Splunk metadata information


We recently purchased Splunk and hired a contractor to implement it for us. We want to capture information from the log files and display it in a very simple manner via Splunk. We are facing issues with collecting some metadata type information. I will try to explain it via an example:

- Server is set up with two Apache instances
- The first instance hosts application1
- The second instance hosts application2,3,4

Log file examples

    /opt/logs/apache/inst1/file.log
    /opt/logs/apache/inst2/file.log
    /opt/logs/apache/application1/log4j.log
    /opt/logs/apache/application2/log4j.log
    /opt/logs/apache/application3/log4j.log

I want Splunk to display information by application id. That is, when I select application1, Splunk should display the servers that application1 is hosted on. After this I can select the Apache instance that hosts it. This allows me to drill down to the actual instance without having to generate complex Splunk expressions.
To achieve this, the Splunk contractor wants us to modify the entire log file location:

Log file examples  

    /opt/logs/apache/add_server_name_here/add_application1_here/inst1/file.log
    /opt/logs/apache/add_server_name_here/add_application2_here/inst2/file.log
    /opt/logs/apache/add_server_name_here/add_inst1_here/application1/log4j.log
    /opt/logs/apache/add_server_name_here/add_inst2_here/application2/log4j.log
    /opt/logs/apache/add_server_name_here/add_inst2_here/application3/log4j.log
    /opt/logs/apache/add_server_name_here/add_inst2_here/application4/log4j.log

This requires a massive change on all of our servers. Is this really necessary, or is there a simple way for us to provide this metadata information to Splunk?


There are 1 answers

Shakeel On

One option is setting up a lookup file through CSV and then automating the lookup by editing props.conf (see step 2 in the CSV guide).

The CSV file might look something like this:

    application1,/opt/logs/apache/inst1/file.log
    application1,/opt/logs/apache/inst2/file.log
    application1,/opt/logs/apache/application1/log4j.log
    application2,/opt/logs/apache/application2/log4j.log
    application2,/opt/logs/apache/application3/log4j.log

If you get stuck, please ask on answers.splunk.com, where Splunk employees are more likely to see it.
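A sketch of the automatic lookup described in the answer above, added here as an example and not part of the original answer or any Splunk-supplied configuration. The lookup name `app_by_source`, the file name `app_by_source.csv`, the output field `application`, and the row values (taken from the instance-to-application layout in the question) are assumptions; `source` and `host` are Splunk's default fields.

```ini
# --- lookups/app_by_source.csv (constructed sample; first row must be the header) ---
# source,application
# /opt/logs/apache/inst1/file.log,application1
# /opt/logs/apache/inst2/file.log,application2
# /opt/logs/apache/inst2/file.log,application3
# /opt/logs/apache/inst2/file.log,application4
# /opt/logs/apache/application1/log4j.log,application1
# /opt/logs/apache/application2/log4j.log,application2
# /opt/logs/apache/application3/log4j.log,application3
# /opt/logs/apache/application4/log4j.log,application4

# --- transforms.conf (search head) ---
# Defines the lookup table. inst2 serves three applications, so allow
# several rows to match one source; the result is a multivalue field.
[app_by_source]
filename = app_by_source.csv
max_matches = 10

# --- props.conf (search head) ---
# Applies the lookup automatically at search time to every event whose
# source path is under /opt/logs/apache/ ("..." matches any depth).
# The existing log file locations stay unchanged.
[source::/opt/logs/apache/...]
LOOKUP-application = app_by_source source OUTPUT application

# The server name does not need to be encoded in the path or the CSV:
# every event already carries it in the default "host" field, so a search
# such as
#   application=application1 | stats count by host, source
# lists the servers and Apache instances for one application.
```

Because the lookup runs at search time, changing the CSV changes how existing events are labelled without re-indexing anything.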