Evaluating if splunk is for me.

infinitiguy
Path Finder

Hi Everyone,

I'm trying to find a log solution and here is what I would like to achieve.

  • I have 50 systems whose weekly messages aggregation comes to under 500MB.
  • I also have JBoss applications running on the same 50 nodes, and I'd like to capture their error.log files (but not server.log).
  • I also want to filter what actually gets sent to Splunk, as I'm only interested in the first line of the stacktraces.

I can filter these out using egrep for a date format, which brings my 100M log down to 4M. Does Splunk have any capability to do filtering before it actually brings something into the index? Sometimes our logs can get out of control and I can write 2-5GB of error.logs within a couple of hours, most of which I'm not interested in and wouldn't want in Splunk, as it would cause me to go over the 500MB free threshold.

Anyone have any thoughts? How do other people handle similar types of problems?

[dmurphy@jboss11 ~]$ egrep [0-9]{4}-[0-9]{2}-[0-9]{2} error.log.1  
2012-01-22 13:02:36,548 [http-0.0.0.0-8080-223] ERROR [org.apache.commons.beanutils.PropertyUtils] Method invocation failed.
2012-01-22 13:04:08,114 [http-0.0.0.0-8080-105] ERROR [org.apache.commons.beanutils.PropertyUtils] Method invocation failed.

RicoSuave
Builder

The short answer is YES. Everything that you are looking to do can be done with Splunk. I won't go into the details because you are better off reading the documentation and playing with Splunk yourself, but it's not hard at all to configure Splunk for your requirements. My recommendation is to download Splunk and go through the tutorials available in the documentation. Then read the sections that deal with installation and administration of Splunk. And of course, once you have more detailed questions with regard to configuration, ask them here.

0 Karma
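As an added illustration of the index-time filtering the question asks about (this is not configuration from the thread or from Splunk's documentation, but it uses only standard Splunk settings): the egrep in the question keeps lines that start with a YYYY-MM-DD date, which in Splunk can be expressed as a transform that routes every event not starting with such a date to nullQueue. The sourcetype name jboss_error, the transform name jboss_drop_undated and the monitored log path are assumptions chosen for the example.

```ini
# --- inputs.conf (on the forwarder) ---
# Assumed path: only error.log is monitored, so server.log is never sent at all.
[monitor:///opt/jboss/server/default/log/error.log]
sourcetype = jboss_error

# --- props.conf (on the indexer or heavy forwarder that parses the data) ---
[jboss_error]
# Treat every physical line as its own event instead of merging the
# stack-trace continuation lines into the dated header line. Without this,
# the whole stacktrace would be one event and the filter below would keep
# all of it.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp format seen in the question's sample lines: 2012-01-22 13:02:36,548
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# Run the drop transform (assumed name) on every event of this sourcetype.
TRANSFORMS-drop_stack = jboss_drop_undated

# --- transforms.conf (same host as props.conf) ---
[jboss_drop_undated]
# Negative lookahead: matches any event that does NOT begin with YYYY-MM-DD,
# i.e. the stack-trace lines; matched events go to nullQueue and are never
# indexed, which mirrors the egrep [0-9]{4}-[0-9]{2}-[0-9]{2} filter.
REGEX = ^(?!\d{4}-\d{2}-\d{2})
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats worth knowing before relying on this to stay under the free-license volume. Events dropped to nullQueue are discarded before indexing and are not counted against daily indexing volume, so the 2-5GB stack-trace bursts would not consume the 500MB allowance. However, the props/transforms filtering runs in the parsing pipeline, which a universal forwarder does not execute; with universal forwarders the full error.log still crosses the network and is only thinned on the indexer, so to also save bandwidth the filtering host has to be a heavy forwarder, or the pre-filtering stays in a script on the JBoss node.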

wwhitener
Communicator

For what it's worth, I'd also think about doing a support contract for a short while. Then you get some expert help when something particularly tricky shows up.

0 Karma