I have a Docker application which pushes Docker logs to Splunk. The Docker app uses the json-file log driver. The logs are read by the Universal Forwarder and pushed to Splunk.
The logs appear like this:
{
"log": "json here",
"stream": "stdout",
"time": "time here"
}
The problem is that when Docker produces logs very fast, Splunk is not able to parse them, and then all the logs appear as raw in Splunk.
Do you have any idea which parameter I might tune?
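One concrete set of settings to try, added here as an example and not part of the original post or of any Splunk-supplied configuration. The sourcetype name docker:json is an assumption; the settings assume the json-file layout shown above (one JSON object per line, nanosecond UTC timestamps in the "time" field), which is what Docker's json-file driver writes. The idea is to stop Splunk from guessing how to break and timestamp the events: with explicit line breaking and an explicit timestamp location, a burst of fast lines cannot be merged into one oversized event that then shows up as unparsed raw text.

```ini
# inputs.conf on the Universal Forwarder.
# /var/lib/docker/containers/*/*.log is the json-file driver's default location.
[monitor:///var/lib/docker/containers/*/*.log]
sourcetype = docker:json
# Container log files start with near-identical bytes; salt the CRC with the
# file path so the forwarder does not mistake one container's log for another's.
crcSalt = <SOURCE>

# props.conf on the first parsing tier (indexer or heavy forwarder), since a
# Universal Forwarder does not apply line-breaking or timestamp settings itself.
[docker:json]
# json-file writes exactly one JSON object per line: break on newlines and
# disable the automatic line merger so several objects are never glued into
# one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Take the event time from the "time" field rather than from whatever
# timestamp-like text may sit inside the "log" payload.
TIME_PREFIX = "time"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N
MAX_TIMESTAMP_LOOKAHEAD = 40
# Docker writes these timestamps in UTC (trailing "Z").
TZ = UTC
# Long application lines can exceed the default 10000-byte TRUNCATE limit;
# raise it rather than let events be cut mid-JSON.
TRUNCATE = 100000
# Extract log, stream and time as fields at search time.
KV_MODE = json
```

If you would rather have the JSON fields extracted at index time, set INDEXED_EXTRACTIONS = json in props.conf on the forwarder instead of KV_MODE = json (and set KV_MODE = none on the search head), not both, or each field comes back twice. After deploying, check a sample with `index=<your index> sourcetype=docker:json | head 20` and confirm that each event is a single JSON object with the fields log, stream and time populated.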