environment:prod, latency=143ms",
  "Fields": null,
  "Host": "ED_TEST",
  "Index": "edgedelta",
  "Source": "fileinput|stat|ED_TEST|Unknown|Unknown",
  "SourceType": "memory_input",
  "Time": "1726710644.177"
}
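To make the mapping rules above concrete, here is an added Python simulation of what the node does with the example configuration and input log. It is not Edge Delta's code. It evaluates only the tiny subset of CEL the page uses (double-quoted string literals and item["..."]["..."] subscript chains), applies the page's defaults and its missing-field rule, enforces the stated type restriction on the “event” field, and renders Time as "<seconds>.<milliseconds>" because the sample output shows that shape (the conversion from an epoch-millisecond timestamp is an assumption). Note that the sample input has no __src_name key, so under the stated rule Source resolves to the empty string, and Fields comes out null because attributes is absent, as in the sample output.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample configuration, mirroring the page's example configuration.
CONFIG = {
    "splunk_source_type": 'item["resource"]["src_type"]',
    "splunk_source": 'item["resource"]["__src_name"]',
    "splunk_host": 'item["resource"]["host.name"]',
    "splunk_index": '"edgedelta"',
    "splunk_event": 'item["body"]',
    "splunk_fields": 'item["attributes"]',
    "splunk_time": 'item["timestamp"]',
}

# Constructed sample input item, mirroring the page's example input log.
SAMPLE_ITEM = {
    "_type": "log",
    "body": "12:37 [TRACE] hello trace - i am a trace log - environment:prod, latency=143ms",
    "resource": {
        "ed.conf.id": "123456789-1234-1234-1234-123456789",
        "ed.org.id": "123456789-1234-1234-1234-123456789",
        "ed.tag": "testing pipeline",
        "host.ip": "10.0.0.1",
        "host.name": "ED_TEST",
        "src_type": "memory_input",
    },
    "timestamp": 1715681562252,
}

# Output field -> (config parameter, default CEL expression). Index has no default.
FIELD_MAP = {
    "Time": ("splunk_time", 'item["timestamp"]'),
    "Host": ("splunk_host", 'item["resource"]["host.name"]'),
    "Source": ("splunk_source", 'item["resource"]["__src_name"]'),
    "SourceType": ("splunk_source_type", 'item["resource"]["src_type"]'),
    "Event": ("splunk_event", 'item["body"]'),
    "Fields": ("splunk_fields", 'item["attributes"]'),
    "Index": ("splunk_index", None),
}

_MISSING = object()  # sentinel: a key on the path was absent from the item


def evaluate(expr: str, item: Dict[str, Any]) -> Any:
    """Evaluate the CEL subset used on this page (simplification, not a CEL engine):
    a double-quoted string literal, or an item[...][...] subscript chain."""
    expr = expr.strip()
    if len(expr) >= 2 and expr.startswith('"') and expr.endswith('"'):
        return expr[1:-1]
    rest = expr[len("item"):] if expr.startswith("item") else None
    if rest is None or not re.fullmatch(r'(?:\["[^"]*"\])+', rest):
        raise ValueError(f"unsupported expression: {expr!r}")
    value: Any = item
    for key in re.findall(r'\["([^"]*)"\]', rest):
        if not isinstance(value, dict) or key not in value:
            return _MISSING
        value = value[key]
    return value


def is_valid_event(value: Any) -> bool:
    """The page restricts 'event' to strings (plain or JSON text) and JSON maps."""
    return isinstance(value, (str, dict))


def format_time(value: Any) -> Any:
    """Assumption: render an epoch-millisecond integer as '<seconds>.<millis>',
    the shape shown in the page's sample output; anything else passes through."""
    if isinstance(value, int) and not isinstance(value, bool):
        return f"{value // 1000}.{value % 1000:03d}"
    return value


def build_payload(config: Dict[str, str], item: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Splunk payload: configured expression, else the page's default."""
    payload: Dict[str, Optional[Any]] = {}
    for out_key, (param, default_expr) in FIELD_MAP.items():
        expr = config.get(param, default_expr)
        value = evaluate(expr, item) if expr is not None else None
        if value is _MISSING:
            # Page rule: missing field -> empty string. The sample output shows
            # Fields as null when attributes is absent, so mirror that for Fields.
            value = None if out_key == "Fields" else ""
        payload[out_key] = value
    if not is_valid_event(payload["Event"]):
        raise TypeError(f"event must be a string or map, got {type(payload['Event']).__name__}")
    payload["Time"] = format_time(payload["Time"])
    return payload


if __name__ == "__main__":
    print(json.dumps(build_payload(CONFIG, SAMPLE_ITEM), indent=2, sort_keys=True))
```

Running the block prints the payload for the sample item; calling build_payload({}, SAMPLE_ITEM) shows the pure-default mapping, where Index is null because the page gives it no default.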
Required Parameters
name
A descriptive name for the node. This is the name that will appear in Visual Pipelines and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.
nodes:
  - name: <node name>
    type: <node type>
type: splunk_mapper
The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.
nodes:
  - name: <node name>
    type: <node type>
splunk_event
The splunk_event parameter defines the event field of the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. It is required.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_event: item["body"]
splunk_source
The splunk_source parameter defines the source field of the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. It is required.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_source: item["resource"]["__src_name"]
splunk_source_type
The splunk_source_type parameter defines the sourcetype field of the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. A source type is required.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_source_type: item["resource"]["src_type"]
Optional Parameters
splunk_fields
The splunk_fields parameter defines fields in the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. It is optional.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_fields: item["attributes"]
splunk_host
The splunk_host parameter defines the host field of the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. It is optional.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_host: item["resource"]["host.name"]
splunk_index
The splunk_index parameter defines the index field of the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. It is optional.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_index: <index>
splunk_time
The splunk_time parameter defines the “time” field of the Splunk payload from the given input item. It is specified with CEL and you can use CEL macros. It is optional.
nodes:
  - name: splunk_payload_mapping_example
    type: splunk_mapper
    splunk_time: item["timestamp"]