我们最近购买了splunk并聘请了一家承包商来为我们实施。我们希望从日志文件中捕获信息并将其显示在
中 通过splunk非常简单的方式。我们面临着收集一些元数据类型信息的问题。我将尝试通过一个例子来解释它:Server is setup with two apache instances The first instance hosts application1 The second instance hosts application2,3,4 Log file examples /opt/logs/apache/inst1/file.log /opt/logs/apache/inst2/file.log /opt/logs/apache/application1/log4j.log /opt/logs/apache/application2/log4j.log /opt/logs/apache/application3/log4j.log
我希望splunk按应用程序ID显示信息。也就是说,当我选择application1时,Splunk应该显示托管application1的服务器。在此之后,我可以选择托管它的apache实例。这使我可以深入到实际实例,而无需生成复杂的Splunk表达式 为实现这一目标,splunk承包商希望我们修改整个日志文件位置:
Log file examples /opt/logs/apache/add_server_name_here/add_application1_here/inst1/file.log /opt/logs/apache/add_server_name_here/add_application2_here/inst2/file.log /opt/logs/apache/add_server_name_here/add_inst1_here/application1/log4j.log /opt/logs/apache/add_server_name_here/add_inst2_here/application2/log4j.log /opt/logs/apache/add_server_name_here/add_inst2_here/application3/log4j.log /opt/logs/apache/add_server_name_here/add_inst2_here/application4/log4j.log
这需要对我们所有服务器进行大规模更改。这是真的有必要还是我们有一种简单的方法可以将这些元数据信息提供给Splunk?
答案 0 :(得分:1)
一个选项是通过csv设置查找文件,然后通过编辑props.conf自动执行查找(请参阅csv指南中的步骤2)。
csv文件可能看起来像这样
application1,/opt/logs/apache/inst1/file.log
application1,/opt/logs/apache/inst2/file.log
application1,/opt/logs/apache/application1/log4j.log
application2,/opt/logs/apache/application2/log4j.log
application2,/opt/logs/apache/application3/log4j.log
如果您遇到问题,请在answers.splunk.com询问Splunk员工更有可能看到它