Splunk Search

Evaluating if splunk is for me.

infinitiguy
Path Finder

Hi Everyone,

I'm trying to find a log solution and here is what I would like to achieve.

  • I have 50 systems with weekly messages aggregation of under 500MB a week.
  • I also have jboss applications running on the same 50 nodes that I'd like to capture their error.logs (but not server.log).
  • I also want to filter what actually gets sent to splunk as I'm only interested in the first line of the stacktraces.

I can filter these out using egrep for a date format - which brings my 100M log down to 4M. Does splunk have any capability to do filtering before it actually brings something in to index? Sometimes our logs can get out of control and I can write 2-5GB of error.logs within a couple hours - most of which I'm not interested in, and wouldn't want in splunk, which would cause me to go over the 500MB free threshold.

Anyone have any thoughts? How do other people handle similar types of problems?

[dmurphy@jboss11 ~]$ egrep '[0-9]{4}-[0-9]{2}-[0-9]{2}' error.log.1
2012-01-22 13:02:36,548 [http-0.0.0.0-8080-223] ERROR [org.apache.commons.beanutils.PropertyUtils] Method invocation failed.
2012-01-22 13:04:08,114 [http-0.0.0.0-8080-105] ERROR [org.apache.commons.beanutils.PropertyUtils] Method invocation failed.
Tags (1)
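One way to turn the egrep trick above into a repeatable pre-filter, as an added example (this is not code from the original post or from Splunk): the script keeps only lines that start with a JBoss timestamp, so every stack-trace continuation line, "Caused by" line and "... N more" line is dropped before anything is handed to a forwarder. The sample log, the function names and the paths in the trailing comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-filter a JBoss error.log so
# that only the first, timestamped line of each error survives.

# Constructed sample of a JBoss error.log with two errors and their traces.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2012-01-22 13:02:36,548 [http-0.0.0.0-8080-223] ERROR [org.apache.commons.beanutils.PropertyUtils] Method invocation failed.
java.lang.IllegalArgumentException: Cannot invoke method
    at org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(PropertyUtilsBean.java:2116)
    at org.apache.commons.beanutils.PropertyUtilsBean.getSimpleProperty(PropertyUtilsBean.java:1285)
Caused by: java.lang.NullPointerException
    ... 42 more
2012-01-22 13:04:08,114 [http-0.0.0.0-8080-105] ERROR [org.apache.commons.beanutils.PropertyUtils] Method invocation failed.
    at com.example.Foo.bar(Foo.java:12) build 2011-12-30
EOF

# naive_filter FILE: the unanchored pattern from the post. It also keeps any
# trace line that merely mentions a date (the "build 2011-12-30" line above).
naive_filter() {
    grep -E '[0-9]{4}-[0-9]{2}-[0-9]{2}' "$1"
}

# first_lines_only FILE: anchored on the full JBoss timestamp and single-quoted
# so the shell cannot glob-expand the brackets. Only genuine first lines pass.
first_lines_only() {
    grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3} ' "$1"
}

# count_lines FILE: total lines in the raw log (leading spaces from wc removed).
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# naive_count / kept_count FILE: lines surviving each filter, for comparison.
naive_count() {
    naive_filter "$1" | wc -l | tr -d ' '
}
kept_count() {
    first_lines_only "$1" | wc -l | tr -d ' '
}

# Typical use on a node (paths assumed): append the reduced output to a separate
# file and point the Splunk monitor input at that file instead of error.log.
# first_lines_only /var/log/jboss/error.log >> /var/log/jboss/error.firstline.log
```

The anchor matters for the licence question in the post: an unanchored date pattern lets through any trace line that happens to contain a date, and on a day when error.log grows by gigabytes those stray lines add up. The same cut can also be made inside Splunk itself by routing non-matching events to the null queue on an indexer or heavy forwarder (events dropped that way are not counted against the licence), but that only drops whole events, so line merging has to be turned off for the source or the trace lines are merged into the first line before the filter ever sees them.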

RicoSuave
Builder

The short answer is YES. Everything that you are looking to do can be done with splunk. I won't go into the details because you are better off reading the documentation and playing with splunk yourself, but it's not hard at all to configure splunk for your requirements. My recommendation is to download splunk, and go through the tutorials available in the documentation. Then read the sections that deal with installing and administration of splunk. And of course, once you have more detailed questions, with regards to configuration, ask them here.

0 Karma

wwhitener
Communicator

For what it's worth, I'd also think about doing a support contract for a short while. Then you get some expert help when something particularly tricky shows up.

0 Karma