@@ -808,5 +809,47 @@ $ SPLUNK_PASSWORD=<password> docker-compose up -d
808
809
809
810
Then, visit SplunkWeb on your browser with the root endpoint in the URL, such as `http://localhost:8000/splunkweb`.
810
811
812
+
## Create sidecar forwarder
813
+
<details><summary>k8s-sidecar.yml</summary><p>
814
+
815
+
```
816
+
apiVersion: v1
817
+
kind: Pod
818
+
metadata:
819
+
name: example
820
+
spec:
821
+
containers:
822
+
- name: splunk-uf
823
+
image: splunk/universalforwarder:latest
824
+
env:
825
+
- name: SPLUNK_START_ARGS
826
+
value: --accept-license
827
+
- name: SPLUNK_PASSWORD
828
+
value: helloworld
829
+
- name: SPLUNK_CMD
830
+
value: add monitor /var/log/
831
+
- name: SPLUNK_STANDALONE_URL
832
+
value: splunk.company.internal
833
+
volumeMounts:
834
+
- name: shared-data
835
+
mountPath: /var/log
836
+
- name: my-app
837
+
image: my-app
838
+
volumeMounts:
839
+
- name: shared-data
840
+
mountPath: /app/logs/
841
+
volumes:
842
+
- name: shared-data
843
+
emptyDir: {}
844
+
```
845
+
</p></details>
846
+
847
+
Execute the following to bring up your deployment:
848
+
```
849
+
$ kubectl apply -f k8s-sidecar.yml
850
+
```
851
+
852
+
After your pod is ready, the universal forwarder will be reading the logs generated by your app via the shared volume mount. In the ideal case, your app is generating the logs while the forwarder is reading them and streaming the output to a separate Splunk instance located at splunk.company.internal.
853
+
811
854
## More
812
855
There are a variety of Docker compose scenarios in the `docker-splunk` repo [here](https://github.com/splunk/docker-splunk/tree/develop/test_scenarios). Please feel free to use any of those for reference in terms of different topologies!
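Review bot: The `SPLUNK_PASSWORD` entry in the `splunk-uf` container's `env` is set to the literal `value: helloworld`, so anyone who copies this manifest deploys a forwarder with a publicly known password, and that password is readable by anyone who can view the Pod spec. Suggest sourcing it from a Kubernetes Secret with `valueFrom.secretKeyRef`, or at minimum using a `<password>` placeholder as the docker-compose command in the hunk header does. Two smaller points in the same manifest: `image: splunk/universalforwarder:latest` is a mutable tag, so pinning a version would keep the example reproducible, and the forwarder mounts the shared `emptyDir` at `/var/log` while `SPLUNK_CMD` monitors `/var/log/`, which hides the container's own log directory; a dedicated mount path (with the monitor pointed at it) would make clear that only the app's logs are forwarded.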