Splunk Logging

Introduction To Splunk Logging

Splunk is software that lets you monitor, search, visualize and analyze machine-generated data (application logs, web server data and database logs are typical examples), scaling up to big-data volumes, through a web-style interface. It indexes and searches log files stored on a system or forwarded to it, and it is both scalable and powerful. Splunk covers ground that a simple log management tool, a security information product or an event management product cannot cover on its own.

Splunk logging with Java (with an example)

To look at the various logging possibilities, let us configure Splunk in a Java project and see how it can be put to use. There is a set of steps we need to complete first; assuming they are done, we will then walk through a Java example and exercise the application with several logging combinations.


Steps to integrate Splunk with a Java project

  • Add Splunk logging to your Java project
  • Choose amongst the available options and add the logging library
  • Open a TCP input on your Splunk instance to log your events to
  • Configure your logging system
  • Finally, use SplunkCimLogEvent class to generate the log entries in a presentable manner

Assuming you are able to configure Splunk logging for your Java project (or for any other language you intend to use Splunk with), we will proceed with the logging examples. This section covers the recommended ways to create events that Splunk software will index.

Following the steps listed above, this article uses Logback as its logging library and provides the artifacts needed to get a working Java example up and running. Assuming your Splunk Enterprise instance is running on localhost with a TCP input on the default port of 15000, we now configure a TCPAppender for Logback, since Logback does not ship one of its own. The configuration below is the minimum needed to get started.

logback.xml

<configuration>
  <!-- TCP appender from the Splunk logging library; sends each event to the Splunk TCP input -->
  <appender name="socket" class="com.splunk.logging.TcpAppender">
    <RemoteHost>127.0.0.1</RemoteHost>
    <Port>15000</Port>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date{ISO8601} [%thread] %level: %msg%n</pattern>
    </layout>
  </appender>

  <!-- Dedicated logger for Splunk events; additivity=false keeps it from also reaching the root appenders -->
  <logger name="my.splunk.logger" additivity="false" level="INFO">
    <appender-ref ref="socket"/>
  </logger>

  <root level="INFO">
    <appender-ref ref="socket"/>
  </root>
</configuration>

The configuration above enables Logback logging in your Java project through a logger named my.splunk.logger, which forwards messages from the INFO level up to the highest level, ERROR, to the Splunk TCP input.

Now we can create our own logging class by importing com.splunk.logging.SplunkCimLogEvent and using that class to build events carrying whatever information you need to log.


Use of key-value pairs:

logger.debug("orderStatus=error, errorcode=546, userId={}, orderId={}", userId, orderId);

This is one of the best ways to add debug details to your application log, whether through Splunk or any other logging framework. For Splunk in particular, it is highly recommended that you log information as meaningful key and value pairs, because Splunk can then apply features such as Reporting to produce meaningful analysis of those fields. It becomes very easy for anyone to run a simple search (for example, orderStatus=error) and get all matching details at once. Likewise, if you want to use Splunk's Reporting feature to produce a report broken down by order status, that becomes straightforward (for example, success=96%, error=3%, cancelled=1%).

One of the best ways to add key/value pairs to your logging is shown below; the example above has been rewritten with SplunkCimLogEvent for clarity.

logger.info(new SplunkCimLogEvent("KeyValuePairEvent", "keyValuePairEventID") {{
    addField("orderStatus", "error");
    addField("errorcode", "546");
}});
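A complete class that wires the my.splunk.logger logger from the logback.xml above to SplunkCimLogEvent, as an added example that is not part of the original article. It assumes the Splunk Java logging library (com.splunk.logging) and SLF4J are on the classpath; the OrderEventLogger class, the OrderStatus enum and the sample order values are constructed for illustration. Because SLF4J's logging methods take a String message, the event is passed through a "{}" placeholder so its toString() renders the key=value pairs; the article's direct logger.info(event) form needs a logger whose info() accepts an Object, such as Log4j 2's.

```java
import com.splunk.logging.SplunkCimLogEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (not from the article): emits key/value events through the
 * "my.splunk.logger" logger configured in logback.xml, so every line reaches
 * the TcpAppender and is indexed by Splunk as searchable fields.
 */
public class OrderEventLogger {

    // Same logger name as the <logger> element in logback.xml.
    private static final Logger LOG = LoggerFactory.getLogger("my.splunk.logger");

    /** Constructed status values; a real application would have its own. */
    public enum OrderStatus { SUCCESS, ERROR, CANCELLED }

    /**
     * Builds one CIM-style event per order outcome. Each field becomes a
     * key=value pair, so a search such as orderStatus=error, or a report
     * broken down by orderStatus, works without any field extraction.
     */
    public static SplunkCimLogEvent orderEvent(String orderId, long userId,
                                                OrderStatus status, Integer errorCode) {
        SplunkCimLogEvent event = new SplunkCimLogEvent("OrderEvent", "orderEvent-" + orderId);
        event.addField("orderId", orderId);
        event.addField("userId", userId);
        event.addField("orderStatus", status.name().toLowerCase());
        if (errorCode != null) {
            // Only present on failures, so errorcode=* isolates failed orders.
            event.addField("errorcode", errorCode);
        }
        return event;
    }

    /** Logs the event at the level matching the outcome. */
    public static void logOrder(String orderId, long userId, OrderStatus status, Integer errorCode) {
        SplunkCimLogEvent event = orderEvent(orderId, userId, status, errorCode);
        if (status == OrderStatus.ERROR) {
            LOG.error("{}", event);   // toString() renders the key=value pairs
        } else {
            LOG.info("{}", event);
        }
    }

    public static void main(String[] args) {
        // Constructed sample orders.
        logOrder("A-1001", 42L, OrderStatus.SUCCESS, null);
        logOrder("A-1002", 42L, OrderStatus.ERROR, 546);
        logOrder("A-1003", 7L, OrderStatus.CANCELLED, null);
    }
}
```

The event is built in a plain method rather than with the double-brace initializer shown above: double-brace initialization creates an anonymous subclass at every call site and captures a reference to the enclosing instance, which is harmless for a throwaway snippet but unnecessary in application code.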


Use of stack-traces for your exceptions:

In cases where you expect exceptions, you can always rely on the exception's stack trace to debug the failing scenario properly. Splunk lets you attach the stack-trace details alongside the key/value pairs shown in the example above, but for now we will concentrate on adding the exception's stack trace to our logging source.


The addThrowableWithStacktrace() method formats the exception and adds it to your logging source.

logger.info(new SplunkCimLogEvent("StacktraceEvent", "stacktraceEventID") {{
    addThrowableWithStacktrace(exceptionObject);
}});

Use of auth-actions:

This comes into its own when you want to log and review authentication-related activity, or trace back everything a specific user did in your application. Use the setAuthAction() method to specify the action performed on the resource. Let us look at an example of its usage:

// Each event carries a single auth action; a second setAuthAction() call on the
// same event would overwrite the first, so log one event per action.
logger.info(new SplunkCimLogEvent("AuthActionEvent", "AuthActionEventID") {{
    setAuthAction("LoggedIn");
}});

logger.info(new SplunkCimLogEvent("AuthActionEvent", "AuthActionEventID") {{
    setAuthAction("LoggedOut");
}});
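The following class combines the stack-trace and auth-action sections above into one login/logout flow, as an added example that is not part of the original article. It assumes the Splunk Java logging library and SLF4J on the classpath and that SplunkCimLogEvent provides the setAuthApp(), setAuthUser() and setAuthSrc() setters alongside setAuthAction(); the AuthEventLogger class, the CredentialStore interface and the sample users and addresses are constructed for illustration. It goes slightly beyond the article by emitting exactly one event per authentication outcome (success, failure, logout) and attaching the stack trace only when the backend throws.

```java
import com.splunk.logging.SplunkCimLogEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Arrays;

/**
 * Added example (not from the article): one SplunkCimLogEvent per
 * authentication action, carrying the CIM authentication fields so that a
 * search such as action=failure grouped by user and src works without any
 * field extraction.
 */
public class AuthEventLogger {

    private static final Logger LOG = LoggerFactory.getLogger("my.splunk.logger");

    /** Hypothetical backend; a real one verifies a password hash, never clear text. */
    public interface CredentialStore {
        boolean verify(String user, char[] password) throws Exception;
    }

    /** Builds the event for a single action; the reason is optional. */
    public static SplunkCimLogEvent authEvent(String action, String user, String srcIp, String reason) {
        SplunkCimLogEvent event = new SplunkCimLogEvent("AuthActionEvent", "auth-" + user);
        event.setAuthApp("web-portal");      // constructed application name
        event.setAuthAction(action);         // success, failure or logout
        event.setAuthUser(user);
        event.setAuthSrc(srcIp);
        if (reason != null) {
            event.addField("reason", reason);
        }
        // Deliberately no password or session token field: log who did what, never the secret.
        return event;
    }

    /** Attempts a login and logs exactly one event describing the outcome. */
    public static boolean login(CredentialStore store, String user, char[] password, String srcIp) {
        try {
            boolean ok = store.verify(user, password);
            if (ok) {
                LOG.info("{}", authEvent("success", user, srcIp, null));
            } else {
                LOG.warn("{}", authEvent("failure", user, srcIp, "bad_credentials"));
            }
            return ok;
        } catch (Exception e) {
            // Backend error: still a failure from the user's point of view, with the
            // stack trace attached for troubleshooting.
            SplunkCimLogEvent event = authEvent("failure", user, srcIp, "backend_error");
            event.addThrowableWithStacktrace(e);
            LOG.error("{}", event);
            return false;
        } finally {
            Arrays.fill(password, '\0');     // do not keep the secret around in memory
        }
    }

    public static void logout(String user, String srcIp) {
        LOG.info("{}", authEvent("logout", user, srcIp, null));
    }

    public static void main(String[] args) {
        // Constructed store: accepts one hard-coded user and throws for a "broken" user.
        CredentialStore store = (user, pw) -> {
            if ("broken".equals(user)) {
                throw new IllegalStateException("directory unreachable");
            }
            return "alice".equals(user) && Arrays.equals(pw, "correct horse".toCharArray());
        };
        login(store, "alice", "correct horse".toCharArray(), "10.0.0.5");
        login(store, "alice", "wrong".toCharArray(), "10.0.0.5");
        login(store, "broken", "x".toCharArray(), "10.0.0.9");
        logout("alice", "10.0.0.5");
    }
}
```

Keeping the action, user and source address as separate fields on every event is what makes the resulting data useful for review: repeated action=failure events for one user from one src are visible with a single search, while the backend_error reason separates an outage from a credential problem.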

Conclusion:

In this article, we have tried to demystify what Splunk can do as standalone software and where it can be used. We have also looked at how to use Splunk logging to analyze your application logs.

We hope this article has given you the details needed to understand the concept as a whole. If you want to go deeper on this topic, we suggest going through the Splunk documentation.

Last updated: 03 Apr 2023
About Author


Madhuri is a Senior Content Creator at MindMajix. She has written about a range of topics on various technologies, including Splunk, Tensorflow, Selenium, and CEH. She spends most of her time researching technology and startups. Connect with her via LinkedIn and Twitter.
