Thursday, February 23, 2006

Splunk Question and Answer

I got the following email yesterday, from a user named jrichardson regarding some blog posts I had made on my progress with Splunk.


Date: Wed, 22 Feb 2006 20:42:46 -0800 (PST)
From: jrichardson
Subject: [Dmourati Blog] 2/22/2006 08:33:17 PM

How did you configure the tailing processor in splunk? I'd like to create
a "rule" for "Everything in /var/log/remote/$HOSTNAME/messages"
without having to create a separate "file" tag for each remote

Posted by jrichardson to Dmourati Blog at 2/22/2006 08:33:17 PM



You found a weak spot in my blog posts, namely that I haven't figured out how to have Blogger correctly represent embedded XML, like the configuration elements from my config.xml. Sorry about that. To answer your question, I've been using the TailingProcessor in a one-to-one mapping to my log files. For example, one config stanza contains:

<fileName>/var/log/remote-syslog-ng/demetri04/messages</fileName>

And another config stanza contains:

<fileName>/var/log/remote-syslog-ng/demetri05/messages</fileName>

To your point, what if I had demetri01-demetri99 that I wanted to configure? I can think of two options, neither of which is particularly attractive. The first is to use the "Tailing all files in a Directory" option. The restriction, as defined in the docs, is that all the files in the directory need to be of the same type. To accomplish this flat arrangement, you'd need some type of symlink structure to represent all logs of a single type in a flat directory. Something like:

[root@demetri05 remote-syslog-ng]# cd splunk/
[root@demetri05 splunk]# ls -lah
total 8.0K
drwxr-xr-x 2 root root 4.0K Feb 23 01:15 .
drwx------ 5 root root 4.0K Feb 23 01:15 ..
lrwxrwxrwx 1 root root 21 Feb 23 01:15 demetri04-messages -> ../demetri04/messages
lrwxrwxrwx 1 root root 21 Feb 23 01:15 demetri05-messages -> ../demetri05/messages

Not particularly elegant, but it would probably work. The other solution that comes to mind is to generate the config.xml file programmatically. I use Perl's XML::Simple quite a bit for straightforward XML generation/parsing. That might be a bit more work at first, but probably more flexible.
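As an added example of the programmatic approach (not code from the original post, which uses Perl's XML::Simple), here is the same job in Python's standard library: it discovers the demetriNN host directories under /var/log/remote-syslog-ng and emits one <fileName> element per host. The <config>, <stanza> and <processor> wrapper elements are placeholders for whatever the real config.xml schema expects around each stanza; only <fileName> comes from the post.

```python
"""Emit one TailingProcessor <fileName> stanza per remote syslog host.

Added example; the wrapper elements other than <fileName> are
placeholders, not the real Splunk config.xml schema.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

LOG_ROOT = "/var/log/remote-syslog-ng"   # layout from the post: <root>/<host>/messages
LOG_NAME = "messages"

# Accept only plain hostnames as directory names. Anything else sitting in
# the spool directory (temp files, lost+found, a name with '<' or '/') is
# skipped rather than turned into a tailed path or injected into the XML.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def is_host_dir_name(name):
    """True if name looks like a hostname we are willing to tail."""
    return HOST_RE.match(name) is not None


def host_range(prefix, first, last):
    """Names like demetri01..demetri99, zero-padded to two digits."""
    return [f"{prefix}{n:02d}" for n in range(first, last + 1)]


def discover_hosts(root=LOG_ROOT, log_name=LOG_NAME):
    """Sorted hostnames under root that actually have a log_name file."""
    hosts = []
    for entry in os.scandir(root):
        if (entry.is_dir(follow_symlinks=False)
                and is_host_dir_name(entry.name)
                and os.path.isfile(os.path.join(entry.path, log_name))):
            hosts.append(entry.name)
    return sorted(hosts)


def build_config(hosts, root=LOG_ROOT, log_name=LOG_NAME):
    """Return XML text with one stanza (and one <fileName>) per host."""
    cfg = ET.Element("config")                      # placeholder wrapper
    for host in hosts:
        stanza = ET.SubElement(cfg, "stanza")       # placeholder stanza element
        ET.SubElement(stanza, "processor").text = "TailingProcessor"  # placeholder
        # ElementTree escapes the text, so the path can never break the XML.
        ET.SubElement(stanza, "fileName").text = os.path.join(root, host, log_name)
    return ET.tostring(cfg, encoding="unicode")


if __name__ == "__main__":
    # Pass a root directory to scan it, or get the demetri01-demetri99 set.
    names = discover_hosts(sys.argv[1]) if len(sys.argv) > 1 else host_range("demetri", 1, 99)
    print(build_config(names))
```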

The only other option that comes to mind is to skip the TailingProcessor and go with the directory monitor plus some cron job or some such to pump data in. I doubt I'd go that route, however. Probably the Perl or other programmatic method is the best.
