How do I send Kubernetes Node name to Splunk?

catchaj88 · ‎12-14-2018

We are running a Kubernetes cluster and are shipping pod logs to Splunk Cloud.

Our current setup:
1. Universal forwarders are deployed as Daemonset, which monitors /var/log/containers/*. Sample from inputs.conf:
[monitor:///var/log/containers/kube*.log]
host_regex = /var/log/containers/(.*)_.*_.*\.log
sourcetype = kube-state
index = kepler-dev
2. The Universal forwarders send data to heavy forwards which applies some regex
3. Heavy forwarders send data to Splunk Cloud for indexing

I want to send the hostname of the worker node either as part of the host or a separate field. Is there a way I can achieve this?

outcoldman · ‎12-17-2018

I would highly suggest looking for the alternatives for forwarding Kubernetes logs to Splunk:

Open Source Free version of Splunk Connect for Kubernetes - this is a recommended by Splunk option for forwarding logs, built on top of FluentD.
Monitoring Kubernetes with Collectord by Outcold Solutions (I represent this company) - this is a proprietary software, takes 10 minutes to set up to forward logs and collect metrics. This is a complete solution for forwarding container, application, host logs, monitor performance of containers and health of the clusters.

How do I send Kubernetes Node name to Splunk?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms