Bug
Resolution: Done
Critical
Logging 6.0.0
OBSDA-550 - Updated APIs for Logging 6.0
Release Note Not Required
Log Collection - Sprint 257
Description of problem:
If the index includes a dot or slash, the logs cannot be pushed into the Splunk index.
How reproducible:
Always
Steps to Reproduce:
1. Create a pod that includes the labels below:
labels:
  testlogging: logging-OCP-71035
  test-logging: logging-OCP-71035-dash
  test.logging: logging-OCP-71035-dot
  test/logging: logging-OCP-71035-slash
  test.logging.io/logging.qe-test-label: logging-OCP-71035-dash-dot-slash
2. Create the indexes on the Splunk server
/bin/splunk add index logging-OCP-71035
/bin/splunk add index logging-OCP-71035-dash
/bin/splunk add index logging-OCP-71035-dot
/bin/splunk add index logging-OCP-71035-slash
/bin/splunk add index logging-OCP-71035-dash-dot-slash
3. Forward logs to Splunk using different template syntax.
a) index: ' {.kubernetes.labels."testlogging"||""}'
b) index: '{.kubernetes.labels."test-logging"||""}'
c) index: '{.kubernetes.labels."test.logging"||""}'
d) index: '{.kubernetes.labels."test/logging"||""}'
e) index: '{.kubernetes.labels." test.logging.io/logging.qe-test-label"||""}'
4. Query record in Splunk
Actual results:
Cannot find records if the CLF uses the index template syntax below, which includes a dot or dash:
c) index: '{.kubernetes.labels."test.logging"||""}'
d) index: '{.kubernetes.labels."test/logging"||""}'
e) index: '{.kubernetes.labels." test.logging.io/logging.qe-test-label"||""}'
Additional Info
Vector.toml when index: '{.kubernetes.labels."test.logging"||""}'
# Splunk Index
[transforms.output_splunk_aosqe_splunk_index]
type = "remap"
inputs = ["output_splunk_aosqe_timestamp"]
source = '''
  ._internal.output_splunk_aosqe_splunk_index = to_string!(.kubernetes.labels."test.logging"||"")
'''

[sinks.output_splunk_aosqe]
type = "splunk_hec_logs"
inputs = ["output_splunk_aosqe_splunk_index"]
endpoint = "http://default-http-0.e2e-test-vector-splunk-2bcxh.svc:8088"
compression = "none"
default_token = "SECRET[kubernetes_secret.splunk-secret-71035/hecToken]"
index = "{{ _internal.output_splunk_aosqe_splunk_index }}"
timestamp_key = "@timestamp"
Vector.toml when index: '{.kubernetes.labels."test/logging"||""}'
# Splunk Index
[transforms.output_splunk_aosqe_splunk_index]
type = "remap"
inputs = ["output_splunk_aosqe_timestamp"]
source = '''
  ._internal.output_splunk_aosqe_splunk_index = to_string!(.kubernetes.labels."test/logging"||"")
'''

[sinks.output_splunk_aosqe]
type = "splunk_hec_logs"
inputs = ["output_splunk_aosqe_splunk_index"]
endpoint = "http://default-http-0.e2e-test-vector-splunk-2bcxh.svc:8088"
compression = "none"
default_token = "SECRET[kubernetes_secret.splunk-secret-71035/hecToken]"
index = "{{ _internal.output_splunk_aosqe_splunk_index }}"
timestamp_key = "@timestamp"
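Added example, not part of the ticket and not the operator's or Vector's code: a small reference resolver for the index template syntax in step 3, giving the index each label from step 1 should resolve to so it can be compared with what Splunk actually receives. The parsing rules are an assumption inferred from the templates shown, and the function names are hypothetical.

```python
import re

# Constructed record carrying the pod labels from step 1 of the ticket.
RECORD = {"kubernetes": {"labels": {
    "testlogging": "logging-OCP-71035",
    "test-logging": "logging-OCP-71035-dash",
    "test.logging": "logging-OCP-71035-dot",
    "test/logging": "logging-OCP-71035-slash",
    "test.logging.io/logging.qe-test-label": "logging-OCP-71035-dash-dot-slash",
}}}

# One path segment: ."quoted key" (may hold dots and slashes) or .bare_key
SEGMENT = re.compile(r'\.(?:"([^"]*)"|([A-Za-z0-9_@-]+))')
# One template expression (assumed grammar): {<path>||"<default>"}
EXPRESSION = re.compile(r'\{\s*(\..+?)\s*\|\|\s*"([^"]*)"\s*\}')

def split_path(path):
    """Split a field path into keys, keeping each quoted segment as one key."""
    keys, pos = [], 0
    while pos < len(path):
        m = SEGMENT.match(path, pos)
        if not m:
            raise ValueError(f"bad path segment at offset {pos}: {path!r}")
        keys.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
    return keys

def resolve(template, record):
    """Render a template; a missing or empty field falls back to the default."""
    def render(m):
        node = record
        for key in split_path(m.group(1)):
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                return m.group(2)
        return str(node) or m.group(2)
    return EXPRESSION.sub(render, template)

def expected_indexes(record=RECORD):
    """Map each label key from step 1 to the index its template should yield."""
    labels = record["kubernetes"]["labels"]
    return {k: resolve('{.kubernetes.labels."%s"||""}' % k, record) for k in labels}

if __name__ == "__main__":
    for key, index in expected_indexes().items():
        print(f"{key!r:45} -> {index}")
```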