"But I'm asking if there are default fields related to microservices in Splunk"

I understand that it is tempting to view Splunk as a unique data source. But in reality, Splunk data is what you collect in your business. Volunteers here have zero visibility of what fields are available in your_sourcetype that may or may not be related to microservices.

In simple terms, no. There is no such thing as default fields related to anything other than time. host, source, and sourcetype are usually mandatory in most deployments.

You need to ask whoever is writing logs in your_sourcetype how to identify a microservice. They may have already put such in a key-value pair using either a delimiter or using a structured format such as JSON. Even if they haven't, Splunk can easily extract it as long as it is present in the data. However, Splunk itself cannot tell you where your developers placed such information.

As @PickleRick suggested, you can also show some raw events (anonymize as needed) for volunteers to inspect and speculate. Still, the best is if you can also ask your developers to identify information themselves.