OBSDOCS-1808: Honor splunk Event metadata keys

theashiot · openshift-cherrypick-robot · commit f1baee4c4fb4 · 2025-11-05T13:18:56.000Z
diff --git a/configuring/configuring-log-forwarding.adoc b/configuring/configuring-log-forwarding.adoc
@@ -121,7 +121,14 @@ include::modules/enabling-multi-line-exception-detection.adoc[leveloffset=+2]
 
 include::modules/cluster-logging-collector-log-forward-gcp.adoc[leveloffset=+1]
 
-include::modules/logging-forward-splunk.adoc[leveloffset=+1]
+[id="forwarding-logs-to-splunk_{context}"]
+== Forwarding logs to Splunk
+
+Splunk is a log aggregation service that has a well defined API to make use of its feature set. You can forward logs to Splunk from the `ClusterLogForwarder` Custom Resource (CR).
+
+include::modules/logging-forward-splunk.adoc[leveloffset=+2]
+
+include::modules/default-splunk-metadata-key-values.adoc[leveloffset=+2]
 
 include::modules/logging-http-forward.adoc[leveloffset=+1]
 
diff --git a/modules/default-splunk-metadata-key-values.adoc b/modules/default-splunk-metadata-key-values.adoc
@@ -0,0 +1,75 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-09
+:_mod-docs-content-type: REFERENCE
+
+[id="default-splunk-metadata-key-values_{context}"]
+= Default Splunk metadata key values
+
+{clo} sets default values for some Splunk metadata keys if you do not configure them in the `spec.output.splunk.source` field of the `ClusterLogForwarder` Custom Resource (CR).
+
+The following table describes the default value that will be used for Splunk metadata, depending on `log_type` and `log_source` attributes.
+
+.Default metadata key values
+[cols="1,1,1,1,1"]
+|====
+|Key 
+a|Infrastructure Journal
+
+* log_type:infrastructure
+* log_source:node
+
+a|Infrastructure or application container
+
+* log_type: infrastructure, application
+
+* log_source:container
+
+a|Audit
+
+* log_type:audit
+* log_source: auditd, ovn, openshiftAPI
+, kubeAPI
+
+|Note
+
+
+
+|`index`
+|
+|
+|
+|Not configured by default.
+
+
+|`source`
+|SYSLOG_IDENTIFIER
+|ns_name_podName_containerName
+|.log_source
+|
+
+|`indexedFields`
+|
+|
+|
+|Not configured by default.
+
+
+|`sourceType`
+|`_json` or `generic_single_line`
+|`_json` or `generic_single_line`
+|`_json` or `generic_single_line`
+|Determined automatically based on the type of the final event payload.
+
+
+|`host`
+|`.hostname`
+|`.hostname`
+|`.hostname`
+|Not configurable.
+
+|`payloadKey`
+|
+|
+|
+|Not configured by default.
+|====
diff --git a/modules/logging-forward-splunk.adoc b/modules/logging-forward-splunk.adoc
@@ -3,8 +3,8 @@
 // * configuring/configuring-log-forwarding.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="logging-forward-splunk_{context}"]
-= Forwarding logs to Splunk
+[id="logging-forward-splunk-http-event-collector_{context}"]
+= Forwarding logs to Splunk HTTP Event Collector
 
 You can forward logs to the Splunk HTTP Event Collector (HEC).
 
@@ -63,9 +63,13 @@ spec:
 <4> Specify the name of the secret that contains your HEC token.
 <5> Specify the URL, including port, of your Splunk HEC.
 <6> Specify the name of the index to send events to. If you do not specify an index, the default index of the splunk server configuration is used. This is an optional field.
-<7> Specify the source of events to be sent to this sink. You can configure dynamic per-event values. This field is optional.
-<8> Specify the fields to be added to the Splunk index. This field is optional.
-<9> Specify the record field to be used as the payload. This field is optional.
+<7> Specify the source of events to be sent to this sink. You can configure dynamic per-event values. This field is optional. If you do not specify a value, the value of the field will be determined by the `log_type` and `log_source` values. For example, see link:https://docs.redhat.com/en/documentation/red_hat_openshift_logging/6.3/html-single/configuring_logging/index#default-splunk-metadata-key-values_configuring-log-forwarding[Default Splunk metadata key values]. 
+<8> Specify the fields to be added to the Splunk index. This field is optional. The values are stored directly in the index alongside the raw event data, allowing for faster search performance on those fields.
+However, `indexed_fields` fields increase storage use. Use them only for high-value fields that provide significant search benefits, for example, large datasets with frequent queries on specific fields.
+You can use complex and nested fields as indexed fields. These are automatically transformed to meet Splunk's requirements.
+<9> Specify the record field to be used as the payload.
+By default, the `payloadKey` field is not set, which means the complete log record is forwarded as the payload.
+Use the `payloadKey` field carefully. Selecting a single field as the payload may cause other important information in the log to be dropped, potentially leading to inconsistent or incomplete log events.
 <10> Specify the compression configuration, which can be either `gzip` or `none`. The default value is `none`. This field is optional.
 <11> Specify the input names. 
 <12> Specify the name of the output to use when forwarding logs with this pipeline.
