I am trying to push logs to Splunk from Kubernetes using fluentd as a DaemonSet.
When I set format none and push to Splunk, it works. But I want to add kubernetes_metadata, so I changed it to format json and added the kubernetes_metadata filter.
Then I get a 400 Bad Request:
{"text": "Invalid data format", "code": 6, "invalid-event-number": 0 }
Here is my fluent.conf file:
# Ignore fluentd's own log messages
<match fluent.**>
  @type null
</match>

# Tail the container log files the kubelet symlinks into /var/log/containers
<source>
  @type tail
  path /var/log/containers/*.log
  pos_file /fluentd/log/docker-containers.log.pos
  tag kubernetes.*
  format json
  read_from_head true
</source>

# Enrich each record with pod/namespace/container metadata derived from the tag
<filter kubernetes.**>
  @type kubernetes_metadata
</filter>

# Ship to the Splunk HTTP Event Collector
<match kubernetes.**>
  @type splunk-http-eventcollector
  server <host>:8088
  protocol https
  verify false
  token ***
  source fluentd-kube-containers
  sourcetype _json
  host "#{ENV['HOSTNAME']}"
  buffer_chunk_limit 700k
  batch_size_limit 1000000
  buffer_type file
  buffer_path /fluentd/log/fluentd-buffer
  flush_interval 10s
</match>
It was me being stupid: my source was not in json format, so Splunk didn't like it. My assumption that I needed to set format json on the source to get the Kubernetes metadata was wrong, so when I set format none and added all_items true to splunk-http-eventcollector, it worked.
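For reference, the complete fluent.conf with the two changes from the answer applied (format none on the source, all_items true on the output). This is an added example assembled by the editor from the config in the question plus the fix described in the answer; it is not a config posted by the original author. One further change is an editorial caveat rather than part of the author's fix: the question's verify false disables TLS certificate verification against the HEC endpoint, so any host on the network path could impersonate the collector and receive the HEC token and every log line; the example assumes the collector presents a certificate the fluentd host trusts and sets verify true.

```apacheconf
# Ignore fluentd's own log messages
<match fluent.**>
  @type null
</match>

<source>
  @type tail
  path /var/log/containers/*.log
  pos_file /fluentd/log/docker-containers.log.pos
  tag kubernetes.*
  # Per the answer: read each line as a raw string (record key "message")
  # instead of trying to parse it as JSON
  format none
  read_from_head true
</source>

# Adds "kubernetes" (namespace, pod, container, labels) and "docker" keys
# to every record, derived from the file name carried in the tag
<filter kubernetes.**>
  @type kubernetes_metadata
</filter>

<match kubernetes.**>
  @type splunk-http-eventcollector
  server <host>:8088
  protocol https
  # Editorial assumption: the HEC endpoint has a certificate this host trusts.
  # The original post used "verify false", which turns off certificate
  # verification and exposes the token and log data to interception.
  verify true
  token ***
  source fluentd-kube-containers
  sourcetype _json
  host "#{ENV['HOSTNAME']}"
  # Per the answer: send the whole record (the raw message plus the
  # kubernetes_metadata keys) as the event, not just a single field
  all_items true
  buffer_type file
  buffer_path /fluentd/log/fluentd-buffer
  buffer_chunk_limit 700k
  batch_size_limit 1000000
  flush_interval 10s
</match>
```

Before rolling this out to the DaemonSet, fluentd --dry-run -c fluent.conf checks the syntax and plugin parameters without starting the tail. Once events arrive, a search on sourcetype=_json should show each event as a JSON object with the message field alongside kubernetes.pod_name and kubernetes.namespace_name, which is the confirmation that all_items true is forwarding the enriched record rather than the bare line.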