9 changes: 8 additions & 1 deletion configuring/configuring-log-forwarding.adoc
@@ -121,7 +121,14 @@ include::modules/enabling-multi-line-exception-detection.adoc[leveloffset=+2]

include::modules/cluster-logging-collector-log-forward-gcp.adoc[leveloffset=+1]

include::modules/logging-forward-splunk.adoc[leveloffset=+1]
[id="forwarding-logs-to-splunk_{context}"]
== Forwarding logs to Splunk

Splunk is a log aggregation service that has a well defined API to make use of its feature set. You can forward logs to Splunk from the `ClusterLogForwarder` Custom Resource (CR).

include::modules/logging-forward-splunk.adoc[leveloffset=+2]

include::modules/default-splunk-metadata-key-values.adoc[leveloffset=+2]

include::modules/logging-http-forward.adoc[leveloffset=+1]

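Review bot: in the new intro line `Splunk is a log aggregation service that has a well defined API to make use of its feature set.`, hyphenate `well-defined` (it is attributive here) and lowercase `Custom Resource (CR)` to `custom resource (CR)`, which is how the rest of the logging docs style the term; the clause `to make use of its feature set` adds nothing and the sentence reads better as `Splunk is a log aggregation service with a well-defined API.` Also note that this hunk moves `modules/logging-forward-splunk.adoc` from `leveloffset=+1` to `+2` under the new `== Forwarding logs to Splunk` section, so the procedure's own `=` title now renders one level deeper than before; that is the intended structure for an assembly section with two child modules, but confirm the rendered TOC still shows the HEC procedure where readers expect it.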
75 changes: 75 additions & 0 deletions modules/default-splunk-metadata-key-values.adoc
@@ -0,0 +1,75 @@
:_newdoc-version: 2.18.4
:_template-generated: 2025-10-09
:_mod-docs-content-type: REFERENCE

[id="default-splunk-metadata-key-values_{context}"]
= Default Splunk metadata key values

{clo} sets default values for some Splunk metadata keys if you do not configure them in the `spec.output.splunk.source` field of the `ClusterLogForwarder` Custom Resource (CR).

The following table describes the default value that will be used for Splunk metadata, depending on `log_type` and `log_source` attributes.

.Default metadata key values
[cols="1,1,1,1,1"]
|====
|Key
a|Infrastructure Journal

* log_type:infrastructure
* log_source:node

a|Infrastructure or application container

* log_type: infrastructure, application

* log_source:container

a|Audit

* log_type:audit
* log_source: auditd, ovn, openshiftAPI
, kubeAPI

|Note



|`index`
|
|
|
|Not configured by default.


|`source`
|SYSLOG_IDENTIFIER
|ns_name_podName_containerName
|.log_source
|

|`indexedFields`
|
|
|
|Not configured by default.


|`sourceType`
|`_json` or `generic_single_line`
|`_json` or `generic_single_line`
|`_json` or `generic_single_line`
|Determined automatically based on the type of the final event payload.


|`host`
|`.hostname`
|`.hostname`
|`.hostname`
|Not configurable.

|`payloadKey`
|
|
|
|Not configured by default.
|====
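Review bot: the first table row (`Key` / `Infrastructure Journal` / `Infrastructure or application container` / `Audit` / `Note`) is not marked as a header: `[cols="1,1,1,1,1"]` carries no `options="header"`, and because that row spans multiple lines with `a|` cells AsciiDoc will not promote it to an implicit header, so it renders as an ordinary body row. Change the attribute line to `[cols="1,1,1,1,1",options="header"]`. In the `Audit` cell, the line break before `, kubeAPI` splits the list item, so the comma and `kubeAPI` render as a stray paragraph under the list; join it to `* log_source: auditd, ovn, openshiftAPI, kubeAPI`. The `log_type:infrastructure` and `log_source:node` items in the first column are missing the space after the colon that the other cells use. In the `source` row, `SYSLOG_IDENTIFIER`, `ns_name_podName_containerName` and `.log_source` are the only literal values in the table without backticks, while `.hostname` and `_json` in the rows below have them; format them the same way. That row is also the only one with an empty Note cell; if that is deliberate, a short note such as `Derived from the field shown` keeps the column consistent. Please also double-check the field path `spec.output.splunk.source` against the CR: the procedure's callouts describe one output entry under `spec`, and if outputs are declared as a list the path should reflect that. Finally, `that will be used` reads better as `that is used`, and `Custom Resource (CR)` should be `custom resource (CR)`.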
14 changes: 9 additions & 5 deletions modules/logging-forward-splunk.adoc
@@ -3,8 +3,8 @@
// * configuring/configuring-log-forwarding.adoc

:_mod-docs-content-type: PROCEDURE
[id="logging-forward-splunk_{context}"]
= Forwarding logs to Splunk
[id="logging-forward-splunk-http-event-collector_{context}"]
= Forwarding logs to Splunk HTTP Event Collector

You can forward logs to the Splunk HTTP Event Collector (HEC).

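Review bot: renaming the anchor from `logging-forward-splunk_{context}` to `logging-forward-splunk-http-event-collector_{context}` breaks any existing `xref:`/`link:` that targets the old id, and the old id is also the fragment in the already-published URL for this procedure. Grep the repository for `logging-forward-splunk_` and update those references, or keep the old id as a secondary anchor (`[[logging-forward-splunk_{context}]]` on the line above the new `[id=...]`) so that published links keep resolving. Leaving the file name as `modules/logging-forward-splunk.adoc` is fine; the include in the assembly still points at it.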
@@ -63,9 +63,13 @@ spec:
<4> Specify the name of the secret that contains your HEC token.
<5> Specify the URL, including port, of your Splunk HEC.
<6> Specify the name of the index to send events to. If you do not specify an index, the default index of the splunk server configuration is used. This is an optional field.
<7> Specify the source of events to be sent to this sink. You can configure dynamic per-event values. This field is optional.
<8> Specify the fields to be added to the Splunk index. This field is optional.
<9> Specify the record field to be used as the payload. This field is optional.
<7> Specify the source of events to be sent to this sink. You can configure dynamic per-event values. This field is optional. If you do not specify a value, the value of the field will be determined by the `log_type` and `log_source` values. For example, see link:https://docs.redhat.com/en/documentation/red_hat_openshift_logging/6.3/html-single/configuring_logging/index#default-splunk-metadata-key-values_configuring-log-forwarding[Default Splunk metadata key values].
<8> Specify the fields to be added to the Splunk index. This field is optional. The values are stored directly in the index alongside the raw event data, allowing for faster search performance on those fields.
However, `indexed_fields` fields increase storage use. Use them only for high-value fields that provide significant search benefits, for example, large datasets with frequent queries on specific fields.
You can use complex and nested fields as indexed fields. These are automatically transformed to meet Splunk's requirements.
<9> Specify the record field to be used as the payload.
By default, the `payloadKey` field is not set, which means the complete log record is forwarded as the payload.
Use the `payloadKey` field carefully. Selecting a single field as the payload may cause other important information in the log to be dropped, potentially leading to inconsistent or incomplete log events.
<10> Specify the compression configuration, which can be either `gzip` or `none`. The default value is `none`. This field is optional.
<11> Specify the input names.
<12> Specify the name of the output to use when forwarding logs with this pipeline.
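Review bot: callout `<8>` refers to the field as `indexed_fields` (snake case) while the callout label and the new reference table call it `indexedFields`; use `indexedFields` so readers do not look for a key the CR does not have. In `<7>`, the cross-reference is a hard-coded `link:` to the 6.3 published URL (`...red_hat_openshift_logging/6.3/...#default-splunk-metadata-key-values_configuring-log-forwarding`); since the reference module is now included in the same assembly, `xref:default-splunk-metadata-key-values_{context}[Default Splunk metadata key values]` keeps the link valid across versions and is validated at build time, and `For example, see` should be `For more information, see`. Also in `<7>`, `the value of the field will be determined by` reads better as `the value is determined by`. In `<9>`, the `payloadKey` caution is the right call; consider naming `audit` logs as the case where it matters most, since an audit event reduced to a single field cannot be reconstructed afterwards, and consider keeping the `This field is optional.` sentence that the other callouts use so the list stays parallel.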