We have a splunkforwarder DaemonSet in Kubernetes, which is forwarding node logs to our Splunk server.
We want to take the STDOUT logs from each container, located in /var/log/containers/*.log, and index by the namespace specified in the filename. Is there a way to do this?
Filenames look as follows:
/var/log/containers/<pod-name>_<namespace>_<some-hash>.log
We'd like to set the index in inputs.conf by extracting the middle namespace from these files. I know there is a host_regex that will dynamically set the host, but I haven't found an equivalent for index.
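The filename-to-namespace extraction the question describes, as an added example that is not part of the original post: it pulls the middle component out of the `/var/log/containers/<pod-name>_<namespace>_<some-hash>.log` layout and validates it as a DNS-1123 label before using it as an index name, falling back to a placeholder default index (`k8s_unknown`, an assumption) for anything malformed.

```python
import re

# Filename layout from the question:
#   /var/log/containers/<pod-name>_<namespace>_<some-hash>.log
# Kubernetes pod and namespace names cannot contain "_", so the underscores in
# the basename are unambiguous separators. A namespace is a DNS-1123 label:
# lowercase alphanumerics and "-", 1-63 chars, alphanumeric at both ends.
DNS1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")

# Capture the middle component only; the same regex could be applied to the
# event's source path (assumption: the forwarder exposes the full path).
CONTAINER_LOG_RE = re.compile(
    r"^/var/log/containers/(?P<pod>[^/_]+)_(?P<namespace>[^/_]+)_(?P<hash>[^/_]+)\.log$"
)


def namespace_from_source(source: str, default_index: str = "k8s_unknown") -> str:
    """Return the index name derived from a container log path.

    Falls back to ``default_index`` when the path does not match the expected
    layout or the extracted namespace is not a valid DNS-1123 label, so a
    malformed or unexpected filename never produces an arbitrary index name.
    """
    m = CONTAINER_LOG_RE.match(source)
    if m is None:
        return default_index
    ns = m.group("namespace")
    if not DNS1123_LABEL.match(ns):
        return default_index
    return ns


# Constructed sample paths (not real cluster data) for a quick demonstration.
SAMPLE_SOURCES = [
    "/var/log/containers/web-7d9f6c8b5d-x2k9p_payments_3f2a1b.log",
    "/var/log/containers/api-0_kube-system_9c8d7e.log",
    "/var/log/containers/unexpected.log",
    "/var/log/containers/pod_BadNs_abc.log",
]


def demo() -> dict:
    """Map each sample path to the index it would be routed to."""
    return {src: namespace_from_source(src) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for src, idx in demo().items():
        print(f"{idx:<12} <- {src}")
```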