
Splunk Driver for docker only logs as source stdout

mathias2021
New Member

I have a problem using the Splunk Logging Driver for Docker.

The Java application within the container produces messages to stdout and stderr with a different level of detail for different audiences. In Splunk, however, all received messages are labeled with source=stdout.

Ideally I would like to get the source tag correct as used by the Java app and then use it to differentiate between both types of logs in Splunk queries. Is there something I can do to get the correct source?

Splunk log driver configuration in docker-compose:

logging:
    driver: splunk
    options:
        splunk-url: https://splunkhf:8088
        splunk-token: [TOKEN]
        splunk-index: splunk_index
        splunk-insecureskipverify: "true"
        splunk-sourcetype: log4j
        splunk-format: "json"
        tag: "{{.Name}}/{{.ID}}"

Example log message sent to Splunk:

{
   line: 2021-01-12 11:37:49,191;10718;INFO ;[Thread-1];Logger; ;Executed all shutdown events. 
   source: stdout 
   tag: service_95f2bac29286/582385192fde 
}