Hi,
On my Kubernetes host, which generates log files for the Docker containers, the logs are coming into Splunk in the following notation.
{
log: 2017-01-06 19:37:54,851 - application-library-rest-api - DEBUG - 140176312547072 - app - bundle_ids - http://172.16.88.14:5000/bundleids
stream: stderr
time: 2017-01-06T19:37:54.852272882Z
}
But my Splunk search results should look like the following format:
2017-01-06 19:27:30,846 - application-library-rest-api - DEBUG - 140252463982336 - app - bundle_ids - http://172.16.88.13:5000/bundleids?bid=com.jhml2.ringtone
These are my conf files.
inputs.conf
[monitor:///var/log/containers/*.log]
disabled = 0
sourcetype = kubernetes
transforms.conf
[kubernetes-log-filename]
REGEX = /var/log/containers/(?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)_(?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)_(?(POD|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*))-(?[0-9a-f]+).log
SOURCE_KEY = source
[kubernetes-log-row]
REGEX = [0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3} - (?(\w|-)+) - (?(\w|-)+) - (?\d+) - (?(\w|-)+) - (?(\w|-)+) - (?.*)
[kubernetes-log-row2]
REGEX = \[?[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} \+[0-9]{4}\]?( \[[0-9]+\] )?\[(?\w+)\](?.*)
props.conf
[kubernetes]
#INDEXED_EXTRACTIONS = JSON
#FIELDALIAS-kubelog = log as _raw
TRANSFORMS-kube = kubernetes-log-filename, kubernetes-log-row, kubernetes-log-row2
Please advise me how this works, and what is wrong in my code?
-thanks
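The two-stage extraction the configuration above is aiming for, as an added example that is not part of the original post and is not Splunk's own code: a Python script that first unwraps the Docker json-file wrapper (the `{"log": ..., "stream": ..., "time": ...}` record that the kubelet writes under /var/log/containers/) and only then applies the row regex to the inner `log` value. The page lost the named-group names from the poster's regexes, so the names used here (pod_name, namespace, container_name, container_id, timestamp, service, level, thread, module, function, message) are assumptions, as are the sample path and sample log line, which are constructed to match the shape of the poster's output. The last function shows what happens when the row regex is run against the JSON wrapper without unwrapping it first: the trailing `message` group swallows the rest of the wrapper.

```python
import json
import re

# Constructed sample input (not real data): a line as Docker's json-file
# driver writes it, and the path the kubelet symlinks it under.
SAMPLE_PATH = ("/var/log/containers/"
               "app-library-rest-api-1234567890-abcde_default_app-0123456789abcdef.log")
SAMPLE_LINE = json.dumps({
    "log": "2017-01-06 19:37:54,851 - application-library-rest-api - DEBUG - "
           "140176312547072 - app - bundle_ids - http://172.16.88.14:5000/bundleids\n",
    "stream": "stderr",
    "time": "2017-01-06T19:37:54.852272882Z",
})

# DNS-label pattern reused from the poster's filename regex.
LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"

# Group names are assumptions; the page lost them. The ".log" suffix is
# escaped here so a literal dot is required.
FILENAME_RE = re.compile(
    r"/var/log/containers/(?P<pod_name>" + LABEL + r")_(?P<namespace>" + LABEL +
    r")_(?P<container_name>(POD|" + LABEL + r"))-(?P<container_id>[0-9a-f]+)\.log$"
)

# Row regex from the poster's transforms.conf with assumed group names and the
# timestamp captured as well.
ROW_RE = re.compile(
    r"(?P<timestamp>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}) - "
    r"(?P<service>(\w|-)+) - (?P<level>(\w|-)+) - (?P<thread>\d+) - "
    r"(?P<module>(\w|-)+) - (?P<function>(\w|-)+) - (?P<message>.*)"
)


def parse_filename(path):
    """Pod/namespace/container/id from the container log path, or None."""
    m = FILENAME_RE.search(path)
    return m.groupdict() if m else None


def unwrap_docker_json(line):
    """Return (inner_log, stream, time) for a json-file driver record.

    Docker keeps the application's trailing newline inside "log"; strip it.
    A line that is not valid JSON is passed through as the raw event so a
    malformed record is not silently dropped.
    """
    try:
        rec = json.loads(line)
    except ValueError:
        return line.rstrip("\n"), None, None
    return rec.get("log", "").rstrip("\n"), rec.get("stream"), rec.get("time")


def parse_row(inner):
    """Apply the row regex to the already-unwrapped application line."""
    m = ROW_RE.match(inner)
    return m.groupdict() if m else None


def parse_event(path, line):
    """Combine filename fields, wrapper fields and row fields into one dict."""
    fields = parse_filename(path) or {}
    raw, stream, ts = unwrap_docker_json(line)
    fields.update(_raw=raw, stream=stream, time=ts)
    row = parse_row(raw)
    if row:
        fields.update(row)
    return fields


def row_fields_without_unwrap(line):
    """Run the row regex directly against the JSON wrapper (what NOT to do):
    it still matches, but 'message' runs on to the end of the wrapper."""
    m = ROW_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for k, v in sorted(parse_event(SAMPLE_PATH, SAMPLE_LINE).items()):
        print(f"{k}={v}")
```

Running the script prints the merged fields; the message field of the unwrapped event ends at the URL, whereas `row_fields_without_unwrap` returns a message that still contains `"stream": "stderr"` and the rest of the wrapper.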