splunkPlatform.fieldNameConvention.renameFieldsSck doesn't cover journald units or extraFileLogs #682
Comments
|
I don't believe SCK really set any major fields for those sources...do you have examples of said fields? Also while i understand it makes cutting over easy, SCK wasn't exactly thinking long term about fields and formats, whereas OTel formats will be with us for the foreseeable future and beyond. In many cases it also has much better fields/info. so I'd caution staying married to anything SCK for the long term anyways.... would be interested to see what fields you are talking about as the sck config doesnt exactly do anything special with those sources that you can't do today in otel configs. |
|
I think only cluster_name is missing for extraLogsFiles. At least this is a field i'm using in dashboards for openshift audit logs to disinct the different clusters. Haven't checked if k8s.cluster.name is available. I personally don't mind if SCK fields go away. Problem is once we upgrade and don't have SCK fields available, any splunk dashboard built by appdevs will immediately stop working. I think we need to give them some time to transition to the new fields. They need to exist so they can "see them" and adjust their config. |
|
Ah yes, will check the pipeline that gets made for extraFilelogs, I was playing with this backward compatibility feature recently. Worst case I should be able to see what needs to be added to the filelog and journald pipeline to add it. |
atoulme
added
Splunk Platform
Up to now the cluster_name field was only set in `resource/logs`. This snippet was only included for the container logs, but not for host logs (files, journald). This change moves the cluster_name field to the `resource` snippet, which is according inline comment used for all things that pass through otel. Fixes signalfx#682
Up to now the cluster_name field was only set in `resource/logs`. This snippet was only included for the container logs, but not for host logs (files, journald). This change moves the cluster_name field to the `resource` snippet, which is according inline comment used for all things that pass through otel. Fixes signalfx#682
Up to now the cluster_name field was only set in `resource/logs`. This snippet was only included for the container logs, but not for host logs (files, journald). This change moves the cluster_name field to the `resource` snippet, which is according inline comment used for all things that pass through otel. Fixes signalfx#682
Up to now the cluster_name field was only set in `resource/logs`. This snippet was only included for the container logs, but not for host logs (files, journald). This change moves the cluster_name field to the `resource` snippet, which is according inline comment used for all things that pass through otel. Fixes #682
According to the SCK migration guide, it's possible to preserve the Splunk field names as used with SCK. Without this, we would need to rework all our custom Splunk Dashboards.
splunk-otel-collector-chart/docs/migration-from-sck.md
Lines 405 to 414 in ff1e1ff
Now I discovered that the setting only affects the
logspipeline but not thelogs/host. Theresource/logsis not included in thelogs/hostpipeline.splunk-otel-collector-chart/helm-charts/splunk-otel-collector/templates/config/_otel-agent.tpl
Line 678 in ff1e1ff
Probably for journald and extraFileLogs only the
cluster_namefield is relevant.splunk-otel-collector-chart/helm-charts/splunk-otel-collector/templates/config/_common.tpl
Lines 121 to 123 in ff1e1ff
The text was updated successfully, but these errors were encountered: