K
Q

Fluentd sending to Splunk HEC: Want to set sourcetype to the namespace

5/4/2018

Is it possible to programatically set the sourcetype to be the namespace from where the logs were generated? I am using the fluentd plugin to send data to the Splunk http event collector. Elsewhere, it was recommended to use ${record['kubernetes']['namespace_name'] to set the index name to be the namespace name. When I do this for sourcetype, that actual text just shows up in Splunk rather than translating to the specific namespace names.

@include systemd.conf
@include kubernetes.conf

<match kubernetes.var.log.containers.fluentd**>
  type null
</match>

<match **>
  type splunk-http-eventcollector
  all_items true
  server host:port
  token ****
  index kubernetes
  protocol https
  verify false
  sourcetype ${record['kubernetes']['namespace_name']
  source kubernetes
  buffer_type memory
  buffer_queue_limit 16
  chunk_limit_size 8m
  buffer_chunk_limit 150k
  flush_interval 5s
</match>
-- trouphaz
fluentd
kubernetes
splunk

Similar Questions

using mongodb+srv to connect to mongodb deployed as a statefulset
minikube error - scp: /usr/local/bin/localkube: No space left on device
kubernetes ingress on GKE timeout and 502 during deployment
Scrape metrics of kubernetes containers with prometheus for HTTP and HTTPS ports
what k8s-app label represent ? and how to use it?

0 Answers