fields column in Splunk Hec output plugin is not working. #505

Closed
saiinuganti opened this issue Jun 23, 2020 · 1 comment · Fixed by #527
Labels
bug Something isn't working priority-low

saiinuganti commented Jun 23, 2020

Describe the bug:
The fields column in the Splunk HEC output plugin is not being converted as per the fluentd spec in fluentd.conf in the secret file.

Expected behaviour:

kind: ClusterOutput
metadata:
 name: splunk-output
spec:
 splunkHec:
    hec_host: http-inputs-
    hec_port: 443
    hec_token: 
        valueFrom:
           secretKeyRef:
              name:  splunk-token
              key: SplunkHecToken
    index: qa_main
    fields: 
      dummy: " "
    format:
      type: single_value 
      message_key: MESSAGE

Expected config in fluentd.conf (in secrets):

 <fields>
     dummy
 </fields>

What I get is:
fields {"dummy":" "}

So the logging operator cannot separate dummy from the original message into an indexed field.

Steps to reproduce the bug:

kind: ClusterOutput
metadata:
 name: splunk-output
spec:
 splunkHec:
    hec_host: http-inputs-
    hec_port: 443
    hec_token: 
        valueFrom:
           secretKeyRef:
              name:  splunk-token
              key: SplunkHecToken
    index: qa_main
    fields: 
      dummy: " "
    format:
      type: single_value 
      message_key: MESSAGE

Additional context:
The main idea is to separate dummy from the original message into an indexed field in Splunk. But when using the above config there is no change in the original message. But when I edited the secrets to change fluentd.conf to

 <fields>
     dummy
 </fields>

instead of fields {"dummy":" "}, then I could see the change in my Splunk output. So I doubt that the Splunk output plugin in the logging operator is not writing the correct format to the underlying fluentd.conf.

Environment details:

  • Kubernetes version (v1.15.11):
  • Cloud-provider/provisioner ( EKS):
  • logging operator version : 3.2.0-rc1
  • Install method (static manifests):
  • Resource definition (possibly in YAML format) that caused the issue, without sensitive data:
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
 name: splunk-output
spec:
 splunkHec:
    hec_host: http-splunkcloud.com
    hec_port: 443
    hec_token:
        valueFrom:
           secretKeyRef:
              name:  splunk-token
              key: SplunkHecToken
    index: qa_main
    fields:
       dummy: " "
    format:
      type: single_value
      message_key: MESSAGE
      add_newline: true

/kind bug

@saiinuganti saiinuganti added the bug Something isn't working label Jun 23, 2020
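
A check for the rendering difference reported above, as an added example that is not part of the original issue or of the logging operator's code: it scans fluentd.conf text and reports whether `fields` was written as an inline JSON parameter or as a `<fields>` section. The sample config, the `@type` lines around the quoted snippets, and the `audit_fields` name are constructed for illustration.

```python
import json
import re

# Constructed sample: the two renderings quoted in the issue, wrapped in
# hypothetical <match> blocks (the surrounding directives are assumptions).
SAMPLE_CONF = '''\
<match **>
  @type splunk_hec
  fields {"dummy":" "}
</match>
<match **>
  @type splunk_hec
  <fields>
    dummy
  </fields>
</match>
'''

INLINE = re.compile(r'^fields\s+(\{.*\})$')

def audit_fields(conf_text):
    """Report every place `fields` is configured and how it was rendered."""
    findings, section = [], None  # section = (start_line, keys) inside <fields>
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if section is not None:
            if line.startswith('<'):
                # Any tag ends the section; only </fields> closes it properly.
                kind = 'section' if line == '</fields>' else 'unterminated_section'
                findings.append({'line': section[0], 'kind': kind, 'keys': section[1]})
                section = None
            else:
                section[1].append(line.split()[0])
        elif line == '<fields>':
            section = (lineno, [])
        elif INLINE.match(line):
            try:
                parsed = json.loads(INLINE.match(line).group(1))
            except json.JSONDecodeError:
                parsed = {}
            keys = list(parsed) if isinstance(parsed, dict) else []
            findings.append({'line': lineno, 'kind': 'inline_json', 'keys': keys})
    if section is not None:
        findings.append({'line': section[0], 'kind': 'unterminated_section', 'keys': section[1]})
    return findings

print(audit_fields(SAMPLE_CONF))
```

Any `inline_json` finding marks an output rendered in the form the issue reports as not producing an indexed field.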
@2020testuser

@ahma and @saiinuganti - Is this issue resolved? I'm facing a similar issue except I don't have any filtering enabled.
I'm unable to see any of my container logs when I perform my index search in Splunk dashboard.
However, I see the below error message. Am I missing any info? Could you please shed some light on this issue?

Thanks in advance.

Error Msg:
failed to create model: failed to create configured output splunk-flow-output: no plugin config available for output
