Splunk Enterprise

Sending logs from kubernetes to on prem Splunk Enterprise?

nmsvuuk
Engager

Hi

Trying to figure out how best to send the logs (at least kubernetes logs+ possibly application logs) from on prem Kubernetes cluster to on prem Splunk Enterprise.

I have gone through a long list of options such as 'Splunk App for Infrastructure' (EOL), Splunk Connect for Kubernetes (EOL Jan 2024), Splunk Operators v1 and 2, etc.

Splunk OpenTelemetry Collector for Kubernetes would look promising, but if I understood correctly this only works with Observability (cloud) and is not meant to work with, or supported with, Splunk Enterprise.


My question is: what is the best way to ship logs from Splunk to Splunk Enterprise (both on prem)? Currently the logging, metrics, traces etc. have not yet been configured on the Kubernetes cluster I am building. Since we use Splunk for centralized log collection, whatever solution it is needs to work with Splunk Enterprise but also ideally be more future-proof than many of the solutions seen previously.



durga-hp
New Member

 Hello Team,

We are seeing some weirdness when we are sending logs to Splunk Enterprise on-prem. Previously we used the Splunk OTEL Java agent v1 and things were fine. Once the migration to Splunk OTEL Java agent v2 was done, we started seeing logs being duplicated like below:

[screenshot: durgahp_0-1737343914828.png]



The below is what started showing up

[screenshot: durgahp_1-1737343993326.png]



Can you please help with how we stop the kubernetes source?

The actual source which we used to observe is as below

[screenshot: durgahp_2-1737344079675.png]



Please let me know if you need any more information. I would really appreciate any insights into this and arresting the logs from source kubernetes. Thanks!





Gr0und_Z3r0
Contributor

hi @nmsvuuk 

You can do so by installing the Splunk Universal Forwarder on the master of the cluster and configuring the /var/log path for cluster master logs; for any application-related logs, you can use HTTP Event Collector to ship logs to Splunk.

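As an added example (not from this thread, and not Splunk's own code), this is how container logs read from the kubelet's /var/log/containers path could be turned into HTTP Event Collector events with the Kubernetes metadata kept as indexed fields, and batched to the collector over verified TLS. The sample path and line, the index name and the sourcetype are constructed assumptions.

```python
import json
import re
import ssl
from datetime import datetime, timezone
from urllib import request

# Constructed sample input (not from the thread): a kubelet container log path and one CRI-format line.
# Kubelet writes /var/log/containers/<pod>_<namespace>_<container>-<64-hex container id>.log
SAMPLE_PATH = ("/var/log/containers/web-7d9f8b6c5-x2k4q_shop_nginx-"
               "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.log")
SAMPLE_LINE = '2024-01-20T03:31:54.828Z stdout F {"level":"info","msg":"GET /health 200"}'

PATH_RE = re.compile(r"^/var/log/containers/(?P<pod>[^_]+)_(?P<namespace>[^_]+)_"
                     r"(?P<container>.+)-(?P<cid>[0-9a-f]{64})\.log$")
# CRI log format: <RFC3339 timestamp> <stdout|stderr> <P|F> <message>  (P = partial line, F = full line)
CRI_RE = re.compile(r"^(?P<ts>\S+) (?P<stream>stdout|stderr) (?P<tag>[PF]) (?P<msg>.*)$")

def rfc3339_to_epoch(ts):
    """CRI timestamps are UTC RFC 3339 with up to nanoseconds; strptime's %f only takes 6 digits."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + (float("0." + frac) if frac else 0.0)

def build_hec_event(path, line, index="k8s", sourcetype="kube:container"):
    """Turn one CRI log line into a HEC /services/collector event; k8s metadata goes in 'fields'."""
    pm = PATH_RE.match(path)
    lm = CRI_RE.match(line)
    if not pm or not lm:
        raise ValueError("unrecognised container log path or line")
    return {
        "time": rfc3339_to_epoch(lm.group("ts")),
        "event": lm.group("msg"),
        "source": path,
        "sourcetype": sourcetype,
        "index": index,
        "host": pm.group("pod"),  # assumption: pod name as host; the node name is an equally valid choice
        "fields": {"k8s_namespace": pm.group("namespace"), "k8s_pod": pm.group("pod"),
                   "k8s_container": pm.group("container"), "stream": lm.group("stream"),
                   "partial": lm.group("tag") == "P"},
    }

def send_to_hec(hec_base_url, token, events, cafile=None):
    """POST a batch of events as newline-delimited JSON; hec_base_url is e.g. https://splunk.example:8088."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    req = request.Request(hec_base_url + "/services/collector/event", data=body, method="POST",
                          headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)  # keep certificate verification on for the HEC endpoint
    with request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # Splunk answers {"text": "Success", "code": 0} when accepted
```

Partial (`P`) lines are flagged rather than joined here; a real shipper should buffer them until the closing `F` line arrives so one long log record is not indexed as several events.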

nmsvuuk
Engager

Hi

I was first thinking there must be a solution to be deployed directly to Kubernetes as a deployment/pods, but if installing the standard Splunk forwarder at OS level and shipping logs to Splunk Enterprise is a good solution for Kubernetes logs, I may just try that out.

I will have a look at the HTTPS collector to see how well it addresses the application side logging.


Thanks for your help!
