Splunk metadata information
We recently purchased Splunk and hired a contractor to implement it for us. We want to capture information from the log files and display it in a very simple manner via Splunk. We are facing issues with collecting some metadata type information. I will try to explain it via an example:
Server is set up with two Apache instances
The first instance hosts application1
The second instance hosts application2,3,4
Log file examples
/opt/logs/apache/inst1/file.log
/opt/logs/apache/inst2/file.log
/opt/logs/apache/application1/log4j.log
/opt/logs/apache/application2/log4j.log
/opt/logs/apache/application3/log4j.log
I want Splunk to display information by application id. That is, when I select application1, Splunk should display the servers that application1 is hosted on. After this I can select the Apache instance that hosts it. This allows me to drill down to the actual instance without having to generate complex Splunk expressions.
To achieve this, the Splunk contractor wants us to modify the entire log file location:
Log file examples
/opt/logs/apache/add_server_name_here/add_application1_here/inst1/file.log
/opt/logs/apache/add_server_name_here/add_application2_here/inst2/file.log
/opt/logs/apache/add_server_name_here/add_inst1_here/application1/log4j.log
/opt/logs/apache/add_server_name_here/add_inst2_here/application2/log4j.log
/opt/logs/apache/add_server_name_here/add_inst2_here/application3/log4j.log
/opt/logs/apache/add_server_name_here/add_inst2_here/application4/log4j.log
This requires a massive change on all of our servers. Is this really necessary or is there a simple way for us to provide this metadata information to Splunk?