K
Q

Mapping custom sourcetype from splunk connect for k8s plugin to existing pretrained sourcetype

4/29/2020

We are attempting to configure our Kubernetes cluster with the splunk connect for kubernetes plugin (https://github.com/splunk/splunk-connect-for-kubernetes). We see events being sent to the indexer and everything is working as expected.

The splunk connect configuration by default either configures the sourcetype of events as kube:container:[container-name] or you can override the sourcetype using k8s annotations. Our one pod has logs created by log4j, so we'd like to use this sourcetype. When we attempt to configure the annotation on the pod as splunk.com/sourcetype = log4j, it changes the sourcetype to kube:log4j which is expected based on the documentation. We want to be able to have the event automatically formatted using the log4j pretrained sourcetype, though.

Is there a way to map a custom sourcetype in splunk like kube:container:[container-name] to format as log4j automatically? Is our only option to modify the fluentd filter configuration within the splunk connect configmap?

-- Jeff Coe
containers
java
kubernetes
logging
splunk

Similar Questions

Pulling image from Harbor registry takes long time and retries some layers
SpringBoot's bootBuildImage with Kaniko instead of a Docker daemon
Connection to MongoDB ReplicaSet on Kubernetes
Google PubSub. Communication From AppEngine to Kubernetes pod and from one Kubernetes pod to another Kubernetes pod

0 Answers