Kubernetes/OpenShift Splunk Connect: How to send logs from specific namespace to an index?

catherinelam — Thu, 28 Jan 2021 17:45:13 GMT

I have a Splunk Connect instance on my OpenShift cluster that's currently sending all logs to a logging index. There's no special configuration and the only tweeking done after installation is pointing to the right Splunk instance / applying the HEC token value.

Is there a way to set the config map such that all logs from a namespace (i.e. 'specificApplication') goes to an index?

Here's a snippet of what the current config map for logging looks like - not sure if this would shed insight as I'm not too familiar with Splunk:

@type splunk_hec

protocol http

hec_host "xx.x.xx.xx"

hec_port 8088

hec_token "#{ENV['SPLUNK_HEC_TOKEN']}"

index_key index

#insecure_ssl true

host "#{ENV['K8S_NODE_NAME']}"

source_key source

sourcetype_key sourcetype

Re: Kubernetes/OpenShift Splunk Connect: How to send logs from specific namespace to an index?

mattymo — Sun, 28 Feb 2021 14:17:30 GMT

Yes, connect for Kubernetes supports the use of annotations to route data. Please ensure to use the latest, currently 1.4.6 at time of writing this.

https://github.com/splunk/splunk-connect-for-kubernetes#managing-sck-log-ingestion-by-using-annotations

topic Re: Kubernetes/OpenShift Splunk Connect: How to send logs from specific namespace to an index? in Splunk Dev

Kubernetes/OpenShift Splunk Connect: How to send logs from specific namespace to an index?

Re: Kubernetes/OpenShift Splunk Connect: How to send logs from specific namespace to an index?