Getting Data In

Modular input log file and its ingestion for Appinspect

mtroianovskyi
Explorer

Our app's modular input is writing its logs into $SPLUNK_HOME/var/log/$APP_NAME/$LOG_NAME.log - this conforms to the Appinspect check Operating system standards - Check that applications only write to the following directories.

However, when we try to add the default/inputs.conf with the monitor stanza to ingest the modular input logs into _internal index, we get the failure - Check [fifo] or [monitor] stanza is not used in inputs.conf unless the input stanza is used to ingest data from $SPLUNK_HOME/var/log/splunk.

So one check suggests to use $SPLUNK_HOME/var/log/$APP_NAME while the other check suggests $SPLUNK_HOME/var/log/splunk instead. So it is not clear what directory has to be used for the custom app modular input logs.

0 Karma
1 Solution

mtroianovskyi
Explorer

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

View solution in original post

0 Karma

mtroianovskyi
Explorer

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...