We are using Rancher and are able to successfully send logs to Splunk. On the Rancher end, fluentd is the main monitor of logs.
The Docker container is monitored by fluentd, which, after adding some metadata, sends the logs out to Splunk HEC.
Fluentd reads the Docker container's stream, timestamp and log in JSON format. The issue with fluentd is that it does not process multiline logs at all, so every Java stack trace generates 100 events, which are then sent to Splunk.
Is there a way to either replace fluentd completely in Rancher with Splunk (the built-in Splunk forwarder is used AFTER fluentd has its way with the log payloads) or replace the built-in system fluentd to handle multiline logs?
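Not part of the original post: an added Python illustration of what a multiline-aware stage has to do with Docker's json-file records (`log` / `stream` / `time`) before they reach Splunk HEC, so a Java stack trace lands as one event instead of one per line. It uses the same idea as a start-of-record regexp in a Fluentd multiline/concat step: a new event begins only on a line that matches the application's timestamp prefix. The timestamp pattern, the sample log lines and the `sourcetype` are constructed assumptions, not values from the poster's setup.

```python
import json
import re
from datetime import datetime

# Constructed sample of Docker json-file records, one JSON object per line,
# in the shape fluentd tails from the container. The ERROR line is followed
# by a Java stack trace that Docker split into separate records.
SAMPLE_DOCKER_LINES = [
    '{"log":"2024-01-01 10:00:00 INFO Started\\n","stream":"stdout","time":"2024-01-01T10:00:00.000Z"}',
    '{"log":"2024-01-01 10:00:01 ERROR Request failed\\n","stream":"stderr","time":"2024-01-01T10:00:01.000Z"}',
    '{"log":"java.lang.NullPointerException: boom\\n","stream":"stderr","time":"2024-01-01T10:00:01.001Z"}',
    '{"log":"\\tat com.example.Foo.bar(Foo.java:42)\\n","stream":"stderr","time":"2024-01-01T10:00:01.002Z"}',
    '{"log":"Caused by: java.io.IOException: disk\\n","stream":"stderr","time":"2024-01-01T10:00:01.003Z"}',
    '{"log":"\\t... 3 more\\n","stream":"stderr","time":"2024-01-01T10:00:01.004Z"}',
    '{"log":"2024-01-01 10:00:02 INFO Recovered\\n","stream":"stdout","time":"2024-01-01T10:00:02.000Z"}',
]

# Assumed application log prefix: a record that starts with this begins a new
# event; anything else (exception lines, "at ...", "Caused by:") is a continuation.
START_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def stitch_multiline(lines, start_re=START_RE):
    """Merge Docker json-file records into logical events.

    A continuation is appended to the open event unless it comes from a
    different stream (stdout vs stderr), which is treated as an event boundary.
    The event keeps the timestamp of its first line.
    """
    events, current = [], None
    for raw in lines:
        rec = json.loads(raw)
        text = rec["log"].rstrip("\n")
        if current is None or start_re.match(text) or rec["stream"] != current["stream"]:
            if current is not None:
                events.append(current)
            current = {"time": rec["time"], "stream": rec["stream"], "log": text}
        else:
            current["log"] += "\n" + text
    if current is not None:
        events.append(current)
    return events


def iso_to_epoch(ts):
    """Docker's RFC 3339 'Z' timestamp -> epoch seconds, as HEC expects."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def to_hec_events(events, sourcetype="docker:java"):
    """Wrap stitched events in the /services/collector JSON envelope."""
    return [{"time": iso_to_epoch(ev["time"]), "sourcetype": sourcetype,
             "event": {"log": ev["log"], "stream": ev["stream"]}} for ev in events]
```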