Use this Pack to reduce your Splunk Forwarder log volume.
Internal logs do not count against index, but they surely impact your resource utilization. In my experience, 5-7% of enterprise deployments' resources are consumed by UF internal logs. Some of these logs can be useful, but most are not. The pipelines in this Pack will allow you to better control your UF traffic before index time.
Intended for `$SPLUNK/var/log/splunk/metrics.log` files
- Start by dropping any events that are NOT thruput events
  - Majority of reduction from this step
- Optionally aggregate the events into Metrics events
  - There are 2 Aggregate functions: 1 for `per_*_thruput` and one for `thruput`
  - There is also the option to lookup the host to get a farm or pod to group by
  - Metrics will be delivered to _metrics by default; modify if needed but be aware of license impact
- Use the Trim function to remove the timestamp text from _raw (we already have _time)
- Rewrite source field to just the file name, eg `./metrics.log`
Intended for `$SPLUNK/var/log/splunk/splunkd.log` files
- Extract the basic layout of the event
- Drop DEBUG and TRACE level events with prejudice
- Suppress messages from some components in 30 second windows based on host-punct-component-level key
  - Component-level combos that will be suppressed are listed in the components_suppression.csv lookup
  - A `repeated=` counter will be added to the end of the surviving event
  - Instead, optionally leave `suppressCount` as an index time field
- Random clean up:
  - Drop the text time string since we already have _time
  - Replace the path to Splunk if shown in the _raw event with `$SPLUNK`
  - Replace the path to `$SPLUNK/var/log/splunk/` in `source` with `./`
- Splunk Forwarders sending logs through LogStream :-)
- We have provided a few component-level entries in the lookup. Add more, or remove, as you see fit
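A small Node.js model of the splunkd.log pipeline above, added here as an example (it is not the Pack's own code and does not use the Cribl function API): it extracts the basic layout, drops DEBUG/TRACE, suppresses listed component-level combos in 30 second windows keyed by host-punct-component-level, appends the `repeated=` counter, and performs the cleanup. The layout regex, the simplified `punct()`, the lookup rows and the sample events are all constructed assumptions.

```javascript
// Added example, not the Pack's own code. Assumptions: SPLUNK_HOME, the
// splunkd.log layout regex, the punct approximation and the sample data below.
const SPLUNK_HOME = '/opt/splunk';
const WINDOW_MS = 30 * 1000;
// Assumed rows of components_suppression.csv, keyed as "component:level".
const SUPPRESSED = new Set(['TailReader:INFO', 'HttpPubSubConnection:WARN']);
// Assumed splunkd.log layout: "<timestamp> <LEVEL>  <Component> - <message>"
const LINE_RE = /^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (\w+)\s+(\S+) - (.*)$/;

// Simplified Splunk-style punct: keep punctuation, drop letters/digits, spaces -> "_".
function punct(text) {
  return text.replace(/[A-Za-z0-9]/g, '').replace(/ /g, '_').slice(0, 30);
}

function processSplunkd(events) {
  const windows = new Map(); // suppression key -> { start, suppressed }
  const out = [];
  for (const ev of events) {
    const m = LINE_RE.exec(ev._raw);
    if (!m) { out.push(ev); continue; } // unknown layout: pass through untouched
    const [, , level, component, message] = m; // text timestamp is discarded; _time is kept
    if (level === 'DEBUG' || level === 'TRACE') continue; // drop with prejudice
    let raw = `${level} ${component} - ${message}`;
    if (SUPPRESSED.has(`${component}:${level}`)) {
      const key = [ev.host, punct(message), component, level].join('|');
      const w = windows.get(key);
      if (w && ev._time - w.start < WINDOW_MS) { w.suppressed++; continue; }
      // First event of a new window carries the count suppressed in the previous one.
      if (w && w.suppressed > 0) raw += ` repeated=${w.suppressed}`;
      windows.set(key, { start: ev._time, suppressed: 0 });
    }
    raw = raw.split(SPLUNK_HOME).join('$SPLUNK');
    const source = ev.source.replace(`${SPLUNK_HOME}/var/log/splunk/`, './');
    out.push({ ...ev, _raw: raw, source });
  }
  return out;
}

// Constructed sample events from one forwarder, all within a single minute.
function sampleEvents() {
  const base = { host: 'uf01', source: '/opt/splunk/var/log/splunk/splunkd.log' };
  const t0 = Date.UTC(2021, 9, 5, 12, 0, 0);
  const line = (sec, level, comp, msg) => ({ ...base, _time: t0 + sec * 1000,
    _raw: `10-05-2021 12:00:${String(sec).padStart(2, '0')}.000 +0000 ${level}  ${comp} - ${msg}` });
  const batch = "Batch input finished reading file='/opt/splunk/var/log/splunk/metrics.log'";
  return [
    line(0, 'INFO', 'TailReader', batch), line(5, 'DEBUG', 'TailReader', 'noise'),
    line(10, 'INFO', 'TailReader', batch), line(20, 'INFO', 'TailReader', batch),
    line(45, 'INFO', 'TailReader', batch),
    line(50, 'WARN', 'TcpOutputProc', 'Cooked connection to ip=10.0.0.1:9997 timed out'),
  ];
}
```

Running `processSplunkd(sampleEvents())` keeps three of the six events: the first TailReader message, the one that opens the next window (with `repeated=2` appended), and the unsuppressed TcpOutputProc warning.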
To use this Pack, follow these steps:
- Install the pack
- Set-up route(s) that match for Splunk inputs and source for splunkd or metrics and point them to the pack
  - Example: `__inputId.startsWith('splunk') && /splunkd.log|metrics.log/.test(source)`
Note: I do not recommend using this as a pre-processor pipeline unless you have a source defined that solely receives internal logs
- Updated this README. Same as previous release.
- Updated docs to reference _metrics as default metrics destination index
- Replaced the Agg function with a Suppression function with an Eval to add the `repeated` count
- Clarified this doc
- Re-wrote Agg function to be cleaner
- Moved regex extract to the top
- Used __level from regex extract for drop function instead of full _raw
- Aggregation of stats sent to metrics store (optional)
- Comments clean-up
- re-wrote splunkd log suppression
- initial release
To contribute to the Pack, please do the following:
Contact Jon Rust jrust@cribl.io
To contact us please email jrust@cribl.io.
This Pack uses the following license: Apache 2.0.