Skip to content

feat: Allow using contentctl to send data trough EP with hec (ADDON-82127) #428

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Allow using contentctl to send data trough EP with hec (ADDON-82127) #428

wants to merge 1 commit into from

Conversation

@mgazda-splunk
Copy link

This adds support for optionally specifying HEC servers being different than Splunk servers.

So instead:
contentctl -> HEC Splunk -> Search Splunk -> result

Will be:
contentctl -> HEC server (EP with SPL2 pipeline) -> EP sends data to Splunk with S2S/HEC -> Search Splunk -> result

This comment was marked as outdated.

Sign in to view

@mgazda-splunk mgazda-splunk force-pushed the user/mgazda/ADDON-82127-Allow-using-contentctl-to-send-data-trough-EP-with-hec branch 4 times, most recently from 5d0f3e9 to 46f2b67 Compare July 10, 2025 19:12
@mgazda-splunk mgazda-splunk requested a review from Copilot July 10, 2025 19:12

This comment was marked as outdated.

Sign in to view

@mgazda-splunk mgazda-splunk force-pushed the user/mgazda/ADDON-82127-Allow-using-contentctl-to-send-data-trough-EP-with-hec branch from 46f2b67 to ebe18b1 Compare July 10, 2025 19:16
@mgazda-splunk mgazda-splunk requested a review from Copilot July 10, 2025 19:16
Copilot AI reviewed Jul 10, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables specifying separate HTTP Event Collector (HEC) endpoints distinct from Splunk server addresses, both in configuration and detection-testing workflows.

  • Introduces hec_instance_address field in the Infrastructure model and propagates it through test-server parsing.
  • Adds hec_server_overrides to allow semicolon-delimited HEC address overrides for test instances.
  • Updates the hec_raw_replay logic to prefer hec_instance_address when constructing the target URL.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
contentctl/objects/config.py Added hec_instance_address and hec_server_overrides, updated parsing logic to apply overrides.
contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py Modified replay URL builder to use hec_instance_address when present.
Comments suppressed due to low confidence (3)

contentctl/objects/config.py:1267

  • Consider using a List[str] type for hec_server_overrides instead of a semicolon-delimited string to leverage Pydantic’s native list parsing and provide clearer type safety.
    hec_server_overrides: Optional[str] = Field(

contentctl/objects/config.py:1296

  • [nitpick] Rename split_hec_server_overrides to something like hec_override_list to better convey that it holds the parsed override addresses.
        split_hec_server_overrides = []

contentctl/objects/config.py:1299

  • Filter out empty strings after splitting (e.g., hec_server_overrides.split(";") if s) to avoid indexing errors when trailing semicolons are present.
            split_hec_server_overrides = hec_server_overrides.split(";")

contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
if self.infrastructure.instance_address.strip().lower().startswith("https://"):
address_with_scheme = self.infrastructure.instance_address.strip().lower()
elif self.infrastructure.instance_address.strip().lower().startswith("http://"):
hec_instance_address = (
Copy link

Copilot AI Jul 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Normalize hec_instance_address once (e.g., addr = hec_instance_address.strip().lower()) before the if/elif/else to avoid repeated calls and improve readability.

Copilot uses AI. Check for mistakes.
contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
)
else:
address_with_scheme = f"https://{self.infrastructure.instance_address}"
address_with_scheme = f"https://{hec_instance_address}"
Copy link

Copilot AI Jul 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Apply .strip().lower() to hec_instance_address in the else branch to ensure consistent normalization, e.g., f"https://{hec_instance_address.strip().lower()}".

Suggested change
address_with_scheme = f"https://{hec_instance_address}"
address_with_scheme = f"https://{hec_instance_address.strip().lower()}"

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pyth0n1c pyth0n1c Awaiting requested review from pyth0n1c

@spanchal-crest spanchal-crest Awaiting requested review from spanchal-crest

@lplonka-splunk lplonka-splunk Awaiting requested review from lplonka-splunk

+1 more reviewer

@asaste-splunk asaste-splunk asaste-splunk approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@pyth0n1c pyth0n1c

@mgazda-splunk mgazda-splunk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mgazda-splunk @asaste-splunk @pyth0n1c