docker

5th chunk of `content/manuals/engine/logging/drivers/splunk.md`

```console
    --log-opt splunk-url=https://splunkhost:8088 \
    --log-opt splunk-capath=/path/to/cert/cacert.pem \
    --log-opt splunk-caname=SplunkServerDefaultCert \
    --log-opt tag="{{.Name}}/{{.FullID}}" \
    --log-opt labels=location \
    --log-opt env=TEST \
    --env "TEST=false" \
    --label location=west \
    your/application
```

The `splunk-url` for Splunk instances hosted on Splunk Cloud is in a format
like `https://http-inputs-XXXXXXXX.splunkcloud.com` and does not include a
port specifier.

### Message formats

There are three logging driver messaging formats: `inline` (default), `json`,
and `raw`.

{{< tabs >}}
{{< tab name="Inline" >}}

The default format is `inline`, where each log message is embedded as a string.
For example:

```json
{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": "my message"
}
```

```json
{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": "{\"foo\": \"bar\"}"
}
```

{{< /tab >}}
{{< tab name="JSON" >}}

To format messages as `json` objects, set `--log-opt splunk-format=json`. The
driver attempts to parse every line as a JSON object and send it as an embedded
object. If it can't parse the message, it's sent `inline`. For example:

```json
{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": "my message"
}
```

```json
{
  "attrs": {
    "env1": "val1",
    "label1": "label1"
  },
  "tag": "MyImage/MyContainer",
  "source": "stdout",
  "line": {
    "foo": "bar"
  }
}
```

{{< /tab >}}
{{< tab name="Raw" >}}

To format messages as `raw`, set `--log-opt splunk-format=raw`. Attributes
(environment variables and labels) and tags are prefixed to the message. For
example:

```console
MyImage/MyContainer env1=val1 label1=label1 my message
MyImage/MyContainer env1=val1 label1=label1 {"foo": "bar"}
```

{{< /tab >}}
{{< /tabs >}}
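
The same container output reaches Splunk in a different shape for each `splunk-format`, so a search or detection written for one format can miss events from hosts configured with another. The following is an added example, not part of the Docker documentation or the driver's code: a Python normalizer for the three payload shapes shown above. The function names, the output record layout and the `attr_keys` parameter are assumptions of this example, as is that tags and attribute values contain no spaces.

```python
import json

# Constructed payloads modelled on the inline, json and raw examples above.
INLINE = {"attrs": {"env1": "val1", "label1": "label1"},
          "tag": "MyImage/MyContainer", "source": "stdout",
          "line": "{\"foo\": \"bar\"}"}
AS_JSON = dict(INLINE, line={"foo": "bar"})
PLAIN = dict(INLINE, line="my message")
RAW = 'MyImage/MyContainer env1=val1 label1=label1 {"foo": "bar"}'

def _split_line(line):
    """Return (text, fields) for a `line` value that is a string or an object."""
    if isinstance(line, dict):        # json format: message embedded as an object
        return json.dumps(line, sort_keys=True), line
    try:
        parsed = json.loads(line)     # inline format, or the json-format fallback
    except (TypeError, ValueError):
        parsed = None
    if isinstance(parsed, dict):
        return json.dumps(parsed, sort_keys=True), parsed
    return str(line), None

def normalize_event(event):
    """Uniform record for an inline- or json-format event payload."""
    text, fields = _split_line(event.get("line"))
    return {"tag": event.get("tag"), "source": event.get("source"),
            "attrs": dict(event.get("attrs") or {}),
            "text": text, "fields": fields}

def normalize_raw(raw, attr_keys):
    """Uniform record for a raw-format message.

    raw has no delimiter between attributes and message, so only leading
    key=value tokens whose key is in attr_keys (the configured env and label
    names) are treated as attributes; everything after them is the message.
    """
    tag, _, rest = raw.partition(" ")
    attrs = {}
    while rest:
        token, _, tail = rest.partition(" ")
        key, eq, value = token.partition("=")
        if not eq or key not in attr_keys or key in attrs:
            break
        attrs[key] = value
        rest = tail
    text, fields = _split_line(rest)
    return {"tag": tag, "source": None, "attrs": attrs,
            "text": text, "fields": fields}
```

Because `raw` carries no boundary between attributes and message, pass `normalize_raw` exactly the names configured through the `env` and `labels` log options; a message that itself starts with `key=value` text is then kept as message text.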

## Advanced options

The Splunk logging driver lets you configure a few advanced options by setting
environment variables for the Docker daemon.

| Environment variable name                        | Default value | Description                                                                                                                              |
| :----------------------------------------------- | :------------ | :--------------------------------------------------------------------------------------------------------------------------------------- |
| `SPLUNK_LOGGING_DRIVER_POST_MESSAGES_FREQUENCY`  | `5s`          | The time to wait for more messages to batch.                                                                                             |
| `SPLUNK_LOGGING_DRIVER_POST_MESSAGES_BATCH_SIZE` | `1000`        | The number of messages that should accumulate before sending them in one batch.                                                          |
| `SPLUNK_LOGGING_DRIVER_BUFFER_MAX`               | `10 * 1000`   | The maximum number of messages held in buffer for retries.                                                                               |
| `SPLUNK_LOGGING_DRIVER_CHANNEL_SIZE`             | `4 * 1000`    | The maximum number of pending messages that can be in the channel used to send messages to the background logger worker, which batches them. |

Title: Splunk Logging Driver: Message Formats and Advanced Options
Summary
This section details the three message formats supported by the Splunk logging driver: `inline` (default, message embedded as a string), `json` (driver attempts to parse each line as a JSON object), and `raw` (attributes and tags are prefixed to the message). It provides examples for each format. The section then outlines advanced configuration options settable via Docker daemon environment variables, including `SPLUNK_LOGGING_DRIVER_POST_MESSAGES_FREQUENCY` (batch wait time), `SPLUNK_LOGGING_DRIVER_POST_MESSAGES_BATCH_SIZE` (batch size), `SPLUNK_LOGGING_DRIVER_BUFFER_MAX` (retry buffer size), and `SPLUNK_LOGGING_DRIVER_CHANNEL_SIZE` (pending message channel size).