I am new to configuring Splunk; I have just installed an instance locally. I have an application which uses log4net to output its logs and I am trying to make the complete logs, with all properties, go to Splunk over UDP.
I see that Splunk supports a source type log4net_xml, which I would assume corresponds to log4net's XmlLayout. I have therefore created a UDP data source in Splunk, selecting log4net_xml as the source type.
I have also added an appender to the log4net.config file of my application:
<appender name="UdpAppender" type="log4net.Appender.UdpAppender">
  <identity value="Logging" />
  <layout type="log4net.Layout.XmlLayout" />
  <remoteAddress value="127.0.0.1" />
  <remotePort value="514" />
</appender>
Events from my application show up in Splunk search fine, formatted as XML strings similar to this one:
<log4net:message>Hello world!</log4net:message><log4net:properties><log4net:data name="Subject" value="Site ERROR" /><log4net:data name="log4net:UserName" value="kamil" /></log4net:properties>
Given that Splunk gives an impression of supporting this format, I would expect it to extract fields such as message, Subject and UserName from these strings but this does not happen. The only fields are Splunk's built-in ones, plus a couple random ones where Splunk found some substrings of the format XYZ=ABC within these logs.
I tried using the log4j source type (faked with log4net's XmlLayoutSchemaLog4j layout) but this did not work either.
Does what I'm trying to do make sense? Or am I too naive in my approach?
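
The fields the post expects from the sample event, shown as an added Python sketch (not part of the original post, and not Splunk's own extraction logic). The function name `extract_fields` and the namespace URI are assumptions made for this example; the fragment is wrapped in a root element because the `log4net:` prefix is used in the event without being declared.

```python
import xml.etree.ElementTree as ET

# Placeholder URI (assumption): the event uses the "log4net:" prefix without
# declaring it, so the fragment is not well-formed XML on its own.
LOG4NET_NS = "urn:example:log4net"

# Constructed sample: the event shown in the post.
SAMPLE = (
    '<log4net:message>Hello world!</log4net:message>'
    '<log4net:properties>'
    '<log4net:data name="Subject" value="Site ERROR" />'
    '<log4net:data name="log4net:UserName" value="kamil" />'
    '</log4net:properties>'
)


def extract_fields(fragment):
    """Return the message and properties of one XmlLayout fragment as a flat dict."""
    # Wrapping gives the parser a single root and a binding for the prefix.
    # It also means a DOCTYPE inside the datagram is rejected as malformed.
    wrapped = '<root xmlns:log4net="%s">%s</root>' % (LOG4NET_NS, fragment)
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError:
        # Malformed or truncated datagram: report no fields instead of guessing.
        return {}

    fields = {}
    for element in root.iter():
        local_name = element.tag.split("}", 1)[-1]
        if local_name == "message":
            fields["message"] = element.text or ""
        elif local_name == "data":
            name = element.get("name")
            if not name:
                continue
            # Built-in properties carry a "log4net:" prefix in the name attribute.
            if name.startswith("log4net:"):
                name = name[len("log4net:"):]
            fields[name] = element.get("value", "")
    return fields


if __name__ == "__main__":
    print(extract_fields(SAMPLE))
```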