feat: Allow using contentctl to send data trough EP with hec (ADDON-82127) #428
Conversation
mgazda-splunk
requested review from
Copilot,
pyth0n1c,
spanchal-crest and
lplonka-splunk
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
mgazda-splunk
force-pushed
the
user/mgazda/ADDON-82127-Allow-using-contentctl-to-send-data-trough-EP-with-hec
branch
4 times, most recently
from
5d0f3e9 to
46f2b67
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
mgazda-splunk
force-pushed
the
user/mgazda/ADDON-82127-Allow-using-contentctl-to-send-data-trough-EP-with-hec
branch
from
46f2b67 to
ebe18b1
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR enables specifying separate HTTP Event Collector (HEC) endpoints distinct from Splunk server addresses, both in configuration and detection-testing workflows.
- Introduces
hec_instance_addressfield in theInfrastructuremodel and propagates it through test-server parsing. - Adds
hec_server_overridesto allow semicolon-delimited HEC address overrides for test instances. - Updates the
hec_raw_replaylogic to preferhec_instance_addresswhen constructing the target URL.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| contentctl/objects/config.py | Added hec_instance_address and hec_server_overrides, updated parsing logic to apply overrides. |
| contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py | Modified replay URL builder to use hec_instance_address when present. |
Comments suppressed due to low confidence (3)
contentctl/objects/config.py:1267
- Consider using a List[str] type for
hec_server_overridesinstead of a semicolon-delimited string to leverage Pydantic’s native list parsing and provide clearer type safety.
hec_server_overrides: Optional[str] = Field(
contentctl/objects/config.py:1296
- [nitpick] Rename
split_hec_server_overridesto something likehec_override_listto better convey that it holds the parsed override addresses.
split_hec_server_overrides = []
contentctl/objects/config.py:1299
- Filter out empty strings after splitting (e.g.,
hec_server_overrides.split(";") if s) to avoid indexing errors when trailing semicolons are present.
split_hec_server_overrides = hec_server_overrides.split(";")
| if self.infrastructure.instance_address.strip().lower().startswith("https://"): | ||
| address_with_scheme = self.infrastructure.instance_address.strip().lower() | ||
| elif self.infrastructure.instance_address.strip().lower().startswith("http://"): | ||
| hec_instance_address = ( |
There was a problem hiding this comment.
[nitpick] Normalize hec_instance_address once (e.g., addr = hec_instance_address.strip().lower()) before the if/elif/else to avoid repeated calls and improve readability.
Copilot uses AI. Check for mistakes.
| ) | ||
| else: | ||
| address_with_scheme = f"https://{self.infrastructure.instance_address}" | ||
| address_with_scheme = f"https://{hec_instance_address}" |
There was a problem hiding this comment.
[nitpick] Apply .strip().lower() to hec_instance_address in the else branch to ensure consistent normalization, e.g., f"https://{hec_instance_address.strip().lower()}".
| address_with_scheme = f"https://{hec_instance_address}" | |
| address_with_scheme = f"https://{hec_instance_address.strip().lower()}" |
Copilot uses AI. Check for mistakes.
This adds support for optionally specifying HEC servers being different than Splunk servers.
So instead:
contentctl -> HEC Splunk -> Search Splunk -> result
Will be:
contentctl -> HEC server (EP with SPL2 pipeline) -> EP sends data to Splunk with S2S/HEC -> Search Splunk -> result