I would like to separate these logs into units (i.e. etcd.service, kube-apiserver.service, kube-controller-manager.service, etc.)
I'd then like to send those different logs to Splunk.
Do I have to force these logs to a file first, then move them?
Since Splunk can't read the default binary format of journal, you should write to a text file and then forward (don't remember but read it somewhere).
There is a blog which talks about this in detail for different flavors; might be useful for you.
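As an added example (not from the original answer or from Splunk's TA), here is one way to do the "text file per unit" step: feed the output of `journalctl -o json` through a small POSIX shell/awk splitter that writes one plain-text file per `_SYSTEMD_UNIT`, which a forwarder can then monitor. It assumes the standard journal export field names (`_SYSTEMD_UNIT`, `__REALTIME_TIMESTAMP`, `MESSAGE`) and uses constructed sample entries instead of a live journal.

```shell
#!/bin/sh
# split_journal_by_unit: read journalctl -o json lines on stdin and write one
# text file per systemd unit into the directory given as $1.
# Assumption: each input line is a journal entry as exported by
#   journalctl -o json   (fields _SYSTEMD_UNIT, __REALTIME_TIMESTAMP, MESSAGE)
# Entries without _SYSTEMD_UNIT (e.g. kernel messages) go to no-unit.log so
# nothing is silently dropped. Timestamps are rewritten as epoch seconds.micro.
split_journal_by_unit() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v outdir="$outdir" '
    # Extract a string field by name; handles \" escapes inside the value.
    function field(name,   re) {
      re = "\"" name "\":\"([^\"\\\\]|\\\\.)*\""
      if (match($0, re))
        return substr($0, RSTART + length(name) + 4, RLENGTH - length(name) - 5)
      return ""
    }
    {
      unit = field("_SYSTEMD_UNIT"); if (unit == "") unit = "no-unit"
      ts = field("__REALTIME_TIMESTAMP"); msg = field("MESSAGE")
      gsub(/\\"/, "\"", msg)                       # unescape quoted text
      gsub(/[^A-Za-z0-9._@-]/, "_", unit)          # keep filenames safe
      if (length(ts) > 6)                          # usec -> sec.usec
        ts = substr(ts, 1, length(ts) - 6) "." substr(ts, length(ts) - 5)
      print ts " " unit " " msg >> (outdir "/" unit ".log")
    }'
}

# Constructed sample of journalctl -o json output (three units, one kernel line).
sample_journal_json() {
  printf '%s\n' \
    '{"__REALTIME_TIMESTAMP":"1700000000123456","_SYSTEMD_UNIT":"etcd.service","MESSAGE":"etcd started"}' \
    '{"__REALTIME_TIMESTAMP":"1700000001000000","_SYSTEMD_UNIT":"kube-apiserver.service","MESSAGE":"listening on \"0.0.0.0:6443\""}' \
    '{"__REALTIME_TIMESTAMP":"1700000002000000","_SYSTEMD_UNIT":"etcd.service","MESSAGE":"compaction done"}' \
    '{"__REALTIME_TIMESTAMP":"1700000003000000","MESSAGE":"kernel line"}'
}

# Stand-alone demo: on a real host replace sample_journal_json with
#   journalctl -o json --no-pager
demo_dir=$(mktemp -d)
sample_journal_json | split_journal_by_unit "$demo_dir"
ls "$demo_dir"
```

Point the forwarder's monitor stanza at the output directory and set the sourcetype per file (the unit name is in the filename and in each line).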
This got me a long way to the answer, thanks!!!
This is a terrible answer. Splunk should put this into the TA for NIX. Expecting each customer to figure out some crap method of this is BS.