Feature: Splunk HEC Transport
This implements a new transport type, splunk. This reformats JSON-formatted output into the format required for the Splunk HTTP Event Collector, and then delivers them to the HEC.
This has been tested with Netflow v9 from a firewall using ng_netflow, where time_flow_start_ns is in nanoseconds. Other information required for the Splunk HEC call is unmarshalled from the incoming data sent to the Send() method.
I'm very new to Go, so this implementation is probably imperfect. But it works well for my use case.
Hi @jmyoung, thank you for your contribution. Unfortunately I will have to politely decline adding it to the upstream branch. I do not have enough time nor resources to maintain extra transport modules. I usually advise piping the output of GoFlow2 to tools like Vector. Another possibility would be OpenTelemetry Collector.
The code looks ok, although I would suggest implementing some kind of buffering (otherwise performance will be heavily impacted by thousands of HTTP requests per second).
I did provide similar explanations on some of the transport PRs: https://github.com/netsampler/goflow2/pull/131 https://github.com/netsampler/goflow2/issues/311 https://github.com/netsampler/goflow2/issues/359 https://github.com/netsampler/goflow2/pull/366 https://github.com/netsampler/goflow2/pull/320 https://github.com/netsampler/goflow2/pull/278 https://github.com/netsampler/goflow2/pull/124 https://github.com/netsampler/goflow2/pull/96 https://github.com/netsampler/goflow2/pull/41
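As an added illustration (this is example code, not the PR's own transport or anything from GoFlow2), here is the core of what the PR describes plus the buffering the maintainer asks for: wrapping a GoFlow2 JSON record in the Splunk HEC event envelope, with time_flow_start_ns converted from nanoseconds to the epoch seconds HEC expects, and concatenating many events into one request body. The sample record, the sourcetype value and the function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Constructed GoFlow2-style JSON record (not captured from a real device); as with the
// ng_netflow setup described in the PR, time_flow_start_ns is in nanoseconds.
const SampleRecord = `{"type":"NETFLOW_V9","time_flow_start_ns":1700000000500000000,"src_addr":"10.0.0.1","dst_addr":"10.0.0.2","bytes":1500}`
// HECEvent is the per-event envelope the Splunk HTTP Event Collector expects.
type HECEvent struct {
	Time       float64         `json:"time"`
	SourceType string          `json:"sourcetype,omitempty"`
	Event      json.RawMessage `json:"event"`
}

// ToHECEvent wraps one flow record, turning time_flow_start_ns into the epoch seconds HEC
// wants in "time". A record without that field is rejected rather than indexed at receive time.
func ToHECEvent(record []byte, sourceType string) (HECEvent, error) {
	var f struct {
		TimeFlowStartNs int64 `json:"time_flow_start_ns"`
	}
	if err := json.Unmarshal(record, &f); err != nil {
		return HECEvent{}, fmt.Errorf("decode flow record: %w", err)
	}
	if f.TimeFlowStartNs <= 0 {
		return HECEvent{}, fmt.Errorf("flow record has no usable time_flow_start_ns")
	}
	return HECEvent{Time: float64(f.TimeFlowStartNs) / 1e9, SourceType: sourceType, Event: record}, nil
}

// EncodeBatch builds one request body from many records: HEC accepts concatenated JSON
// objects in a single POST (authenticated with "Authorization: Splunk <token>"), so a whole
// batch of flows costs one HTTP request rather than one per flow, the buffering asked for above.
func EncodeBatch(records [][]byte, sourceType string) ([]byte, error) {
	var body bytes.Buffer
	enc := json.NewEncoder(&body) // Encode writes a newline after each object
	for _, r := range records {
		ev, err := ToHECEvent(r, sourceType)
		if err != nil {
			return nil, err
		}
		if err := enc.Encode(ev); err != nil {
			return nil, err
		}
	}
	return body.Bytes(), nil
}
```

A real transport would call EncodeBatch once a size or time threshold is reached and keep the batch for retry when the collector does not answer 200.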
Just as a follow-up, the netflow2ng project is an example of using GoFlow2 as a library and adding a transport and format for ntopng to consume. So, maybe that's the approach you should take.