All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is splunk-connect-for-kubernetes search by namespace=mynamespace missing results?

fazie
New Member
‎03-27-2020 01:31 AM

Hi,
We use splunk-connect-for-kubernetes to send logs to splunk via HEC mechanism. Sending logs to splunk is fine, but searching is not.
When we search for

namespace=mynamespace "*Exception*"

There is lots of missing logs, very few is returned.
But, when I search like that:

namespace=*mynamespace* "*Exception*"

All is fine, all logs are returned

Any suggestions?

OUtput part of fluentd configuration:

  <match **>
    @type copy
    deep_copy true
    <store>
      @type splunk_hec
      protocol https
      hec_host "#{ENV['SPLUNK_HOST']}"
      hec_port "#{ENV['SPLUNK_PORT']}"
      hec_token "#{ENV['SPLUNK_TOKEN']}"
      host "#{ENV['NODE_NAME']}"
      source_key source
      sourcetype_key sourcetype
      <fields>
        pod
        namespace
        container_name
        container_id
        cluster_env
        cluster_name
      </fields>
      <buffer>
        @type memory
        chunk_limit_records 100000
        chunk_limit_size 200m
        flush_interval 5s
        flush_thread_count 1
        overflow_action block
        retry_max_times 3
        total_limit_size 600m
      </buffer>
      <format>
        @type single_value
        message_key log
        add_newline false
      </format>
    </store>
    <store>
      @type prometheus
      <metric>
        (...)
      </metric>
    </store>
  </match>
Labels (1)
Labels
0 Karma
Reply

RDumbeck
Explorer
‎05-03-2023 01:06 PM

Try using namespace::mynamespace

I cannot remember why though.

0 Karma
Reply

RDumbeck
Explorer
‎11-30-2022 10:17 AM

any luck with this. I have the same problem.

0 Karma
Reply

efloss
Engager
‎12-12-2022 07:54 AM

Ran into this recently, putting them together in a fields.conf file on the search head will make them searchable without needing the wildcards since they're metadata fields.

[k8s.cluster.name]
INDEXED=true

[k8s.container.name]
INDEXED=true

[k8s.namespace.name]
INDEXED=true

[k8s.node.name]
INDEXED=true

[k8s.pod.name]
INDEXED=true

[k8s.pod.uid]
INDEXED=true

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...