Outcold Solutions LLC

Monitoring Docker - Version 5

Splunk Indexes

By default collectorfordocker forwards all the events to the default index specified for HTTP Event Collector Token. Every HTTP Event Collector Token has a list of indexes, where this specific Token can write data. One of the indexes from this list is also used as a default index when the sender of the data does not specify target index. The application assumes that you are writing data to the indexes, which are searchable by default by your Splunk Role. As an example, the main index is searchable by default.

If you use a different index, which isn't searchable by default by your Splunk Role, you would not see data on the dashboards.

To fix that, you can include this index to the Indexes searched by default for your role under Settings - Access Control - Roles

Splunk - Indexes searched by default

Or you can change Search Macros we use in the application and include a list of indexes you use for the Monitoring Docker events. You can find search macros in Splunk Web UI under Settings - Advanced search - Search macros (or by overriding $SPLUNK_HOME/etc/apps/monitoring-docker/default/macros.conf with $SPLUNK_HOME/etc/apps/monitoring-docker/local/macros.conf).

Monitoring Docker - Macros

Starting from version 5.10 we include a base macro macro_docker_base, where you can include the list of indexes only once, all other macros will deliver this configuration. For example

macro_docker_base = (index=docker_stats OR index=docker_logs)

If you want to have more precise configurations, you can modify specific macros.

macro_docker_stats = (index=docker_stats sourcetype=docker_stats)

You need to update macros

  • macro_docker_events - all the docker events.
  • macro_docker_host_logs - host logs.
  • macro_docker_logs - container logs.
  • macro_docker_proc_stats - proc metrics.
  • macro_docker_net_stats - network metrics.
  • macro_docker_net_socket_table - network socket tables.
  • macro_docker_mount_stats - container runtime storage usage metrics.
  • macro_docker_stats - system and container metrics.

Using dedicated indexes for different types of data

Considering the application access patterns and the content of the events, we recommend to split logs with metrics and use dedicated indexes. For example docker_logs for events, container and host logs and docker_stats for proc and system metrics. You can also specify dedicated index for every type of the data collector forwards.

Using dedicated indexes allows you also to specify different retention policies for logs and the metrics.

You can override indices with the configuration for collector. Read Collector Configuration for how to apply these changes.

[input.system_stats]
index = docker_stats

[input.proc_stats]
index = docker_stats

[input.net_stats]
index = docker_stats

[input.net_socket_table]
index = docker_stats

[input.mount_stats]
index = docker_stats

[input.files]
index = docker_logs

[input.app_logs]
index = docker_logs

[input.files::syslog]
index = docker_logs

[input.files::logs]
index = docker_logs

[input.docker_events]
index = docker_logs

About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all containers environments. We are helping businesses reduce complexity related to logging and monitoring by providing easy-to-use and deploy solutions for Linux and Windows containers. We deliver applications, which help developers monitor their applications and operators to keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to help you keep all the metrics and logs in one place, allowing you to quickly address complex questions on container performance.