Docker and Splunk Integration

Input and output integration overview

The Docker input plugin allows you to collect metrics from your Docker containers using the Docker Engine API, facilitating enhanced visibility and monitoring of containerized applications.

This output plugin facilitates direct streaming of Telegraf collected metrics into Splunk via the HTTP Event Collector, enabling easy integration with Splunk’s powerful analytics platform.

Integration details

Docker

The Docker input plugin for Telegraf gathers valuable metrics from the Docker Engine API, providing insights into running containers. This plugin utilizes the Official Docker Client to interface with the Engine API, allowing users to monitor various container states, resource allocations, and performance metrics. With options for filtering containers by names and states, along with customizable tags and labels, this plugin supports flexibility in monitoring containerized applications in diverse environments, whether on local systems or within orchestration platforms like Kubernetes. Additionally, it addresses security considerations by requiring permissions for accessing Docker’s daemon and emphasizes proper configuration when deploying within containerized environments.

Splunk

Use Telegraf to easily collect and aggregate metrics from many different sources and send them to Splunk. Utilizing the HTTP output plugin combined with the specialized Splunk metrics serializer, this configuration ensures efficient data ingestion into Splunk’s metrics indexes. The HEC is an advanced mechanism provided by Splunk designed to reliably collect data at scale via HTTP or HTTPS, providing critical capabilities for security, monitoring, and analytics workloads. Telegraf’s integration with Splunk HEC streamlines operations by leveraging standard HTTP protocols, built-in authentication, and structured data serialization, optimizing metrics ingestion and enabling immediate actionable insights.

Configuration

Docker

[[inputs.docker]]
  ## Docker Endpoint
  ##   To use TCP, set endpoint = "tcp://[ip]:[port]"
  ##   To use environment variables (ie, docker-machine), set endpoint = "ENV"
  endpoint = "unix:///var/run/docker.sock"

  ## Set to true to collect Swarm metrics(desired_replicas, running_replicas)
  ## Note: configure this in one of the manager nodes in a Swarm cluster.
  ## configuring in multiple Swarm managers results in duplication of metrics.
  gather_services = false

  ## Only collect metrics for these containers. Values will be appended to
  ## container_name_include.
  ## Deprecated (1.4.0), use container_name_include
  container_names = []

  ## Set the source tag for the metrics to the container ID hostname, eg first 12 chars
  source_tag = false

  ## Containers to include and exclude. Collect all if empty. Globs accepted.
  container_name_include = []
  container_name_exclude = []

  ## Container states to include and exclude. Globs accepted.
  ## When empty only containers in the "running" state will be captured.
  # container_state_include = []
  # container_state_exclude = []

  ## Objects to include for disk usage query
  ## Allowed values are "container", "image", "volume" 
  ## When empty disk usage is excluded
  storage_objects = []

  ## Timeout for docker list, info, and stats commands
  timeout = "5s"

  ## Whether to report for each container per-device blkio (8:0, 8:1...),
  ## network (eth0, eth1, ...) and cpu (cpu0, cpu1, ...) stats or not.
  ## Usage of this setting is discouraged since it will be deprecated in favor of 'perdevice_include'.
  ## Default value is 'true' for backwards compatibility, please set it to 'false' so that 'perdevice_include' setting
  ## is honored.
  perdevice = true

  ## Specifies for which classes a per-device metric should be issued
  ## Possible values are 'cpu' (cpu0, cpu1, ...), 'blkio' (8:0, 8:1, ...) and 'network' (eth0, eth1, ...)
  ## Please note that this setting has no effect if 'perdevice' is set to 'true'
  # perdevice_include = ["cpu"]

  ## Whether to report for each container total blkio and network stats or not.
  ## Usage of this setting is discouraged since it will be deprecated in favor of 'total_include'.
  ## Default value is 'false' for backwards compatibility, please set it to 'true' so that 'total_include' setting
  ## is honored.
  total = false

  ## Specifies for which classes a total metric should be issued. Total is an aggregated of the 'perdevice' values.
  ## Possible values are 'cpu', 'blkio' and 'network'
  ## Total 'cpu' is reported directly by Docker daemon, and 'network' and 'blkio' totals are aggregated by this plugin.
  ## Please note that this setting has no effect if 'total' is set to 'false'
  # total_include = ["cpu", "blkio", "network"]

  ## docker labels to include and exclude as tags.  Globs accepted.
  ## Note that an empty array for both will include all labels as tags
  docker_label_include = []
  docker_label_exclude = []

  ## Which environment variables should we use as a tag
  tag_env = ["JAVA_HOME", "HEAP_SIZE"]

  ## Optional TLS Config
  # tls_ca = "/etc/telegraf/ca.pem"
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"
  ## Use TLS but skip chain & host verification
  # insecure_skip_verify = false

Splunk

[[outputs.http]]
  ## Splunk HTTP Event Collector endpoint
  url = "https://splunk.example.com:8088/services/collector"

  ## HTTP method to use
  method = "POST"

  ## Splunk authentication token
  headers = {"Authorization" = "Splunk YOUR_SPLUNK_HEC_TOKEN"}

  ## Serializer for formatting metrics specifically for Splunk
  data_format = "splunkmetric"

  ## Optional parameters
  # timeout = "5s"
  # insecure_skip_verify = false
  # tls_ca = "/path/to/ca.pem"
  # tls_cert = "/path/to/cert.pem"
  # tls_key = "/path/to/key.pem"

Input and output integration examples

Docker

1. Monitoring the Performance of Containerized Applications: Use the Docker input plugin in order to track the CPU, memory, disk I/O, and network activity of applications running in Docker containers. By collecting these metrics, DevOps teams can proactively manage resource allocation, troubleshoot performance bottlenecks, and ensure optimal application performance across different environments.

2. Integrating with Kubernetes: Leverage this plugin to gather metrics from Docker containers orchestrated by Kubernetes. By filtering out unnecessary Kubernetes labels and focusing on key metrics, teams can streamline their monitoring solutions and create dashboards that provide insights into the overall health of microservices running within the Kubernetes cluster.

3. Capacity Planning and Resource Optimization: Use the metrics collected by the Docker input plugin to perform capacity planning for Docker deployments. Analyzing usage patterns helps identify underutilized resources and over-provisioned containers, guiding decisions on scaling up or down based on actual usage trends.

4. Automated Alerting for Container Anomalies: Set up alerting rules based on the metrics collected through the Docker plugin to notify teams of unusual spikes in resource usage or service disruptions. This proactive monitoring approach helps maintain service reliability and optimize the performance of containerized applications.

Splunk

1. Real-Time Security Analytics: Utilize this plugin to stream security-related metrics from various applications into Splunk in real-time. Organizations can detect threats instantly by correlating data streams across systems, significantly reducing detection and response times.

2. Multi-Cloud Infrastructure Monitoring: Integrate Telegraf to consolidate metrics from multi-cloud environments directly into Splunk, enabling comprehensive visibility and operational intelligence. This unified monitoring allows teams to detect performance issues quickly and streamline cloud resource management.

3. Dynamic Capacity Planning: Deploy the plugin to continuously push resource metrics from container orchestration platforms (like Kubernetes) into Splunk. Leveraging Splunk’s analytics capabilities, teams can automate predictive scaling and resource allocation, avoiding resource bottlenecks and minimizing costs.

4. Automated Incident Response Workflows: Combine this plugin with Splunk’s alerting system to create automated incident response workflows. Metrics collected by Telegraf trigger real-time alerts and automated remediation scripts, ensuring rapid resolution and maintaining high system availability.

Feedback

Thank you for being part of our community! If you have any general feedback or found any bugs on these pages, we welcome and encourage your input. Please submit your feedback in the InfluxDB community Slack.