Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ppierson
ppierson
New Member
Member since:
11-05-2016
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-05-2016 |
Activity Feed
- Posted Re: Container name for host using splunk universal forwarder on Deployment Architecture. 11-08-2016 02:37 PM
- Posted Re: Container name for host using splunk universal forwarder on Deployment Architecture. 11-08-2016 10:42 AM
- Posted Re: Container name for host using splunk universal forwarder on Deployment Architecture. 11-08-2016 10:19 AM
- Posted Re: Container name for host using splunk universal forwarder on Deployment Architecture. 11-08-2016 08:00 AM
- Posted Re: Container name for host using splunk universal forwarder on Deployment Architecture. 11-08-2016 07:25 AM
- Posted Re: Container name for host using splunk universal forwarder on Deployment Architecture. 11-08-2016 07:02 AM
- Posted Container name for host using splunk universal forwarder on Deployment Architecture. 11-05-2016 10:04 PM
- Tagged Container name for host using splunk universal forwarder on Deployment Architecture. 11-05-2016 10:04 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
11-08-2016
02:37 PM
It looks like if I run the regex ("(Name)":"((\"|[^"])*)") on the config.v2.json file it name is listed but I now have to figure out how to get splunk universal forwarder to use that instead.
... View more
11-08-2016
10:42 AM
Oh very interesting. I took a look at /host/containers/
root@splunkuniversalforwarder:/opt/splunk# ls -lah /host/containers/
total 36K
drwx------. 9 root root 4.0K Nov 8 18:14 .
drwxr-xr-x 3 root root 24 Nov 8 18:14 ..
drwx------ 3 root root 4.0K Nov 8 18:37 0bda263c181e2d5b36d4a66c97dbf227f0aeb8f5708bc75469c5776e7cb1ab0d
drwx------ 3 root root 4.0K Nov 8 18:37 0fb22ca44d6a781dd3005d3972f1986928266eb0d0d5584f835d11799d220c27
drwx------ 3 root root 4.0K Nov 8 18:37 526edb07ef9255307dba4b841891f33125f4d3fd81667565229232a5debc901f
drwx------ 3 root root 4.0K Nov 8 18:37 710257a95c0c6c71ef88f508d0110211de86908b4886ca47828664ca91d2021b
drwx------ 3 root root 4.0K Nov 8 18:37 738ea4b1ca161c6c2f80698c8249e31565f6fed4e47da163c47ec68c25bc3c07
drwx------ 3 root root 4.0K Nov 8 18:37 753b3561356f0475216da4221797f038a1b3a79e340e260fbf7b390d166b1e3c
drwx------ 3 root root 4.0K Nov 8 18:37 c76778c03115dc5b3ca350729b8a137b33d636ee47366061d3c3acf3a3631f57
And then picked one and ran:
ls -lah /host/containers/c76778c03115dc5b3ca350729b8a137b33d636ee47366061d3c3acf3a3631f57/
which returned:
total 40K
drwx------ 3 root root 4.0K Nov 8 18:37 .
drwx------. 9 root root 4.0K Nov 8 18:14 ..
-rw-r----- 1 root root 0 Nov 8 18:14 c76778c03115dc5b3ca350729b8a137b33d636ee47366061d3c3acf3a3631f57-json.log
-rw-rw-rw- 1 root root 3.3K Nov 8 18:37 config.v2.json
-rw-rw-rw- 1 root root 1.1K Nov 8 18:37 hostconfig.json
-rw-r--r-- 1 root root 13 Nov 8 18:37 hostname
-rw-r--r-- 1 root root 150 Nov 8 18:37 hosts
-rw-r--r-- 1 root root 76 Nov 8 18:37 resolv.conf
-rw-r--r-- 1 root root 71 Nov 8 18:37 resolv.conf.hash
drwx------ 2 root root 4.0K Nov 8 18:14 shm
Lastly I cat'd the hostname file in that folder and it shows the 12 digit container id c76778c03115
... View more
11-08-2016
10:19 AM
Hope this helps? Thanks for the input.
Added to pastebin because it was too long for the amount of characters available. http://pastebin.com/C30iLrDv
... View more
11-08-2016
08:00 AM
from what I understand (again I am fairly new to Splunk) Splunk Universal Forwarder is pulling the docker logs via the location that docker saves them to on the host and pushes them to Splunk.
... View more
11-08-2016
07:25 AM
Not really sure what you mean? the containers are properly named. SUF doesnt look at that though because it is pulling the logs that docker posts in json format on the host.
... View more
11-08-2016
07:02 AM
Splunk universal forwarder (SUF) isnt installed on each container. SUF is running as a container and is collecting the logs of each container from the stdout log of each container.
... View more
11-05-2016
10:04 PM
I am using the universal forwarder to collect logs from docker hosts however when i see the docker containers it has collected logs from it only shows the shortened version of their docker container id. The universal forwarder is listed correctly but the rest are not. Does anyone know how to correct this?
The output looks like so:
Host Count Last Update
0c3344bac2fe Quick Report 76 11/6/16 4:55:30.000 AM
3708dc8f8aff Quick Report 4 11/6/16 4:55:30.000 AM
9efb179e4653 Quick Report 13 11/6/16 4:55:30.000 AM
a043ad123e05 Quick Report 5 11/6/16 4:55:30.000 AM
dcbb531a48a0 Quick Report 166 11/6/16 4:55:30.000 AM
e3a71cd5188e Quick Report 34 11/6/16 4:55:30.000 AM
f93768a45cba Quick Report 84 11/6/16 4:55:30.000 AM
splunkuniversalforwarder Quick Report 5,831 11/6/16 5:05:15.000 AM
As you can see above only splunkuniversalforwarder is named correctly.
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
