Our app's modular input is writing its logs into $SPLUNK_HOME/var/log/$APP_NAME/$LOG_NAME.log - this conforms to the Appinspect check Operating system standards - Check that applications only write to the following directories.
However, when we try to add the default/inputs.conf with the monitor stanza to ingest the modular input logs into _internal index, we get the failure - Check [fifo] or [monitor] stanza is not used in inputs.conf unless the input stanza is used to ingest data from $SPLUNK_HOME/var/log/splunk.
So one check suggests using $SPLUNK_HOME/var/log/$APP_NAME while the other check suggests $SPLUNK_HOME/var/log/splunk instead. So it is not clear which directory has to be used for the custom app modular input logs.
As suggested by alacercogitatus on splunk-usergroups:

> you should write to `var/log/splunk/<appname>/modinput.log`, and include a Diag.py so that you can do `splunk diag --collect app:<appname>` and only get your own files, and not the whole system
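An added example (not code from the original answer or from Splunk) showing how a modular input can follow that advice: the log lands under $SPLUNK_HOME/var/log/splunk/<appname>/, which satisfies the directory check, and the matching default/inputs.conf monitor stanza is therefore allowed to feed it into _internal. The app name, sourcetype and rotation sizes are assumed values.

```python
import logging
import os
from logging.handlers import RotatingFileHandler

# Hypothetical app name; in practice use the app's own directory name.
APP_NAME = "my_modinput_app"


def modinput_log_path(app_name, splunk_home=None):
    """Log location that satisfies both Appinspect checks quoted above:
    it sits under $SPLUNK_HOME/var/log/splunk (so a [monitor] stanza for
    it is permitted) while still being namespaced per app."""
    splunk_home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    return os.path.join(splunk_home, "var", "log", "splunk", app_name, "modinput.log")


def monitor_stanza(app_name, sourcetype):
    """default/inputs.conf stanza ingesting that file into _internal.
    The path keeps the literal $SPLUNK_HOME variable, as inputs.conf expects."""
    path = "$SPLUNK_HOME/var/log/splunk/%s/modinput.log" % app_name
    return "\n".join([
        "[monitor://%s]" % path,
        "index = _internal",
        "sourcetype = %s" % sourcetype,
        "disabled = 0",
    ])


def setup_logger(app_name, splunk_home=None):
    """Rotating file logger writing to the path above; the app's log
    directory is created on first use. Returns (logger, path)."""
    path = modinput_log_path(app_name, splunk_home)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    logger = logging.getLogger("%s.modinput" % app_name)
    if not logger.handlers:  # avoid duplicate handlers on repeated calls
        handler = RotatingFileHandler(path, maxBytes=5 * 1024 * 1024, backupCount=5)
        handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger, path


if __name__ == "__main__":
    log, where = setup_logger(APP_NAME)
    log.info("modular input started")
    print(where)
    print(monitor_stanza(APP_NAME, "%s:modinput" % APP_NAME))
```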