I would like to separate these logs into units (ie - etcd.service, kube-apiserver.service, kube-controller-manager.service, etc)
I'd then like to send those different logs to Splunk.
Do I have to force these logs to a file first, then move them?
Since splunk can't read the default binary format of journal , you should write to a text file and then forward (don't remember but read it somewhere)
There is a blog which talks about this in detail for different flavors, might be useful for you .
http://blogs.splunk.com/2015/04/30/integrating-splunk-with-docker-coreos-and-journald/
Since splunk can't read the default binary format of journal , you should write to a text file and then forward (don't remember but read it somewhere)
There is a blog which talks about this in detail for different flavors, might be useful for you .
http://blogs.splunk.com/2015/04/30/integrating-splunk-with-docker-coreos-and-journald/
This got me a long way to the answer, thanks!!!
This is a terrible answer. Splunk should put this into the TA for NIX. expecting each customer to figure out some crap method of this is BS.
Agreed... I'm going through these older journald posts for other reasons, but it looks like no one has updated responses here that there's better ways now? Starting in Splunk 8.1 there is native journald input support (separate from any TA for *NIX):
https://docs.splunk.com/Documentation/Splunk/latest/Data/CollecteventsfromJournalD