Add changes to SCK migration doc after testing migration scenario (si…

…gnalfx#605) * Add changes to SCK migration doc after testing migration scenario * Update docs/migration-from-sck.md Co-authored-by: harshit-splunk <[email protected]> Co-authored-by: harshit-splunk <[email protected]>
omrozowicz-splunk · Dec 15, 2022 · 927ce97 · 927ce97
1 parent 6159f52
commit 927ce97
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/docs/migration-from-sck.md b/docs/migration-from-sck.md
@@ -335,3 +335,31 @@ To delete the SCK deployment, find the name of the deployment using the `helm ls
   * ```index="Your logs index"```
 * Check the metrics index to see if you are receiving metrics from your Kubernetes cluster
   * ```| mcatalog values(metric_name) WHERE index="Your metrics index"```
+
+## Differences between Splunk Connect for Kubernetes and Splunk OpenTelemetry Collector for Kubernetes
+
+### Read logs location
+
+Splunk Connect for Kubernetes by default read containers logs from `/var/log/containers/*`
+Splunk OpenTelemetry Collector for Kubernetes by default read containers logs from `/var/log/pods/*`
+Change is reflected in `source` filed for extracted logs.
+
+### Default `sourcetype` for containers logs
+
+Both Splunk Connect for Kubernetes and Splunk OpenTelemetry Collector for Kubernetes define `sourcetype` for container logs as `kube:container:<container_name>` by default. But, Splunk Connect for Kubernetes explicitly defines the sourcetype of Kubernetes core components as `kube:<container_name>`. They are defined [here](https://github.com/splunk/splunk-connect-for-kubernetes/blob/2cae9b12bbd6545c9ef09b23e619b9783d9ceb38/helm-chart/splunk-connect-for-kubernetes/values.yaml#L330-L408)
+`sourcetype` configuration can be changed by adding `logsCollection.containers.extraOperators` configuration.
+
+### Extracted fields for logs
+
+Splunk OpenTelemetry Collector for Kubernetes follows naming convention for OpenTelemetry for extracted fields. Table below present differences in filed names extracted by Splunk OpenTelemetry Collector for Kubernetes and Splunk Connect for Kubernetes
+
+| Splunk Connect for Kubernetes | Splunk OpenTelemetry Collector for Kubernetes |
+|-------------------------------|-----------------------------------------------|
+| container_id                  | container.id                                  |
+| container_image               | container.image.name and container.image.tag  |
+| container_name                | k8s.container.name                            |
+| cluster_name                  | k8s.cluster.name                              |
+| namespace                     | k8s.namespace.name                            |
+| pod                           | k8s.pod.name                                  |
+| pod_uid                       | k8s.pod_uid                                   |
+| label_app                     | k8s.pod.labels.app                            |