Add script for docker events/metrics and support running TA outside of Splunk

* Add docker.sh and docker_metric.sh for collecting docker events/metrics
* Add helper script to extra/ to run the TA commands on systems without
  a Splunk forwarder. The commands can be sent to a syslog server.
  This script is useful for systems with small or read-only filesystems that
  cannot support a Universal Forwarder.
* Add syslog_inputs_nix_ta app to extra/ for ingesting the data from syslog

default/app.conf

@@ -17,7 +17,7 @@ docs_section_override = AddOns:released
 
 [launcher]
 author = Michael Erdely
-version = 9.2.0.4
+version = 9.2.0.5
 description = Technical Add-on for Unix and Linux
 
 #[package]
@@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux
 
 [id]
 name = TA-unix
-version = 9.2.0.4
+version = 9.2.0.5
 

default/eventtypes.conf

@@ -8,7 +8,7 @@
 search = NOT *
 
 [nix_ta_data]
-search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
+search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (docker_metric, vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, docker, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
 
 ###### Globals ######
 [nix_security]
@@ -112,6 +112,10 @@ search = sourcetype=time
 [usersWithLoginPrivs]
 search = sourcetype=usersWithLoginPrivs
 
+[docker]
+search = sourcetype=docker
+#tags = performance os avail unix report docker
+
 [vmstat]
 search = sourcetype=vmstat
 #tags = performance os avail unix report vmstat resource success memory

default/inputs.conf

@@ -4,6 +4,12 @@
 ##
 ##
 
+[script://./bin/docker_metric.sh]
+sourcetype = docker_metric
+source = docker
+interval = 60
+disabled = 1
+
 [script://./bin/vmstat_metric.sh]
 sourcetype = vmstat_metric
 source = vmstat
@@ -44,6 +50,12 @@ disabled = 1
 ############### Event Inputs ###################
 ################################################
 
+[script://./bin/docker.sh]
+interval = 60
+sourcetype = docker
+source = docker
+disabled = 1
+
 [script://./bin/vmstat.sh]
 interval = 60
 sourcetype = vmstat

default/props.conf

@@ -91,6 +91,15 @@ FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
 ## Scripted Metric Inputs
 #########################
 
+[docker_metric]
+SHOULD_LINEMERGE=false
+LINE_BREAKER = ([\r\n]+)
+KV_MODE = json
+NO_BINARY_CHECK = true
+TRUNCATE=1000000
+TRANSFORMS-docker-metric-dimensions=eval_dimensions
+METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_docker
+
 [vmstat_metric]
 SHOULD_LINEMERGE=false
 LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
@@ -506,6 +515,14 @@ TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT
 KV_MODE=multi
 
+[docker]
+SHOULD_LINEMERGE=false
+LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
+TRUNCATE=1000000
+KV_MODE = json
+FIELDALIAS-dest_for_docker = host as dest
+FIELDALIAS-src_for_docker = host as src
+
 [vmstat]
 LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
 TRUNCATE=1000000

default/transforms.conf

@@ -183,6 +183,9 @@ REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s
 # Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
 INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
 
+#[extract_docker_metrics]
+#INGEST_EVAL= CPUPct=CPUPct,MemUsage=MemUsage,MemTotal=MemTotal,MemPct=MemPct,NetRX=NetRX,RXps=RXps,NetTX=NetTX,TXps=TXps,BlockRead=BlockRead,BRps=BRps,BlockWrite=BlockWrite,BWps=BWps,Pids=Pids
+
 [extract_df_metrics]
 INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
 
@@ -208,6 +211,10 @@ METRIC-SCHEMA-BLACKLIST-DIMS= OSName
 METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
 METRIC-SCHEMA-BLACKLIST-DIMS= OSName
 
+[metric-schema:extract_metrics_docker]
+METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_version
+METRIC-SCHEMA-BLACKLIST-DIMS= OSName
+
 [metric-schema:extract_metrics_df]
 METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
 METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address