Description
Motivation
I have a use case for utilizing the http_output facility to log directly to a Splunk HEC (HTTP Event Collector) endpoint, which requires a JSON container schema with some host information, an authorization header, and the resulting event included. My initial approach was to introduce the concept of a formatting strategy for http_output so a user could simply specify http_output with a formatter of splunk_hec, an additional configuration to allow HTTP headers to be added for an authorization token, and the HEC endpoint. If this approach sounds like a good one, I'm happy to contribute the code to implement it.
Feature
Introduction of formatting strategies for http_output, including a splunk_hec JSON container formatter, as well as an arbitrary HTTP header configuration and subsequent injection into the curl options to support the necessary authorization.
Alternatives
While it's possible to utilize another process to re-format the http_output messages, it would be ideal to have this functionality baked into falco itself to reduce the need for an additional logging
Additional context
This would support use cases like #1346, and is somewhat implemented in #1322.
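To make the proposed splunk_hec formatter concrete, here is an added example (not Falco's code and not part of the issue above) showing what such a formatter would have to produce: the Splunk HEC JSON envelope around a Falco JSON event plus the Authorization header. The sample Falco line is constructed for illustration, the HEC URL and token are placeholders, and the HEC envelope field names (time, host, source, sourcetype, index, event) and the "Splunk <token>" authorization scheme follow Splunk's documented HEC event format.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of one line of Falco JSON output (json_output: true).
# The values are made up for this example.
SAMPLE_FALCO_EVENT = (
    '{"output":"Notice A shell was spawned in a container (user=root '
    'container_id=abc123 shell=bash)",'
    '"priority":"Notice","rule":"Terminal shell in container",'
    '"time":"2021-01-15T10:00:00.123456789Z",'
    '"output_fields":{"container.id":"abc123","proc.name":"bash"}}'
)


def falco_time_to_epoch(ts: str) -> float:
    """Convert Falco's RFC 3339 UTC timestamp (nanosecond precision) to epoch seconds.

    Python's datetime only carries microseconds, so the fractional part is
    truncated to six digits; HEC accepts fractional epoch seconds.
    """
    base, _, frac = ts.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    dt = datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def format_splunk_hec(falco_line: str, host: str, sourcetype: str = "falco",
                      index: Optional[str] = None) -> dict:
    """Wrap one Falco JSON event in the Splunk HEC event envelope.

    The whole Falco record (rule, priority, output_fields, ...) goes under
    "event" so Splunk indexes its fields; "time" is taken from the event so the
    indexed timestamp reflects when Falco saw the syscall, not when HEC received it.
    """
    event = json.loads(falco_line)
    envelope = {
        "time": falco_time_to_epoch(event["time"]),
        "host": host,
        "source": "falco",
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        envelope["index"] = index
    return envelope


def hec_headers(token: str) -> dict:
    """HTTP headers HEC expects; the token is sent in the Authorization header."""
    return {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }


def build_hec_request(falco_line: str, hec_url: str, token: str, host: str) -> dict:
    """Assemble everything an HTTP client (curl, requests, ...) needs for one POST."""
    body = json.dumps(format_splunk_hec(falco_line, host), separators=(",", ":"))
    return {"url": hec_url, "headers": hec_headers(token), "body": body}


def redact_headers(headers: dict) -> dict:
    """Copy of the headers safe to print in debug logs: never echo the HEC token."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    # Placeholder endpoint and token; replace with real values in a deployment.
    req = build_hec_request(
        SAMPLE_FALCO_EVENT,
        "https://splunk.example.internal:8088/services/collector/event",
        "HEC-TOKEN-PLACEHOLDER",
        host="node-1",
    )
    print(req["url"])
    print(redact_headers(req["headers"]))
    print(req["body"])
```

The envelope is what a splunk_hec formatter inside Falco would emit as the request body, and the Authorization header is what the proposed extra header configuration would inject into the curl options; keeping the token only in configuration and redacting it in any debug output avoids leaking a write credential for the SIEM through Falco's own logs.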