Monitoring Splunk

How to monitor an application log path present inside a container in Kubernetes?

deepak_babu
Engager

Currently I'm using Splunk Connect for Kubernetes to index console logs. Is there a way to index logs that are present inside without using a sidecar container?
If a sidecar is the only option, is there any documentation on how to implement it?

0 Karma

mattymo
Splunk Employee

Hi!

One option is to define an emptyDir ( https://kubernetes.io/docs/concepts/storage/volumes/#emptydir ) for your pod to log to, which you then mount into the logging pod. This allows you to simply update the configMap to add a new file input to fluentd. emptyDir logs are usually at /var/lib/kubelet on the node, I believe, so you would add a new tail_in and filters as necessary.

One thing I will say... if your logs don't come out of the container runtime (stdout/stderr) and are very high volume (i.e., 4000K+ eps), then I would look at the UF Docker image instead, and deploy one UF per node for high-volume non-docker/containerd logging. While Connect for K8s is better at shaping the data for Splunk, the UF whips it in perf. So it depends on what the constraints/requirements are.

Will try and post a blog on this and update here....

- MattyMo
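The emptyDir approach described above, as an added example that is not part of MattyMo's post or of Splunk Connect for Kubernetes itself: an application Pod that writes its log file to an emptyDir volume, and a fluentd in_tail `<source>` that picks that file up from the node. The pod/image names, the `/var/log/myapp/app.log` path, the tag and the pos_file location are assumptions. The host-side path follows the kubelet layout `/var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~empty-dir/<volume-name>/`, so the logging DaemonSet needs `/var/lib/kubelet` mounted read-only from the host before this source sees anything; confirm the path on a node with `ls` before relying on it.

```yaml
# Added example, not from the original thread. Application Pod that logs to a
# file on an emptyDir volume instead of stdout/stderr.
apiVersion: v1
kind: Pod
metadata:
  name: myapp                         # assumed name
  namespace: default
spec:
  containers:
    - name: myapp
      image: myregistry/myapp:1.0     # assumed image; writes /var/log/myapp/app.log
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/myapp
  volumes:
    - name: app-logs
      emptyDir: {}
---
# Extra fluentd input for the Splunk Connect for Kubernetes configMap.
# The <source> body is fluentd's standard in_tail syntax; the configMap name,
# file name, tag and pos_file path are assumptions. The glob in `path` walks the
# kubelet emptyDir layout on the node, so the fluentd DaemonSet must mount
# /var/lib/kubelet from the host (hostPath, readOnly: true) for it to match.
apiVersion: v1
kind: ConfigMap
metadata:
  name: splunk-kubernetes-logging     # assumed: the fluentd configMap of your release
  namespace: default
data:
  source.myapp.conf: |
    <source>
      @type tail
      tag tail.file.myapp              # assumed tag; route it with a <filter>/<match> as needed
      path /var/lib/kubelet/pods/*/volumes/kubernetes.io~empty-dir/app-logs/app.log
      pos_file /var/log/splunk-fluentd-myapp.pos   # keep on a hostPath so offsets survive restarts
      read_from_head true
      <parse>
        @type none
      </parse>
    </source>
```

Two caveats worth checking before adopting this: an emptyDir is deleted when its Pod goes away, so anything fluentd has not read by then is gone; and mounting `/var/lib/kubelet` into the logging DaemonSet exposes every Pod's emptyDir (and any data an application drops there) to that DaemonSet, so mount it read-only and treat the logging pods as privileged in your threat model.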

DukeScottWu
New Member

@mattymo we just have a question related to the non-container logging issue. We planned to use the UF as a sidecar in our service following https://github.com/splunk/docker-splunk/blob/develop/docs/SETUP.md but want to know which URL and UID/pwd shall be used. The document just gives blurry information.

0 Karma

mattymo
Splunk Employee

Hi, the UF does not have a UI. What exact image are you trying to use? splunk/splunk or splunk/universalforwarder?

https://github.com/splunk/docker-splunk/blob/develop/docs/ADVANCED.md#runtime-configuration

- MattyMo
0 Karma

DukeScottWu
New Member

Hey @mattymo 
We have deployed Splunk Enterprise 8 and now want to deploy the UF as a sidecar with our service container to ship the logs to the Splunk server. So my original question is: how to configure the UF in Docker? And is there any special configuration required on the Splunk Enterprise side?

BTW: appreciate your quick response 🙂

0 Karma

mattymo
Splunk Employee

No special config needed on the Splunk side. Configuration of the Docker image is all done via environment variables or a default.yml that is passed to Ansible. You can also load Splunk apps in as well to handle Splunk-specific configs. See the advanced document I linked.

- MattyMo
0 Karma
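The sidecar variant discussed in this exchange, as an added example that is not from the thread or from the docker-splunk project: the service container and a splunk/universalforwarder sidecar share an emptyDir, and the UF is driven entirely through the image's environment variables. The pod/image names, the log path, the indexer hostname, the Secret name, and the sourcetype/index are assumptions; the variable names are the ones documented in ADVANCED.md, but check that document for the exact spelling and for whether the s2s port is given separately for your image version. On the Splunk Enterprise side the only thing to confirm is that a receiving port (9997 by default) is enabled, or the forwarder has nowhere to send.

```yaml
# Added example, not from the original thread. Service container plus a
# universalforwarder sidecar that monitors the shared log directory.
apiVersion: v1
kind: Pod
metadata:
  name: myapp                                 # assumed name
  namespace: default
spec:
  containers:
    - name: myapp
      image: myregistry/myapp:1.0             # assumed image; writes /var/log/myapp/app.log
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/myapp
    - name: splunk-uf
      image: splunk/universalforwarder:latest # pin a tag that matches your Enterprise version
      env:
        - name: SPLUNK_START_ARGS
          value: "--accept-license"
        - name: SPLUNK_STANDALONE_URL           # the Enterprise instance to forward to
          value: "splunk-enterprise.example.internal"   # assumed hostname
        - name: SPLUNK_PASSWORD                 # admin password of the UF itself, not of Enterprise
          valueFrom:                            # never inline it; read it from a Secret
            secretKeyRef:
              name: splunk-uf-creds             # assumed Secret name
              key: password
        - name: SPLUNK_ADD                      # runs `splunk add monitor ...` on first start
          value: "monitor /var/log/myapp -sourcetype myapp_log -index main"   # assumed sourcetype/index
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/myapp
          readOnly: true                        # the UF only needs to read the log files
  volumes:
    - name: app-logs
      emptyDir: {}
```

Because each Pod now carries its own forwarder, the UF-to-indexer channel should be encrypted and authenticated (forwarder SSL settings in outputs.conf, shippable as a Splunk app via the image's app-loading mechanism) rather than left on the plaintext default, and the UF's admin password should be unique per deployment since it is an administrative credential on every Pod that runs this spec.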