Hi Community,
I have an Alloy config like this:

```alloy
loki.process "windows_event" {
  forward_to = [loki.write.bc.receiver, loki.write.splunk.receiver]

  // Parse the Windows event JSON and pull out the two fields we label on.
  stage.json {
    expressions = {
      keywords = "keywords",
      level    = "levelText",
    }
  }

  // Promote the extracted values to Loki labels.
  stage.labels {
    values = {
      keywords = null,
      level    = null,
    }
  }

  // Discard the noisy "Audit Success" events entirely.
  stage.drop {
    source = "keywords"
    value  = "Audit Success"
  }

  // "keywords" was only needed for the drop decision; don't ship it as a label.
  stage.label_drop {
    values = ["keywords"]
  }
}
```
I am sending these to my Loki without issues.
In addition to that, I want to send this to a Splunk HTTP Event Collector, i.e.:
https://splunk.endpoint/services/collector/event
or
https://splunk.endpoint/services/collector/raw
Right now, if I send the output processed from the above-mentioned loki.process.windows_event, I get garbage on the Splunk side.
The stuff I see in Splunk is not readable, as below.
Can Alloy send logs to an endpoint in JSON format?
In particular, if I want to send JSON to Splunk's event endpoint, the actual message should be a child of "event", like this:
```json
{
  "event": {
    "keywords": "your_keywords_value",
    "level": "your_level_value"
  }
}
```
When I enable the Write-Ahead Log (WAL) for my current loki.write.splunk.receiver, the content in the WAL file looks like this.
Do you know if this is doable with Alloy? If so, how can I achieve what I need?
I am open to using a different Splunk endpoint if there are other ways to do it besides the HEC endpoint (i.e. TCP).
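As an added illustration (not part of the original post, and not Alloy's own code), this shows the shape mismatch behind the "garbage": a Loki push-style body, whose JSON form is assumed here for readability, is re-shaped so that each log line sits under the `event` key the HEC event endpoint expects, with the Loki stream labels carried as HEC `fields`. The sample body, the `alloy` source and the `windows:event` sourcetype are constructed values.

```python
import json

# Constructed sample: a Loki push-API body in its JSON form (assumed here;
# loki.write itself ships snappy-compressed protobuf, which is what an HEC
# endpoint would see as unreadable bytes). Labels and line mirror what the
# loki.process "windows_event" pipeline above emits after label_drop.
SAMPLE_LOKI_PUSH = {
    "streams": [
        {
            "stream": {"job": "windows_event", "level": "Information"},
            "values": [
                ["1700000000123456789",
                 '{"keywords":"Audit Failure","levelText":"Information","eventID":4625}'],
                ["1700000001000000000", "plain text line"],
            ],
        }
    ]
}


def loki_push_to_hec_events(push_body, source="alloy", sourcetype="windows:event"):
    """Re-shape Loki push streams into Splunk HEC /services/collector/event objects.

    Each line becomes the value of "event"; stream labels become HEC index-time
    "fields"; the nanosecond Loki timestamp becomes HEC's epoch-seconds "time".
    """
    events = []
    for stream in push_body.get("streams", []):
        labels = dict(stream.get("stream", {}))
        for ts_ns, line in stream.get("values", []):
            try:
                body = json.loads(line)          # structured line: keep it an object
                if not isinstance(body, dict):
                    body = {"message": body}
            except json.JSONDecodeError:
                body = {"message": line}         # unstructured line: wrap it
            events.append({
                "time": round(int(ts_ns) / 1_000_000_000, 3),
                "source": source,
                "sourcetype": sourcetype,
                "fields": dict(labels),
                "event": body,
            })
    return events


def hec_batch(events):
    """Serialise events as the newline-delimited JSON that one HEC POST accepts."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
```

One HEC POST can carry several such objects separated by newlines, which is what `hec_batch` produces.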