Routing logs to different indexes - Splunk Connect...

alanzchan · ‎06-26-2019

We just implemented Splunk Connect for Kubernetes on our performance environment. Since the data is coming into via HTTP Event Collector which is only configured to one index, how will we differentiate/route the various application logs to different indexes that are coming into the HEC? I have an idea in mind using props and transforms, but I prefer not doing this because of the performance hit.

Is anyone using Splunk Connect for Kubernetes and if so, how did you set up the configuration so that different application logs go to separate indexes?

fmvangari · ‎06-27-2019

If different apps are in different k8s namespaces, there is a setting in helm config to enable it and choose specific index for default namespace.

nikhils5501 · ‎07-31-2020

@fmvangari

Can you share some info on where I can find this helm config to route logs from a specific namespace to specific index ?

Thanks.

alanzchan · ‎06-28-2019

Unfortunately, we are not able to utilize the namespace to index routing feature because all of our applications are in one namespace. Is it a best practice to separate all application to an individual namespace? What if we have hundreds of applications?

Routing logs to different indexes - Splunk Connect for Kubernetes

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Routing logs to different indexes - Splunk Connect for Kubernetes

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud