Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Split logs in more indexes with Splunk OTEL Collector for Kubernetes and Splunk Cloud

giacomomiceli
New Member
‎10-02-2023 01:17 AM

Hello,
We are investigating if we can install with helm Splunk OpenTelemetry Collector for Kubernetes to collect and ingest our logs to Splunk Cloud.
We would like to split the system log from the other logs into two different indexes. Reading the documentation I saw that it is possible to indicate the index as an annotation in the namespaces or pods, but in the values.yaml of the helm the index field is required, but it seems to be usable for only one index.
In summary we will want to use two different indexes, setting one as default and the other using namespace annotations.
Could you kindly show me a configuration for our problem?

Labels (2)
0 Karma
Reply

tscroggins
Influencer
‎10-08-2023 07:52 PM

Hi,

Ingest actions may be the simplest solution.

For each source type, e.g. kube:container:container1, create an ingest action with a "Set Index" rule and set the value to the target index.

tscroggins_0-1696819762429.png

If you need to route events with the same source type to different indexes, you can add a regular expression or eval-based condition to match content within the events and chain together multiple Set Index rules.

More information is available at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/DataIngest#Set_index.

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...