Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logging multiple sources from Docker with HEC: Are multiple sourcetypes possible?

twinspop
Influencer
‎06-26-2017 01:51 PM

We have a group using HEC to deliver logs from Docker, but there are many different types of logs in the stream. It appears that any logs they want included in the HEC stream are written to STDOUT, but that means they all show as one sourcetype. Am I missing something? I've got app logs, error logs with stack traces, and web access logs. Each has their own log style as well as time format.

Am I stuck with overriding sourcetypes with a transform, or is there a better way?

Thanks!

Reply

lguinn2
Legend
‎06-28-2017 04:45 AM

If you can't use multiple tokens, then you can still parse the data stream into multiple sourcetypes. You will need to use transforms on the indexers (or heavy forwarders) where the HEC runs.

0 Karma
Reply

lguinn2
Legend
‎06-26-2017 05:20 PM

If each type of data is sent to the stream with a different token, then the HEC can easily separate out the different types of data.
This is a good reference: Set up and use HTTP Event Collector
http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

The section "Create an Event Collector token" shows how to create multiple tokens.

0 Karma
Reply

twinspop
Influencer
‎06-26-2017 06:20 PM

This would be grand if you can start up docker with multiple tokens. AFAIK, you cannot. Did I miss one of the Splunk driver options?

Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-26-2017 04:13 PM

Do they have control over how the data is getting to the HEC? If so, then they can set index, sourcetype, etc. in the HTTP request to the HEC. That would likely be the best way.

If they don't have control, then it would likely be best to use transforms in the indexers.

0 Karma
Reply

twinspop
Influencer
‎06-26-2017 06:21 PM

They control the docker instance, if that's what you mean. But I don't see a way to classify different sources coming from 1 docker container as different sourcetypes.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...