From our ASP.NET MVC application we write XML log files in the event schema format using a trace listener contained in the .NET Framework (System.Diagnostics.EventSchemaTraceListener from the System.Core DLL). Pretty standard in the .NET microcosmos...
I'm wondering if and how Splunk can handle this kind of (standard Windows) event schema? The trick is the "correlation" between related activities. This way I can group activities and sub-activities not only from a technical perspective but also from a business perspective (e.g. to log the whole business process). This is a sample "event" where the correlation comes into play:
(1) First the configuration questions:
Does Splunk "understand" this kind of XML format out-of-the-box?
How to configure the "Data input"?
(2) Second the Search questions:
How can we query all messages from a logical activity?
And how to query all related (sub-) activities with the "parent" correlation token?
Thanks in advance.
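As an added example (not code from the original poster's application, from the .NET trace listener, or from Splunk), the script below parses a log in the Windows Event Schema and answers the two search questions outside Splunk: it groups messages by ActivityID and follows RelatedActivityID to find every sub-activity under a parent token. The log text is constructed; the element names follow the MSDN event schema, and it is assumed that EventSchemaTraceListener writes the message under EventData/Data (the listener may use a different element for the message, in which case only that XPath needs adjusting).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace of the Windows Event Schema, as written by EventSchemaTraceListener.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample log (not real output from the poster's application).
# The listener writes a bare sequence of <Event> elements with no document
# root, which this string imitates. Activity ...0001 is the parent business
# activity; ...0002 and ...0003 point back to it via RelatedActivityID, and
# ...0004 is a sub-activity of ...0002.
SAMPLE_LOG = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ShopWeb"/><EventID>1</EventID>
    <TimeCreated SystemTime="2012-03-01T10:00:00.000Z"/>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000001}"/></System>
  <EventData><Data Name="Message">Checkout started</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ShopWeb"/><EventID>2</EventID>
    <TimeCreated SystemTime="2012-03-01T10:00:01.000Z"/>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000002}"
                 RelatedActivityID="{00000000-0000-0000-0000-000000000001}"/></System>
  <EventData><Data Name="Message">Validate cart</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ShopWeb"/><EventID>3</EventID>
    <TimeCreated SystemTime="2012-03-01T10:00:02.000Z"/>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000004}"
                 RelatedActivityID="{00000000-0000-0000-0000-000000000002}"/></System>
  <EventData><Data Name="Message">Check stock</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ShopWeb"/><EventID>4</EventID>
    <TimeCreated SystemTime="2012-03-01T10:00:03.000Z"/>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000003}"
                 RelatedActivityID="{00000000-0000-0000-0000-000000000001}"/></System>
  <EventData><Data Name="Message">Charge card</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="ShopWeb"/><EventID>5</EventID>
    <TimeCreated SystemTime="2012-03-01T10:00:05.000Z"/>
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000001}"/></System>
  <EventData><Data Name="Message">Checkout finished</Data></EventData>
</Event>
"""


def parse_events(log_text):
    """Parse a root-less event log into flat records (one dict per <Event>)."""
    root = ET.fromstring("<Events>" + log_text + "</Events>")  # supply the missing root
    records = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        corr = system.find("e:Correlation", NS)
        msg = ev.find("e:EventData/e:Data", NS)
        records.append({
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "activity": corr.get("ActivityID") if corr is not None else None,
            "related": corr.get("RelatedActivityID") if corr is not None else None,
            "message": msg.text if msg is not None else "",
        })
    return records


def messages_for_activity(records, activity_id):
    """Search question 1: all messages logged under one logical activity, in file order."""
    return [r["message"] for r in records if r["activity"] == activity_id]


def child_activities(records, parent_id):
    """Direct sub-activities: activities whose RelatedActivityID is the parent token."""
    return sorted({r["activity"] for r in records if r["related"] == parent_id})


def activity_tree(records, root_id):
    """Search question 2: the parent and all transitive sub-activities as a nested dict."""
    by_parent = defaultdict(set)
    for r in records:
        if r["related"]:
            by_parent[r["related"]].add(r["activity"])

    def build(node, seen):
        seen = seen | {node}  # guard against cyclic tokens in a corrupt log
        return {c: build(c, seen) for c in sorted(by_parent[node]) if c not in seen}

    return {root_id: build(root_id, frozenset())}


def all_sub_activities(records, root_id):
    """Flatten the tree to a depth-first list of every activity below the root."""
    found = []

    def walk(subtree):
        for child, grandchildren in subtree.items():
            found.append(child)
            walk(grandchildren)

    walk(activity_tree(records, root_id)[root_id])
    return found


if __name__ == "__main__":
    recs = parse_events(SAMPLE_LOG)
    parent = "{00000000-0000-0000-0000-000000000001}"
    print(messages_for_activity(recs, parent))
    print(activity_tree(recs, parent))
```

The same two steps are what a Splunk search has to do once the ActivityID and RelatedActivityID attributes are extracted as fields: filtering on one ActivityID gives the activity's messages, and looking up events whose RelatedActivityID equals the parent token gives the sub-activities; nested sub-activities need that lookup repeated per level, as the tree walk above does.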
Stefan, I haven't seen specific .NET plug-ins (though clearly there is a potential following ;-), but Splunk will index your logs ok. Search xml in the Splunk base for more. The following shows a few tweaks you may need to consider within the inputs.conf and props files using whitelists.
I'd be interested to see how it went...let us know.
I should add - xml with the tag data makes it eminently usable within Splunk, so less issues in respect of field identification even if you have to use regexes.
Thanks. Just to make it clear: the event schema is not .NET specific at all. It's the standard Windows Event Log format. See "Event Schema (Windows)" on MSDN for instance: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201