splunk-kubernetes-logging - allow pod and container exclusion


Hi everybody,

first off: Great work. This is really easy to use!

What would you like to be added:

I’d like to be able to limit the collected pod logs, in order to limit what is sent to Splunk. Currently I am doing the following:

global:
  fluentd:
    # path of logfiles, default /var/log/containers/*.log
    path: /var/log/containers/*.log
    # paths of logfiles to exclude. object type is array as per fluentd specification:
    # https://docs.fluentd.org/input/tail#exclude_path
    exclude_path:
     - /var/log/containers/prometheus*.log
     - /var/log/containers/istio*.log
     - /var/log/containers/kube*.log

This works if I want to exclude pods (even though it is cumbersome), but this won’t affect side car containers. So for Istio for example, I might only be interested in the logs of my apps, but not of the istio-proxy sidecar.

Why is this needed:

Limit the input into Splunk and increase visibility
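
The effect described in the issue, as an added example that is not part of the original post or of the project's code: it evaluates the three exclude_path globs from the values above against constructed log file names to show which logs are still collected. It assumes the usual /var/log/containers naming of pod_namespace_container-id.log and that the patterns are expanded the way Ruby's Dir.glob expands them; the sample names and the `*_istio-proxy-*.log` pattern are hypothetical.

```ruby
require "tmpdir"
require "fileutils"

# File-name parts of the three exclude_path entries from the issue (pod-name prefixes).
POD_PREFIX_PATTERNS = %w[prometheus*.log istio*.log kube*.log].freeze
# Hypothetical pattern keyed on the container-name field instead of the pod name.
SIDECAR_PATTERN = "*_istio-proxy-*.log"

# Constructed sample names: <pod>_<namespace>_<container>-<container id>.log
# (real container ids are long hex strings; short ids are used here for readability).
SAMPLE_LOGS = %w[
  prometheus-server-0_monitoring_prometheus-1111.log
  istiod-6c8d_istio-system_discovery-2222.log
  kube-proxy-x7k2p_kube-system_kube-proxy-3333.log
  shop-api-5f7b_default_shop-api-4444.log
  shop-api-5f7b_default_istio-proxy-5555.log
].freeze

# Returns the sorted file names that the given exclude patterns match,
# expanding each pattern with Dir.glob inside a scratch directory.
def excluded_logs(patterns, names = SAMPLE_LOGS)
  Dir.mktmpdir do |dir|
    names.each { |n| FileUtils.touch(File.join(dir, n)) }
    patterns.flat_map { |p| Dir.glob(p, base: dir) }.uniq.sort
  end
end

# Returns the sorted file names that would still be tailed and forwarded.
def collected_logs(patterns, names = SAMPLE_LOGS)
  (names - excluded_logs(patterns, names)).sort
end

if __FILE__ == $PROGRAM_NAME
  puts "pod-prefix patterns still collect:"
  puts collected_logs(POD_PREFIX_PATTERNS)
  puts "with the container-name pattern added:"
  puts collected_logs(POD_PREFIX_PATTERNS + [SIDECAR_PATTERN])
end
```

Because the pod name comes first in the file name, a prefix glob never reaches a sidecar inside an application pod; a pattern on the container field does, and it also drops that container's logs for every pod and namespace, which is worth checking against what detection rules in Splunk rely on.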

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

chaitanyaphalak commented, Aug 16, 2019 (2 reactions)

Hey @stiller-leser, thanks for the kudos. I think that you might be able to add an exclude path for the pods you don't want. For example, if your app’s pod name is “my-awesome-pod-xxxxxxx” I think you would be able to ignore logs for that using “/var/log/containers/my-awesome-pod*.log”. I agree that this approach is cumbersome. But I think if you really want it, you could do a pull request for us in the following way:

Approach A)

Approach B)

Please try out some other ideas too, if you want and let me know if you need help. I would be happy to review a PR for the implementation.

Thanks, Happy Friday.

PrabuddhaRaj commented, Sep 9, 2020 (0 reactions)

Hi @chaitanyaphalak: I am using exclude_path to remove logs of the sidecar pod running in my Kubernetes cluster, but it doesn't work. I tried annotating the pod with splunk.com/exclude=true, but that also doesn't work, as I am facing an issue in restarting the pod, and secondly I am using kubectl to annotate. It should be done via a script, such as the values.yaml file. I only want logs of my application pod. Any help is appreciated.
