You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
66 lines
2.8 KiB
66 lines
2.8 KiB
[journald://<name>]
|
|
* This is the systemd-journald input component for Splunk
|
|
|
|
|
|
* A list of fields to retrieve is controlled by "journalctl-include-fields" and "journalctl-exclude-fields"
|
|
* parameters. For most fields, they will be selected if they are in one of include-fields AND not in exclude-fields.
|
|
* The exceptions are MESSAAGE, CURSOR and _REALTIME_TIMESTAMP, that are treated specially by the system.
|
|
* An empty journalctl-include-fields setting will be treated as a direction to emit include all fields. If you want
|
|
* all fields except XYZ, you can keep journalctl-include-fields empty, and set journalctl-exclude-fields=XYZ
|
|
*
|
|
* If the param is not explicitly specified, default value will be used
|
|
* we will retrieve MESSAGE,__REALTIME_TIMESTAMP,PRIORITY,_SYSTEMD_UNIT,
|
|
* _SYSTEMD_CGROUP,_TRANSPORT,_PID,_UID,_MACHINE_ID,_GID,_COMM,_EXE
|
|
* If the param is explicitly specified, its value will overwrite default fields, but fields
|
|
* MESSAGE, __REALTIME_TIMESTAMP, __CURSOR will be always retrieved, but __REALTIME_TIMESTAMP and __CURSOR will
|
|
* be used internally and never sent to Splunk as fields.
|
|
* Fields __MONOTONIC_TIMESTAMP and __SOURCE_REALTIME_TIMESTAMP should always be suppressed to decrease
|
|
cardinality of data. Use Splunk event time instead.
|
|
journalctl-include-fields = <string>
|
|
|
|
* Once journalctl-include-fields are retrieved, you can filter which fields to send to Splunk using
|
|
* the journalctl-exclude-fields parameter. This filter is more expensive than journalctl-output-fields,
|
|
* as it is not natively supported by API and requires post-processing
|
|
journalctl-exclude-fields = <string>
|
|
|
|
|
|
* The following config parameters will be directly mapped to journalctl switches, see journalctl documentation.
|
|
|
|
* the "matches" concept in journalctl
|
|
* for example, _SYSTEMD_UNIT=avahi-daemon.service _PID=28097 + _SYSTEMD_UNIT=dbus.service
|
|
* will show all messages from Avahi service process with PID 28097 plus all messages
|
|
* from the D-Bus service
|
|
* www.freedesktop.org/software/systemd/journalctl.html
|
|
journalctl-filter = <string>
|
|
|
|
* -u, show messages for the specified systemd unit
|
|
journalctl-unit = <string>
|
|
|
|
* -t, show messages for the specified syslog identifier SYSLOG_IDENTIFIER
|
|
journalctl-identifier = <string>
|
|
|
|
* -p, filter output by message priorities or priority ranges.
|
|
journalctl-priority = <string>
|
|
|
|
* -b, messages from a specific boot
|
|
journalctl-boot = <string>
|
|
|
|
* --facility, syslog facility
|
|
journalctl-facility = <string>
|
|
|
|
* -g, filter output to entries where the MESSAGE= field matches the specified regular expression.
|
|
journalctl-grep = <string>
|
|
|
|
* --user-unit, show messages for the specified user session unit.
|
|
journalctl-user-unit = <string>
|
|
|
|
* -k, show only kernel messages.
|
|
journalctl-dmesg = <string>
|
|
|
|
* -q, suppresses all informational messages
|
|
journalctl-quiet = <string>
|
|
|
|
* reserved for future use
|
|
journalctl-freetext = <string>
|
|
|