Splunk Connect for Docker is a Docker logging plugin that allows docker containers to send their logs directly to Splunk Enterprise or a Splunk Cloud deployment.
Hello and please forgive me if this is not the appropriate place to ask this question. I would like to know if it's possible to add configuration to the daemon.json file to completely remove the value of the 'source' field from the event because I would like to let Splunk automatically set the source at index time. Reading the documentation, I see there is an optional flag 'splunk-source' where I can change the value. But I don't want to change the value, I would like to completely remove it from the POST body. Is there way to do this in the configuration file? It seems all the doc examples show a value for that field.
Here's what our current Splunk config looks like. I'm not the app developer here, so this information was provided to me when I requested the configuration. All the variables are defined and the event is being indexed as I would expect. I just want to remove the source field from the POST body.
"logConfiguration": {
"logDriver": "splunk",
"options": {
"splunk-url": "${splunk_url}",
"splunk-index": "${splunk_index}",
"splunk-insecureskipverify": "true",
"splunk-sourcetype": "${splunk_sourcetype}",
"splunk-format": "json"
},
Hello and please forgive me if this is not the appropriate place to ask this question. I would like to know if it's possible to add configuration to the daemon.json file to completely remove the value of the 'source' field from the event because I would like to let Splunk automatically set the source at index time. Reading the documentation, I see there is an optional flag 'splunk-source' where I can change the value. But I don't want to change the value, I would like to completely remove it from the POST body. Is there way to do this in the configuration file? It seems all the doc examples show a value for that field.
Here's what our current Splunk config looks like. I'm not the app developer here, so this information was provided to me when I requested the configuration. All the variables are defined and the event is being indexed as I would expect. I just want to remove the source field from the POST body. "logConfiguration": { "logDriver": "splunk", "options": { "splunk-url": "${splunk_url}", "splunk-index": "${splunk_index}", "splunk-insecureskipverify": "true", "splunk-sourcetype": "${splunk_sourcetype}", "splunk-format": "json" },
Thanks in advance.