Solved: Using custom indices to retrieve docker container ...

nanduni · ‎04-11-2017

Hi all,

I want to retrieve the event logs of a docker container with a custom index that I created using the Splunk web interface.

Details about the custom index
Name: abc
App: app-docker
Home Path: $SPLUNK_DB/abc/db

When I use this index to get container logs, I cannot find the container running in Docker Overview dashboard (Logs by Container - Splunk Logging Driver, https://docs.docker.com/engine/admin/logging/splunk/). I can only find containers which uses main index.

How can I retrieve container logs that use tokens referencing to this custom index?

Thank you.

MuS · ‎04-11-2017

Have you tried to search this: index=abc earliest=0 ?

View solution in original post

MuS · ‎04-11-2017

Have you tried to search this: index=abc earliest=0 ?

nanduni · ‎04-11-2017

Thank you very much.

You are right, I am getting the event outputs for index=abc earliest=0. So why do you think that container not appears in the Docker Overview dashboard.

MuS · ‎04-11-2017

change the indexes that are searched by default for your role. Most likely the dashboard searches are created without a specific index name. See the docs for more details to change the by default searched indexes http://docs.splunk.com/Documentation/Splunk/6.5.3/Security/Aboutusersandroles

I will convert this to an answer, feel free to accept it

Hope this helps ...

cheers, MuS

Using custom indices to retrieve docker container logs

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation