Kruno Tomola Fabro
This > [ktff](https://github.com/ktff) requested review from [StephenWakely](https://github.com/StephenWakely) and removed request for [tobz](https://github.com/tobz) and [bruceg](https://github.com/bruceg) 2 minutes ago seems like a GitHub bug, since I don't even have the permission to...
> It's not a full syslog message (it won't parse correctly with parse_syslog, and even if it did, you wouldn't get the remainder to pass to parse_cef). That is an...
Thanks @sim0nx @hhromic. Then we can add the two following modifications: * When parsing, discard everything up to `CEF:Version`. -- As @sim0nx said, with this, parsing will just work regardless of whether...
@hhromic that seems really rare for CEF and a bit of a hacky way to transmit an array, so I'm not sure if it should be supported. While just silently dropping...
@hhromic `parse_key_value` and `parse_query_string` are different beasts; they don't have any key set, so they need to be as generic as possible. While, as @fuchsnj mentioned, when parsing valid CEF we...
> I'm looking at the CEF v26 specification from here: https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.3/pdfdoc/cef-implementation-standard/cef-implementation-standard.pdf > > I'm not very familiar with this format, but the documentation seems to imply the most common format...
Building on top of what has been said. ## Design Add a feature for distributing requests between multiple hosts/endpoints. Following options would be added to `elasticsearch` sink config: ``` #...
Retry across Elasticsearch instances is doable in both cases. ~~In main case an additional retry layer can be added on top of this, while in alternative to reuse existing retry...
> I think ARC would behave similarly to if it was just a single load-balanced endpoint, so this is probably ok (i.e. if Vector was pointed at a load balancer...
@bruceg it would be good to get your thoughts on this.