I deployed the Splunk Forwarder in my Kubernetes cluster using this blog:
http://jasonpoon.ca/2017/04/03/kubernetes-logging-with-splunk/
I have 4 files at
> /opt/splunk/etc/apps/splunkclouduf/default
1. inputs.conf
2. fields.conf
3. limits.conf
4. outputs.conf
My inputs.conf looks like this:

```
# watch all files in /var/log/containers
[monitor:///var/log/containers/*.log]
# extract `host` from the first group in the filename
host_regex = /var/log/containers/(.*)_.*_.*\.log
# set source type to Kubernetes
sourcetype = kubernetes
# send events from this input to this index
index = testindex
# add an indexed field env=test to every event
_meta = env::test
```
But I got the logs in my main index, not in testindex, even though I specified the index. I don't know what's wrong.
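A setting in inputs.conf only takes effect if no higher-precedence file overrides it, so the first thing to establish is which file actually supplies `index` for this stanza, which is what `splunk btool inputs list --debug` shows on the forwarder. The script below is an added example, not code from the question or from the linked blog: it resolves a stanza across configuration layers the same way, using Splunk's documented global-context order (system/local, then apps/*/local, then apps/*/default, then system/default) as an assumption, with a hypothetical second app named `k8s_override` and constructed file contents to show how a competing `local/` stanza silently wins. It also applies the posted `host_regex` to a constructed container log file name.

```python
"""Resolve an inputs.conf stanza across Splunk configuration layers.

Added example (not code from the question or the linked blog). It mimics what
`splunk btool inputs list --debug` reports: each setting of a stanza comes from
the highest-precedence file that defines it, and [default] fills in the rest.
Layer order is an assumption taken from Splunk's documented global-context
precedence: system/local > apps/*/local > apps/*/default > system/default.
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

Layer = Tuple[str, str]    # (file path, file contents), highest precedence first
Setting = Tuple[str, str]  # (value, path of the file that supplied it)

STANZA = "monitor:///var/log/containers/*.log"

# The stanza from the question (without its comments).
QUESTION_INPUTS = """\
[monitor:///var/log/containers/*.log]
host_regex = /var/log/containers/(.*)_.*_.*\\.log
sourcetype = kubernetes
index = testindex
_meta = env::test
"""

# Constructed: inputs.conf of a hypothetical second app, "k8s_override", that
# monitors the same path. Any app's local/ directory outranks any app's default/.
OVERRIDE_INPUTS = """\
[monitor:///var/log/containers/*.log]
index = main
"""

# Constructed stand-in for etc/system/default/inputs.conf.
SYSTEM_DEFAULT = """\
[default]
host = $decideOnStartup
index = default
"""

AS_POSTED: List[Layer] = [
    ("etc/apps/splunkclouduf/default/inputs.conf", QUESTION_INPUTS),
    ("etc/system/default/inputs.conf", SYSTEM_DEFAULT),
]

WITH_OVERRIDE: List[Layer] = [
    ("etc/apps/k8s_override/local/inputs.conf", OVERRIDE_INPUTS),
] + AS_POSTED


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text: keys stay case-sensitive, '$' is literal, '=' only."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def resolve_stanza(layers: List[Layer], stanza: str) -> Dict[str, Setting]:
    """Per-key merge of `stanza` over `layers` (highest precedence first).

    An explicit stanza setting in any layer beats [default] from any layer;
    among files that set the same key, the higher layer wins.
    """
    merged: Dict[str, Dict[str, Setting]] = {"default": {}, stanza: {}}
    for path, text in reversed(layers):  # lowest precedence first, so later overwrites
        cp = parse_conf(text)
        for section in merged:
            if cp.has_section(section):
                for key, value in cp.items(section):
                    merged[section][key] = (value, path)
    effective = dict(merged["default"])
    effective.update(merged[stanza])
    return effective


def effective_index(layers: List[Layer], stanza: str) -> Optional[Setting]:
    """The index events from `stanza` are routed to, and which file set it."""
    return resolve_stanza(layers, stanza).get("index")


def extract_host(path: str, host_regex: str) -> Optional[str]:
    """Apply an inputs.conf host_regex: the first capture group becomes `host`."""
    m = re.search(host_regex, path)
    return m.group(1) if m else None


def report(layers: List[Layer], stanza: str) -> str:
    """btool-style listing: `key = value    [file]`."""
    items = sorted(resolve_stanza(layers, stanza).items())
    return "\n".join(f"{k} = {v}    [{src}]" for k, (v, src) in items)


if __name__ == "__main__":
    for label, layers in (("as posted", AS_POSTED),
                          ("with a competing local/ stanza", WITH_OVERRIDE)):
        print(f"== {label} ==")
        print(report(layers, STANZA))
    # Constructed file name in the kubelet's <pod>_<namespace>_<container>-<id>.log form.
    sample = "/var/log/containers/nginx-7d4f_default_nginx-3a9f1c.log"
    regex = resolve_stanza(AS_POSTED, STANZA)["host_regex"][0]
    print("host for", sample, "->", extract_host(sample, regex))
```

With only the posted files, `index` resolves to `testindex` from `splunkclouduf/default`; add one more app with a `local/inputs.conf` for the same path and `index` resolves to `main` from that file while `sourcetype`, `host_regex` and `_meta` still come from the original stanza, which is exactly the mixed result that makes this class of problem hard to spot. On the real forwarder, compare this with `splunk btool inputs list --debug` (and check that the target index exists on the receiving side), rather than trusting one file in isolation.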