Getting Data In

Modular input log file and its ingestion for Appinspect

mtroianovskyi
Explorer

Our app's modular input is writing its logs into $SPLUNK_HOME/var/log/$APP_NAME/$LOG_NAME.log - this conforms to the Appinspect check Operating system standards - Check that applications only write to the following directories.

However, when we try to add the default/inputs.conf with the monitor stanza to ingest the modular input logs into _internal index, we get the failure - Check [fifo] or [monitor] stanza is not used in inputs.conf unless the input stanza is used to ingest data from $SPLUNK_HOME/var/log/splunk.

So one check suggests to use $SPLUNK_HOME/var/log/$APP_NAME while the other check suggests $SPLUNK_HOME/var/log/splunk instead. So it is not clear what directory has to be used for the custom app modular input logs.

0 Karma
1 Solution

mtroianovskyi
Explorer

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

View solution in original post

0 Karma

mtroianovskyi
Explorer

As suggested by alacercogitatus on splunk-usergroups:

you should write to var/log/splunk/<appname>/modinput.log, and include a Diag.py so that you can do splunk diag --collect app:<appname> and only get your own files, and not the whole system

0 Karma
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...