splunk-connect-for-kubernetes: Last event is not pushed to Splunk until new event occurs

What happened: Last log event is not pushed to splunk What you expected to happen: Everything should be pushed to Splunk How to reproduce it (as minimally and precisely as possible): This is my filter in output.conf <filter tail.containers.var.log.containers.sb-*.log> @type concat key log timeout_label @SPLUNK stream_identity_key stream multiline_start_regexp /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}|^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}|^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s-\s-/ multiline_end_regexp /\\n$/ separator "" flush_interval 2s use_first_timestamp true </filter> Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):1.15.5
  • Ruby version (use ruby --version):
  • OS (e.g: cat /etc/os-release):NAME=“Red Hat Enterprise Linux Server” VERSION=“7.7 (Maipo)”
  • Splunk version:7.3.3
  • Others:

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

one user have tried it with it https://github.com/splunk/splunk-connect-for-kubernetes/issues/243 but it didn’t change anything. but i think this concat fix you developed fixed the flow.

+1
rockb1017 on May 21, 2020

https://github.com/splunk/splunk-connect-for-kubernetes/pull/369

+1
rockb1017 on May 8, 2020
Read more comments on GitHub
← splunk-connect-for-kubernetes: Failed parsing container metadata
splunk-connect-for-kubernetes: Logging does not successfully use hec_ca_file for cert verification by default →