All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Why is splunk-connect-for-kubernetes search by...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is splunk-connect-for-kubernetes search by namespace=mynamespace missing results?
fazie
New Member
03-27-2020
01:31 AM
Hi,
We use splunk-connect-for-kubernetes to send logs to splunk via HEC mechanism. Sending logs to splunk is fine, but searching is not.
When we search for
namespace=mynamespace "*Exception*"
There is lots of missing logs, very few is returned.
But, when I search like that:
namespace=*mynamespace* "*Exception*"
All is fine, all logs are returned
Any suggestions?
OUtput part of fluentd configuration:
<match **>
@type copy
deep_copy true
<store>
@type splunk_hec
protocol https
hec_host "#{ENV['SPLUNK_HOST']}"
hec_port "#{ENV['SPLUNK_PORT']}"
hec_token "#{ENV['SPLUNK_TOKEN']}"
host "#{ENV['NODE_NAME']}"
source_key source
sourcetype_key sourcetype
<fields>
pod
namespace
container_name
container_id
cluster_env
cluster_name
</fields>
<buffer>
@type memory
chunk_limit_records 100000
chunk_limit_size 200m
flush_interval 5s
flush_thread_count 1
overflow_action block
retry_max_times 3
total_limit_size 600m
</buffer>
<format>
@type single_value
message_key log
add_newline false
</format>
</store>
<store>
@type prometheus
<metric>
(...)
</metric>
</store>
</match>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RDumbeck
Explorer
05-03-2023
01:06 PM
Try using namespace::mynamespace
I cannot remember why though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RDumbeck
Explorer
11-30-2022
10:17 AM
any luck with this. I have the same problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
efloss
Engager
12-12-2022
07:54 AM
Ran into this recently, putting them together in a fields.conf file on the search head will make them searchable without needing the wildcards since they're metadata fields.
[k8s.cluster.name]
INDEXED=true
[k8s.container.name]
INDEXED=true
[k8s.namespace.name]
INDEXED=true
[k8s.node.name]
INDEXED=true
[k8s.pod.name]
INDEXED=true
[k8s.pod.uid]
INDEXED=true
Get Updates on the Splunk Community!
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
