/ Jan 20th, 2020 /

The `splunk_hec` sink does not index fields by default

This gives you full control over which fields are indexed
type: breaking changedomain: sinkssink: splunk_hec 1537

There is no longer a distinction within Vector between explicit and implicit event fields. All fields are now implicit and therefore the splunk_hec sink will not index any fields by default.

Upgrade Guide

In order to mark desired fields as indexed you can use the optional configuration option indexed_fields:

vector.toml
[sinks.my_sink_id]
   type = "splunk_hec"
   inputs = ["my-source-id"]
+  indexed_fields = ["foo", "bar"]

This change was made available in 0.7.0. You can get this change by downloading the latest stable release.

Like What You See?

Follow @vectordotdev
Get real-time updates!
Star timberio/vector
Star the repo to support us.