Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Send a hostname tag via universalforwarder using D...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Send a hostname tag via universalforwarder using Docker-Compose
Hi.
I'm configuring a docker-compose responsible to start a cluster of an application and then Splunk and the universalforwarder.
It is working, but I don't have any tag to inform from which container the log came.
Is there any way to add a tag with the hostname?
Scenario:
I have the docker-compose below, and I'll scale myapp to 3 instances.
Each instance will receive a random hostname by docker-compose, but the path of the log for all instances is the same.
How can I add the myapp hostname as a tag to Splunk?
Because using the universalforwarder, the value of the field hostname for all logs is the hostname of the universalforwarder container, in my case splunkforwarder.
myapp:
image: myapp/myapp:latest
environment:
- LOG_PATH=/opt/myapp/logs
ports:
- "8080"
volumes:
- log_volume_splunk:/opt/myapp/logs
splunk:
image: splunk/splunk:8.0
hostname: splunk
container_name: splunk
environment:
- SPLUNK_START_ARGS=--accept-license
- SPLUNK_USER=root
- SPLUNK_ENABLE_LISTEN=9997
- SPLUNK_PASSWORD=password
ports:
- "8000:8000"
splunkforwarder:
image: splunk/universalforwarder:8.0
hostname: splunkforwarder
container_name: splunkforwarder
environment:
- SPLUNK_START_ARGS=--accept-license --answer-yes
- SPLUNK_STANDALONE_URL=splunk:9997
- SPLUNK_USER=root
- SPLUNK_ADD=monitor /opt/myapp/logs
- SPLUNK_PASSWORD=password
restart: always
depends_on:
- splunk
volumes:
- log_volume_splunk:/opt/myapp/logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vikramyadav .
Thanks for the help but unfortunately it is not working.
As you can see I'm using docker-compose and using the scale strategy of docker-compose.
Doing that docker-compose will add automatically a random hostname to my containers, but the problem is that the hostname field in my Splunk is: splunkforwarder
splunkforwarder is the hostname of the container that I added for the image splunk/universalforwarder:8.0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes we can change the host name for docker container.
Can you try to run
docker run --hostname=value OR docker run -h value
In place of value you can specify your hostname.
--------------------------------------------------------
If this helps you your like will be appreciated 😀
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
