Added required epoc time field for Splunk HEC Event Receiver (#14246)

Signed-off-by: Iain <iain@digitalbadger.com>
2026-01-11 01:57:35 -03:30 · 2023-08-21 13:44:52 +01:00 · 2023-08-21 13:44:52 +01:00 · 8c7ab8fcf2
commit 8c7ab8fcf2
parent 3de8455960
1 changed files with 3 additions and 2 deletions
--- a/awx/main/utils/formatters.py
+++ b/awx/main/utils/formatters.py
@ -283,6 +283,7 @@ class LogstashFormatter(LogstashFormatterBase):
            message.update(self.get_debug_fields(record))

        if settings.LOG_AGGREGATOR_TYPE == 'splunk':
-            # splunk messages must have a top level "event" key
-            message = {'event': message}
+            # splunk messages must have a top level "event" key when using the /services/collector/event receiver.
+            # The event receiver wont scan an event for a timestamp field therefore a time field must also be supplied containing epoch timestamp
+            message = {'time': record.created, 'event': message}
        return self.serialize(message)