Splunk Universal Forwarder as sidecar in kubernetes

5/1/2019

I am setting up a Splunk universal forwarder as a sidecar with my application through a deployment spec. The Splunk universal forwarder is set up as a different Docker image where I copy custom inputs.conf and outputs.conf through Docker COPY (shown below).

Effectively, when I deploy my application, the sidecar is starting. In the current state, the indexer configuration is in outputs.conf, which is taking effect.

*The issue comes here: I want to change the indexer server host and port dynamically based on the environment.*

Here is the Dockerfile content of my Splunk universal forwarder.

FROM splunk/universalforwarder:latest

COPY configs/*.conf /opt/splunkforwarder/etc/system/local/

Built the Docker image with the name splunk-universal-forwarder:demo. The configs folder has both files, inputs.conf and outputs.conf.

The content of outputs.conf is

[tcpout]
defaultGroup = default-lb-group

[tcpout:default-lb-group]
server = ${SPLUNK_BASE_HOST}

[tcpout-server://host1:9997]

I want to pass the SPLUNK_BASE_HOST environment variable through the sidecar deployment like below.

      - name: universalforwarder
        image: splunk-universal-forwarder:demo
        imagePullPolicy: Always
        env:
          - name: SPLUNK_START_ARGS
            value: "--accept-license --answer-yes"
          - name: SPLUNK_BASE_HOST
            value: 123.456.789.000:9997
          - name: SPLUNK_USER
            valueFrom:
              secretKeyRef:
                name: credentials
                key: splunk.username
          - name: SPLUNK_PASSWORD
            valueFrom:
              secretKeyRef:
                name: credentials
                key: splunk.password
        volumeMounts:
        - name: container-logs
          mountPath: /var/log/splunk-fwd-myapp

I have a separate deployment.yaml per environment (dev, stage, uat, qa, prod) and I should be able to pass a different indexer host and port in SPLUNK_BASE_HOST based on these environments. If I hardcode the indexer host and port in outputs.conf, it will take the same value across all environments, but I don't want that to happen.

The environment variable ${SPLUNK_BASE_HOST} in the outputs.conf is not referring to the value supplied in deployment yaml file.

-- guru
kubernetes
splunk

1 Answer

5/1/2019

You need to create an init script that sources the host name from the environment variable and updates it in outputs.conf using the sed command. Finally, launch the Splunk forwarder.

-- P Ekambaram
Source: StackOverflow
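
One way to write the init script the answer describes, as an added example (not code from the question or the answer): it checks SPLUNK_BASE_HOST against a host:port allow-list before running sed, so a missing or malformed value stops the container instead of writing an unexpected outputs.conf. The function names are made up here, and the script assumes it is used as the image's entrypoint with the forwarder's usual start command passed as arguments.

```shell
#!/bin/sh
# Added example: render outputs.conf from SPLUNK_BASE_HOST, then start the forwarder.
set -eu

# Destination of the COPY in the question's Dockerfile.
CONF=/opt/splunkforwarder/etc/system/local/outputs.conf

# valid_hostport (hypothetical helper): accept only host:port built from
# letters, digits, '.', '-' and one ':'; port 1-65535. This is a character
# allow-list, not full address validation; bare IPv6 is rejected.
valid_hostport() {
    case "$1" in
        ""|*[!A-Za-z0-9.:-]*) return 1 ;;   # blocks spaces, newlines, '|', '&', '\'
    esac
    host=${1%:*}
    port=${1##*:}
    [ "$host" != "$1" ] || return 1        # no ':' at all
    case "$host" in ""|*:*|-*|.*) return 1 ;; esac
    case "$port" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# render_outputs FILE HOST:PORT (hypothetical helper): replace the literal
# ${SPLUNK_BASE_HOST} placeholder in FILE, failing closed on any problem.
render_outputs() {
    valid_hostport "$2" || {
        echo "refusing to start: SPLUNK_BASE_HOST must be host:port" >&2
        return 1
    }
    tmp="$1.tmp.$$"
    sed "s|\${SPLUNK_BASE_HOST}|$2|g" "$1" > "$tmp"
    # The server line must now hold exactly the validated value.
    if ! grep -qxF "server = $2" "$tmp"; then
        rm -f "$tmp"
        echo "placeholder not found in $1" >&2
        return 1
    fi
    cat "$tmp" > "$1"      # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Assumption: the forwarder's usual start command is passed as arguments.
if [ "$#" -gt 0 ]; then
    render_outputs "$CONF" "${SPLUNK_BASE_HOST:-}"
    exec "$@"
fi
```

Each environment's deployment.yaml then only changes the SPLUNK_BASE_HOST value; the image and outputs.conf template stay the same.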