Updated sourceType examples in the docs, api and tests to use a pod label. Added an API validation test where sourceType is templated, and fixed single quote bug in API validation tests during oc apply.

marpears · marpears · commit 48c73945bbd8 · 2026-05-05T14:45:23.000+01:00
diff --git a/api/observability/v1/output_types.go b/api/observability/v1/output_types.go
@@ -1346,13 +1346,15 @@ type Splunk struct {
 	//
 	// Examples:
 	//
-	//  1. "log4j"
+	//  1. {.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}
 	//
-	//  2. foo-{.bar||"none"}
+	//  2. "log4j"
 	//
-	//  3. {.foo||.bar||"missing"}
+	//  3. foo-{.bar||"none"}
 	//
-	//  4. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
+	//  4. {.foo||.bar||"missing"}
+	//
+	//  5. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
 	//
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Pattern:=`^(([a-zA-Z0-9-_.\/])*(\{(\.[a-zA-Z0-9_]+|\."[^"]+")+((\|\|)(\.[a-zA-Z0-9_]+|\.?"[^"]+")+)*\|\|"[^"]*"\})*)*$`
diff --git a/bundle/manifests/cluster-logging.clusterserviceversion.yaml b/bundle/manifests/cluster-logging.clusterserviceversion.yaml
@@ -1957,13 +1957,15 @@ spec:
 
           Examples:
 
-           1. "log4j"
+           1. {.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}
 
-           2. foo-{.bar||"none"}
+           2. "log4j"
 
-           3. {.foo||.bar||"missing"}
+           3. foo-{.bar||"none"}
 
-           4. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
+           4. {.foo||.bar||"missing"}
+
+           5. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
         displayName: SourceType
         path: outputs[0].splunk.sourceType
         x-descriptors:
diff --git a/bundle/manifests/observability.openshift.io_clusterlogforwarders.yaml b/bundle/manifests/observability.openshift.io_clusterlogforwarders.yaml
@@ -3907,13 +3907,15 @@ spec:
 
                             Examples:
 
-                             1. "log4j"
+                             1. {.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}
 
-                             2. foo-{.bar||"none"}
+                             2. "log4j"
 
-                             3. {.foo||.bar||"missing"}
+                             3. foo-{.bar||"none"}
 
-                             4. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
+                             4. {.foo||.bar||"missing"}
+
+                             5. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
                           pattern: ^(([a-zA-Z0-9-_.\/])*(\{(\.[a-zA-Z0-9_]+|\."[^"]+")+((\|\|)(\.[a-zA-Z0-9_]+|\.?"[^"]+")+)*\|\|"[^"]*"\})*)*$
                           type: string
                         tuning:
diff --git a/config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml b/config/crd/bases/observability.openshift.io_clusterlogforwarders.yaml
@@ -3907,13 +3907,15 @@ spec:
 
                             Examples:
 
-                             1. "log4j"
+                             1. {.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}
 
-                             2. foo-{.bar||"none"}
+                             2. "log4j"
 
-                             3. {.foo||.bar||"missing"}
+                             3. foo-{.bar||"none"}
 
-                             4. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
+                             4. {.foo||.bar||"missing"}
+
+                             5. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
                           pattern: ^(([a-zA-Z0-9-_.\/])*(\{(\.[a-zA-Z0-9_]+|\."[^"]+")+((\|\|)(\.[a-zA-Z0-9_]+|\.?"[^"]+")+)*\|\|"[^"]*"\})*)*$
                           type: string
                         tuning:
diff --git a/config/manifests/bases/cluster-logging.clusterserviceversion.yaml b/config/manifests/bases/cluster-logging.clusterserviceversion.yaml
@@ -1880,13 +1880,15 @@ spec:
 
           Examples:
 
-           1. "log4j"
+           1. {.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}
 
-           2. foo-{.bar||"none"}
+           2. "log4j"
 
-           3. {.foo||.bar||"missing"}
+           3. foo-{.bar||"none"}
 
-           4. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
+           4. {.foo||.bar||"missing"}
+
+           5. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
         displayName: SourceType
         path: outputs[0].splunk.sourceType
         x-descriptors:
diff --git a/docs/features/logforwarding/outputs/splunk-forwarding.adoc b/docs/features/logforwarding/outputs/splunk-forwarding.adoc
@@ -37,9 +37,9 @@ spec:
         url: 'http://example-splunk-hec-service:8088' # <2>
         index: '{.log_type||"main"}' # <3>
         source: '{.log_source||"undefined"}' # <4>
-        sourceType: '{.log_source||"undefined"}' # <5>
+        sourceType: '{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}' # <5>
         indexedFields: ['.log_type', '.log_source'] # <6>
-        payloadKey: '.kubernetes' # <7>
+        payloadKey: '.message' # <7>
         tuning:
           compression: gzip # <8>
   pipelines:
@@ -85,7 +85,7 @@ metadata:
   name: myapp
   labels:
     app: myapp
-    splunk_sourcetype: log4j
+    splunk/sourcetype: log4j
 spec:
   containers:
     - name: myapp
@@ -125,7 +125,7 @@ spec:
           key: hecToken
           secretName: splunk-secret
       payloadKey: .message
-      sourceType: '{.kubernetes.labels.splunk_sourcetype||"generic_single_line"}'
+      sourceType: '{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}'
       url: http://splunk.customer.com:8088
     type: splunk
   pipelines:
diff --git a/internal/generator/vector/output/splunk/splunk_sink_with_payloadkey_and_sourcetype.toml b/internal/generator/vector/output/splunk/splunk_sink_with_payloadkey_and_sourcetype.toml
@@ -25,7 +25,7 @@ if ._internal.log_type == "audit" {
    ._internal.splunk.source = ._internal.log_source
 }
 payloadKey = ["message"]
-sourceType = to_string!(._internal.foo||"missing")
+sourceType = to_string!(._internal.kubernetes.labels."splunk/sourcetype"||"generic_single_line")
 if !is_null(payloadKey) {
 	value = get!(., payloadKey) 
 	if !is_null(value) {
diff --git a/internal/generator/vector/output/splunk/splunk_sink_with_payloadkey_and_static_sourcetype.toml b/internal/generator/vector/output/splunk/splunk_sink_with_payloadkey_and_static_sourcetype.toml
@@ -0,0 +1,54 @@
+[transforms.splunk_hec_timestamp]
+type = "remap"
+inputs = ["pipelineName"]
+source = '''
+ts, err = parse_timestamp(._internal.timestamp,"%+")
+if err != null {
+	log("could not parse timestamp. err=" + err, rate_limit_secs: 0)
+} else {
+	._internal.timestamp = ts
+}
+'''
+
+[transforms.splunk_hec_metadata]
+type = "remap"
+inputs = ["splunk_hec_timestamp"]
+source = '''
+# Splunk 'source' field detection
+if ._internal.log_type == "infrastructure" && ._internal.log_source == "node" {
+    ._internal.splunk.source = to_string!(._internal.systemd.u.SYSLOG_IDENTIFIER || "")
+}
+if ._internal.log_source == "container" {
+   	._internal.splunk.source = join!([._internal.kubernetes.namespace_name, ._internal.kubernetes.pod_name, ._internal.kubernetes.container_name], "_")
+}
+if ._internal.log_type == "audit" {
+   ._internal.splunk.source = ._internal.log_source
+}
+payloadKey = ["message"]
+sourceType = "custom-type"
+if !is_null(payloadKey) {
+	value = get!(., payloadKey) 
+	if !is_null(value) {
+        internal = ._internal
+        . = {}
+        . = set!(., payloadKey, value)
+        ._internal = internal
+	    ._internal.splunk.sourcetype = sourceType
+	} else {
+		._internal.splunk.sourcetype = "_json"
+	}
+}
+'''
+
+[sinks.splunk_hec]
+type = "splunk_hec_logs"
+inputs = ["splunk_hec_metadata"]
+endpoint = "https://splunk-web:8088/endpoint"
+default_token = "SECRET[kubernetes_secret.vector-splunk-secret/hecToken]"
+timestamp_key = "._internal.timestamp"
+source = "{{ ._internal.splunk.source }}"
+sourcetype = "{{ ._internal.splunk.sourcetype }}"
+host_key = "._internal.hostname"
+[sinks.splunk_hec.encoding]
+codec = "json"
+except_fields = ["_internal"]
diff --git a/internal/generator/vector/output/splunk/splunk_test.go b/internal/generator/vector/output/splunk/splunk_test.go
@@ -124,8 +124,12 @@ var _ = Describe("Generating vector config for Splunk output", func() {
 		Entry("with payloadKey", "splunk_sink_payloadkey.toml", framework.NoOptions, func(spec *obs.OutputSpec) {
 			spec.Splunk.PayloadKey = ".openshift"
 		}),
-		Entry("with payloadKey and sourceType", "splunk_sink_with_payloadkey_and_sourcetype.toml", framework.NoOptions, func(spec *obs.OutputSpec) {
+		Entry("with payloadKey and dynamic sourceType", "splunk_sink_with_payloadkey_and_sourcetype.toml", framework.NoOptions, func(spec *obs.OutputSpec) {
 			spec.Splunk.PayloadKey = ".message"
-			spec.Splunk.SourceType = `{.foo||"missing"}`
+			spec.Splunk.SourceType = `{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}`
+		}),
+		Entry("with payloadKey and static sourceType", "splunk_sink_with_payloadkey_and_static_sourcetype.toml", framework.NoOptions, func(spec *obs.OutputSpec) {
+			spec.Splunk.PayloadKey = ".message"
+			spec.Splunk.SourceType = "custom-type"
 		}))
 })
diff --git a/test/e2e/collection/apivalidations/api_validations_test.go b/test/e2e/collection/apivalidations/api_validations_test.go
@@ -40,7 +40,8 @@ var _ = Describe("", func() {
 			Fail(err.Error())
 		}
 
-		execCMD := exec.Command("sh", "-c", fmt.Sprintf("echo '%s' | oc -n %s create -f -", crYaml, deployNS))
+		execCMD := exec.Command("oc", "-n", deployNS, "create", "-f", "-")
+		execCMD.Stdin = bytes.NewReader(crYaml)
 		reader, err := cmd.NewReader(execCMD)
 		Expect(err).ToNot(HaveOccurred())
 		defer func() {
@@ -129,10 +130,17 @@ var _ = Describe("", func() {
 		Entry("should pass for Splunk with payloadKey", "splunk-payloadkey.yaml", func(out string, err error) {
 			Expect(err).ToNot(HaveOccurred())
 		}),
-		Entry("should pass for Splunk if sourceType is used with payloadKey", "splunk-payloadkey-and-sourcetype.yaml", func(out string, err error) {
+		Entry("should pass for Splunk if static sourceType is used with payloadKey", "splunk-payloadkey-and-sourcetype.yaml", func(out string, err error) {
 			Expect(err).ToNot(HaveOccurred())
 		}),
-		Entry("should fail for Splunk if sourceType is not used with payloadKey", "splunk-sourcetype.yaml", func(out string, err error) {
+		Entry("should pass for Splunk if templated sourceType is used with payloadKey", "splunk-payloadkey-and-templated-sourcetype.yaml", func(out string, err error) {
+			Expect(err).ToNot(HaveOccurred())
+		}),
+		Entry("should fail for Splunk if static sourceType is not used with payloadKey", "splunk-sourcetype.yaml", func(out string, err error) {
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(MatchRegexp("sourceType can only be set when payloadKey is defined"))
+		}),
+		Entry("should fail for Splunk if templated sourceType is not used with payloadKey", "splunk-templated-sourcetype.yaml", func(out string, err error) {
 			Expect(err).To(HaveOccurred())
 			Expect(err.Error()).To(MatchRegexp("sourceType can only be set when payloadKey is defined"))
 		}),
diff --git a/test/e2e/collection/apivalidations/splunk-payloadkey-and-templated-sourcetype.yaml b/test/e2e/collection/apivalidations/splunk-payloadkey-and-templated-sourcetype.yaml
@@ -0,0 +1,31 @@
+apiVersion: "observability.openshift.io/v1"
+kind: ClusterLogForwarder
+metadata:
+  name: clf-validation-test
+spec:
+  serviceAccount:
+    name: clf-validation-test
+  inputs:
+    - application:
+        includes:
+          - container: myapp
+            namespace: my-app-*
+      name: myapp
+      type: application
+  outputs:
+    - name: splunk-myapp
+      splunk:
+        authentication:
+          token:
+            key: hecToken
+            secretName: splunk-myapp
+        payloadKey: .message
+        sourceType: '{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}'
+        url: 'https://splunk.customer.com:8088'
+      type: splunk
+  pipelines:
+    - name: myapp
+      inputRefs:
+        - myapp
+      outputRefs:
+        - splunk-myapp
diff --git a/test/e2e/collection/apivalidations/splunk-templated-sourcetype.yaml b/test/e2e/collection/apivalidations/splunk-templated-sourcetype.yaml
@@ -0,0 +1,30 @@
+apiVersion: "observability.openshift.io/v1"
+kind: ClusterLogForwarder
+metadata:
+  name: clf-validation-test
+spec:
+  serviceAccount:
+    name: clf-validation-test
+  inputs:
+    - application:
+        includes:
+          - container: myapp
+            namespace: my-app-*
+      name: myapp
+      type: application
+  outputs:
+    - name: splunk-myapp
+      splunk:
+        authentication:
+          token:
+            key: hecToken
+            secretName: splunk-myapp
+        sourceType: '{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}'
+        url: 'https://splunk.customer.com:8088'
+      type: splunk
+  pipelines:
+    - name: myapp
+      inputRefs:
+        - myapp
+      outputRefs:
+        - splunk-myapp
diff --git a/test/functional/outputs/splunk/forward_to_splunk_metadata_test.go b/test/functional/outputs/splunk/forward_to_splunk_metadata_test.go
@@ -369,7 +369,7 @@ var _ = Describe("Forwarding to Splunk with Metadata", func() {
 				})
 
 			framework.Secrets = append(framework.Secrets, secret)
-			framework.Labels["splunk_sourcetype"] = "log4j"
+			framework.Labels["splunk/sourcetype"] = "log4j"
 			framework.Labels["slash/test.dot"] = "log4j"
 
 			Expect(framework.Deploy()).To(BeNil())
@@ -407,8 +407,8 @@ var _ = Describe("Forwarding to Splunk with Metadata", func() {
 			}
 		},
 			Entry("should send only 'message' payload with static sourcetype", "custom-type", "custom-type"),
-			Entry("should send only 'message' payload with dynamic sourcetype field", `{.kubernetes.labels.splunk_sourcetype||"generic_single_line"}`, "log4j"),
-			Entry("should send only 'message' payload with static + dynamic sourcetype field", `foo-{.kubernetes.labels.splunk_sourcetype||"generic_single_line"}`, "foo-log4j"),
+			Entry("should send only 'message' payload with dynamic sourcetype field", `{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}`, "log4j"),
+			Entry("should send only 'message' payload with static + dynamic sourcetype field", `foo-{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}`, "foo-log4j"),
 			Entry("should send only 'message' payload with static + label with dot/slash sourcetype field", `foo-{.kubernetes.labels."slash/test.dot"||"generic_single_line"}`, "foo-log4j"),
 			Entry("should send only 'message' payload with static + fallback value's sourcetype field", `foo-{.missing||"generic_single_line"}`, "foo-generic_single_line"),
 			Entry("should send only 'message' payload with fallback value's sourcetype field", `{.missing||"generic_single_line"}`, "generic_single_line"))

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ if ._internal.log_type == "audit" {`
`25`	`25`	`._internal.splunk.source = ._internal.log_source`
`26`	`26`	`}`
`27`	`27`	`payloadKey = ["message"]`
`28`		`-sourceType = to_string!(._internal.foo\|\|"missing")`
	`28`	`+sourceType = to_string!(._internal.kubernetes.labels."splunk/sourcetype"\|\|"generic_single_line")`
`29`	`29`	`if !is_null(payloadKey) {`
`30`	`30`	`value = get!(., payloadKey)`
`31`	`31`	`if !is_null(value) {`