What happened:
In the values.yaml for logging, the pod and container are specified as follows, with test-sys as the namespace; we call it part A:
```yaml
aks-secrets-store-provider-azure:
  from:
    pod: test-sys/aks-secrets-store-provider-azure-
    container: provider-azure-installer
  multiline:
    firstline: /^\w[0-1]\d[0-3]\d/
    endline: / pod\=\".+\"/
    separator: "\n"
    flushInterval: 5
  sourcetype: kube:secrets-store-provider-azure
```
The pod aks-secrets-store-provider-azure generates logs as follows; we call it part B:
```
C1234 02:06:52.093686 1 provider.go:196] "objects string defined in secret provider class" objects=<
	array:
	  - |
	    objectName: xyz-key
	    objectType: secret        # object types: secret, key or cert
	    objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
	  - |
	    objectName: xyz-id
	    objectType: secret        # object types: secret, key or cert
	    objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
 > pod="kube-system/aks-cluster-compliance-rcg87"
```
What you expected to happen:
The above multiline log in part B should be displayed as one Splunk log event, as follows; we call it part C:
```
C1234 02:06:52.093686 1 provider.go:196] "objects string defined in secret provider class" objects=<
	array:
	  - |
	    objectName: xyz-key
	    objectType: secret        # object types: secret, key or cert
	    objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
	  - |
	    objectName: xyz-id
	    objectType: secret        # object types: secret, key or cert
	    objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
 > pod="kube-system/aks-cluster-compliance-rcg87"
```
But instead Splunk shows each line as a separate log event, as follows; we call it part C:
How to reproduce it (as minimally and precisely as possible):
Use the above config for the AKS container in part A, with the multiline log in part B as the input.
Kubernetes version (use kubectl version): Kubernetes v1.26.3
Ruby version (use ruby --version): Ruby is not used at all
OS (e.g: cat /etc/os-release): Red Hat Enterprise Linux Server, VERSION="7.9 (Maipo)"
Splunk version:
Splunk Connect for Kubernetes helm chart version: Splunk connect for k8s 1.5.3
Others:
Please get back to me if you have further questions or need clarification. I am looking forward to your solutions, and thanks very much for your help in advance.
Splunk shows the lines of part B as separate events (the output referred to above as part C), each with its own timestamp:

```
23/05/2023 17:00:00.123   C1234 02:06:52.093686 1 provider.go:196] "objects string defined in secret provider class" objects=<
23/05/2023 17:00:00.124   array:
23/05/2023 17:00:00.125   - |
23/05/2023 17:00:00.126   objectName: xyz-key
....
23/05/2023 17:00:00.200   > pod="kube-system/aks-cluster-compliance-rcg87"
```

Anything else we need to know?:
I follow exactly the instructions in Splunk Connect for Kubernetes (https://github.com/splunk/splunk-connect-for-kubernetes/issues?q=is%3Aissue+is%3Aclosed+multiline), and the multiline log is not shown as one Splunk log event. I do not know why; please help me get the function working. Thanks very much for your help in advance.
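A check worth running before changing values.yaml is to apply the two regexes from part A to a raw sample of the container log and see how the lines would be grouped. The Python below is an added example, not code from this issue or from Splunk Connect for Kubernetes. It assumes that the chart's `firstline`/`endline` settings behave like start/end regexes with fluent-plugin-concat semantics (a line matching firstline opens an event, a line matching endline closes it, and a line arriving while no event is open is forwarded on its own); the sample lines are constructed from part B, and the second variant's CRI-style `stdout F` prefix is hypothetical.

```python
import re

# Regex bodies copied from part A of the issue (the Ruby /.../ delimiters stripped).
FIRSTLINE = re.compile(r"^\w[0-1]\d[0-3]\d")
ENDLINE = re.compile(r' pod\=\".+\"')

# Constructed sample modelled on part B: a klog line whose objects=< value spans
# several lines and is closed by " > pod=...", followed by an ordinary one-line message.
SAMPLE_LINES = [
    'C1234 02:06:52.093686 1 provider.go:196] "objects string defined in secret provider class" objects=<',
    '\tarray:',
    '\t  - |',
    '\t    objectName: xyz-key',
    '\t    objectType: secret',
    '\t    objectVersion: ""',
    ' > pod="kube-system/aks-cluster-compliance-rcg87"',
    'C1234 02:06:53.000000 1 provider.go:210] "single line message" pod="kube-system/aks-cluster-compliance-rcg87"',
]

# Constructed variant: the same lines as the concat filter would see them if an upstream
# parser had left a CRI-style "<timestamp> stdout F " prefix in place (hypothetical prefix).
PREFIXED_LINES = ["2023-05-23T02:06:52.093686Z stdout F " + line for line in SAMPLE_LINES]


def concat_multiline(lines, firstline=FIRSTLINE, endline=ENDLINE):
    """Group raw lines into events with start/end regexes (assumed semantics, modelled
    on fluent-plugin-concat): a firstline match opens an event (flushing any event
    still open), following lines are appended until one matches endline, and a line
    that arrives while no event is open is emitted on its own."""
    events, buf = [], None
    for line in lines:
        if firstline.search(line):
            if buf is not None:
                events.append("\n".join(buf))
            buf = [line]
        elif buf is None:
            events.append(line)          # nothing open: one event per line
            continue
        else:
            buf.append(line)
        if endline.search(line):         # closing line reached: emit the event
            events.append("\n".join(buf))
            buf = None
    if buf is not None:                  # flushInterval expiry: emit the remainder
        events.append("\n".join(buf))
    return events


def regex_report(lines, firstline=FIRSTLINE, endline=ENDLINE):
    """Per-line diagnostic: (index, firstline matched?, endline matched?). If no line
    matches firstline, the filter can never open an event."""
    return [(i, bool(firstline.search(l)), bool(endline.search(l))) for i, l in enumerate(lines)]


if __name__ == "__main__":
    for name, lines in (("raw", SAMPLE_LINES), ("prefixed", PREFIXED_LINES)):
        events = concat_multiline(lines)
        print(f"{name}: {len(lines)} lines -> {len(events)} events")
        for i, fl, el in regex_report(lines):
            print(f"  line {i}: firstline={fl} endline={el}")
```

On the raw sample the eight lines collapse into two events, the first being the whole `objects=<` block; on the prefixed variant the `^`-anchored firstline never matches, so every line is forwarded on its own, which is exactly the one-event-per-line picture shown in part C. Running `regex_report` against a sample captured at the point where the concat filter actually receives it (rather than against the pretty-printed output) tells you whether the regexes or the input shape is the problem.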