- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to send logs from demo app that I built using the log4j-slf4j-impl library to Splunk Cloud instance.
I followed the instruction in http://dev.splunk.com/view/splunk-logging-java/SP-CAAAE7M
My code contains a Main class, log4j2.xml, and a pom file.
Main class:
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import com.splunk.logging.HttpEventCollectorLog4jAppender;
public class TestApp {
public static final Logger LOG = LogManager.getLogger("testApp");
public static void main(String[] args) {
LOG.info("This Will Be Printed On Info");
LOG.error("This Will Be Printed On Error");
LOG.fatal("This Will Be Printed On Fatal");
}
}
log4j2.xml is located in path: \src\main\resources\log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns="http://logging.apache.org/log4j/2.0/config">
<Appenders>
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout pattern="%-5p | %d{yyyy-MM-dd HH:mm:ss} | [%t] %C{2} (%F:%L) - %m%n" />
</Console>
<Http name="http" url="https://%URL%.cloud.splunk.com/services/collector" token="%TOKEN%" disableCertificateValidation="true">
<PatternLayout pattern="%-5p | %d{yyyy-MM-dd HH:mm:ss} | [%t] %C{2} (%F:%L) - %m%n" />
</Http>
</Appenders>
<Loggers>
<Logger name="testApp" level="debug" />
<Root level="info">
<AppenderRef ref="STDOUT" />
<AppenderRef ref="http"/>
</Root>
</Loggers>
</Configuration>
pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">;
<modelVersion>4.0.0</modelVersion>
<groupId>log4j-slf4j-impl-example</groupId>
<artifactId>log4j-slf4j-impl-example</artifactId>
<version>1.0-SNAPSHOT</version>
<repositories>
<repository>
<id>splunk-artifactory</id>
<name>Splunk Releases</name>
<url>http://splunk.jfrog.io/splunk/ext-releases-local</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.splunk.logging</groupId>
<artifactId>splunk-library-javalogging</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.3.0</version>
</dependency>
</dependencies>
</project>
The result of the app is:
INFO | 2019-06-14 15:39:46 | [main] TestApp (TestApp.java:9) - This Will Be Printed On Info
ERROR | 2019-06-14 15:39:46 | [main] TestApp (TestApp.java:10) - This Will Be Printed On Error
FATAL | 2019-06-14 15:39:46 | [main] TestApp (TestApp.java:11) - This Will Be Printed On Fatal
Which means that the app runs, and prints to console as in the appender, But the program continues to run,
in my opinion, it can't reach the URL address of my Splunk instance. I also checked my Splunk instance and no data reached the server.
Can any guide me on what is not configured correctly?
Thank you in advance
John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @johnjonatan319 ,
Here are things to check for troubleshooting:
- Do you receive events from that host for the _internal index?
If not, then you probably do not have the forward setup to send data to SplunkCloud correctly: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/DataSplunkCloudcanindex
- Instead of writing to STDOUT, write to a file on disk, and then configure the forwarder to watch that file If this works, then it would be an issue with the way the app is processing STDOUT information. Maybe writing to disk would be a better option for troubleshooting and providing the ability to re-ingest missed events in the case of a network issue/error.
Let me know if this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @johnjonatan319 ,
Here are things to check for troubleshooting:
- Do you receive events from that host for the _internal index?
If not, then you probably do not have the forward setup to send data to SplunkCloud correctly: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/DataSplunkCloudcanindex
- Instead of writing to STDOUT, write to a file on disk, and then configure the forwarder to watch that file If this works, then it would be an issue with the way the app is processing STDOUT information. Maybe writing to disk would be a better option for troubleshooting and providing the ability to re-ingest missed events in the case of a network issue/error.
Let me know if this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your assistance.
The problem was that i used the cloud, When i installed a normal Splunk instance the problem diapered.
Thank you again
John
