- Epic
- Resolution: Won't Do
- Normal
- None
- None
- Auto Extract Splunk Timestamp
- Product / Portfolio Work
- False
- False
- Not Selected
- NEW
- Administer, API
- In Progress
- OBSDA-1185 - Feature to enable "auto_extract_timestamp=true" from Red Hat logging operator to Splunk
- NEW
- 0% To Do, 0% In Progress, 100% Done
- Enhancement
- S
Goals
- Allow administrators to configure Splunk outputs to forward logs with the expectation that Splunk will auto-extract the timestamp from the event message
Non-Goals
Motivation
- The event timestamp provided by the forwarder may not match the timestamp in the event message:
1. The container log timestamp is sourced from the CRIO format
2. For certain audit logs, we make no attempt to source a date
Alternatives
- Do nothing
- Modify the missing audit log logic to attempt to parse a date
Acceptance Criteria
- Verify logs are forwarded to Splunk with the auto_timestamp_feature enabled when spec'd by the administrator
- Verify the default behavior of Splunk outputs is for the auto_timestamp feature to be disabled
Risk and Assumptions
Documentation Considerations
- API Updates
- Splunk output updates to identify feature availability
Open Questions
Additional Notes
- relates to
- LOG-7888 Timestamp from kube and openshift audit logs is not set to the value in the event
- New
- links to