Solved: Modular input log file and its ingestion for Appin...

mtroianovskyi · ‎05-21-2019

Our app's modular input is writing its logs into $SPLUNK_HOME/var/log/$APP_NAME/$LOG_NAME.log - this conforms to the Appinspect check Operating system standards - Check that applications only write to the following directories.

However, when we try to add the default/inputs.conf with the monitor stanza to ingest the modular input logs into _internal index, we get the failure - Check [fifo] or [monitor] stanza is not used in inputs.conf unless the input stanza is used to ingest data from $SPLUNK_HOME/var/log/splunk.

So one check suggests to use $SPLUNK_HOME/var/log/$APP_NAME while the other check suggests $SPLUNK_HOME/var/log/splunk instead. So it is not clear what directory has to be used for the custom app modular input logs.

mtroianovskyi · ‎05-24-2019

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

View solution in original post

mtroianovskyi · ‎05-24-2019

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

View solution in original post

Modular input log file and its ingestion for Appinspect

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >

Modular input log file and its ingestion for Appinspect

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey.Earn $50 in Amazon cash! Full Details! >

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >