Getting Data In

docker splunk-url format error

New Member

With docker run cmd, I used: --log-opt splunk-url=https://mysplunkexample.com:8088/services/collector
docker cmd: docker run --log-driver=splunk --log-opt splunk-url=https://mysplunkexample.com:8088/services/collector ... other options ... image:tag

which gives following error:
docker: Error response from daemon: Failed to initialize logging driver: splunk: expected format scheme://dns_name_or_ip:port for splunk-url.

Splunk Enterprise path is: https://mysplunkexample.com:8088/services/collector
and not: https://mysplunkexample.com:8088

I would appreciate any solution to this issue.

0 Karma

Loves-to-Learn Lots

I confirm that this is not working today. At least for trial versions in splunk cloud. The certificate at port 8088 is not valid and docker can't run

0 Karma

Loves-to-Learn Lots

I was able to run the trial version using the argument in the docker run

--log-opt splunk-insecureskipverify=true

 It would be nice to operate with verificated certificates in trial versions.

0 Karma

Ultra Champion

I assume you've seen this link, but adding it in case it helps in our discussion:
https://docs.docker.com/engine/admin/logging/splunk/

From what I can tell in the docs, you should be using just the scheme, host, and port but no URI. So that means in your example, I would assume this should work: docker run --log-driver=splunk --log-opt splunk-url=https://mysplunkexample.com:8088
The logging driver in docker will resolve what endpoint to post to.

Let us know how you make out?

0 Karma

New Member

Burch, thank you for your response.

I tried just with scheme, host, and port as well,
but that gave different error

docker cmd: docker run --log-driver=splunk --log-opt splunk-token=abcd --log-opt splunk-url=https://mysplunkexample.com:8088 ... other options ... image:tag
gives following error
docker: Error response from daemon: Failed to initialize logging driver: x509: certificate is valid for SplunkServerDefaultCert, not vlmmk301

The splunk-token I used is correct and tested with curl to successfully send event message.

0 Karma

Ultra Champion

The message implies SSL certificate stuff. Check the options on https://docs.docker.com/engine/admin/logging/splunk/#splunk-options for things like the splunk-caname and so forth.

0 Karma

Explorer

Burch,

Per our conversation here is the curl command that we've both used to test things out. Both myself and Prabin have used it to send it to our dev environment:

curl -k https://:8088/services/collector -H 'Authorization: Splunk ,' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'

Thanks,
Burch

0 Karma

Ultra Champion

Did you spot the difference? You tested with a curl command, for which you had to specify the URI. But the docker logging driver implies that you only need to list the schema://hostname:port and it will resolve the URI. See my answer above for an example and let me know how that works out in the docker instance.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!