Splunk 日志驱动程序

splunk 日志驱动程序将容器日志发送到 HTTP 事件收集器在 Splunk Enterprise 和 Splunk Cloud 中。

用法

您可以配置Docker日志记录以默认使用splunk驱动程序，或者基于每个容器进行配置。

要使用splunk驱动程序作为默认的日志记录驱动程序，请在daemon.json配置文件中将log-driver和log-opts键设置为适当的值，并重新启动Docker。例如：

{
  "log-driver": "splunk",
  "log-opts": {
    "splunk-token": "",
    "splunk-url": "",
    ...
  }
}

daemon.json 文件位于 Linux 主机上的 /etc/docker/ 或 Windows Server 上的 C:\ProgramData\docker\config\daemon.json。有关使用 daemon.json 配置 Docker 的更多信息，请参阅 daemon.json。

注意
log-opts 配置文件中的配置选项在 daemon.json 配置文件中必须以字符串形式提供。因此，布尔值和数值（例如 splunk-gzip 或 splunk-gzip-level 的值）必须用引号括起来（"）。

要为特定容器使用splunk驱动程序，请使用命令行标志--log-driver和log-opt与docker run一起使用：

$ docker run --log-driver=splunk --log-opt splunk-token=VALUE --log-opt splunk-url=VALUE ...

Splunk 选项

以下属性允许您配置Splunk日志驱动程序。

要在Docker环境中配置splunk驱动程序，请使用键"log-opts": {"NAME": "VALUE", ...}编辑daemon.json。
要为单个容器配置splunk驱动程序，请使用docker run并带上标志--log-opt NAME=VALUE ...。

Option	Required	Description
`splunk-token`	required	Splunk HTTP Event Collector token.
`splunk-url`	required	Path to your Splunk Enterprise, self-service Splunk Cloud instance, or Splunk Cloud managed cluster (including port and scheme used by HTTP Event Collector) in one of the following formats: `https://your_splunk_instance:8088`, `https://input-prd-p-XXXXXXX.cloud.splunk.com:8088`, or `https://http-inputs-XXXXXXXX.splunkcloud.com`.
`splunk-source`	optional	Event source.
`splunk-sourcetype`	optional	Event source type.
`splunk-index`	optional	Event index.
`splunk-capath`	optional	Path to root certificate.
`splunk-caname`	optional	Name to use for validating server certificate; by default the hostname of the `splunk-url` is used.
`splunk-insecureskipverify`	optional	Ignore server certificate validation.
`splunk-format`	optional	Message format. Can be `inline`, `json` or `raw`. Defaults to `inline`.
`splunk-verify-connection`	optional	Verify on start, that Docker can connect to Splunk server. Defaults to true.
`splunk-gzip`	optional	Enable/disable gzip compression to send events to Splunk Enterprise or Splunk Cloud instance. Defaults to false.
`splunk-gzip-level`	optional	Set compression level for gzip. Valid values are -1 (default), 0 (no compression), 1 (best speed) ... 9 (best compression). Defaults to DefaultCompression.
`tag`	optional	Specify tag for message, which interpret some markup. Default value is `{{.ID}}` (12 characters of the container ID). Refer to the 日志标签选项文档 for customizing the log tag format.
`labels`	optional	Comma-separated list of keys of labels, which should be included in message, if these labels are specified for container.
`labels-regex`	optional	Similar to and compatible with `labels`. A regular expression to match logging-related labels. Used for advanced 日志标签选项.
`env`	optional	Comma-separated list of keys of environment variables, which should be included in message, if these variables are specified for container.
`env-regex`	optional	Similar to and compatible with `env`. A regular expression to match logging-related environment variables. Used for advanced 日志标签选项.

如果label和env键之间存在冲突，env的值将优先。这两个选项都会向日志消息的属性添加额外的字段。

以下是为Splunk Enterprise实例指定的日志记录选项的示例。该实例安装在运行Docker守护程序的同一台机器上。

根证书和通用名称的路径使用HTTPS方案指定。这用于验证。SplunkServerDefaultCert是由Splunk证书自动生成的。

$ docker run \
    --log-driver=splunk \
    --log-opt splunk-token=176FCEBF-4CF5-4EDF-91BC-703796522D20 \
    --log-opt splunk-url=https://splunkhost:8088 \
    --log-opt splunk-capath=/path/to/cert/cacert.pem \
    --log-opt splunk-caname=SplunkServerDefaultCert \
    --log-opt tag="{{.Name}}/{{.FullID}}" \
    --log-opt labels=location \
    --log-opt env=TEST \
    --env "TEST=false" \
    --label location=west \
    your/application

托管在Splunk Cloud上的Splunk实例的splunk-url格式类似于https://http-inputs-XXXXXXXX.splunkcloud.com，并且不包含端口指定符。

消息格式

有三种日志驱动消息格式：inline（默认）、json和raw。

默认格式是 inline，其中每条日志消息都作为字符串嵌入。例如：

{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": "my message"
}

{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": "{\"foo\": \"bar\"}"
}

要将消息格式化为json对象，请设置--log-opt splunk-format=json。驱动程序尝试将每一行解析为JSON对象并作为嵌入对象发送。如果无法解析消息，则将其作为inline发送。例如：

{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": "my message"
}

{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": {
    "foo": "bar"
  }
}

要将消息格式化为raw，请设置--log-opt splunk-format=raw。属性（环境变量和标签）和标签会附加到消息前面。例如：

MyImage/MyContainer env1=val1 label1=label1 my message
MyImage/MyContainer env1=val1 label1=label1 {"foo": "bar"}

高级选项

Splunk日志驱动程序允许您通过为Docker守护程序设置环境变量来配置一些高级选项。

Environment variable name	Default value	Description
`SPLUNK_LOGGING_DRIVER_POST_MESSAGES_FREQUENCY`	`5s`	The time to wait for more messages to batch.
`SPLUNK_LOGGING_DRIVER_POST_MESSAGES_BATCH_SIZE`	`1000`	The number of messages that should accumulate before sending them in one batch.
`SPLUNK_LOGGING_DRIVER_BUFFER_MAX`	`10 * 1000`	The maximum number of messages held in buffer for retries.
`SPLUNK_LOGGING_DRIVER_CHANNEL_SIZE`	`4 * 1000`	The maximum number of pending messages that can be in the channel used to send messages to background logger worker, which batches them.