Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the ideal way of writing log files using log4net?

maniishpawar
Path Finder
‎02-09-2018 07:23 AM

is there a best practice log4net pattern template that can help SPLUNK index data more efficiently and do field extraction?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-09-2018 07:30 AM

This is the best part of Splunk! You don't need to customize your logging style to Splunk, but rather customize Splunk to your logging format.

This can be done by setting base configs in your props.conf on the indexer. This will tell Splunk when to break the text into events and also identify the timestamp. An example of base configs will look like this 

[sourcetype]
TIME_PREFIX = <Regex showing Splunk where your timestamp starts>
TIME_FORMAT = <striftime of your timestamp>
MAX_TIMESTAMP_LOOKAHEAD <How many characters into the event is your timestamp>
SHOULD_LINEMERGE = false
LINE_BREAKER = <Regex showing how to break the text into events>
TRUNCATE = <How many bytes your event should be before automatically breaking.. This prevents un-usually large events>

Most field extractions happen at search time, so you would add the extractions to your props.conf on the search head. You could also do the extractions inside the Splunk user interface

View solution in original post

0 Karma
Reply
Solved! Jump to solution

maniishpawar
Path Finder
‎02-09-2018 11:35 AM

I will ask our splunk folks about the CIM. If they had it in place I believe this will solve the purpose.

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-09-2018 07:30 AM

This is the best part of Splunk! You don't need to customize your logging style to Splunk, but rather customize Splunk to your logging format.

This can be done by setting base configs in your props.conf on the indexer. This will tell Splunk when to break the text into events and also identify the timestamp. An example of base configs will look like this 

[sourcetype]
TIME_PREFIX = <Regex showing Splunk where your timestamp starts>
TIME_FORMAT = <striftime of your timestamp>
MAX_TIMESTAMP_LOOKAHEAD <How many characters into the event is your timestamp>
SHOULD_LINEMERGE = false
LINE_BREAKER = <Regex showing how to break the text into events>
TRUNCATE = <How many bytes your event should be before automatically breaking.. This prevents un-usually large events>

Most field extractions happen at search time, so you would add the extractions to your props.conf on the search head. You could also do the extractions inside the Splunk user interface

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-09-2018 10:13 AM

Considering the "enterprise wide" aspect, I think it makes sense for the team running Splunk to specify a format for your logs to come over, considering you are the ones generating the logs.

Why make the Splunk team create props/transforms for each different app's data when it's easier to ask the developers to adhere to a standard they already have configurations for?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-09-2018 10:54 AM

See my message above about how applying base configs will lessen the load on the indexers.. Also, it would be best to standardize the logging format around the CIM so it limits the need to keep writing props.conf based off new sourcetypes.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-09-2018 11:06 AM

This was the idea I had, as the entire use case at my company was for SIEM purposes, and if you weren't included in the CIM, your data didn't do anything. I left the company before implementing this, but my initial thought was to allow for generic datamodel adherence in a format like:

<timestamp> <tag1> <tag2> ... <tagN> <key1>=<value1> <tab> <key2>=<value2> ... <tab> <keyN> = <valueN>

This allows anyone to send a log that could conform to the CIM by including the tags that the CIM needs, and the key/value pairs that the CIM wants.

With something like that, a single sourcetype can handle all the parsing and feed any CIM datamodel necessary.

0 Karma
Reply
Solved! Jump to solution

maniishpawar
Path Finder
‎02-09-2018 07:47 AM

Splunk implementation we had is at enterprise level.
But in our business, we are trying to consolidate logging and enforce a set of format/ best practices so thats why the question. It will be cleaner on the app development team side as well as Splunk team side.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-09-2018 07:59 AM

Every data source ingested should have base configs applied to them to ease the load off the indexers. If you do not apply them and let Splunk "do the work" and try to make a nicely formatted log, this will add additional overhead to Splunk.

If you look at the link below, it shows 4 pipelines. Applying base configs allows you to skip the merging pipeline, which lessens the load.

https://wiki.splunk.com/Community:HowIndexingWorks

If you want to standardize logging formats, you should look into the common information model

http://docs.splunk.com/Documentation/CIM/4.9.1/User/Overview

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...