PutSplunkHTTP

This processor serves as a counterpart to the PutSplunk processor. While the latter communicates over TCP and UDP, PutSplunkHTTP sends events to Splunk via HTTP or HTTPS. In this respect it resembles the GetSplunk processor, and the properties relevant to the connection with the Splunk server are identical. There are, however, some aspects unique to this processor:

Content details

PutSplunkHTTP allows the user to specify some metadata about the event being sent to Splunk: the "Character Set" and the "Content Type" of the flow file content, using the matching properties. If the incoming flow file has a "mime.type" attribute, the processor will use it, unless the "Content Type" property is set, in which case the property overrides the flow file attribute.

Event parameters

The "Source", "Source Type", "Host" and "Index" properties are optional and will be set by Splunk if unspecified. If set, the default values will be overwritten by the user-specified ones. For more details about the Splunk API, please visit this documentation.

Acknowledgements

The HTTP Event Collector (HEC) in Splunk offers index acknowledgement, which can be used to monitor the indexing status of individual events. PutSplunkHTTP supports this feature by enriching the outgoing flow file with the necessary information, making it possible for a later processor to poll the status based on it. This information is stored in the flow file attributes "splunk.acknowledgement.id" and "splunk.responded.at".

For further steps of acknowledgement handling on the NiFi side, please refer to the QuerySplunkIndexingStatus processor. For more details about index acknowledgement, please visit this documentation.

Error information

For more refined processing, flow files are enriched with additional information where possible. The information is stored in the flow file attribute "splunk.status.code" or "splunk.response.code", depending on the success of the processing. The attribute "splunk.status.code" is always filled when the Splunk API call is executed and contains the HTTP status code of the response. If the flow file is transferred to the "failure" relationship, "splunk.response.code" might also be filled, based on the Splunk response code.
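
The following added example (not NiFi's own code) models the attribute enrichment described under "Acknowledgements" and "Error information", then the later status poll that decides whether an event was indexed. Assumptions: the reply shapes follow Splunk's HEC JSON with constructed values, "splunk.responded.at" is treated as epoch milliseconds, and the function names, the TTL parameter and the outcome labels are hypothetical.

```python
import json

# Constructed HEC replies (shapes follow Splunk's HEC JSON; values are made up).
SEND_OK = (200, '{"text": "Success", "code": 0, "ackId": 7}')
SEND_BAD_TOKEN = (403, '{"text": "Invalid token", "code": 4}')
ACK_REPLY = '{"acks": {"7": true, "8": false, "9": false}}'


def enrich(http_status, body, now_ms):
    """Map a HEC send reply to the flow file attributes named on this page."""
    attrs = {"splunk.status.code": str(http_status)}  # always set once a call was made
    try:
        reply = json.loads(body)
    except ValueError:
        reply = {}  # non-JSON body, e.g. a proxy error page
    if not isinstance(reply, dict):
        reply = {}
    if http_status == 200:
        if "ackId" in reply:  # present only when acknowledgement is enabled for the token
            attrs["splunk.acknowledgement.id"] = str(reply["ackId"])
            attrs["splunk.responded.at"] = str(now_ms)  # assumed: epoch milliseconds
        return "success", attrs
    if "code" in reply:
        attrs["splunk.response.code"] = str(reply["code"])
    return "failure", attrs


def ack_query(flow_files):
    """JSON body for POST /services/collector/ack covering all pending flow files."""
    ids = sorted(int(f["splunk.acknowledgement.id"]) for f in flow_files)
    return json.dumps({"acks": ids})


def classify(attrs, ack_body, now_ms, ttl_ms):
    """Return 'indexed', 'pending' or 'expired' for one flow file (labels are ours)."""
    acks = json.loads(ack_body).get("acks", {})
    if acks.get(attrs["splunk.acknowledgement.id"]) is True:
        return "indexed"
    # Not acknowledged yet: keep polling until the hypothetical TTL runs out.
    age = now_ms - int(attrs["splunk.responded.at"])
    return "expired" if age > ttl_ms else "pending"
```

Events that end up "expired" were accepted over HTTP but never confirmed as indexed, so for audit or security logs they are worth routing to a retry or alerting path rather than dropping.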