Outcold Solutions LLC

Monitoring Docker - Version 3

You are looking at documentation for an older release. See the current release documentation.

Monitoring Docker. Configuring Splunk Indexes

By default collectorfordocker forwards all the events to the default index specified for HTTP Event Collector Token. Every HTTP Event Collector Token has a list of indexes, where this specific Token can write data. One of the indexes from this list is also used as a default index when the sender of the data does not specify target index. The application assumes that you are writing data to the indexes, which are searchable by default by your Splunk Role. As an example, the main index is searchable by default.

If you used the different index, which isn't searchable by default by your Splunk Role, you would not see data on the dashboards.

To fix that, you can include this index to the Indexes searched by default for your role under Settings - Access Control - Roles

Splunk - Indexes searched by default

Or you can change Search Macros we use in the application and include a list of indexes you use for the Monitoring Docker events. You can find search macros in Splunk Web UI under Settings - Advanced search - Search macros (or by overriding $SPLUNK_HOME/etc/apps/monitoring-docker/default/macros.conf with $SPLUNK_HOME/etc/apps/monitoring-docker/local/macros.conf).

Monitoring Docker - Macros

You need to modify macros definitions and add the indexes you use.

macro_docker_stats = (index=docker_stats sourcetype=docker_stats)

You need to update macros

  • macro_docker_events - all the docker events.
  • macro_docker_host_logs - host logs.
  • macro_docker_logs - container logs.
  • macro_docker_proc_stats - proc metrics.
  • macro_docker_stats - system and container metrics.

Using dedicated indexes for different types of data

Considering the application access patterns and the content of the events, we recommend to split logs with metrics and use dedicated indexes. For example docker_logs for events, container and host logs and docker_stats for proc and system metrics. You can also specify dedicated index for every type of the data collector forwards.

Using dedicated indexes allows you also to specify different retention policies for logs and the metrics.

You can do that by using Configuration Reference file and uncommenting highlighted lines with the values of the indexes you want to use as the destination.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
...

[input.system_stats]

...

# specify Splunk index
; index = 

...

[input.proc_stats]

...

# specify Splunk index
; index = 

...

[input.files]

...

# specify Splunk index
; index = 


[input.files::syslog]

...

# specify Splunk index
; index =

...


[input.files::logs]


...

# specify Splunk index
; index =

...


[input.docker_events]

...

# specify Splunk index
; index =

...

About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all containers environments. We are helping businesses reduce complexity related to logging and monitoring by providing easy-to-use and deploy solutions for Linux and Windows containers. We deliver applications, which help developers monitor their applications and operators to keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to help you keep all the metrics and logs in one place, allowing you to quickly address complex questions on container performance.