Hello!
I'm using Splunk to monitor Kubernetes pod log files, which sit on the nodes. The file name is as follows:
podname_namespace_dockername.log
Within the inputs.conf file, I would like to dynamically label the log file before sending it up to Splunk Cloud. I'd like to use the podname field as the hostname, then the namespace as the second field.
I can easily get the host section, but I'm having difficulty getting the regex to match the second part of the file name. I went through the docs and used some regex (PCRE) validators, and they advised I'm doing it right.
Any help would be greatly appreciated.
My attempt:
# watch all files in
[monitor:///var/log/containers/*.log]
# extract host from the first group in the filename
host_regex = /var/log/containers/(.*)_.*_.*\.log
# extract namespace from the first group in the filename
namespace = /var/log/containers/.*_(.*)_.*\.log
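The regex is not the problem; the setting is. inputs.conf understands host_regex (the forwarder evaluates it against the full path of each monitored file), but it has no `namespace` setting, so that line is silently ignored. Any other field derived from the file path has to be produced in props.conf and transforms.conf, either at index time (shown below) or at search time. The following is an added example, not part of the original post: the transform name `k8s_namespace_from_source` is made up, the `(?:source::)?` prefix is there because the value of `MetaData:Source` carries that prefix, and `[^_]+` replaces `.*` so that a capture cannot drift across a neighbouring underscore (on a real node the third field is actually `<containername>-<containerid>`, which this pattern still handles).

```ini
# inputs.conf (on the forwarder): host = first underscore-delimited field.
# [^_]+ instead of .* so each group stops at the next underscore.
[monitor:///var/log/containers/*.log]
host_regex = /var/log/containers/([^_]+)_[^_]+_[^_]+\.log$

# props.conf (on the indexers, i.e. an app deployed to Splunk Cloud,
# or on a heavy forwarder in front of it): apply the transform to these sources.
[source::/var/log/containers/*.log]
TRANSFORMS-k8s_namespace = k8s_namespace_from_source

# transforms.conf: read the source path (prefixed "source::"), capture the
# second field and write it into the event's indexed metadata as "namespace".
[k8s_namespace_from_source]
SOURCE_KEY = MetaData:Source
REGEX = (?:source::)?/var/log/containers/[^_]+_([^_]+)_[^_]+\.log$
FORMAT = namespace::$1
WRITE_META = true

# fields.conf: declare the field as indexed so namespace=kube-system
# is served from the index instead of scanned at search time.
[namespace]
INDEXED = true
```

Two caveats: a universal forwarder does not run the parsing pipeline, so the props/transforms/fields stanzas only take effect on the indexers or on a heavy forwarder, not in the same inputs.conf; and once a field is indexed, changing its regex only affects new data. If a search-time field is good enough, the same capture can be done without touching the index by putting `EXTRACT-k8s_namespace = ^/var/log/containers/[^_]+_(?<namespace>[^_]+)_ in source` under the same `[source::...]` stanza in props.conf on the search head.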