https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139018#M2240 <P>I am working on a standards document for my team. It will define how best to use Splunk in regards to error handling. </P> <P>I've started with the Splunk Logging Best Practices. <A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6">http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6</A></P> <P>Is there any other documentation that anyone has created for this purpose? Mine will be directed towards our Java Development team. Although our Application Administrators (DEVOPS) will also be relying on it. </P> <P>Notifications are a major topic I'm looking for advice on. Today we use some 'Alerts' that send email but they could be improved. Is there a best practice for creating logs that key alerts? </P> <P>What about severity levels? Is this entirely application specific? Do you use a certain key=value that identifies the type of failure and write Alerts based on this data?</P> <P>Thanks!</P> Tue, 22 Apr 2014 19:33:25 GMT cwcoleman 2014-04-22T19:33:25Z https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139018#M2240 <P>I am working on a standards document for my team. It will define how best to use Splunk in regards to error handling. </P> <P>I've started with the Splunk Logging Best Practices. <A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6">http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6</A></P> <P>Is there any other documentation that anyone has created for this purpose? Mine will be directed towards our Java Development team. Although our Application Administrators (DEVOPS) will also be relying on it. </P> <P>Notifications are a major topic I'm looking for advice on. Today we use some 'Alerts' that send email but they could be improved. Is there a best practice for creating logs that key alerts? </P> <P>What about severity levels? Is this entirely application specific? Do you use a certain key=value that identifies the type of failure and write Alerts based on this data?</P> <P>Thanks!</P> Tue, 22 Apr 2014 19:33:25 GMT https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139018#M2240 cwcoleman 2014-04-22T19:33:25Z https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139019#M2241 <P>You want : </P> <OL> <LI>a timestamp on the first line.</LI> <LI>key=values or key="value on a sentence" fields (easier to be automatically detected) </LI> <LI>fit in the defaults event parsing limits : </LI> </OL> <UL> <LI>10000 characters per line, and 255 lines per multiline events for the defaults</LI> <LI> Otherwise, define a custom sourcetype with larger limits.</LI> </UL> <P>for severity, you can use the basic syslog DEBUG/INFO/WARN/ERROR/FATAL ...<BR /> or use an integers scale (that are easier to filter with a simple condition severity&gt;2)</P> Tue, 22 Apr 2014 22:21:41 GMT https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139019#M2241 yannK 2014-04-22T22:21:41Z https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139020#M2242 <P>Great. These are all helpful items. I'll be adding each to my specification.</P> Wed, 23 Apr 2014 17:26:51 GMT https://community.splunk.com/t5/Alerting/Defining-standards-for-using-Splunk-as-an-Error-Handling-tool/m-p/139020#M2242 cwcoleman 2014-04-23T17:26:51Z