github.com/vieux/docker@v0.6.3-0.20161004191708-e097c2a938c7/docs/admin/logging/splunk.md

     1  <!--[metadata]>
     2  +++
     3  aliases = ["/engine/reference/logging/splunk/"]
     4  title = "Splunk logging driver"
     5  description = "Describes how to use the Splunk logging driver."
     6  keywords = ["splunk, docker, logging, driver"]
     7  [menu.main]
     8  parent = "smn_logging"
     9  +++
    10  <![end-metadata]-->
    11  
    12  # Splunk logging driver
    13  
    14  The `splunk` logging driver sends container logs to
    15  [HTTP Event Collector](http://dev.splunk.com/view/event-collector/SP-CAAAE6M)
    16  in Splunk Enterprise and Splunk Cloud.
    17  
    18  ## Usage
    19  
    20  You can configure the default logging driver by passing the `--log-driver`
    21  option to the Docker daemon:
    22  
    23      dockerd --log-driver=splunk
    24  
    25  You can set the logging driver for a specific container by using the
    26  `--log-driver` option to `docker run`:
    27  
    28      docker run --log-driver=splunk ...
    29  
    30  ## Splunk options
    31  
    32  You can use the `--log-opt NAME=VALUE` flag to specify these additional Splunk
    33  logging driver options:
    34  
    35  | Option                      | Required | Description                                                                                                                                                                                                             |
    36  |-----------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
    37  | `splunk-token`              | required | Splunk HTTP Event Collector token.                                                                                                                                                                                      |
    38  | `splunk-url`                | required | Path to your Splunk Enterprise or Splunk Cloud instance (including port and scheme used by HTTP Event Collector) `https://your_splunk_instance:8088`.                                                                   |
    39  | `splunk-source`             | optional | Event source.                                                                                                                                                                                                           |
    40  | `splunk-sourcetype`         | optional | Event source type.                                                                                                                                                                                                      |
    41  | `splunk-index`              | optional | Event index.                                                                                                                                                                                                            |
    42  | `splunk-capath`             | optional | Path to root certificate.                                                                                                                                                                                               |
    43  | `splunk-caname`             | optional | Name to use for validating server certificate; by default the hostname of the `splunk-url` will be used.                                                                                                                |
    44  | `splunk-insecureskipverify` | optional | Ignore server certificate validation.                                                                                                                                                                                   |
    45  | `splunk-format`             | optional | Message format. Can be `inline`, `json` or `raw`. Defaults to `inline`.                                                                                                                                                 |
    46  | `splunk-verify-connection`  | optional | Verify on start that Docker can connect to the Splunk server. Defaults to true.                                                                                                                                         |
    47  | `splunk-gzip`               | optional | Enable/disable gzip compression to send events to Splunk Enterprise or Splunk Cloud instance. Defaults to false.                                                                                                         |
    48  | `splunk-gzip-level`         | optional | Set compression level for gzip. Valid values are -1 (default), 0 (no compression), 1 (best speed) ... 9 (best compression). Defaults to [DefaultCompression](https://golang.org/pkg/compress/gzip/#DefaultCompression). |
    49  | `tag`                       | optional | Specify tag for message, which interprets some markup. Default value is `{{.ID}}` (12 characters of the container ID). Refer to the [log tag option documentation](log_tags.md) for customizing the log tag format.     |
    50  | `labels`                    | optional | Comma-separated list of keys of labels, which should be included in message, if these labels are specified for container.                                                                                               |
    51  | `env`                       | optional | Comma-separated list of keys of environment variables, which should be included in message, if these variables are specified for container.                                                                             |
    52  
    53  If there is a collision between `labels` and `env` keys, the value of the `env` takes precedence.
    54  Both options add additional fields to the attributes of a logging message.
    55  
    56  Below is an example of the logging options specified for a Splunk Enterprise
    57  instance. The instance is installed locally on the same machine on which the
    58  Docker daemon is running. The URL uses the HTTPS scheme, so the path to the root
    59  certificate and the Common Name are specified; they are used for verification.
    60  `SplunkServerDefaultCert` is the name in the certificates that Splunk generates automatically.
    61  
    62      docker run --log-driver=splunk \
    63          --log-opt splunk-token=176FCEBF-4CF5-4EDF-91BC-703796522D20 \
    64          --log-opt splunk-url=https://splunkhost:8088 \
    65          --log-opt splunk-capath=/path/to/cert/cacert.pem \
    66          --log-opt splunk-caname=SplunkServerDefaultCert \
    67          --log-opt tag="{{.Name}}/{{.FullID}}" \
    68          --log-opt labels=location \
    69          --log-opt env=TEST \
    70          --env "TEST=false" \
    71          --label location=west \
    72          your/application
    73  
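The following added example (not part of the original documentation or of Docker's code) checks a container's logging configuration for the weak counterparts of the options above: `splunk-insecureskipverify` enabled, or a `splunk-url` that is not HTTPS. The helper name `audit` and the sample JSON are constructed; the input has the shape that `docker inspect --format '{{json .HostConfig.LogConfig}}'` prints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
)

// logConfig matches the shape of HostConfig.LogConfig in `docker inspect` output.
type logConfig struct {
	Type   string
	Config map[string]string
}

// audit is a hypothetical helper (not part of Docker) returning findings for one container.
func audit(raw []byte) ([]string, error) {
	var lc logConfig
	if err := json.Unmarshal(raw, &lc); err != nil {
		return nil, err
	}
	if lc.Type != "splunk" {
		return nil, nil
	}
	var findings []string
	// Assumption: the option value is a Go-style boolean string ("true", "1", ...).
	if skip, err := strconv.ParseBool(lc.Config["splunk-insecureskipverify"]); err == nil && skip {
		findings = append(findings, "splunk-insecureskipverify disables server certificate validation")
	}
	u, err := url.Parse(lc.Config["splunk-url"])
	if err != nil || u.Scheme != "https" {
		findings = append(findings, "splunk-url is not https; token and events are not protected by TLS")
	}
	return findings, nil
}

// Constructed samples, not captured from a real host; <token> is a placeholder.
const weak = `{"Type":"splunk","Config":{"splunk-url":"https://splunkhost:8088","splunk-token":"<token>","splunk-insecureskipverify":"true"}}`
const hardened = `{"Type":"splunk","Config":{"splunk-url":"https://splunkhost:8088","splunk-token":"<token>","splunk-capath":"/path/to/cert/cacert.pem","splunk-caname":"SplunkServerDefaultCert"}}`

func main() {
	for name, s := range map[string]string{"weak": weak, "hardened": hardened} {
		f, err := audit([]byte(s))
		fmt.Println(name, f, err)
	}
}
```
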
    74  ### Message formats
    75  
    76  By default, the logging driver sends messages in `inline` format, where each
    77  message is embedded as a string. For example:
    78  
    79  ```
    80  {
    81      "attrs": {
    82          "env1": "val1",
    83          "label1": "label1"
    84      },
    85      "tag": "MyImage/MyContainer",
    86      "source":  "stdout",
    87      "line": "my message"
    88  }
    89  {
    90      "attrs": {
    91          "env1": "val1",
    92          "label1": "label1"
    93      },
    94      "tag": "MyImage/MyContainer",
    95      "source":  "stdout",
    96      "line": "{\"foo\": \"bar\"}"
    97  }
    98  ```
    99  
   100  If your messages are JSON objects, you may want to embed them in the message
   101  sent to Splunk. When you specify `--log-opt splunk-format=json`, the driver
   102  tries to parse every line as a JSON object and sends it as an embedded object.
   103  If it cannot parse a line, the message is sent as `inline`. For example:
   104  
   105  
   106  ```
   107  {
   108      "attrs": {
   109          "env1": "val1",
   110          "label1": "label1"
   111      },
   112      "tag": "MyImage/MyContainer",
   113      "source":  "stdout",
   114      "line": "my message"
   115  }
   116  {
   117      "attrs": {
   118          "env1": "val1",
   119          "label1": "label1"
   120      },
   121      "tag": "MyImage/MyContainer",
   122      "source":  "stdout",
   123      "line": {
   124          "foo": "bar"
   125      }
   126  }
   127  ```
   128  
   129  The third format is `raw`. You can specify it by using
   130  `--log-opt splunk-format=raw`. Attributes (environment variables and labels) and
   131  the tag are prefixed to the message. For example:
   132  
   133  ```
   134  MyImage/MyContainer env1=val1 label1=label1 my message
   135  MyImage/MyContainer env1=val1 label1=label1 {"foo": "bar"}
   136  ```
   137  
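The three formats side by side, as an added Go example (written for this page, not taken from the driver's source): `render` is a hypothetical helper that builds the payloads shown above, including the fallback to `inline` when a line is not a JSON object. Attribute keys are sorted in `raw` output only to keep the result deterministic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// event mirrors the fields shown in the page's sample payloads.
type event struct {
	Attrs  map[string]string `json:"attrs"`
	Tag    string            `json:"tag"`
	Source string            `json:"source"`
	Line   interface{}       `json:"line"`
}

// render is a hypothetical helper (not Docker's code) that builds the payload for one log line.
func render(format, tag, source, line string, attrs map[string]string) string {
	if format == "raw" {
		keys := make([]string, 0, len(attrs))
		for k := range attrs {
			keys = append(keys, k)
		}
		sort.Strings(keys) // assumption: sorted only to make output deterministic
		parts := []string{tag}
		for _, k := range keys {
			parts = append(parts, k+"="+attrs[k])
		}
		return strings.Join(append(parts, line), " ")
	}
	ev := event{Attrs: attrs, Tag: tag, Source: source, Line: line}
	if format == "json" {
		var obj map[string]interface{}
		// Only a JSON object is embedded; anything else falls back to inline.
		if json.Unmarshal([]byte(line), &obj) == nil && obj != nil {
			ev.Line = json.RawMessage(line)
		}
	}
	out, _ := json.Marshal(ev)
	return string(out)
}

func main() {
	attrs := map[string]string{"env1": "val1", "label1": "label1"}
	for _, f := range []string{"inline", "json", "raw"} {
		fmt.Println(render(f, "MyImage/MyContainer", "stdout", `{"foo": "bar"}`, attrs))
	}
}
```
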
   138  ## Advanced options
   139  
   140  The Splunk logging driver lets you configure a few advanced options by setting the following environment variables for the Docker daemon.
   141  
   142  | Environment variable name                        | Default value | Description                                                                                                                                        |
   143  |--------------------------------------------------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
   144  | `SPLUNK_LOGGING_DRIVER_POST_MESSAGES_FREQUENCY`  | `5s`          | How often the driver posts messages when there is nothing to batch. You can think of this as the maximum time to wait for more messages to batch.  |
   145  | `SPLUNK_LOGGING_DRIVER_POST_MESSAGES_BATCH_SIZE` | `1000`        | How many messages the driver should wait for before sending them in one batch.                                                                     |
   146  | `SPLUNK_LOGGING_DRIVER_BUFFER_MAX`               | `10 * 1000`   | The maximum number of messages the driver can hold in its buffer for retries when it cannot connect to the remote server.                          |
   147  | `SPLUNK_LOGGING_DRIVER_CHANNEL_SIZE`             | `4 * 1000`    | How many pending messages can be in the channel that is used to send messages to the background logger worker, which batches them.                 |