Splunk Logging


Introduction:

Splunk is software for monitoring, searching, visualizing and analyzing machine-generated data (application logs, web server data and database logs are typical examples) at big-data scale through a web-style interface. It indexes and searches log files stored on a system or similar sources, and it is both scalable and powerful. Splunk bridges the gaps that a single log management product, a security information product or an event management product cannot cover on its own.

Splunk logging with Java (with an example):

To look at the various logging possibilities, let us configure Splunk in a Java project and see how it can be used. A set of steps has to be completed first; assuming they are done, we will then work through a Java example and test the application with various combinations of logging to Splunk.

Steps to integrate Splunk with a Java project:

1. Add Splunk logging to your Java project.
2. Choose among the available options and add the logging library.
3. Open a TCP input on your Splunk instance to send your events to.
4. Configure your logging system.
5. Finally, use the SplunkCimLogEvent class to generate log entries in a consistent, searchable format.
 
Assuming you are able to configure Splunk logging in your Java projects (or in any other programming language you intend to use with Splunk), we will proceed with the logging examples. This topic covers the recommended practices to follow when you create events for the Splunk software to index.
 
Following the steps above, this article uses Logback as its logging library and provides the artifacts needed to get a working Java example up and running. Assuming that your Splunk Enterprise instance is running on localhost with a TCP input on the default port 15000, let us configure a TcpAppender for Logback, since Logback does not ship one of its own. The configuration below is all that is needed to get started.
 
logback.xml

<configuration>
    <appender name="socket" class="com.splunk.logging.TcpAppender">
        <RemoteHost>127.0.0.1</RemoteHost>
        <Port>15000</Port>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%date{ISO8601} [%thread] %level: %msg%n</pattern>
        </layout>
    </appender>
    <logger name="my.splunk.logger" additivity="false" level="INFO">
        <appender-ref ref="socket"/>
    </logger>
    <root level="INFO">
        <appender-ref ref="socket"/>
    </root>
</configuration>
 
The configuration above enables Logback logging in your Java project through the logger named my.splunk.logger, which sends every message from INFO level up to ERROR to Splunk over the socket appender.
 
Now we can create our own logging class by importing com.splunk.logging.SplunkCimLogEvent and using it to build events that carry the information we want to log.


Use of key-value pairs:

// SLF4J/Logback style: {} placeholders are filled from the trailing arguments
logger.debug("orderStatus=error, errorcode=546, userId={}, orderId={}", userId, orderId);
 
This is one of the best ways to add debug details to your application log, whether through Splunk or any other logging framework. For Splunk in particular, it is strongly recommended that you log information as meaningful key/value pairs, because Splunk can then apply features such as Reporting to extract useful details from the data. A simple search (for example, orderStatus=error) then retrieves all matching events at once, and building a report on order status with Splunk's Reporting feature becomes equally easy (for example, success=96%, error=3%, cancelled=1%).
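Key/value extraction only works if each value stays inside its pair, and the values in the line above (userId, orderId) often originate from user input. The following added example, which is not part of the original article, shows a small formatter that quotes every value and neutralizes quotes, backslashes and line breaks, so a hostile value cannot forge extra fields or split one event into two on the TCP input. The class and method names (KvLog, escape, format) and the sample values are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the original article): builds key="value" pairs that
 * Splunk's automatic field extraction can parse, while refusing to let untrusted
 * values such as a user-supplied orderId break the line or forge extra fields.
 */
public final class KvLog {

    private KvLog() {}

    /** Escape one value so it survives as a single quoted field value on one line. */
    static String escape(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '"':  out.append("\\\""); break;   // keep the closing quote intact
                case '\\': out.append("\\\\"); break;   // keep escapes unambiguous
                case '\r':                             // CR/LF would start a new event
                case '\n': out.append("\\n"); break;   // on the TCP input; log them as text
                default:
                    out.append(c < 0x20 ? '?' : c);    // drop other control characters
            }
        }
        return out.toString();
    }

    /** Render an ordered map as key="value" pairs separated by single spaces.
     *  Keys are chosen by the application code, never by the caller's input. */
    static String format(Map<String, ?> fields) {
        StringBuilder line = new StringBuilder();
        for (Map.Entry<String, ?> e : fields.entrySet()) {
            if (line.length() > 0) {
                line.append(' ');
            }
            line.append(e.getKey()).append("=\"")
                .append(escape(String.valueOf(e.getValue()))).append('"');
        }
        return line.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the orderId carries a newline and a fake field,
        // the kind of value that could arrive through an order form.
        String hostileOrderId = "A-1\norderStatus=success userId=1";
        Map<String, Object> fields = new LinkedHashMap<>();
        fields.put("orderStatus", "error");
        fields.put("errorcode", 546);
        fields.put("userId", 42);
        fields.put("orderId", hostileOrderId);

        // The rendered line stays on one line, so Splunk indexes exactly one event
        // whose orderId field still contains the original (escaped) text.
        System.out.println(format(fields));
    }
}
```

Pass the result of format() as the message to logger.debug or logger.info; searching orderStatus=error then matches only events where the application itself set that field.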
 
One of the best ways to add key/value pairs to your logging is shown below; the example above has been reworked with SplunkCimLogEvent for clarity.
 
logger.info(new SplunkCimLogEvent("KeyValuePairEvent", "keyValuePairEventID") {{
    addField("orderStatus", "error");
    addField("errorcode", "546");
}}.toString());  // toString() renders the event as key="value" pairs for the SLF4J logger

Use of stack-traces for your exceptions:

In cases where you expect exceptions, you can rely on the exception's stack trace to debug the failing scenario. Splunk lets you add the stack trace details alongside key/value pairs as shown in the example above, but for now we will concentrate on adding the exception's stack trace to our logging source.
 
The addThrowableWithStacktrace() method formats the exception together with its stack trace and adds it to the event.
 
logger.info(new SplunkCimLogEvent("StacktraceEvent", "stacktraceEventID") {{
    addThrowableWithStacktrace(exceptionObject);  // exceptionObject is the caught Throwable
}}.toString());

Use of auth-actions:

When you want to log and review authentication-related activity, or trace all the actions a specific user performed in your application, this comes into its own. Use the setAuthAction() method to specify the action performed on the resource. Let us see an example of its usage:
 
// One event per action: a second setAuthAction() call on the same event would
// overwrite the first, so login and logout are logged as separate events.
logger.info(new SplunkCimLogEvent("AuthActionEvent", "AuthActionEventID") {{
    setAuthAction("LoggedIn");
}}.toString());

logger.info(new SplunkCimLogEvent("AuthActionEvent", "AuthActionEventID") {{
    setAuthAction("LoggedOut");
}}.toString());
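To tie the three event types together (key/value pairs, stack traces and auth actions), here is an added example that is not part of the original article: a small audit helper that sends each kind of event through the my.splunk.logger logger from the logback.xml shown earlier, and records failed logins as well as successful ones so that Splunk searches on the action field can surface them. It calls only the SplunkCimLogEvent members already used on this page (the constructor, addField, addThrowableWithStacktrace and setAuthAction); the class name SplunkAuditLogger, its method names, the event ID scheme and the sample values are assumptions of this example.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.splunk.logging.SplunkCimLogEvent;

/**
 * Added example (not from the original article): one helper that emits the
 * three kinds of events discussed above. Class and method names are assumptions.
 */
public final class SplunkAuditLogger {

    // Same logger name as the <logger> element in logback.xml, so events reach the TCP appender.
    private static final Logger LOG = LoggerFactory.getLogger("my.splunk.logger");

    private SplunkAuditLogger() {}

    /** Authentication outcome: one event per attempt; the action value distinguishes success from failure. */
    public static void logLogin(String userId, String sourceIp, boolean success) {
        // A single event carries a single action; a second setAuthAction() call would
        // overwrite the first, so login and logout are logged as separate events.
        SplunkCimLogEvent event = new SplunkCimLogEvent("AuthActionEvent", "auth-" + userId);
        event.setAuthAction(success ? "LoggedIn" : "LoginFailed");
        event.addField("user", userId);
        event.addField("src", sourceIp);
        LOG.info(event.toString());
    }

    public static void logLogout(String userId) {
        SplunkCimLogEvent event = new SplunkCimLogEvent("AuthActionEvent", "auth-" + userId);
        event.setAuthAction("LoggedOut");
        event.addField("user", userId);
        LOG.info(event.toString());
    }

    /** Business failure as key/value fields, searchable with e.g. orderStatus=error. */
    public static void logOrderFailure(String userId, String orderId, int errorCode) {
        SplunkCimLogEvent event = new SplunkCimLogEvent("KeyValuePairEvent", "order-" + orderId);
        event.addField("orderStatus", "error");
        event.addField("errorcode", Integer.toString(errorCode));
        event.addField("userId", userId);
        event.addField("orderId", orderId);
        LOG.info(event.toString());
    }

    /** Unexpected exception: the stack trace travels inside the event rather than as separate lines. */
    public static void logException(String context, Throwable t) {
        SplunkCimLogEvent event = new SplunkCimLogEvent("StacktraceEvent", "exc-" + context);
        event.addField("context", context);
        event.addThrowableWithStacktrace(t);
        LOG.error(event.toString());
    }

    public static void main(String[] args) {
        // Constructed sample calls; the user, address and order values are made up.
        logLogin("jdoe", "203.0.113.7", true);
        logLogin("jdoe", "203.0.113.7", false);
        logOrderFailure("jdoe", "ORD-1001", 546);
        try {
            Integer.parseInt("not-a-number");
        } catch (NumberFormatException e) {
            logException("order-parse", e);
        }
        logLogout("jdoe");
    }
}
```

With the logback.xml above in place, the events arrive on the Splunk TCP input as single lines of key="value" pairs, so a search such as action=LoginFailed or orderStatus=error returns exactly the events these methods produced.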

Conclusion:

In this article we have tried to demystify what Splunk can do as a standalone product and where it can be used. We have also looked at how to use Splunk's logging feature to analyze your application logs.
 
We hope this article has provided the details you need to understand the concept. If you want to go deeper on this topic, we suggest the Splunk documentation.

 

