Solved: Why is Docker Splunk UF sending logs with 2 differ...

eddiemashayev · ‎05-01-2018

Docker-compose

splunkuf:
    image: splunk/universalforwarder:7.0.2
    network_mode: host
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_USER: root
      SPLUNK_CMD: install app /tmp/splunkclouduf.spl -auth admin:changeme
      SPLUNK_DEPLOYMENT_SERVER: XXXX.cloud.splunk.com:8089
      SPLUNK_ADD_1: monitor /docker/log
      SPLUNK_ADD_2: monitor /mnt/logs/postgres
    volumes:
      - /opt/splunk/etc
      - /opt/splunk/var
      - /var/log:/docker/log
      - $DATA_DIR/logs/postgres:/mnt/logs/postgres
      - $DATA_DIR/certs/splunkclouduf.spl:/tmp/splunkclouduf.spl

The container is running in Ubuntu instance. In Splunk cloud I can see 2 hostnames for the same instance:

ubuntu
The real hostname

Any reason why it happens?

eddiemashayev · ‎05-03-2018

Removing TRANSFORMS = syslog-host property from syslog source type in Splunk Cloud solved the issue

View solution in original post

eddiemashayev · ‎05-03-2018

Removing TRANSFORMS = syslog-host property from syslog source type in Splunk Cloud solved the issue

Why is Docker Splunk UF sending logs with 2 different hostnames?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability