https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/527507#M88960 <P>Hello,</P><P>when catching up source at props.conf stanza you have to use two colons instead of equal sign. Like</P><P>[source::http:docker]</P><P>For regex I would use capturing group, for example</P><P>REGEX = security_level\":\"([^"]*)<BR />DEST_KEY = _MetaData:Index<BR />FORMAT = $1</P><P>When event goes to xx -index.&nbsp;Or as hard coded&nbsp;</P><P>REGEX = security_level\":\"xx\"<BR />DEST_KEY = _MetaData:Index<BR />FORMAT = xx_index</P><P>Event ends up to&nbsp;xx_index -index.</P> Mon, 02 Nov 2020 11:48:31 GMT juhatamminen 2020-11-02T11:48:31Z https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/523847#M88454 <P>Hi Splunkers,</P><P>I have start using Splunk Logging Driver to get my docker logs into Splunk. I am using Splunk Enterprice 8.0.1.</P><P>Problem is that indexer does not parse docker logs. I have tried with json and raw formats but either seems not to be noticed by indexer.</P><P>Current setup. HEC token used has source type _raw and all indexes allowed.</P><P>Docker startup</P><P>&nbsp;</P><LI-CODE lang="markup">docker run \ &gt; --log-driver=splunk \ &gt; --log-opt splunk-token=xxxx \ &gt; --log-opt splunk-url=http://xxxxx:8088 \ &gt; --log-opt splunk-format=raw \ &gt; --log-opt tag="{{.Name}}/{{.FullID}}" \ &gt; --log-opt labels=location \ &gt; --log-opt env=TEST \ &gt; --env "TEST=false" \ &gt; --label location=xxxxx \ &gt; containerId</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[source=http:docker] INDEXED_EXTRACTIONS=JSON KV_MODE = none AUTO_KV_JSON= false TRANSFORMS-class_to_xx_index = route_to_xx_index</LI-CODE><P>&nbsp;</P><P>transforms.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[route_to_xx_index] REGEX = .*\"xx\":\"xx\".* DEST_KEY = _MetaData:Index FORMAT = xx_index</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>All logs are going to default index. I have double checked that regex pattern matches and same pattern is working for universal forwarder, which logs are parsed and indexed correctly.</P><P>Input I get to default index is one line</P><P>&nbsp;</P><LI-CODE lang="markup">containerName/container location=xx TEST=false {"message":"User xxx does xxx","priority":6,"priorityName":"INFO","sessionId":"xxx","action":"auth/login","application":"xx","environment":"development","security_level":"xx","info":"xxx"}</LI-CODE><P>&nbsp;</P><P>which does not get parsed and index.</P><P>&nbsp;If I try with with _json token input to Splunk is "line" format and with same content and logs are also not parsed.</P><P>Any idea what I am doing wrong here. How to get json formatted logs to be parsed?</P> Fri, 09 Oct 2020 05:38:16 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/523847#M88454 ps 2020-10-09T05:38:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/524327#M88522 <P>up</P> Tue, 13 Oct 2020 06:45:51 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/524327#M88522 ps 2020-10-13T06:45:51Z https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/527507#M88960 <P>Hello,</P><P>when catching up source at props.conf stanza you have to use two colons instead of equal sign. Like</P><P>[source::http:docker]</P><P>For regex I would use capturing group, for example</P><P>REGEX = security_level\":\"([^"]*)<BR />DEST_KEY = _MetaData:Index<BR />FORMAT = $1</P><P>When event goes to xx -index.&nbsp;Or as hard coded&nbsp;</P><P>REGEX = security_level\":\"xx\"<BR />DEST_KEY = _MetaData:Index<BR />FORMAT = xx_index</P><P>Event ends up to&nbsp;xx_index -index.</P> Mon, 02 Nov 2020 11:48:31 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-logging-driver-logs-not-parsed-by-indexer/m-p/527507#M88960 juhatamminen 2020-11-02T11:48:31Z