(Trying to pull a few similar discussions together and record them for posterity)
# Challenge
The current [Docker Logging Driver for Splunk][1] sends HTTP events to Splunk as single-line JSON events because Docker treats each line flushed to stdout / stderr as a separate event (thanks @halr9000). Example:
![json_event][2]
1. Notice that those ideally are our access_combined data, but since the data is JSON, we can't get all the field parsing that comes with the out-of-the-box `access_combined`. This means that you're in a pickle trying to sourcetype the `line` payload.
2. Multi-line events, like Java stack traces, arrive line by line with this implementation because the connection is not held open until the event finishes (thanks @Michael Wilde).
[1]: https://docs.docker.com/engine/admin/logging/splunk/
[2]: /storage/temp/159225-json-event.png
**How can this be addressed to enjoy the power of my existing sourcetypes with this HTTP Event Collector payload from Docker?**