CLM application log forwarding to Splunk

Description

A CLM cluster can forward application logs to a remote Splunk server using the Splunk HEC, or HTTP Event Collector. During CLM deployment, you can enable the log forwarding by configuring the Splunk forwarding parameters in the nsp—modules—logging—forwarding—applicationLogs—splunk section of the CLM configuration file.

When log forwarding to Splunk is enabled, you can use the CLM cluster address as a Splunk query criterion for the CLM application logs. The address to use is one of the following values in the platform—ingressApplications—ingressController section of the config.yml file on the local CLM deployer host:

In the internalAddresses subsection, if configured, otherwise, in the clientAddresses subsection:

• if configured, the advertised value

• otherwise, the virtualIp value

For example:

index="k8s_log" and nspHost="cluster_address"

where

cluster_address is the advertised client address in the CLM configuration file described above

k8s_log is the Splunk HEC index

For information about setting up Splunk HEC, see the Splunk documentation.