I guess this is the confirmation I was looking for, so Docker container logs should be ingested into Splunk via the raw endpoint if we want to parse them at the Splunk end.
Yes, I am trying to collect events via HEC. Splunk is smartly formatting the timestamp; the issue is that each exception from Docker is getting posted as a separate event on a new line preceded by a container ID. My main doubt is whether props.conf on the HF gets picked up by the HEC collector /event endpoint. I read in other answers on this forum that the /event endpoint doesn't pick up props and transforms processing.
Hi mvagionakis,
This should solve your issue:
# one event per line: exception lines are not merged into the previous event
SHOULD_LINEMERGE=false
# timestamp layout that follows the container id: dd/mm/YYYY HH:MM:SS:subseconds
TIME_FORMAT=%d/%m/%Y %H:%M:%S:%f
# skip the leading container id digits; timestamp extraction starts right after them
TIME_PREFIX=^\d+
Your TIME_PREFIX is incorrect.
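The raw-versus-event distinction the thread turns on, as an added example that is not code from the original posts or from Splunk: it builds the two HEC requests (the /raw body is the untouched container stream with metadata in the query string, so the sourcetype's props.conf applies on the HF/indexer; the /event body is one JSON object per already-split event, so the sender owns the boundaries) and emulates locally what the answer's stanza does to that stream. The HEC host, token, sourcetype name and the sample log lines are constructed assumptions, and Python's strptime stands in for Splunk's timestamp parser (including the UTC interpretation and tolerance of the space after the prefix), which is also an assumption.

```python
"""Added example (not from the original thread): HEC /raw vs /event requests for a
Docker log stream, plus a local emulation of the props.conf stanza from the answer.

Assumptions not stated on the page: the HEC URL/token, the sourcetype name, the
sample lines, and that Python's strptime behaves like Splunk's for this format.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

# Hypothetical endpoint values; replace with your own HEC host and token.
HEC_URL = "https://splunk.example.com:8088"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
SOURCETYPE = "docker:app"  # hypothetical name of the props.conf stanza

# props.conf settings from the answer above, reproduced to drive the emulation.
SHOULD_LINEMERGE = False
TIME_PREFIX = r"^\d+"                 # the leading container id
TIME_FORMAT = "%d/%m/%Y %H:%M:%S:%f"  # dd/mm/YYYY HH:MM:SS:subseconds

# Constructed sample of what the container emits: one exception per line, each
# prefixed with a container id and then the timestamp.
SAMPLE_STREAM = (
    "4231 07/03/2023 10:15:42:123 ERROR NullPointerException in OrderService\n"
    "4231 07/03/2023 10:15:43:987 ERROR TimeoutException calling payments\n"
)

# strptime directives this emulation understands, mapped to the text they consume.
_DIRECTIVE_RE = {
    "%d": r"\d{2}", "%m": r"\d{2}", "%Y": r"\d{4}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%f": r"\d{1,6}",
}


def format_to_regex(fmt):
    """Turn a TIME_FORMAT into a regex that matches exactly the text the format consumes."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            out.append(_DIRECTIVE_RE[fmt[i:i + 2]])  # KeyError for directives not modelled here
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


def break_events(stream):
    """Emulate SHOULD_LINEMERGE=false: every non-empty line is its own event."""
    return [line for line in stream.splitlines() if line]


def extract_time(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT):
    """Emulate TIME_PREFIX + TIME_FORMAT: skip the prefix match (the container id),
    then parse the timestamp that follows. Returns epoch seconds, or None when
    either the prefix or the format fails to match."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    rest = event[m.end():].lstrip()  # assumption: the space after the id is tolerated
    tm = re.match(format_to_regex(time_format), rest)
    if not tm:
        return None
    dt = datetime.strptime(tm.group(0), time_format)
    return dt.replace(tzinfo=timezone.utc).timestamp()  # assumption: events are in UTC


def parse_stream(stream):
    """Apply the stanza end to end, as the HF/indexer would to a /raw payload."""
    return [(extract_time(e), e) for e in break_events(stream)]


def raw_request(stream, sourcetype=SOURCETYPE, host=HEC_URL, token=HEC_TOKEN):
    """Build a /services/collector/raw request: body is the untouched stream and the
    metadata rides in the query string; Splunk breaks and timestamps it per props.conf."""
    url = f"{host}/services/collector/raw?{urlencode({'sourcetype': sourcetype})}"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "text/plain"}
    return url, headers, stream


def event_requests(stream, sourcetype=SOURCETYPE, host=HEC_URL, token=HEC_TOKEN):
    """Build /services/collector/event payloads: one JSON object per event, so the
    sender must split the stream itself and may set `time` explicitly."""
    url = f"{host}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    payloads = [
        json.dumps({"time": extract_time(line), "sourcetype": sourcetype, "event": line})
        for line in break_events(stream)
    ]
    return url, headers, payloads


if __name__ == "__main__":
    for epoch, event in parse_stream(SAMPLE_STREAM):
        print(epoch, event)
    print(raw_request(SAMPLE_STREAM)[0])
    print(event_requests(SAMPLE_STREAM)[2][0])
```

If Splunk turns out to be strict about where the format must begin after the prefix, `TIME_PREFIX=^\d+\s+` puts the cursor on the first digit of the day instead of on the separating space; the emulation's `extract_time` accepts either form.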