Solved: Re: Why is Docker Splunk UF sending logs with 2 di...

eddiemashayev · ‎05-01-2018

Docker-compose

splunkuf:
    image: splunk/universalforwarder:7.0.2
    network_mode: host
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_USER: root
      SPLUNK_CMD: install app /tmp/splunkclouduf.spl -auth admin:changeme
      SPLUNK_DEPLOYMENT_SERVER: XXXX.cloud.splunk.com:8089
      SPLUNK_ADD_1: monitor /docker/log
      SPLUNK_ADD_2: monitor /mnt/logs/postgres
    volumes:
      - /opt/splunk/etc
      - /opt/splunk/var
      - /var/log:/docker/log
      - $DATA_DIR/logs/postgres:/mnt/logs/postgres
      - $DATA_DIR/certs/splunkclouduf.spl:/tmp/splunkclouduf.spl

The container is running in Ubuntu instance. In Splunk cloud I can see 2 hostnames for the same instance:

ubuntu
The real hostname

Any reason why it happens?

eddiemashayev · ‎05-03-2018

Removing TRANSFORMS = syslog-host property from syslog source type in Splunk Cloud solved the issue

View solution in original post

eddiemashayev · ‎05-03-2018

Removing TRANSFORMS = syslog-host property from syslog source type in Splunk Cloud solved the issue

Why is Docker Splunk UF sending logs with 2 different hostnames?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation