Unable to get logs in splunk from mulesoft

fhatrick
Loves-to-Learn

Hi, I have created a new token and index in Splunk for my MuleSoft project.

These are the configurations I have done in MuleSoft to get the Splunk logs. Despite this, I am unable to see any logs in the dashboard when I search like index="indexname".

LOG4J2.XML FILE CHANGES

<Configuration status="INFO" name="cloudhub"
        packages="com.mulesoft.ch.logging.appender,com.splunk.logging,org.apache.logging.log4j">
    <Appenders>
        <RollingFile "Rolling file details here"
        </RollingFile>
        <SplunkHttp name="Splunk"
                url="localhost url"
                token="token" index="indexname"
                batch_size_count="10" disableCertificateValidation="true">
            <PatternLayout
                    pattern="%-5p %d [%t] [processor: %X{processorPath}; event: %X{correlationId}] %c: %m%n" />
        </SplunkHttp>
        <Log4J2CloudhubLogAppender name="CloudHub"
                addressProvider="com.mulesoft.ch.logging.DefaultAggregatorAddressProvider"
                applicationContext="com.mulesoft.ch.logging.DefaultApplicationContext"
                appendRetryIntervalMs="${sys:logging.appendRetryInterval}"
                appendMaxAttempts="${sys:logging.appendMaxAttempts}"
                batchSendIntervalMs="${sys:logging.batchSendInterval}"
                batchMaxRecords="${sys:logging.batchMaxRecords}"
                memBufferMaxSize="${sys:logging.memBufferMaxSize}"
                journalMaxWriteBatchSize="${sys:logging.journalMaxBatchSize}"
                journalMaxFileSize="${sys:logging.journalMaxFileSize}"
                clientMaxPacketSize="${sys:logging.clientMaxPacketSize}"
                clientConnectTimeoutMs="${sys:logging.clientConnectTimeout}"
                clientSocketTimeoutMs="${sys:logging.clientSocketTimeout}"
                serverAddressPollIntervalMs="${sys:logging.serverAddressPollInterval}"
                serverHeartbeatSendIntervalMs="${sys:logging.serverHeartbeatSendIntervalMs}"
                statisticsPrintIntervalMs="${sys:logging.statisticsPrintIntervalMs}">
        </Log4J2CloudhubLogAppender>
    </Appenders>

    <Loggers>
        <AsyncLogger name="org.mule.service.http" level="WARN" />
        <AsyncLogger name="org.mule.extension.http" level="WARN" />
        <AsyncLogger name="org.mule.runtime.core.internal.processor.LoggerMessageProcessor" level="INFO" />
        <AsyncRoot level="INFO">
            <AppenderRef ref="file" />
            <AppenderRef ref="Splunk" />
            <AppenderRef ref="CloudHub" />
        </AsyncRoot>
        <AsyncLogger name="Splunk.Logger" level="INFO">
            <AppenderRef ref="splunk" />
        </AsyncLogger>
    </Loggers>
</Configuration>

 

POM.XML FILE CHANGES

 

<repository>
    <id>splunk-artifactory</id>
    <name>Splunk Releases</name>
    <url>https://splunk.jfrog.io/splunk/ext-releases-local</url>
</repository>

<dependency>
    <groupId>com.splunk.logging</groupId>
    <artifactId>splunk-library-javalogging</artifactId>
    <version>1.7.3</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.10.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.10.0</version>
</dependency>

 

Please let me know if I am missing out on any configuration, since I believe I am pretty much following what's on the Mule website and in other articles.

0 Karma

livehybrid
SplunkTrust

Hi @fhatrick 

Check the following points to troubleshoot why logs are not appearing in Splunk using the HEC-based SplunkHTTP log4j logging options:

  1. Splunk HEC URL and Token
    • Ensure the url in your config points to your Splunk HTTP Event Collector (HEC) endpoint, not localhost unless Splunk is running on the same host as MuleSoft.
    • Example: url="https://<splunk-server>:8088"
    • The token value must match exactly the HEC token configured in Splunk.
  2. HEC Configuration in Splunk
    • Confirm that HEC is enabled in Splunk (Settings > Data Inputs > HTTP Event Collector).
    • The token is enabled and assigned to the correct index (indexname).
  3. Index Existence and Permissions
    • Verify the index (indexname) exists in Splunk and your user has permission to search it.
  4. Network Connectivity
    • Ensure the MuleSoft server can reach the Splunk HEC endpoint (no firewall or network issues) - use something like netcat to check this (nc -vz -w1 yourServer 8088)
  5. Testing HEC Directly
    • Test HEC by sending a sample event using:

    curl -k https://<splunk-server>:8088/services/collector/event \
      -H "Authorization: Splunk <token>" \
      -d '{"event":"test event", "index":"indexname"}'

If this event appears in Splunk, the HEC and index are working.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

fhatrick
Loves-to-Learn

My URL is "http://127.0.0.1:8000" in log4j2 and localhost is running on the same port, whereas the listener is on port 8081. Do all of these have to be the same? Am I missing out anywhere?

0 Karma

livehybrid
SplunkTrust

Hi @fhatrick 

Splunk HEC typically listens on port 8088 - Have you changed this default port to something else? Have you enabled SSL for HEC? If not you will need to use http:// instead of https://

0 Karma
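
The checks from the two replies above (HEC port, URL scheme versus SSL) applied to a log4j2 configuration, as an added example that is not part of the original thread. The function `lint_log4j2`, its `hec_ssl_enabled` parameter and the sample XML are constructed for illustration; the port table lists Splunk's default ports, and the example goes slightly further by also reporting disabled certificate validation and AppenderRef values that match no declared appender name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed, well-formed reduction of the appender setup posted in the question.
SAMPLE = """<Configuration status="INFO" name="cloudhub">
  <Appenders>
    <SplunkHttp name="Splunk" url="http://127.0.0.1:8000" token="token"
                index="indexname" disableCertificateValidation="true"/>
  </Appenders>
  <Loggers>
    <AsyncRoot level="INFO">
      <AppenderRef ref="file"/>
      <AppenderRef ref="Splunk"/>
    </AsyncRoot>
    <AsyncLogger name="Splunk.Logger" level="INFO"><AppenderRef ref="splunk"/></AsyncLogger>
  </Loggers>
</Configuration>"""

# Default Splunk ports that are not the HEC listener (HEC defaults to 8088).
NOT_HEC = {8000: "Splunk Web", 8089: "splunkd management", 9997: "forwarder receiving"}

def lint_log4j2(xml_text, hec_ssl_enabled=True):
    """Return findings for SplunkHttp appenders and unresolved AppenderRef names."""
    root = ET.fromstring(xml_text)
    findings = []
    appenders = root.find("Appenders")
    declared = {a.get("name") for a in (appenders if appenders is not None else [])}
    for app in root.iter("SplunkHttp"):
        name, raw = app.get("name"), app.get("url", "")
        try:
            url = urlsplit(raw)
            port = url.port  # raises ValueError on a malformed port
        except ValueError:
            url, port = urlsplit(""), None
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(f"{name}: url {raw!r} is not a usable http(s) URL")
            continue
        if port in NOT_HEC:
            findings.append(f"{name}: port {port} is the {NOT_HEC[port]} default, not HEC")
        expected = "https" if hec_ssl_enabled else "http"
        if url.scheme != expected:
            findings.append(f"{name}: scheme is {url.scheme}, HEC expects {expected}")
        if app.get("disableCertificateValidation", "false").lower() == "true":
            findings.append(f"{name}: certificate validation is disabled")
    for ref in root.iter("AppenderRef"):  # refs must equal a declared name exactly
        if ref.get("ref") not in declared:
            findings.append(f"AppenderRef {ref.get('ref')!r} matches no declared appender")
    return findings
```

Calling `lint_log4j2(SAMPLE)` returns one finding per problem; pass `hec_ssl_enabled=False` when SSL is switched off in the HEC global settings.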

fhatrick
Loves-to-Learn

The URL is "http://127.0.0.1:8088" in log4j2 and localhost (Splunk) is running on port 8000, whereas the project listener is on port 8081.

Yes, I have enabled SSL.

Most documentation has the same setting, so I followed the same, yet I cannot see the logs.

0 Karma

richgalloway
SplunkTrust

Have you enabled receiving of data in Splunk? Go to Settings->"Forwarding and Receiving" to turn on receiving.

Does "localhost url" include the port number (9997 by default)?

Do your firewalls allow connections between Mulesoft and Splunk?

---
If this reply helps you, Karma would be appreciated.
0 Karma

fhatrick
Loves-to-Learn

My URL is "http://127.0.0.1:8000" in log4j2 and localhost (Splunk) is running on the same port, whereas the listener is on port 8081.

Earlier the URL was "http://127.0.0.1:8088" in log4j2 and localhost (Splunk) is running on port 8000, whereas the listener is on port 8081.

0 Karma