@6d61726b760a
Created December 5, 2022 03:25
splunkcloud: generate hec input stanza from splunkcloud config
| rest splunk_server=local /services/data/inputs/http
```
some fields may not be populated so
we try to come up with sane defaults
```
| eval allowQueryStringAuth = if(isnull(allowQueryStringAuth), "false", allowQueryStringAuth)
| eval useACK = if(isnull(useACK), "false", useACK)
| eval indexes = if(isnull(indexes), index, mvjoin(indexes, " "))
| fillnull value="" sourcetype
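```
when no description is set, fall back to
the input name (the part of the title after "http://")
```
| rex field=title ".*\/\/(?<x_description>[^\$]+)"
| eval description = if(isnull(description), x_description, description)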
| eval newline = "
"
```
and create our stanza
```
| eval stanza = "[" . title . "]" . newline .
"description = " . description . newline .
"token = " . token . newline .
"indexes = " . indexes . newline .
"index = " . index . newline .
"sourcetype = " . sourcetype . newline .
"useACK = " . useACK . newline .
"allowQueryStringAuth = " . allowQueryStringAuth
| fields stanza