I tried to set up $SPLUNK_HOME/etc/log.cfg to change its current logging (RollingFileAppender).
Attempt 1 - failed: encountered parsing errors
appender.A4=org.apache.log4j.DailyRollingFileAppender
appender.A1.File=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.DatePattern='.'yyyy-MM-dd
Attempt 2 - failed due to parsing errors
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.filePattern=${SPLUNK_HOME}/var/log/splunk/splunkd.log-%d{yyyy-MM-dd}-%i
Help. What can I do to change the logging? I thought Splunk supports the standard log4j 2.
The short answer is that any appender other than the RollingFileAppender won't work.
While the configuration file suggests log4j use under the covers, that is not the case. The implementation was changed to remove a dependency on a 3rd-party library, but the cfg file structure was preserved.
The only supported file appender in the current implementation is the RollingFileAppender.
The only option is to rotate files outside of Splunk and hope that we can handle renaming an active log file transparently... 😉
Thanks ssievert for the quick response and letting us know. Cheers 🙂
Just to verify: In your first attempt, did you really use appender.A4=org.apache.... instead of appender.A1=org.apache....?
Hi ssievert,
Yes, I tried both options: org.apache.log4j.DailyRollingFileAppender and DailyRollingFileAppender,
but unfortunately both failed.
I just tried and am getting Parse error at "appender.A1.DatePattern='.'yyyy-MM-dd" as well. I'll see what I can find out...
Thank you ssievert,
good that you confirmed my findings.
My objective is that if I have a daily rolling mechanism going, then it would be easy for me to back up the old logs incrementally (by date). If this is not possible, then I will use native Unix technologies. I am getting there on my script.
Test: find "$SPLUNK_HOME" -name '*.log.?' -exec stat --printf="%y %n\n" {} \; | grep "$(date +"%Y-%m-%d")" | awk '{print $4}'
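The date-based incremental backup described in the last post, as an added example (not code from the thread or from Splunk). It assumes GNU date and that rolled files are renumbered on each roll (.1 becomes .2), so copies are keyed by modification time rather than by index; the function name `backup_rolled_logs` and the backup directory layout are hypothetical.

```shell
#!/bin/sh
# Added example: copy rolled logs (e.g. splunkd.log.1) that were last
# written on a given day into BACKUP_ROOT/YYYY-MM-DD/.
#
# Usage: backup_rolled_logs LOG_DIR BACKUP_ROOT [YYYY-MM-DD]
# Prints the number of files newly copied.
backup_rolled_logs() {
    log_dir=$1
    backup_root=$2
    day=${3:-$(date +%F)}          # default: today
    dest="$backup_root/$day"
    copied=0

    # Match only rolled files; the active *.log is still being written.
    for f in "$log_dir"/*.log.[0-9]*; do
        [ -f "$f" ] || continue    # glob matched nothing

        # A rename keeps the mtime, so mtime identifies a rolled file
        # even after its numeric suffix has shifted.
        [ "$(date -r "$f" +%F)" = "$day" ] || continue

        base=${f##*/}              # splunkd.log.1
        stem=${base%.*}            # splunkd.log
        stamp=$(date -r "$f" +%Y%m%dT%H%M%S)
        target="$dest/$stem.$stamp"

        # Already backed up under its mtime-based name: skip.
        [ -e "$target" ] && continue

        mkdir -p "$dest" || return 1
        cp -p "$f" "$target" && copied=$((copied + 1))
    done

    echo "$copied"
}

# Run directly when called with arguments, e.g. from cron:
#   backup.sh "$SPLUNK_HOME/var/log/splunk" /backup/splunk
if [ "$#" -ge 2 ]; then
    backup_rolled_logs "$@"
fi
```

Running it twice for the same day copies nothing the second time, including after the source files have been renumbered by another roll.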