Splunk Sink Connector - Kafka record key missing Value

I am using the managed version of the Splunk Sink connector and moving the data into SPLUNK using the HEC endpoint.

While the record metadata and value are being moved to SPLUNK, the record key does not seem to be copied over.

Is this the default behavior of the SPLUNK sink connector, and if yes, is there an SMT that can copy the record key into SPLUNK?

The config file is as below:

{
    "name"                                      : "[redacted]",
    "topics"                                    : "[redacted]",
    "input.data.format"                         : "[redacted]",
    "connector.class"                           : "SplunkSink",
    "kafka.auth.mode"                           : "KAFKA_API_KEY",
    "kafka.api.key"                             : "[redacted]",
    "kafka.api.secret"                          : "[redacted]",
    "splunk.hec.uri"                            : "https://splunk.[redacted].io:443",
    "splunk.hec.token"                          : "[redacted]",
    "splunk.indexes"                            : "[redacted]",
    "splunk.sources"                            : "[redacted]",
    "splunk.hec.ssl.validate.certs"             : "false",
    "splunk.hec.raw"                            : "false",
    "splunk.hec.track.data"                     : "true",
    "splunk.hec.http.keepalive"                 : "true",
    "splunk.hec.max.http.connection.per.channel": "2",
    "splunk.hec.total.channels"                 : "2",
    "splunk.hec.socket.timeout"                 : "60",
    "splunk.hec.use.record.timestamp"           : "true",
    "splunk.hec.threads"                        : "1",
    "splunk.hec.max.outstanding.events"         : "10000",
    "splunk.hec.max.retries"                    : "5",
    "splunk.hec.backoff.threshhold.seconds"     : "60",
    "splunk.hec.json.event.formatted"           : "false",
    "splunk.hec.max.batch.size"                 : "500",
    "splunk.hec.lb.poll.interval"               : "120",
    "splunk.flush.window"                       : "10",
    "splunk.hec.ack.enabled"                    : "false",
    "splunk.header.support"                     : "true",
    "tasks.max"                                 : "3"
}

Much appreciated.
