Getting Data In

Send a hostname tag via universalforwarder using Docker-Compose

juliofalbo
Engager

 

Hi.

I'm configuring a docker-compose that is responsible for starting a cluster of an application and then Splunk and the universalforwarder.

It is working, but I don't have any tag to indicate which container the log came from.

Is there any way to add a tag with the hostname?

Scenario:

I have the docker-compose below, and I'll scale myapp to 3 instances.

Each instance will receive a random hostname from docker-compose, but the path of the log for all instances is the same.

How can I add the myapp hostname as a tag to Splunk?

Because using the universalforwarder, the value of the field hostname for all logs is the hostname of the universalforwarder container, in my case splunkforwarder.

myapp:
    image: myapp/myapp:latest
    environment:
      - LOG_PATH=/opt/myapp/logs
    ports:
      - "8080"
    volumes:
      - log_volume_splunk:/opt/myapp/logs
splunk:
    image: splunk/splunk:8.0
    hostname: splunk
    container_name: splunk
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_USER=root
      - SPLUNK_ENABLE_LISTEN=9997
      - SPLUNK_PASSWORD=password
    ports:
      - "8000:8000"
splunkforwarder:
    image: splunk/universalforwarder:8.0
    hostname: splunkforwarder
    container_name: splunkforwarder
    environment:
      - SPLUNK_START_ARGS=--accept-license --answer-yes
      - SPLUNK_STANDALONE_URL=splunk:9997
      - SPLUNK_USER=root
      - SPLUNK_ADD=monitor /opt/myapp/logs
      - SPLUNK_PASSWORD=password
    restart: always
    depends_on:
      - splunk
    volumes:
      - log_volume_splunk:/opt/myapp/logs

 

 

 

 

 

 

 

 


juliofalbo
Engager

Hi @vikramyadav.

Thanks for the help, but unfortunately it is not working.

As you can see, I'm using docker-compose and the scale strategy of docker-compose.

Doing that, docker-compose will automatically add a random hostname to my containers, but the problem is that the hostname field in my Splunk is: splunkforwarder

splunkforwarder is the hostname of the container that I added for the image splunk/universalforwarder:8.0

0 Karma

vikramyadav
Contributor

Yes, we can change the hostname for a Docker container.

Can you try to run

docker run --hostname=value OR docker run -h value

In place of value you can specify your hostname.

--------------------------------------------------------

If this helps you, your like will be appreciated 😀
