Catfish Catfish - 6 days ago 7
Java Question

Trying to log to Splunk using logback appender

I'm trying to log to Splunk directly in my Java application using the Logback appender for Splunk.

Nothing seems to be going to Splunk, but when I manually issue a POST command in a REST client, I'm seeing my data in Splunk.

I wasn't able to get the official Splunk Logback test to work either.

logback.xml

<configuration>

    <appender name="SPLUNK" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
        <url>http://mySplunkUrl:8088/services/collector</url>
        <token>1234566789</token>
        <disableCertificateValidation>true</disableCertificateValidation>
        <batch_size_count>1</batch_size_count>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <pattern>%msg</pattern>
        </layout>
    </appender>

    <root level="trace">
        <appender-ref ref="SPLUNK" />
    </root>

</configuration>


Unit test

@Test
public void splunkLogger() {
    Logger logger = LoggerFactory.getLogger(LogFactoryTest.class);
    Date date = new Date();
    String jsonMsg = String.format("{event:'CancerCenterTest'}");
    logger.info("CancerCenterTest");
    logger.info(jsonMsg);
}


This is the documentation I was trying to use: http://dev.splunk.com/view/splunk-logging-java/SP-CAAAE7M

Am I missing something obvious?

EDIT
Here's a link to my project - https://github.com/toymachiner62/splunk-logging

Answer

The problem seems to be that a unit test JVM will exit before the Splunk background thread completes the log upload.

The Logback adapter for Splunk uses a background thread for sending messages to the server in batches. Batching is controlled by the batch_interval, batch_size_bytes and batch_size_count parameters. Even if they are all set to very low levels, the unit test JVM will likely exit and kill the thread before it completes.

Try adding a sleep to the end of the test method, e.g.:

Thread.sleep(5000);

Also the send may be failing due to some error. These can be surfaced by adding this snippet of code to catch Splunk sender failures:

HttpEventCollectorErrorHandler.onError(new HttpEventCollectorErrorHandler.ErrorCallback() {
    public void error(final List<HttpEventCollectorEventInfo> events, final Exception ex) {
        // FIXME: Dumping stack trace to STDERR is not suitable for production use !
        ex.printStackTrace();
    }
});

Please note that the Splunk HttpEventCollectorSender does not seem to be setting any HttpClient timeouts, so if the endpoint is unreachable it could take minutes for the connection to time out and an error message to appear.

EDIT: As it turns out, there was also an issue with the url parameter in logback.xml. The URL must be specified without a path, e.g. http://mySplunkUrl:8088/ not http://mySplunkUrl:8088/services/collector
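
The answer's two suggestions combined into one JUnit test, as an added example that is not part of the original answer: sender failures raised on the background thread are collected and turned into a test failure after the wait. The class name `SplunkAppenderTest` and the 5-second wait are assumptions; the Splunk classes are the ones named in the answer.

```java
import static org.junit.Assert.assertTrue;

import com.splunk.logging.HttpEventCollectorErrorHandler;
import com.splunk.logging.HttpEventCollectorEventInfo;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical test class; assumes logback.xml on the test classpath
// configures the SPLUNK appender with the corrected, path-less URL.
public class SplunkAppenderTest {

    // Assumed wait for one batch upload to a reachable collector.
    private static final long FLUSH_WAIT_MS = 5000;

    @Test
    public void eventsAreSentWithoutSenderErrors() throws InterruptedException {
        // The callback runs on the sender's background thread, so collect
        // failures in a thread-safe list the test thread can read later.
        final List<Exception> senderErrors = new CopyOnWriteArrayList<>();
        HttpEventCollectorErrorHandler.onError(
            new HttpEventCollectorErrorHandler.ErrorCallback() {
                @Override
                public void error(List<HttpEventCollectorEventInfo> events, Exception ex) {
                    senderErrors.add(ex);
                }
            });

        Logger logger = LoggerFactory.getLogger(SplunkAppenderTest.class);
        logger.info("CancerCenterTest");

        // Keep the JVM alive long enough for the background upload to run.
        Thread.sleep(FLUSH_WAIT_MS);

        // Fail with the collected exceptions instead of exiting silently.
        assertTrue("Splunk sender reported: " + senderErrors, senderErrors.isEmpty());
    }
}
```

Because the sender sets no HttpClient timeouts, as the answer notes, an unreachable endpoint may not report an error within the wait, so an empty error list alone does not prove delivery; confirm the event in Splunk as well.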
