[SplunkHecReceiver] Align receiver errors messages to splunk enterprise #19219

Closed
6 tasks
splunkericl opened this issue Mar 4, 2023 · 11 comments

@splunkericl
Contributor

splunkericl commented Mar 4, 2023

Is your feature request related to a problem? Please describe.
Currently the HEC receiver error messages and HTTP status codes are different than Splunk Enterprise.

| Status Code + Message | Splunk Enterprise | Otel HEC Receiver | Explanation |
|---|---|---|---|
| 200 Success | X | X | |
| 403 Token disabled | X | | Token management is not supported on EP. |
| 401 Token is required | X | | Token validation is not supported on EP. |
| 401 Invalid authorization | X | | Token validation is not supported on EP. |
| 403 Invalid token | X | | Token validation is not supported on EP. |
| 400 No data | X | | We can contribute back to otel. |
| 400 Invalid data format | X | | We can contribute back to otel. |
| 400 Incorrect Index | X | | This requires EP to fetch information about supported index configured for the HEC token from Splunk, which isn’t supported. |
| 500 Internal server error | X | X | |
| 503 Server is busy | X | | |
| 400 Data channel is missing | X | | Data channel is used for ack. |
| 400 Invalid data channel | X | | Data channel is used for ack. |
| 400 Event field is required | X | | Receiver will just respond with ‘failed to unmarshall data’ with 400 |
| 400 Event field cannot be blank | X | | Receiver will just respond with ‘failed to unmarshall data’ with 400 |
| 400 ACK is disabled | X | | Ack is not supported |
| 400 Error in handling indexed fields | X | X | |
| 400 Query string authorization is not enabled | X | | Query string authorization not supported on receiver |

Describe the solution you'd like
Some of the HTTP responses should be implemented:

  • 400 No data
  • 400 Invalid Data Format
  • 400 Event field is required
  • 400 Event field cannot be blank
  • 400 ACK is disabled
  • 400 Query string authorization is not enabled

Describe alternatives you've considered
N/A

@bogdandrutu bogdandrutu transferred this issue from open-telemetry/opentelemetry-collector Mar 6, 2023
@atoulme atoulme assigned atoulme and unassigned atoulme Mar 7, 2023
@atoulme
Contributor

atoulme commented Mar 7, 2023

What does no data mean? An empty HTTP request or a request with no event? What is the difference between "no data" and "invalid data format"?

What exactly is the format of the response? Can you give an example?

@splunkericl
Contributor Author

Yeah, there is more documentation on the endpoint page.

But for Splunk Enterprise, the "No data" error is returned if the payload is rejected. This can be because the payload has invalid quotes. In the context of SplunkHECReceiver, it might be more fitting to return "Invalid Data Format" instead since this is just a decoding problem.

The HTTP response status code would be 400 and its body would look like:

{"text":"Invalid data format","code":6}

@atoulme
Contributor

atoulme commented Mar 7, 2023

Is the code 6 attribute defined somewhere?

@splunkericl
Contributor Author

Yeah, it is defined in the response documentation on the page (expand under "Send events to the HTTP Event Collector.").

| Code | HTTP status | Text |
|---|---|---|
| 0 | 200 OK | Success |
| 1 | 403 Forbidden | Token disabled |
| 2 | 401 Unauthorized | Token is required |
| 3 | 401 Unauthorized | Invalid authorization |
| 4 | 403 Forbidden | Invalid token |
| 5 | 400 Bad Request | No data |
| 6 | 400 Bad Request | Invalid data format |
| 7 | 400 Bad Request | Incorrect index |
| 8 | 500 Internal Error | Internal server error |
| 9 | 503 Service Unavailable | Server is busy |
| 10 | 400 Bad Request | Data channel is missing |
| 11 | 400 Bad Request | Invalid data channel |
| 12 | 400 Bad Request | Event field is required |
| 13 | 400 Bad Request | Event field cannot be blank |
| 14 | 400 Bad Request | ACK is disabled |
| 15 | 400 Bad Request | Error in handling indexed fields |
| 16 | 400 Bad Request | Query string authorization is not enabled |
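
An added sketch, not part of the thread and not the receiver's actual code: one way a HEC-compatible endpoint could map a request body to the status, `text` and `code` values listed above. `classifyHEC` is a hypothetical helper; treating an empty body as "No data" and a `null` event as "Event field is required" are assumptions of this sketch.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// hecResponse mirrors the body quoted in the thread: {"text":"Invalid data format","code":6}.
type hecResponse struct {
	Text string `json:"text"`
	Code int    `json:"code"`
}

// classifyHEC (hypothetical) walks a body of concatenated JSON events and
// returns the HTTP status plus the response body from the status table.
func classifyHEC(body []byte) (int, hecResponse) {
	if len(bytes.TrimSpace(body)) == 0 {
		return 400, hecResponse{"No data", 5} // assumption: empty request
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	for {
		var ev map[string]json.RawMessage
		if err := dec.Decode(&ev); errors.Is(err, io.EOF) {
			return 200, hecResponse{"Success", 0} // every event passed the checks
		} else if err != nil {
			return 400, hecResponse{"Invalid data format", 6} // truncated or malformed JSON
		}
		raw, ok := ev["event"]
		if !ok || len(raw) == 0 || string(raw) == "null" { // assumption: null counts as missing
			return 400, hecResponse{"Event field is required", 12}
		}
		if string(raw) == `""` {
			return 400, hecResponse{"Event field cannot be blank", 13}
		}
	}
}

func main() {
	// Constructed sample bodies, one per outcome.
	for _, in := range []string{``, `{"event":"a"}{"event":`, `{"host":"h"}`, `{"event":""}`, `{"event":"login ok"}`} {
		status, resp := classifyHEC([]byte(in))
		out, _ := json.Marshal(resp)
		fmt.Printf("%-26q -> %d %s\n", in, status, out)
	}
}
```
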

@timannguyen
Contributor

@atoulme I will be working on this.

@timannguyen
Contributor

timannguyen commented Mar 17, 2023

400 ACK is disabled is a Splunk indexer feature that the receiver cannot validate the token. So it will not be implemented.

@timannguyen
Contributor

Query string authorization is not enabled is also a Splunk indexer-only feature to use the token in a query param. This will not be implemented.

@github-actions
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label May 17, 2023
@splunkericl
Contributor Author

Re-commenting on this thread again as one of the users runs into this problem. The HTTP client is expecting a JSON response like {"text": "Success", "code": 0} when the HEC receiver returns OK.

We can work on this so customers moving from Splunk HEC to EP HEC don't have to make any changes.

@github-actions github-actions bot removed the Stale label Jul 8, 2023
dmitryax pushed a commit that referenced this issue Aug 1, 2023
…#24604)

**Description:** Changed `200` response body from plaintext to JSON
object: `"OK"` → `{"text": "Success", "code": 0}`.

**Testing:** Updated existing unit tests to reflect the new response
body. Everything passes as expected.

**Documentation:**
https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTREF/RESTinput

**Link to Tracking Issue:** #19219
@github-actions github-actions bot added the Stale label Sep 7, 2023

github-actions bot commented Nov 6, 2023

This issue has been closed as inactive because it has been stale for 120 days with no activity.

@github-actions github-actions bot closed this as not planned Nov 6, 2023