I deployed the BanzaiCloud Logging Operator to send logs to Splunk using fluentd. Splunk interprets the source (host) as fluentd-0 but I want to have the $namespace.$pod as the host field. I tried to override the field with record_modifier which ends up in having a second host field.

    ...
    spec:
      filters:
        - record_transformer:
            records:
              - host: ${namespace_name}.${pod_name}
    ...

I also tried the replace function of record_modifier - without success.

    spec:
      filters:
        - record_modifier:
            replaces:
              - key: host
                expression: /^fluentd-0$/
                replace: ${namespace_name}.${pod_name}

I think the host field is not part of the "log payload" and therefore can't be manipulated using Record Modifier or Record Transformer.
Can anyone tell me what I need to configure so the host field is replaced to namespace.pod?
Ok I found the solution: The host field is generated by the Output and not by the Flow. So changing it like that:
ended up in having the expected name as host instead of fluentd-0. Also host can be used instead of host_key, if it should be hard-coded.
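
One way to wire up the Output-side setting described above, added here as an illustration and not taken from the original post: the Flow copies namespace and pod into a top-level record field, and the Output's `host_key` points at that field. The field name `splunk_host`, the resource names, the HEC endpoint and the Secret are assumptions, as is the presence of `kubernetes.namespace_name` and `kubernetes.pod_name` metadata on each record.

```yaml
# Added example; values marked "placeholder" are assumptions, not from the post.
apiVersion: logging.banzaicloud.io/v1beta1
kind: Flow
metadata:
  name: app-logs                        # placeholder
  namespace: default                    # placeholder
spec:
  filters:
    - record_transformer:
        enable_ruby: true               # needed to read the nested kubernetes metadata
        records:
          # splunk_host is a hypothetical field name chosen for this example
          - splunk_host: '${record["kubernetes"]["namespace_name"]}.${record["kubernetes"]["pod_name"]}'
  localOutputRefs:
    - splunk-output
---
apiVersion: logging.banzaicloud.io/v1beta1
kind: Output
metadata:
  name: splunk-output                   # placeholder
  namespace: default                    # placeholder
spec:
  splunkHec:
    hec_host: splunk.example.internal   # placeholder HEC endpoint
    hec_port: 8088
    hec_token:
      valueFrom:
        secretKeyRef:
          name: splunk-hec-token        # placeholder Secret holding the HEC token
          key: token
    # Take the event's host from the record field set in the Flow,
    # instead of the default (the fluentd pod's own hostname).
    host_key: splunk_host
    # For a fixed value, use `host` in place of host_key (not both):
    # host: my-cluster                  # placeholder
```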