feat(splunk_hec source): support second-stage framing and decoding

[thomasqueirozb]

Summary

Add optional framing and decoding configuration to the splunk_hec source. When set, the inner payload is decoded after the HEC envelope is parsed, with envelope metadata layered on top so decoder-produced fields win on conflict. Both endpoints supported; legacy behavior preserved when unset.

Vector configuration

JSON second-stage decode on the /event endpoint:

sources:
  hec:
    type: splunk_hec
    address: 0.0.0.0:8088
    valid_tokens: ["test-token"]
    event:
      decoding:
        codec: json

Per-token routing with a VRL decoder and store_hec_token:

sources:
  hec_in:
    type: splunk_hec
    address: 0.0.0.0:8088
    valid_tokens:
      - "token-team-a"
      - "token-team-b"
    store_hec_token: true
    event:
      decoding:
        codec: vrl
        vrl:
          source: |
            token = get_secret!("splunk_hec_token")

            if token == "token-team-a" {
              .team = "team-a"
              .environment = "production"
            } else if token == "token-team-b" {
              .team = "team-b"
              .environment = "staging"
            } else {
              abort
            }

sinks:
  out:
    type: console
    inputs: ["hec_in"]
    encoding:
      codec: json

Running the above config and:

curl -s -X POST http://localhost:8088/services/collector/event \
  -H "Authorization: Splunk token-team-a" \
  -H "Content-Type: application/json" \
  -d '{"event": {"message": "hello from team-a", "level": "info"}}'

curl -s -X POST http://localhost:8088/services/collector/event \
  -H "Authorization: Splunk token-team-b" \
  -H "Content-Type: application/json" \
  -d '{"event": {"message": "hello from team-b", "level": "warn"}}'

Produced correctly tagged output:

{"environment":"production","message":"{\"message\":\"hello from team-a\",\"level\":\"info\"}","source_type":"splunk_hec","team":"team-a","timestamp":"2026-04-29T19:02:35.378032Z"}
{"environment":"staging","message":"{\"message\":\"hello from team-b\",\"level\":\"warn\"}","source_type":"splunk_hec","team":"team-b","timestamp":"2026-04-29T19:02:37.838911Z"}

How did you test this PR?

• 12 new unit tests covering: string/object/array event decoding, decoder-wins precedence for host/channel/index/source/sourcetype, fallback timestamp on /event and /raw, decoder errors return HTTP 200, partial-decode requests do not return an ackId, InvalidEventNumber reports envelope index (not fan-out event index), and schema definition includes the codec's root.
• Full splunk_hec test suite (64 tests) green.
• make fmt, make check-clippy, make check-generated-docs pass.
• Manual smoke test with JSON codec and curl ... -d '{"event":"{\"foo\":\"bar\"}","host":"client-host"}'.
• Manual smoke test with store_hec_token: true and a VRL decoder that branches on get_secret!("splunk_hec_token") to tag events by team, confirmed both tokens produce correctly tagged output (see config above).

Change Type

• Bug fix
• New feature
• Dependencies
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

NA

[thomasqueirozb]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 530acc0c9f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[pront]

Codex Code Review Findings

1. Vector namespace decoded-path metadata writes to wrong keys

The schema declares %splunk_hec.channel, %splunk_hec.index, %splunk_hec.source, %splunk_hec.sourcetype
(src/sources/splunk_hec/mod.rs:3911-3931), and the no-decoder paths correctly write to those (src/sources/splunk_hec/mod.rs:1196, :1760).
But the decoder-mode paths use the CHANNEL / INDEX / SOURCE / SOURCETYPE constants, which are "splunk_channel", "splunk_index",
etc.:

• src/sources/splunk_hec/mod.rs:1294 writes %splunk_hec.splunk_channel
• src/sources/splunk_hec/mod.rs:1812 writes %splunk_hec.splunk_channel
• src/sources/splunk_hec/mod.rs:1672 concatenates metadata_key derived from those legacy paths, producing %splunk_hec.splunk_index /
  splunk_source / splunk_sourcetype

Downstream consumers reading the documented metadata paths will miss values whenever a decoder is configured. Use bare "channel", "index",
"source", "sourcetype" for Vector-namespace metadata; reserve the splunk_*-prefixed constants for legacy event fields.

2. VrlDeserializer::with_metadata_template overwrites entire metadata

At lib/codecs/src/decoding/format/vrl.rs:138:

*event.metadata_mut() = template.clone();

This replaces the freshly-created EventMetadata (including its newly-generated source_event_id) with a clone of the template. Every event
decoded with the same template will share the template's source_event_id. Fix by copying only the template's metadata value tree and secrets
into the event's existing metadata, preserving the per-event source_event_id.

3. Test coverage gaps

No runtime test asserts decoded Vector-namespace metadata paths. Recommend adding:

• A test with log_namespace: Some(true) and a decoder enabled, asserting the metadata lands at %splunk_hec.channel / index / source / sourcetype
  (covers finding #1).
• A test that decodes two frames through one VrlDeserializer + template, asserting the resulting source_event_ids differ (covers finding #2).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ea6e39173b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[drichards-87]

Left some feedback from Docs and approved the PR.

Note: It looks like the descriptions are repeated twice in the file? I only added suggestions to the first instance of a description.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5987d6f6c9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 27d87ead8c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[thomasqueirozb]

Thanks for the review @drichards-87. Most of the changed lines in the cue files are actually with regards to decoders, which get inadvertently copy and pasted into every component that adds them unfortunately. I will apply your suggestions in another PR since those changes are not actually in scope here.