All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Connect in OpenShift - Configuration with Wildcards for Legacy Logs

andrewcapuano
New Member
‎04-07-2021 12:01 PM

Hi Splunk Team,

 

I have deployed Splunk App for Infrastructure and it is working well (essentially it deploys SCK to my server). I have been trying to update my ConfigMap called "sck-rendered-splunk-kubernetes-logging" to setup my source.container.conf file as follows:

 

 

<source>
  @id containers.log
  @type tail
  @label @splunk
  tag tail.containers.*
  path /var/log/containers/*.log, /var/lib/kubelet/pods/*/volumes/kubernetes.io~empty-dir/emptydir*/.*/*.log
  exclude_path ["/var/log/containers/fluentd*"]
  pos_file /var/log/splunk-fluentd-containers.log.pos
  tag kubernetes.*
  path_key source
  read_from_head true
  <parse>
    @type regex
    expression /^(?<log>.*)$/ 
    time_key time
    time_type string
    time_format %Y-%m-%dT%H:%M:%SZ
  </parse>
</source>

 

 

Please take a look at the entry from the Path line above (copied here):   

/var/lib/kubelet/pods/*/volumes/kubernetes.io~empty-dir/emptydir*/.*/*.log

 

We are not correctly receiving legacy app logs in Splunk, which was the purpose of the above entry to the Path config.

 

To give some more info on our file structure, we have empty-dir mounted to legacy logging applications which is mounted to /opt/apps/weblogs on the pod and /var/lib/kubelet/pods on the Node (server) itself.

 

Here's an example of the absolute path to an application 's legacy logs that are hosted on a node:

/var/lib/kubelet/pods/e36c6c23-325b-4e1e-b11e-26ff5abffd17/volumes/kubernetes.io~empty-dir/emptydir-my-test-app-rd-mytestapp/mytestapp

 

Here's a look at the filesystem mounted inside of the pod:

sh-4.2$ cd /opt/apps/weblogs/
sh-4.2$ ls
andrew.log mytestapp
sh-4.2$ ls mytestapp
mytestapp.log  other_directory

 

With our current path (pasted once more below this), we are able to tail the file "andrew.log" in Splunk, but we are not able to tail log files from mytestapp/ and downwards through the filesystem . Can you give some advice on how to update our path in the conf file, or any other place (e.g. the regex) to help us effectively ingest logs from both andrew.log (ie /opt/apps/weblogs) + any .log file that lives in mytestapp or recursively below that (other_directory and beyond)?  

Labels (1)
Labels
Tags (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...