Add fields to log message using HttpEventCollectorLogbackAppender

[christophersavory]

curl -k https://<host>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "Hello, world!", "sourcetype": "test-sourcetype", "host": "test-host", "source": "test-source", "fields":{"app_id":"999999999"}}'

I am trying to replicate the log event above using the HttpEventCollectorLogbackAppender. I can send everything to Splunk except the "fields".

I can see that there is a fields property being added in HecJsonSerializer, and that is for metadata not in the MetadataTags.HEC_TAGS set. I think this is what I need, but I can't figure out a way to add metadata outside that Set through the XML configuration. The metadata is list fixed in lines 75-88 of HttpEventCollectorLogbackAppender.java. How can we add metadata like in the curl request above without having to extend HttpEventCollectorLogbackAppender?

[m-flak]

You have to define your own JsonLayout because the library currently does not support Encoders. Anything that you wish to provide to Splunk via HEC must be redundantly defined in a class extending ch.qos.logback.contrib.json.classic.JsonLayout and your logback.xml.

After implementing your layout in the code, you use it like:

<layout class="com.mycompany.app.logging.SplunkJsonLayout">
            <jsonFormatter class="ch.qos.logback.contrib.jackson.JacksonJsonFormatter" />
            <appendLineSeparator>true</appendLineSeparator>
            <app_id>999999999</app_id>
</layout>