Outcold Solutions - Monitoring Kubernetes, OpenShift and Docker in Splunk

Monitoring Kubernetes

Splunk fields extraction for container logs

For container logs forwarded by collectord, it is possible to specify field extraction rules specific to image names, container names, or a combination of them.

All container logs have a source format that includes the container ID, container name, image name, pod name, namespace, and stream.

/kubernetes/{kubernetes_container_id}/{kubernetes_container_name}/{kubernetes_image_name}/{kubernetes_pod_name}/{kubernetes_namespace}.{docker_stream}

Using this knowledge, you can create field extraction rules for a specific image or container. The source pattern can contain glob wildcards: * matches any characters within a single path component (it does not cross a /), and ... matches any number of characters including /, so it can skip several parts of the path at once.

As an example, you can specify field extraction for an nginx ingress controller container in props.conf, using * in place of the container ID, container name, image tag, pod name, and namespace/stream. This field extraction applies to all containers created from any tag of the gcr.io/google_containers/nginx-ingress-controller image, in every namespace, for both the stdout and stderr streams.

[source::/kubernetes/*/*/gcr.io/google_containers/nginx-ingress-controller:*/*/*]
EXTRACT-nginx-ingress-controller-http = ^(?P<remote_addr>[^ ]+)\s+\-\s+\[(?P<proxy_add_x_forwarded_for>[^\]]+)\]\s+\-\s+(?P<remote_user>[^ ]+)\s+\[(?P<time_local>[^\]]+)[^"\n]*"(?P<request>[^"]+)"\s+(?P<status>\d+)\s+(?P<body_bytes_sent>\d+)\s+"(?P<http_referer>[^"]+)"\s+"(?P<http_user_agent>[^"]+)"\s+(?P<request_length>\d+)\s+(?P<request_time>[^ ]+)\s+\[(?P<proxy_upstream_name>[^\]]+)]\s+(?P<upstream_addr>[^\s]+)\s+(?P<upstream_response_length>\d+)\s+(?P<upstream_response_time>[^\s]+)\s+(?P<upstream_status>\d+)$
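To check a stanza like the one above before deploying it, here is an added Python example (not collectord's or Splunk's own code) that mimics the two matching steps Splunk performs: match the source path against the [source::...] glob (assuming, as described above, that * stays within one path component and ... spans several), then run the EXTRACT regex over an event. The source path, the log line and the upstream name default-web-80 are constructed sample data. It also splits the source path back into the kubernetes_* fields, which the page's format only allows by reading from the right, because image names contain slashes.

```python
import re

# Source path format from the page:
#   /kubernetes/{container_id}/{container_name}/{image}/{pod}/{namespace}.{stream}
# Constructed sample data (not real cluster output).
SOURCE = ('/kubernetes/3f2a9c1e7b5d/nginx-ingress-controller/'
          'gcr.io/google_containers/nginx-ingress-controller:0.21.0/'
          'nginx-ingress-controller-7d5f6/ingress-nginx.stdout')
LOG_LINE = ('10.244.0.1 - [10.244.0.1] - - [05/Mar/2019:12:34:56 +0000] '
            '"GET /healthz HTTP/1.1" 200 612 "-" "kube-probe/1.13" 120 0.004 '
            '[default-web-80] 10.244.1.7:80 612 0.004 200')

# The EXTRACT regex from the props.conf stanza above, unchanged apart from
# being split across lines.
NGINX_INGRESS_HTTP = re.compile(
    r'^(?P<remote_addr>[^ ]+)\s+\-\s+\[(?P<proxy_add_x_forwarded_for>[^\]]+)\]\s+\-\s+'
    r'(?P<remote_user>[^ ]+)\s+\[(?P<time_local>[^\]]+)[^"\n]*"(?P<request>[^"]+)"\s+'
    r'(?P<status>\d+)\s+(?P<body_bytes_sent>\d+)\s+"(?P<http_referer>[^"]+)"\s+'
    r'"(?P<http_user_agent>[^"]+)"\s+(?P<request_length>\d+)\s+(?P<request_time>[^ ]+)\s+'
    r'\[(?P<proxy_upstream_name>[^\]]+)]\s+(?P<upstream_addr>[^\s]+)\s+'
    r'(?P<upstream_response_length>\d+)\s+(?P<upstream_response_time>[^\s]+)\s+'
    r'(?P<upstream_status>\d+)$')


def source_glob_to_regex(glob):
    """Translate a [source::...] glob into an anchored regex.

    Assumed semantics, as described on this page: '*' matches within one
    path component (anything but '/'), '...' matches across components.
    Everything else is literal, so the '.' in 'gcr.io' is escaped.
    """
    pieces = []
    for token in re.split(r'(\.\.\.|\*)', glob):
        if token == '...':
            pieces.append('.*')
        elif token == '*':
            pieces.append('[^/]*')
        else:
            pieces.append(re.escape(token))
    return re.compile('^' + ''.join(pieces) + '$')


# Stanzas in props.conf order: (source glob, extraction regex).
STANZAS = [
    ('/kubernetes/*/*/gcr.io/google_containers/nginx-ingress-controller:*/*/*',
     NGINX_INGRESS_HTTP),
]
COMPILED_STANZAS = [(source_glob_to_regex(g), rx) for g, rx in STANZAS]


def extract_fields(source, line):
    """Return the extracted fields for `line`; {} if a stanza matched the
    source but its regex did not match the event; None if no stanza applies
    to this source at all."""
    for source_rx, extract_rx in COMPILED_STANZAS:
        if source_rx.match(source):
            m = extract_rx.match(line)
            return m.groupdict() if m else {}
    return None


def parse_source(source):
    """Recover the kubernetes_* fields from a collectord source path.

    The image name may itself contain '/', so the pod and namespace.stream
    are taken from the right end and the image is whatever sits between.
    """
    prefix = '/kubernetes/'
    if not source.startswith(prefix):
        raise ValueError('not a collectord kubernetes source: %r' % source)
    parts = source[len(prefix):].split('/')
    if len(parts) < 5:
        raise ValueError('too few path components: %r' % source)
    namespace, _, stream = parts[-1].rpartition('.')
    return {
        'kubernetes_container_id': parts[0],
        'kubernetes_container_name': parts[1],
        'kubernetes_image_name': '/'.join(parts[2:-2]),
        'kubernetes_pod_name': parts[-2],
        'kubernetes_namespace': namespace,
        'docker_stream': stream,
    }


if __name__ == '__main__':
    print(parse_source(SOURCE))
    print(extract_fields(SOURCE, LOG_LINE))
```

Run it directly to print both dictionaries. An event the regex does not match yields no fields, which in Splunk shows up as events carrying the kubernetes_* metadata but none of the nginx fields, so verify the regex against the access-log format of the ingress controller version you actually run rather than assuming the stanza applies unchanged.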

You can also override source and source type with annotations. See Splunk Indexes.


About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all container environments. We are helping businesses reduce complexity related to logging and monitoring by providing easy-to-use and easy-to-deploy solutions for Linux and Windows containers. We deliver applications, which help developers monitor their applications and help operators keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to help you keep all the metrics and logs in one place, allowing you to quickly address complex questions on container performance.