Hi Splunkers, I have started using the Splunk Logging Driver to get my Docker logs into Splunk. I am using Splunk Enterprise 8.0.1. The problem is that the indexer does not parse the Docker logs. I have tried with the json and raw formats but neither seems to be noticed by the indexer.

Current setup: the HEC token used has source type _raw and all indexes allowed.

Docker startup:

```
docker run \
> --log-driver=splunk \
> --log-opt splunk-token=xxxx \
> --log-opt splunk-url=http://xxxxx:8088 \
> --log-opt splunk-format=raw \
> --log-opt tag="{{.Name}}/{{.FullID}}" \
> --log-opt labels=location \
> --log-opt env=TEST \
> --env "TEST=false" \
> --label location=xxxxx \
> containerId
```

props.conf:

```
[source=http:docker]
INDEXED_EXTRACTIONS=JSON
KV_MODE = none
AUTO_KV_JSON= false
TRANSFORMS-class_to_xx_index = route_to_xx_index
```

transforms.conf:

```
[route_to_xx_index]
REGEX = .*\"xx\":\"xx\".*
DEST_KEY = _MetaData:Index
FORMAT = xx_index
```

All logs are going to the default index. I have double checked that the regex pattern matches, and the same pattern is working for the universal forwarder, whose logs are parsed and indexed correctly.

The input I get in the default index is one line:

```
containerName/container location=xx TEST=false {"message":"User xxx does xxx","priority":6,"priorityName":"INFO","sessionId":"xxx","action":"auth/login","application":"xx","environment":"development","security_level":"xx","info":"xxx"}
```

which does not get parsed and indexed. If I try with the _json token, the input to Splunk is in "line" format with the same content, and the logs are also not parsed. Any idea what I am doing wrong here? How do I get JSON formatted logs to be parsed?
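The following Python script is an added example, not code from the post or from Splunk or Docker. It rebuilds the two event layouts the post describes (the raw-format line with a tag/label prefix, and the json-format wrapper that nests the container output under "line") from constructed sample values, and shows why a whole raw-format line is not valid JSON while the body after the prefix is. It also emulates a transforms.conf REGEX/DEST_KEY=_MetaData:Index rule on _raw so the routing regex can be checked against both layouts offline. The field names, container tag, label values and the routing regex on "application":"myapp" are invented stand-ins for the placeholders in the post.

```python
import json
import re

# Constructed sample in the layout the splunk driver sends with
# splunk-format=raw: "<tag> <label=value ...> <env=value ...> <log line>".
# Every value is an invented stand-in for the "xx" placeholders in the post.
RAW_EVENT = (
    'web/0123456789abcdef location=dc1 TEST=false '
    '{"message":"User alice does login","priority":6,"priorityName":"INFO",'
    '"sessionId":"s-42","action":"auth/login","application":"myapp",'
    '"environment":"development","security_level":"high","info":"ok"}'
)

# Constructed sample in the json-format layout: the container output sits
# under "line" (as an object because it was valid JSON). Compact separators
# are used on the assumption that the driver emits no whitespace.
JSON_FORMAT_EVENT = json.dumps(
    {
        "line": json.loads(RAW_EVENT[RAW_EVENT.index("{"):]),
        "source": "stdout",
        "tag": "web/0123456789abcdef",
        "attrs": {"location": "dc1", "TEST": "false"},
    },
    separators=(",", ":"),
)

# Hypothetical routing rule, standing in for the post's .*\"xx\":\"xx\".* regex.
ROUTE_REGEX = r'.*"application":"myapp".*'
ROUTE_INDEX = "app_index"


def split_raw_event(line):
    """Split a raw-format event into tag, key=value prefix fields and log body.

    The body starts at the first '{'; everything before it is the driver's
    prefix (tag, then label/env key=value pairs separated by spaces).
    """
    brace = line.find("{")
    if brace < 0:
        return {"tag": None, "fields": {}, "body": line}
    prefix, body = line[:brace].split(), line[brace:]
    tag = prefix[0] if prefix else None
    fields = dict(kv.split("=", 1) for kv in prefix[1:] if "=" in kv)
    return {"tag": tag, "fields": fields, "body": body}


def parse_json(text):
    """Return the parsed object if text is one complete JSON document, else None.

    This mirrors why a JSON-only extraction does nothing for the raw-format
    event: the whole line is not valid JSON because of the leading prefix.
    """
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def unwrap_json_format(payload):
    """For a json-format driver event, return the container's own log object."""
    line = json.loads(payload).get("line")
    if isinstance(line, dict):
        return line
    return parse_json(line) if isinstance(line, str) else None


def route_index(raw, regex=ROUTE_REGEX, dest=ROUTE_INDEX, default="main"):
    """Emulate a transforms.conf rule: REGEX on _raw, DEST_KEY=_MetaData:Index.

    Returns the destination index when the regex matches, otherwise the
    default index the event would fall through to.
    """
    return dest if re.match(regex, raw) else default


if __name__ == "__main__":
    ev = split_raw_event(RAW_EVENT)
    print("tag:", ev["tag"], "fields:", ev["fields"])
    print("whole raw line is JSON:", parse_json(RAW_EVENT) is not None)
    print("body after prefix is JSON:", parse_json(ev["body"]) is not None)
    print("json-format inner object:", unwrap_json_format(JSON_FORMAT_EVENT))
    print("raw routes to:", route_index(RAW_EVENT))
    print("json-format routes to:", route_index(JSON_FORMAT_EVENT))
```

Running it shows the raw-format line failing as a whole JSON document but parsing cleanly once the tag/label prefix is stripped, and the routing regex matching both layouts because the nested object in the json-format event is serialized with the same `"key":"value"` spacing. Changing the regex to expect whitespace after the colon makes it silently fall through to the default index, which is the kind of mismatch worth checking before assuming the transform itself is broken.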