https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371449#M67428 <P>They control the docker instance, if that's what you mean. But I don't see a way to classify different sources coming from 1 docker container as different sourcetypes.</P> Tue, 27 Jun 2017 01:21:21 GMT twinspop 2017-06-27T01:21:21Z https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371445#M67424 <P>We have a group using HEC to deliver logs from Docker, but there are many different types of logs in the stream. It appears that any logs they want included in the HEC stream are written to STDOUT, but that means they all show as one sourcetype. Am I missing something? I've got app logs, error logs with stack traces, and web access logs. Each has their own log style as well as time format.</P> <P>Am I stuck with overriding sourcetypes with a transform, or is there a better way?</P> <P>Thanks!</P> Mon, 26 Jun 2017 20:51:20 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371445#M67424 twinspop 2017-06-26T20:51:20Z https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371446#M67425 <P>Do they have control over how the data is getting to the HEC? If so, then they can set index, sourcetype, etc. in the HTTP request to the HEC. That would likely be the best way.</P> <P>If they don't have control, then it would likely be best to use transforms in the indexers.</P> Mon, 26 Jun 2017 23:13:54 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371446#M67425 cpetterborg 2017-06-26T23:13:54Z https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371447#M67426 <P>If each type of data is sent to the stream with a different token, then the HEC can easily separate out the different types of data.<BR /> This is a good reference: Set up and use HTTP Event Collector<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector">http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector</A></P> <P>The section "Create an Event Collector token" shows how to create multiple tokens. </P> Tue, 27 Jun 2017 00:20:19 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371447#M67426 lguinn2 2017-06-27T00:20:19Z https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371448#M67427 <P>This would be grand if you can start up docker with multiple tokens. AFAIK, you cannot. Did I miss one of the Splunk driver options?</P> Tue, 27 Jun 2017 01:20:15 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371448#M67427 twinspop 2017-06-27T01:20:15Z https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371449#M67428 <P>They control the docker instance, if that's what you mean. But I don't see a way to classify different sources coming from 1 docker container as different sourcetypes.</P> Tue, 27 Jun 2017 01:21:21 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371449#M67428 twinspop 2017-06-27T01:21:21Z https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371450#M67429 <P>If you can't use multiple tokens, then you can still parse the data stream into multiple sourcetypes. You will need to use transforms on the indexers (or heavy forwarders) where the HEC runs.</P> Wed, 28 Jun 2017 11:45:26 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-multiple-sources-from-Docker-with-HEC-Are-multiple/m-p/371450#M67429 lguinn2 2017-06-28T11:45:26Z