Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does splunk 6.x support DailyRollingFileAppender?

erickyi
Path Finder
‎03-13-2017 11:20 PM

I tried to setup $SPLUNK_HOME/etc/log.cfg to change its current logging (RollingFileAppender)

Attempt 1 - failed : encountered parsing errors
appender.A4=org.apache.log4j.DailyRollingFileAppender
appender.A1.File=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.DatePattern='.'yyyy-MM-dd

Attempt 2 - failed due to parsing errors
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.filePattern=${SPLUNK_HOME}/var/log/splunk/splunkd.log-%d{yyyy-MM-dd}-%i

Help. what can i do to change the logging? I thought splunk supports the standard log4j 2

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-14-2017 04:22 PM

The short answer is that any appender other than the RollingFileAppender won't work.
While the configuration file suggests log4j use under the covers, that is not the case. The implementation was changed to remove a dependency on a 3rd-party library, but the cfg file structure was preserved.
The only supported file appender in the current implementation is the RollingFileAppender.

The only option is to rotate files outside of Splunk and hope that we can handle renaming an active log file transparently... 😉

View solution in original post

Reply
Solved! Jump to solution

erickyi
Path Finder
‎03-14-2017 06:04 PM

Thanks ssievert for the quick response and letting us know. Cheers 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-14-2017 04:22 PM

The short answer is that any appender other than the RollingFileAppender won't work.
While the configuration file suggests log4j use under the covers, that is not the case. The implementation was changed to remove a dependency on a 3rd-party library, but the cfg file structure was preserved.
The only supported file appender in the current implementation is the RollingFileAppender.

The only option is to rotate files outside of Splunk and hope that we can handle renaming an active log file transparently... 😉

Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-13-2017 11:58 PM

Just to verify: In your first attempt, did you really use appender.A4=org.apache.... instead of appender.A1=org.apache....?

0 Karma
Reply
Solved! Jump to solution

erickyi
Path Finder
‎03-14-2017 12:00 AM

HI ssievert,

Yes, I tried both options ; org.apache.log4j.DailyRollingFileAppender and DailyRollingFileAppender
but unfortunately both failed

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎03-14-2017 12:08 AM

I just tried and getting Parse error at "appender.A1.DatePattern='.'yyyy-MM-dd" as well. I'll see what I can find out...

0 Karma
Reply
Solved! Jump to solution

erickyi
Path Finder
‎03-14-2017 12:37 AM

Thank you ssievert,

good that you confirmed my findings.

My objective is that if I have a daily rolling mechanism going, then it would be easy for me to backup the old logs incrementally (by date). If this is not possible, then I will use native unix technologies. i am getting there on my script.

Test: find $SPLUNK_HOME -name '*.log.?' -exec stat --printf="%y %n\n" {} \;|grep date +"%Y-%m-%d" |awk '{print $4}'

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...