Skip to content

Commit

Permalink
Use optional SSM variable to determine JSON-formatted splunk payload
Browse files Browse the repository at this point in the history
  • Loading branch information
@kwessel
kwessel committed Mar 10, 2023
1 parent 96969d0 commit 44ebeaf
Showing 1 changed file with 30 additions and 29 deletions.
59 changes: 30 additions & 29 deletions splunk-cloudwatch-logs-processor/index.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ const getSplunkLogger = (parsed, context, callback) => {
if (cacheEntry && Date.now() <= cacheEntry.expireDT) {
if ('logger' in cacheEntry) {
console.log("found in cache for", parsed.logGroup);
CloudWatchToSplunk(parsed, context, cacheEntry.logger, cacheEntry.sourceType, callback);
CloudWatchToSplunk(parsed, context, cacheEntry, callback);
return;
}

Expand All @@ -100,6 +100,7 @@ const getSplunkLogger = (parsed, context, callback) => {
path.join(ssmPath, 'hec_endpoint'),
path.join(ssmPath, 'hec_token'),
path.join(ssmPath, 'sourcetype'),
path.join(ssmPath, 'splunk_json'),
],
WithDecryption: true
};
Expand All @@ -112,6 +113,11 @@ const getSplunkLogger = (parsed, context, callback) => {

console.log('Data retrieved from SSM:', JSON.stringify(ssmData, null, 2));

// Make splunk_json optional
if (InvalidParameters in ssmData && ssmData.InvalidParameters.indexOf('splunk_json') != -1) {
ssmData.InvalidParameters.splice(ssmData.InvalidParameters.indexOf('splunk_json'), 1);
}

if (ssmData.InvalidParameters.length > 0) {
const cacheExpireDT = Date.now() + SPLUNK_CACHE_TTL;
console.log('set expireDT to:', cacheExpireDT);
Expand Down Expand Up @@ -153,18 +159,21 @@ const getSplunkLogger = (parsed, context, callback) => {
ssmCache[parsed.logGroup] = {
logger: logger,
expireDT: cacheExpireDT,
sourceType: keyData.sourcetype
sourceType: keyData.sourcetype,
splunkJSON: keyData.splunk_json
};

console.log("wrote to cache for", parsed.logGroup);
// FIXME: Maybe we should just pass in whole keyData object to
// extract logger and sourcetype inside function.
CloudWatchToSplunk(parsed, context, logger, keyData.sourcetype, callback);
CloudWatchToSplunk(parsed, context, ssmCache[parsed.logGroup], callback);
}
});
};

const CloudWatchToSplunk = (parsed, context, logger, sourcetype, callback) => {
const CloudWatchToSplunk = (parsed, context, ssmCache, callback) => {
const logger = ssmCache.logger;
const sourcetype = ssmCache.sourceType;
const splunkjson = ssmCache.splunkJSON;

// First, configure logger to automatically add Lambda metadata and to hook into Lambda callback
configureLogger(context, logger, callback); // eslint-disable-line no-use-before-define

Expand All @@ -187,33 +196,25 @@ const CloudWatchToSplunk = (parsed, context, logger, sourcetype, callback) => {

let log;

try {
log = JSON.parse(item.message);
} catch (e) {
log = { message: item.message };
}

// Add metadata fields if not present
if (!metadata in log) {
log.metadata = {};
}

if (!time in log.metadata) {
log.metadata.time = item.timestamp ? new Date(item.timestamp).getTime() / 1000 : Date.now();
}

if (!host in log.metadata) {
log.metadata.host = parsed.logGroup;
if (splunkjson) {
try {
log = JSON.parse(item.message);
} catch (e) { }
}

if (!source in log.metadata) {
log.metadata.source = parsed.logStream;
}
if (!log) {
log = {
message: item.message,
metadata: {
time: item.timestamp ? new Date(item.timestamp).getTime() / 1000 : Date.now(),
host: parsed.logGroup,
source: parsed.logStream,
sourcetype: sourcetype,
//index: 'main',
},
};

if (!sourcetype in log.metadata) {
log.metadata.sourcetype = sourcetype;
}

console.log(log);
logger.send(log);
count += 1;
Expand Down

0 comments on commit 44ebeaf

Please sign in to comment.