Getting Data In

Modular input log file and its ingestion for Appinspect

mtroianovskyi
Explorer

Our app's modular input is writing its logs into $SPLUNK_HOME/var/log/$APP_NAME/$LOG_NAME.log - this conforms to the Appinspect check Operating system standards - Check that applications only write to the following directories.

However, when we try to add the default/inputs.conf with the monitor stanza to ingest the modular input logs into _internal index, we get the failure - Check [fifo] or [monitor] stanza is not used in inputs.conf unless the input stanza is used to ingest data from $SPLUNK_HOME/var/log/splunk.

So one check suggests to use $SPLUNK_HOME/var/log/$APP_NAME while the other check suggests $SPLUNK_HOME/var/log/splunk instead. So it is not clear what directory has to be used for the custom app modular input logs.

0 Karma
1 Solution

mtroianovskyi
Explorer

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

View solution in original post

0 Karma

mtroianovskyi
Explorer

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...