10
votes

I'm using the Splunk HttpEventCollectorLogbackAppender to automatically send application logs to Splunk. I've been trying to set the host, source, and sourcetype but am not having any luck getting them sent to Splunk.

Is it possible to set the host, source, or sourcetype using the Splunk HttpEventCollectorLogbackAppender and if so, how do I do it?

I've been trying to send JSON and it doesn't seem to be working.

Here's the documentation that tells you what options are available, and it says that they need to be passed as a query string, but since I'm using the out-of-the-box Splunk appender, I'm not sure how to set those.

http://dev.splunk.com/view/event-collector/SP-CAAAE6P

Splunk logback appender:

...
<!-- SPLUNK appender -->
  <appender name="SPLUNK" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>http://myurl:8088</url>
    <token>mytoken</token>
    <disableCertificateValidation>true</disableCertificateValidation>
    <batch_size_count>1</batch_size_count>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%logger: %msg%n</pattern>
    </layout>
  </appender>

<root level="INFO">
  <appender-ref ref="SPLUNK"/>
</root>
...

Example log line

Logger logger = LoggerFactory.getLogger(MyClass.class);
logger.debug("I'm logging debug stuff"); 
2
It might help to post example code. - Larry Shatzer
Have you read the documentation for the Java logging framework itself here: github.com/splunk/splunk-library-javalogging? - Larry Shatzer
@LarryShatzer You bet I have. Many times. - Catfish

2 Answers

6
votes

Any setters on HttpEventCollectorLogbackAppender can be added to your logback configuration.

So to invoke setHost, setSource and setSourcetype you add them to your logback configuration like this:

<appender name="SPLUNK" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>http://myurl:8088</url>
    <host>x</host>
    <source>y</source>
    <sourcetype>z</sourcetype>
    <token>mytoken</token>
    <disableCertificateValidation>true</disableCertificateValidation>
    <batch_size_count>1</batch_size_count>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%logger: %msg%n</pattern>
    </layout>
</appender>
0
votes

You can set it this way: replace MyAppender, MyIndex, MySource and configure the URL and token in properties files. If you use a small batch size you would lose some events/logs. Below is the ideal configuration for up to 100 TPS.

<Appender name="MYAppender"
    class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>${url}</url>
    <token>${token}</token>
    <index>MyIndex</index>
    <sourcetype>MySource</sourcetype>
    <eventBodySerializer>util.RawEventBodySerializer</eventBodySerializer>
    <disableCertificateValidation>true</disableCertificateValidation>
    <send_mode>parallel</send_mode>
    <batch_size_bytes>102400</batch_size_bytes>
    <batch_size_count>10</batch_size_count>
    <batch_interval>60000</batch_interval>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%m%n</pattern>
    </layout>
</Appender>
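
An added example, not part of the original posts or of Splunk's library: a small Python check that reads a logback configuration, finds every HttpEventCollectorLogbackAppender, and reports which of host, source and sourcetype are missing, along with the transport settings visible in the configurations above (plain http URL, disableCertificateValidation set to true, literal token). The function name audit_hec_appenders, the finding texts and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

HEC_CLASS = "com.splunk.logging.HttpEventCollectorLogbackAppender"
METADATA = ("host", "source", "sourcetype")
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")  # logback variable substitution, e.g. ${token}

def audit_hec_appenders(logback_xml):
    """Return {appender name: [findings]} for every Splunk HEC appender."""
    report = {}
    for elem in ET.fromstring(logback_xml).iter():
        # Tag names are compared case-insensitively here so that both
        # <appender> and <Appender> (as in the second answer) are matched.
        if elem.tag.lower() != "appender" or elem.get("class") != HEC_CLASS:
            continue
        # Each child element corresponds to a setter, e.g. <host> -> setHost().
        props = {c.tag.lower(): (c.text or "").strip() for c in elem}
        findings = [f"{key} not set" for key in METADATA if not props.get(key)]
        if props.get("url", "").lower().startswith("http://"):
            findings.append("url is plain http: token and events travel unencrypted")
        if props.get("disablecertificatevalidation", "").lower() == "true":
            findings.append("certificate validation disabled")
        token = props.get("token", "")
        if token and not PLACEHOLDER.fullmatch(token):
            findings.append("token hard-coded in the config file")
        report[elem.get("name")] = findings
    return report

# Constructed sample: the question's appender and a trimmed form of the second answer's.
SAMPLE = """<configuration>
  <appender name="SPLUNK" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>http://myurl:8088</url>
    <token>mytoken</token>
    <disableCertificateValidation>true</disableCertificateValidation>
    <batch_size_count>1</batch_size_count>
  </appender>
  <Appender name="MYAppender" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>${url}</url>
    <token>${token}</token>
    <sourcetype>MySource</sourcetype>
    <disableCertificateValidation>true</disableCertificateValidation>
  </Appender>
</configuration>"""

if __name__ == "__main__":
    for name, findings in audit_hec_appenders(SAMPLE).items():
        print(name, "->", findings or "ok")
```

An appender passes with no findings once host, source and sourcetype are present, the URL is https, disableCertificateValidation is absent or false, and the token comes from a `${...}` substitution rather than a literal.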