OBSDOCS-3446: Document Splunk sourceType configuration#114511
johnwilkins wants to merge 1 commit into
Enhancement allows users forwarding logs to Splunk to specify the sourceType with custom values or Splunk's pretrained source types.

Changes:
- Updated logging-forward-splunk.adoc: Added sourceType field documentation with examples and important note about validation
- Updated default-splunk-metadata-key-values.adoc: Updated sourceType row to reflect configurable behavior when payloadKey is defined
- Created logging-splunk-sourcetype-pod-labels.adoc: New procedure showing how to configure sourceType dynamically using pod labels

Key points documented:
- sourceType field is optional
- Requires payloadKey to be set when using sourceType
- Accepts both templated and static values
- Default behavior: _json (or generic_single_line with payloadKey)
- Collector has no logic to interpret sourceType from payload
- Colon characters allowed in sourceType but not in pod label values

Vale results: 0 errors, 0 warnings

Signed-off-by: John Wilkins <jowilkin@redhat.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@johnwilkins: This pull request references OBSDOCS-3446 which is a valid jira issue.
🤖 Wed Jul 01 19:57:14 - Prow CI generated the docs preview: https://114511--ocpdocs-pr.netlify.app/
@johnwilkins: all tests passed!
/lgtm
Summary
Documents the new configurable sourceType field for Splunk outputs in ClusterLogForwarder.
Enhancement allows users to specify Splunk source types (pretrained or custom) for better log parsing and categorization.
Changes
Modified Modules
- sourceType field documentation with examples and validation warning
- sourceType row to reflect configurable behavior
New Module
- sourceType dynamically using pod labels
Key Features Documented
✅ Optional field - defaults to _json when not set
✅ Requires payloadKey - can only be set when payloadKey is also defined
✅ Templating support - static values or dynamic per-event values
✅ Default behavior - _json or generic_single_line depending on payload structure
✅ Important limitation - collector does not validate or interpret source type
✅ Colon character handling - allowed in sourceType but not in pod label values
Examples Provided
- sourceType: 'log4j'
- sourceType: '{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}'
Testing
Related
Signed-off-by: John Wilkins jowilkin@redhat.com
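
A pre-deployment check for the constraints listed in this PR, as an added example that is not part of the PR or the project's own code: sourceType needs payloadKey, and a value supplied through a pod label must be a legal Kubernetes label value, which rules out colons. The function names, the dict shape, the PAYLOAD_KEY_PLACEHOLDER value and the sample label values are assumptions made for illustration.

```python
import re

# Kubernetes label value: empty, or up to 63 characters that start and end
# with an alphanumeric and otherwise use only alphanumerics, '-', '_', '.'.
LABEL_VALUE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
# Assumption: a templated value is one wrapped in braces, as in the PR example.
TEMPLATE = re.compile(r"^\{.*\}$")


def label_value_problem(value):
    """Return why `value` cannot be a pod label value, or None if it can."""
    if len(value) > 63:
        return "longer than 63 characters"
    if LABEL_VALUE.match(value):
        return None
    bad = sorted(set(re.findall(r"[^-A-Za-z0-9_.]", value)))
    if bad:
        return "invalid characters: " + " ".join(bad)
    return "must start and end with an alphanumeric"


def check_splunk_output(splunk, pod_label_values=()):
    """Check a splunk output mapping against the constraints listed in the PR."""
    source_type = splunk.get("sourceType")
    if source_type is None:
        return []  # optional field: the documented default applies
    findings = []
    if not splunk.get("payloadKey"):
        findings.append("sourceType is set but payloadKey is not")
    if TEMPLATE.match(source_type):
        # Value comes from pod labels, so each candidate must be a legal label value.
        for value in pod_label_values:
            problem = label_value_problem(value)
            if problem:
                findings.append(f"label value {value!r}: {problem}")
    return findings


# Constructed sample inputs; the payloadKey value is a placeholder.
STATIC = {"payloadKey": "PAYLOAD_KEY_PLACEHOLDER", "sourceType": "log4j"}
MISSING_KEY = {"sourceType": "log4j"}
TEMPLATED = {
    "payloadKey": "PAYLOAD_KEY_PLACEHOLDER",
    "sourceType": '{.kubernetes.labels."splunk/sourcetype"||"generic_single_line"}',
}
if __name__ == "__main__":
    for cfg, labels in ((STATIC, ()), (MISSING_KEY, ()), (TEMPLATED, ("log4j", "cisco:asa"))):
        print(check_splunk_output(cfg, labels))
```

Because the collector does not validate the source type, a check of this kind has to run before the configuration and pod labels are applied.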