logspout-splunk's Introduction

logspout-splunk

Simple logspout module to forward Docker logstreams to a Splunk TCP input.

This is work in progress and not tested at scale. Use at own risk.

Splunk

Put this in your Splunk "inputs.conf" (or add a new TCP input via the web UI):

[tcp://1234]
sourcetype = my_source_type

Build the logspout-splunk container

Run ./build.sh:

Sending build context to Docker daemon
...
Step 0 : FROM gliderlabs/logspout:master
...
Successfully built b356b141ddc2

Start the logspout-splunk container

sudo docker run --env DEBUG=1 --name="logspout" \
	--volume=/var/run/docker.sock:/tmp/docker.sock \
	--publish=0.0.0.0:8002:80 b356b141ddc2

(use container id from above)

Add a route for your applications

curl http://localhost:8002/routes -d '{
	"adapter": "splunk",
	"filter_sources": ["stdout" ,"stderr"],
	"address": "my-splunk-host:1234"
}'

Add a route for a specific container name only

curl http://localhost:8002/routes -d '{
	"id": "unicorn",
	"adapter": "splunk",
	"filter_name": "*unicorn*",
	"filter_sources": ["stdout" ,"stderr"],
	"address": "my-splunk-host:1234"
}'

logspout-splunk's People

Contributors

Stargazers

Watchers

logspout-splunk's Issues

Endless writing of ...Wrote to Splunk

I tried to start a container from the image using the suggested command:

docker run --env DEBUG=1 --name="logspout" \
    --volume=/var/run/docker.sock:/tmp/docker.sock \
    --publish=0.0.0.0:8002:80 b356b141ddc2

(obviously with the correct image name), but it won't start unless I specify a route in the docker run command, otherwise I just get it stopping immediately with:

# logspout v3.1-dev-custom by gliderlabs
# adapters: splunk
# options : persist:/mnt/routes
# jobs    : http[logs,routes]:80 pump
# routes  : none
2016/05/02 00:19:57  ended: %!s(<nil>)

I thus start it with a route added to the docker run command of splunk://172.17.0.1:1514 , which works, however it writes vast numbers of "...Wrote " entries to the port. I turned off --env DEBUG=1 but that doesn't seem to help.

Any ideas? (And does starting logspout without a route work for you?)

routes not being set

I set it up following the steps in the readme.

Looks like it is not parsing the input for the route properly?
It adds a route but with only an id.

curl http://127.0.0.1:8020/routes
[]

curl http://127.0.0.1:8020/routes -X POST -d '{ "adapter": "splunk","filter_sources": ["stdout" ,"stderr"],"address":"127.0.0.1:1234"}'
{
  "id": "26e166160e0d",
  "target": {
    "type": "",
    "addr": ""
  }
}

curl http://127.0.0.1:8020/routes
[
  {
    "id": "26e166160e0d",
    "target": {
      "type": "",
      "addr": ""
    }
  }
]

Recommend Projects