Have never used Splunk; just looking to see if something is possible.
I not only want to monitor the things that Splunk seems able to handle out of the box (CPU, RAM, EventLogs, etc.), but I'm wondering how common the practice might be of the following:
1. I create a Windows Service that can write to its host's EventLog.
2. I set Splunk to monitor for the custom events that my Windows Service might create.
3. These are all custom events tied to specific activities my custom service is monitoring for.
4. My Windows Service monitors application-level activities, like availability of certain web sites, availability of web services, status of test T-SQL queries; obviously, this Windows Service has code that is capable of "hitting" these application-level entities; and then upon concluding success/fail, it can write an appropriate custom event into the EventLog.
5. Then Splunk can be configured to monitor for these specific events.
I'm thinking this is a cool idea; is there a reason this is not a good idea?
Thanks for your guidance.
-Larry
As long as your custom event log follows the format of:
key_1=value_1
key_2=value_2
key_n = value_n
Message=something
key_x : value_x
key_y : value_y
key_z : value_z
the default field extractions should work out of the box. It's not like it won't work at all otherwise, but you might have to do some configuring yourself. Shouldn't really be hard, but I'm just saying, since you have little/no experience.
/K
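As an added illustration of both posts (the monitoring service Larry describes and the key=value layout K describes), here is a PowerShell sketch of one check that writes its result to the Application log in that layout. This is example code, not from either post; the event source name "AppMonitor", the event IDs and the URL are placeholders.

```powershell
# Added example, not from the thread. Source name, event IDs and URL are placeholders.
$Source  = "AppMonitor"
$LogName = "Application"

# Register the event source once (requires elevation the first time).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function Test-WebSite {
    param([string]$Url, [int]$TimeoutSec = 10)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Invoke-WebRequest throws on timeouts, DNS failures and non-2xx codes.
        $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        $ok     = ($resp.StatusCode -eq 200)
        $status = $resp.StatusCode
    } catch {
        $ok     = $false
        $status = $_.Exception.Message
    }
    $sw.Stop()
    return [pscustomobject]@{ ok = $ok; status = $status; ms = $sw.ElapsedMilliseconds }
}

function Write-MonitorEvent {
    param([string]$Check, [string]$Target, $Result)
    $outcome = if ($Result.ok) { 'success' } else { 'fail' }
    # Body layout: key=value lines, then Message=, then key : value lines,
    # which is the layout the answer says Splunk's default extractions pick up.
    $lines = @(
        "check=$Check",
        "target=$Target",
        "result=$outcome",
        "Message=$Check check of $Target ended in $outcome",
        "status : $($Result.status)",
        "latency_ms : $($Result.ms)",
        "host : $env:COMPUTERNAME"
    )
    $type = if ($Result.ok) { 'Information' } else { 'Error' }
    $id   = if ($Result.ok) { 1000 } else { 1001 }
    Write-EventLog -LogName $LogName -Source $Source -EventId $id `
        -EntryType $type -Message ($lines -join "`n")
}

# One run of the check; a real service would loop this on a schedule.
$target = "https://example.internal/health"   # placeholder URL
$r = Test-WebSite -Url $target
Write-MonitorEvent -Check "website" -Target $target -Result $r
```

Once Splunk's Windows event log input is pointed at the Application log, searching on the source (e.g. `SourceName=AppMonitor result=fail`) lets you alert on the custom fields without writing your own extractions.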