Splunk Search

Splunk Driver for docker only logs as source stdout

mathias2021
New Member

I have a problem using the Splunk Logging Driver for Docker.

The Java Application within the container produces messages to stdout and stderr with a different level of detail for different audiences. In Splunk however all recieved messages are labled with source=stdout.

Idealy I would like to get the source tag correct as used by the java App and then use it to diferentiate between both types of logs in Splunk queries. Is there something I can do to get the correct source?

 

Splunk log driver configuration in docker-compose:

logging:
    driver: splunk
    options:
        splunk-url: https://splunkhf:8088
        splunk-token: [TOKEN]
        splunk-index: splunk_index
        splunk-insecureskipverify: "true"
        splunk-sourcetype: log4j
        splunk-format: "json"
        tag: "{{.Name}}/{{.ID}}"

Example log message sent to splunk:

{
   line: 2021-01-12 11:37:49,191;10718;INFO ;[Thread-1];Logger; ;Executed all shutdown events. 
   source: stdout 
   tag: service_95f2bac29286/582385192fde 
}
Labels (3)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!