All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is splunk-connect-for-kubernetes search by namespace=mynamespace missing results?

fazie
New Member
‎03-27-2020 01:31 AM

Hi,
We use splunk-connect-for-kubernetes to send logs to splunk via HEC mechanism. Sending logs to splunk is fine, but searching is not.
When we search for

namespace=mynamespace "*Exception*"

There is lots of missing logs, very few is returned.
But, when I search like that:

namespace=*mynamespace* "*Exception*"

All is fine, all logs are returned

Any suggestions?

OUtput part of fluentd configuration:

  <match **>
    @type copy
    deep_copy true
    <store>
      @type splunk_hec
      protocol https
      hec_host "#{ENV['SPLUNK_HOST']}"
      hec_port "#{ENV['SPLUNK_PORT']}"
      hec_token "#{ENV['SPLUNK_TOKEN']}"
      host "#{ENV['NODE_NAME']}"
      source_key source
      sourcetype_key sourcetype
      <fields>
        pod
        namespace
        container_name
        container_id
        cluster_env
        cluster_name
      </fields>
      <buffer>
        @type memory
        chunk_limit_records 100000
        chunk_limit_size 200m
        flush_interval 5s
        flush_thread_count 1
        overflow_action block
        retry_max_times 3
        total_limit_size 600m
      </buffer>
      <format>
        @type single_value
        message_key log
        add_newline false
      </format>
    </store>
    <store>
      @type prometheus
      <metric>
        (...)
      </metric>
    </store>
  </match>
Labels (1)
Labels
0 Karma
Reply

RDumbeck
Explorer
‎05-03-2023 01:06 PM

Try using namespace::mynamespace

I cannot remember why though.

0 Karma
Reply

RDumbeck
Explorer
‎11-30-2022 10:17 AM

any luck with this. I have the same problem.

0 Karma
Reply

efloss
Engager
‎12-12-2022 07:54 AM

Ran into this recently, putting them together in a fields.conf file on the search head will make them searchable without needing the wildcards since they're metadata fields.

[k8s.cluster.name]
INDEXED=true

[k8s.container.name]
INDEXED=true

[k8s.namespace.name]
INDEXED=true

[k8s.node.name]
INDEXED=true

[k8s.pod.name]
INDEXED=true

[k8s.pod.uid]
INDEXED=true

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...