feat(splunk_hec source): Allow content-type header if it includes application/json

[tot19]

Summary

Updated the Splunk HEC source to accept requests that contain the header content-type with any value containing "application/json," not the exact value of "application/json." This matches the behavior of a true Splunk HEC. Allows sources from AWS to successfully send events to the Splunk HEC source without additional proxying to update headers.

Change Type

• Bug fix
• New feature
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

How did you test this PR?

make check-fmt
make check-clippy
make check-component-docs

Against Vector before change ack disabled:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 415 Unsupported Media Type
content-type: text/plain; charset=utf-8
content-length: 43
date: Sun, 11 May 2025 04:28:13 GMT

The request's content-type is not supported

Against Vector after change ack disabled:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 400 Bad Request
content-type: application/json
content-length: 36
date: Sun, 11 May 2025 04:27:24 GMT

{"text":"Ack is disabled","code":14}

Against Splunk HEC:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 400 Bad Request
Date: Sat, 10 May 2025 16:02:24 GMT
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 36
Vary: Authorization
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Server: Splunkd

{"text":"ACK is disabled","code":14}

Against Vector after change ack enabled:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: application/json; profile=urn:splunk/event:1.0; charset=utf-8' --data '{"acks":[0]}' && echo
HTTP/1.1 200 OK
content-type: application/json
content-length: 20
date: Sun, 11 May 2025 04:29:17 GMT

{"acks":{"0":false}}

Against Vector before change bad header:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: random' --data '{"acks":[0]}' && echo
HTTP/1.1 415 Unsupported Media Type
content-type: text/plain; charset=utf-8
content-length: 43
date: Sun, 11 May 2025 02:50:05 GMT

The request's content-type is not supported

Against Vector after change bad header:

curl -i -X POST "$MY_SERVER" -H "Authorization: Splunk $MY_TOKEN" -H "X-Splunk-Request-Channel: $(uuidgen)" -H 'Content-Type: random' --data '{"acks":[0]}' && echo
HTTP/1.1 415 Unsupported Media Type
content-type: text/plain; charset=utf-8
content-length: 43
date: Sun, 11 May 2025 04:25:15 GMT

The request's content-type is not supported

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the "no-changelog" label to this PR.

Notes

• Please read our Vector contributor resources.
• Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
• The CI checks run only after we manually approve them.
  • We recommend adding a pre-push hook, please see this template.
  • Alternatively, we recommend running the following locally before pushing to the remote branch:
    • cargo fmt --all
    • cargo clippy --workspace --all-targets -- -D warnings
    • cargo nextest run --workspace (alternatively, you can run cargo test --all)
    • ./scripts/check_changelog_fragments.sh
• After a review is requested, please avoid force pushes to help us review incrementally.
  • Feel free to push as many commits as you want. They will be squashed into one before merging.
  • For example, you can run git merge origin master and git push.
• If this PR introduces changes Vector dependencies (modifies Cargo.lock), please
  run cargo vdev build licenses to regenerate the license inventory and commit the changes (if any). More details here.

References

Closes #23023

[tot19]

Sorry, I clearly don't know how to read or make a title

[pront]

Hi @tot19, this changes makes sense to me. Some tests are failing though and will need to be fixed. Also, please include a changelog. The PR description has some great info, we can reuse those for the changelog.

[tot19]

Thanks for the review @pront!

Added the changelog in subsequent commit. I believe the other test failures came from the bad PR title.

[tot19]

Working on failed unit tests

[tot19]

Ok, all tests are passing now as well as formatting. I also added a new test to ensure the new behavior is enforced. Thanks again for your patience @pront.

test result: ok. 42 passed; 0 failed; 0 ignored; 0 measured; 1667 filtered out; finished in 1.74s

     Running tests/e2e/mod.rs (target/debug/deps/e2e-c30af9e2914aec99)

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

     Running tests/integration/lib.rs (target/debug/deps/integration-c9e1e841482720e5)

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

make check-fmt
cargo vdev check fmt

make check-clippy
cargo vdev check rust --clippy
    Checking vector v0.47.0 (/Users/tot19/git/vector)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 30.60s