Split kubernetes opentelemetry logs to differents ...

Ivansplunk · ‎04-22-2022

Hi,

With have some applications running on kubernetes.
All the logs produced by the application are sent to the standard output of the pod instance.

On those logs, we would like to be able to extract them (based on a pattern for exemple) and send them to a specific index. The others logs would go to a "by default" index.

Can we acheive this with splunk OTEL for kubernetes?
do you have some hints where i should start first ?

thank you

VatsalJagani · ‎04-22-2022

@Ivansplunk - You can dynamically change metadata (including Index) at the parsing phase of data ingestion.

You can decide based on source, host, raw event content, write regex upon it, and update the index accordingly.

# transforms.conf

[<transforms stanza name>]
SOURCE_KEY = MetaData:Host OR MetaData:Sourcetype OR if you don't add this attribute regex will apply on _raw event data
REGEX = <write regex>
DEST_KEY = _MetaData:Index
FORMAT = Use $1, $2 from regex group to extract dynamic values, otherwise use static string of index name

Reference - https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Transformsconf

- https://community.splunk.com/t5/Splunk-Search/How-to-dynamically-set-an-index-based-on-a-string-in-e...

- https://community.splunk.com/t5/Dashboards-Visualizations/How-to-set-an-index-dynamically/m-p/262562