This PR is for #16207

Updated OP's description to include the issue it fixes (so that it automatically closes it if this PR is merged)

Thanks very much for also implementing bash completion. That's really cool stuff!

@albers thank you for review! Just updated PR

Bash completion LGTM. Thanks for updating.

Didn't read the code, but I'm +1 for a splunk driver since we already have many similar logging drivers.
I do have to state again the fact that it's unfortunate we have to compile all of these drivers in, and would prefer to have these as run-time Go plugins whenever they are ready. I understand having out-of-process logging plugins can be a significant performance hit.

ping @sdurrheimer zsh completion: new log-driver

@outcoldman Is there any easy way to test driver?

@LK4D4 it depends on the definition of "easy". I did all my tests manually. To test it we need to

1. Download Splunk
2. Extract it somewhere, in case if it will be inside docker container - we will need to have access to any mapped volume with supported file system.
3. The test scripts can preconfigure HTTP Event Collector and start Splunk.
4. After we can just send some logs to Splunk and verify that these events were indexed.

Do you think that we can perform first 2 steps? Do you have an example?

@outcoldman I mean test manually, not unit-tests. Yes, I thought maybe you have docker image with splunk.

Ah, I see, so you are asking for instructions how to test it manually. This make sense.

1. You can use my own Docker Image with Splunk (https://hub.docker.com/r/outcoldman/splunk/) - this is not officially supported by Splunk image, but will be good enough for testing. Or you can download Splunk directly in Docker Dev image in mapped volume, let's say at /opt/splunk, you can download it from http://www.splunk.com/en_us/download.html
2. You need to expose port 8000 for Web Interface and 8088 for HTTP Event Collector.
3. After you will start Splunk open 8000 to get access to the Web Interface, you will need to configure HTTP Event Collector, see http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/UsetheHTTPEventCollector (use port 8088 for HTTP Event Collector, it is a default port, you can use HTTP or HTTPS, if you want to use HTTPS - you will need to configure custom certificates or use ca certificate for Docker daemon to configure Splunk driver or just ignore verification).
4. I used these parameters for HTTP (let me know if you also want to test HTTPS) to start nginx container (replace path to your Splunk instance and token given to you by Splunk on previous step)

docker run --log-driver=splunk --log-opt splunk-token=176FCEBF-4CF5-4EDF-91BC-703796522D20 --log-opt splunk-url=http://splunk:8088  -d -p 80:80 nginx

1. After to test the driver I have send few curl requests to nginx container using

curl http://localhost:80/?justatest=hello

1. In Splunk Web Interface in search string just run "*" and you should see your events.

@outcoldman thanks, I'll try. Moving to code-review in the meantime.

btw need rebase, sorry :)

@LK4D4 np, rebased!

I would recommend accepting both username & password, as well as http event collector tokens.
As it is, I am unable to test this PR because I am using splunk cloud, which does not yet support the http event collector.
Also, anyone using a self-hosted splunk which is older than 6.3 won't be able to use them either.

Hi @phemmer

Thanks for the input. Event Collector is available in Splunk Cloud, but it needs to be enabled via a support request. There's no UI yet for self-service. But it is definitely available. Please contact Splunk Cloud support and they will get you up and running.

As to the username / password. Going forward we will encourage people not to use the REST API to send events as it requires a username and password that can potentially leak access to Splunk. Also EC has been designed in a more scalable / available fashion than the receiver endpoints. Event Collector tokens are not attached to user credentials, they are specifically designed just for logging events. It is a special endpoint that only allows sending data with a valid token. This makes it more secure from a Splunk perspective as using the token will not allow accessing any part of Splunk, you can't even authenticate to the management port (8089) with the token.

Does that make sense?

You are correct that it is only in Splunk 6.3, but you can stand up dedicated Event Collector instances within a 6.2 environment and they will work fine. EC can run anywhere, an indexer, a forwarder, etc.

Sweet!
On Fri, Oct 23, 2015 at 10:30 AM Sebastiaan van Stijn <
notifications@github.com> wrote:

@moxiegirl https://github.com/moxiegirl gave me a "LGTM" in person [image:
👍] waiting for Janky to finish

—
Reply to this email directly or view it on GitHub
#16488 (comment).

I'd recommend clarifying that one paragraph. Otherwise, LGTM

Oh, boy.. looks like this needs a rebase :'( sorry for that @outcoldman

edit: sorry for the wrong ping @mountkin, autocomplete hit me :(

@thaJeztah np, rebased!

Al green! merging \o/

@outcoldman @glennblock congrats!

Thank you all for helping! And my personal huge thank to the @LK4D4.
Docker folks, you are great!

Thanks for contributing @outcoldman open source FTW!

Yay!!!! This rocks!
On Fri, Oct 23, 2015 at 9:02 PM Sebastiaan van Stijn <
notifications@github.com> wrote:

Thanks for contributing @outcoldman https://github.com/outcoldman open
source FTW!

—
Reply to this email directly or view it on GitHub
#16488 (comment).

Thank you all! We are seeing a lot of interest in Docker in our Splunk
customer base. This is an awesome day!
On Sat, Oct 24, 2015 at 9:11 AM Glenn Block glenn.block@gmail.com wrote:

Yay!!!! This rocks!
On Fri, Oct 23, 2015 at 9:02 PM Sebastiaan van Stijn <
notifications@github.com> wrote:

Thanks for contributing @outcoldman https://github.com/outcoldman open
source FTW!

—
Reply to this email directly or view it on GitHub
#16488 (comment).

Keewl! =)

@thaJeztah Looks like this was missed and not cherry picked in. Any idea when 1.9.3 is going out?

@moxiegirl I dunno why you think it should be in a milestone. It's a new feature == shouldn't be in the minor release.

There was some confusion about the timing, but this PR was merged after the 1.9.0 code freeze (1.9.0-rc1 was released on October 14th).

This driver will be part of the 1.10 release. For people wanting to give it a spin before that, it is available in the "Experimental" or "Master" builds (not intended for production)

Our understanding was it was part of 1.10. Thanks for confirming.

On Thu, Dec 10, 2015 at 4:48 PM Sebastiaan van Stijn <
notifications@github.com> wrote:

There was some confusion about the timing, but this PR was merged after
the 1.9.0 code freeze (1.9.0-rc1 was released on October 14th
https://github.com/docker/docker/releases/tag/v1.9.0-rc1).

This driver will be part of the 1.10 release. For people wanting to give
it a spin before that, it is available in the "Experimental" or "Master"
builds (not intended for production)

—
Reply to this email directly or view it on GitHub
#16488 (comment).

Maybe the splunk driver could receive more than one host in "--log-opt splunk-url" for the cases splunk running in cluster ?

Thanks for the suggestion. With HEC the recommendation is always to have a load balancer in front of the HEC pool. Based on that I don't think we need clustering support. Also that will complicate the implementation.