Compatibility APIs
HeliosLogs speaks several push protocols so you can repoint an existing shipper or pipeline at it without reconfiguring the rest. If you're starting fresh, prefer Native NDJSON — these endpoints exist mainly to ease migration.
All compatibility endpoints accept the same env / index / source targeting (query params or X-Helios-Env / X-Helios-Index headers), honor ingest tokens, and return 429 when the writer queue is full so shippers back off and retry. The whole class can be turned off in Admin → Data Ingestion → Sources (HTTP ingestion endpoints).
Elasticsearch bulk
Endpoints: POST /_bulk, POST /api/es/_bulk
Standard ES bulk NDJSON — an action line followed by a source line. Supported actions: index, create, update (the { "doc": {...} } wrapper is unwrapped), and delete (skipped). The action's _index routes per document, falling back to the index parameter. The response is a minimal ES bulk body so Filebeat, Logstash, and Vector's elasticsearch sink treat it as success.
OpenTelemetry logs
Endpoints: POST /v1/logs, POST /api/otlp/v1/logs
OTLP/HTTP logs in both application/x-protobuf (the OTel default) and application/json. HeliosLogs flattens resourceLogs[].scopeLogs[].logRecords[], merging resource and record attributes, and maps:
body→messagetimeUnixNano(orobservedTimeUnixNano) →timestampseverityText→severitytraceId/spanId→ fields of the same name
Attribute keys keep their dotted names (service.name, http.status_code). See the OTel Collector config on the Shippers page.
Loki push
Endpoint: POST /loki/api/v1/push (JSON)
Each stream's labels are attached to every line as fields. A line that is a JSON object is shredded into fields; otherwise it becomes a message. The tuple timestamp (nanoseconds) becomes timestamp, and an optional third tuple element (structured metadata) is merged in. The event's own fields win over a same-named label. Success returns 204 No Content. (Snappy-compressed protobuf is not yet accepted — send JSON.)
Splunk HEC
Endpoints: POST /services/collector, POST /services/collector/event, GET /services/collector/health
HEC envelopes (JSON objects, whitespace-separated). An event key is unwrapped (a string event becomes a message); fields are merged; time becomes timestamp; host / source / sourcetype are copied; index routes the document. Present a token with the Authorization: Splunk <token> scheme. The response uses HEC codes ({ "text": "Success", "code": 0 }).
Migrating off these
The compatibility APIs are a bridge, not a destination. Once a shipper is sending to HeliosLogs, consider switching its output to Native NDJSON for the most direct path and full control over env/index targeting.