From 3f02306257371a1190aab804a1cba4ddbf9368d1 Mon Sep 17 00:00:00 2001
From: "@vladimir.kopso"
Date: Mon, 16 Mar 2026 16:47:47 +0100
Subject: [PATCH] trivial: Fix X-Splunk-Request-Channel header logic in batch requests

- Only add X-Splunk-Request-Channel header for raw endpoint requests (/raw)
- Remove header from JSON endpoint requests (/event) to prevent HEC rejection
- Add missing uuid import to fix undefined name error
- Maintain consistency with send_one() function behavior

Fixes critical logic error where batch JSON requests were incorrectly receiving the raw endpoint header.
---
 Backend/event_generators/shared/hec_sender.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Backend/event_generators/shared/hec_sender.py b/Backend/event_generators/shared/hec_sender.py
index 30c67f6..d456ee4 100644
--- a/Backend/event_generators/shared/hec_sender.py
+++ b/Backend/event_generators/shared/hec_sender.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 """Send logs from vendor_product generators to SentinelOne AI SIEM (Splunk‑HEC) one‑by‑one."""
-import argparse, json, os, time, random, requests, importlib, sys
+import argparse, json, os, time, random, requests, importlib, sys, uuid
 import gzip, io, threading, queue
 from datetime import datetime
 from typing import Callable, Tuple, Optional
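Review bot: The new `uuid` is appended to the comma-separated import line, which already bundles the third-party `requests` with stdlib modules; PEP 8 asks for one import per line grouped stdlib / third-party, so `import uuid` on its own line keeps the change minimal and the grouping readable (splitting `requests` out can wait for the next time the line is touched). The commit message says the import fixes an undefined-name error, which implies `uuid` was already referenced elsewhere in the file before this patch, but that reference is not visible in this hunk and should be confirmed with a quick import-time run or a linter pass over the whole module.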
@@ -794,7 +794,11 @@ def _send_batch(lines: list, is_json: bool, product: str):
 # Use fast compression (level 1) for high throughput - trades compression ratio for speed
 # Level 1 is ~10x faster than default level 9, with only ~10% larger output
 gz = gzip.compress(body, compresslevel=1)
-headers = {**headers_auth, "Content-Type": "text/plain", "Content-Encoding": "gzip"}
+# Add headers based on endpoint type
+if is_json:
+headers = {**headers_auth, "Content-Type": "text/plain", "Content-Encoding": "gzip"}
+else:
+headers = {**headers_auth, "Content-Type": "text/plain", "Content-Encoding": "gzip", "X-Splunk-Request-Channel": str(uuid.uuid4())}
 if is_json: # JSON products to /event endpoint