
Java Logging Appenders: Error after sending logs from log4j-slf4j-impl directly to Splunk

johnjonatan319
Engager

Hi,

I am trying to send logs from a demo app that I built using the log4j-slf4j-impl library to a Splunk Cloud instance.
I followed the instructions in http://dev.splunk.com/view/splunk-logging-java/SP-CAAAE7M
My code contains a Main class, log4j2.xml, and a pom file.

Main class:

 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import com.splunk.logging.HttpEventCollectorLog4jAppender;

 public class TestApp {
     public static final Logger LOG = LogManager.getLogger("testApp");

     public static void main(String[] args) {
         LOG.info("This Will Be Printed On Info");
         LOG.error("This Will Be Printed On Error");
         LOG.fatal("This Will Be Printed On Fatal");
     }
 }

log4j2.xml is located in path: \src\main\resources\log4j2.xml

 <?xml version="1.0" encoding="UTF-8"?>
 <Configuration xmlns="http://logging.apache.org/log4j/2.0/config">
     <Appenders>
         <Console name="STDOUT" target="SYSTEM_OUT">
             <PatternLayout pattern="%-5p | %d{yyyy-MM-dd HH:mm:ss} | [%t] %C{2} (%F:%L) - %m%n" />
         </Console>
         <Http name="http" url="https://%URL%.cloud.splunk.com/services/collector" token="%TOKEN%" disableCertificateValidation="true">
             <PatternLayout pattern="%-5p | %d{yyyy-MM-dd HH:mm:ss} | [%t] %C{2} (%F:%L) - %m%n" />
         </Http>
     </Appenders>
     <Loggers>
         <Logger name="testApp" level="debug" />
         <Root level="info">
             <AppenderRef ref="STDOUT" />
             <AppenderRef ref="http"/>
         </Root>
     </Loggers>
 </Configuration>

pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>log4j-slf4j-impl-example</groupId>
    <artifactId>log4j-slf4j-impl-example</artifactId>
    <version>1.0-SNAPSHOT</version>
    <repositories>
        <repository>
            <id>splunk-artifactory</id>
            <name>Splunk Releases</name>
            <url>http://splunk.jfrog.io/splunk/ext-releases-local</url>
        </repository>
    </repositories>
    <dependencies>
        <dependency>
            <groupId>com.splunk.logging</groupId>
            <artifactId>splunk-library-javalogging</artifactId>
            <version>1.7.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-slf4j-impl</artifactId>
            <version>2.3.0</version>
        </dependency>
    </dependencies>
</project>

The result of the app is:

 INFO  | 2019-06-14 15:39:46 | [main] TestApp (TestApp.java:9) - This Will Be Printed On Info
 ERROR | 2019-06-14 15:39:46 | [main] TestApp (TestApp.java:10) - This Will Be Printed On Error
 FATAL | 2019-06-14 15:39:46 | [main] TestApp (TestApp.java:11) - This Will Be Printed On Fatal

Which means that the app runs and prints to the console as in the appender, but the program continues to run.
In my opinion, it can't reach the URL address of my Splunk instance. I also checked my Splunk instance and no data reached the server.
Can anyone guide me on what is not configured correctly?

Thank you in advance
John

0 Karma
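The `<Http>` appender posted above sets `disableCertificateValidation="true"`, so the client no longer authenticates the server it sends the HEC token and events to. The static check below is an added example, not code from the thread or from Splunk: the sample config is constructed from the attributes in the question, and the function name, finding texts and the `${...}` lookup convention for the token are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the appender attributes posted in the question.
SAMPLE = """<Configuration xmlns="http://logging.apache.org/log4j/2.0/config">
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT"/>
    <Http name="http" url="https://%URL%.cloud.splunk.com/services/collector"
          token="%TOKEN%" disableCertificateValidation="true"/>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="STDOUT"/>
      <AppenderRef ref="http"/>
    </Root>
  </Loggers>
</Configuration>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_hec_appenders(xml_text):
    """Return (appender_name, finding) tuples for every element with url and token."""
    findings = []
    root = ET.fromstring(xml_text)
    referenced = {e.get("ref") for e in root.iter() if local(e.tag) == "AppenderRef"}
    for el in root.iter():
        url, token = el.get("url"), el.get("token")
        if url is None or token is None:
            continue  # not an HTTP Event Collector style appender
        name = el.get("name", "?")
        if el.get("disableCertificateValidation", "false").lower() == "true":
            findings.append((name, "TLS certificate validation disabled"))
        if not url.lower().startswith("https://"):
            findings.append((name, "token sent over a non-HTTPS URL"))
        if "%" in url or "%" in token:
            findings.append((name, "unexpanded %...% placeholder in url/token"))
        elif token.strip() and not token.startswith("${"):
            findings.append((name, "literal token committed in the config file"))
        if name not in referenced:
            findings.append((name, "appender is not referenced by any logger"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_hec_appenders(SAMPLE):
        print(f"[{name}] {finding}")
```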
1 Solution

jnudell_2
Builder

Hi @johnjonatan319 ,

Here are things to check for troubleshooting:

  • Do you receive events from that host for the _internal index? If not, then you probably do not have the forwarder set up to send data to SplunkCloud correctly: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/DataSplunkCloudcanindex

  • Instead of writing to STDOUT, write to a file on disk, and then configure the forwarder to watch that file. If this works, then it would be an issue with the way the app is processing STDOUT information. Maybe writing to disk would be a better option for troubleshooting and providing the ability to re-ingest missed events in the case of a network issue/error.

Let me know if this helps.

0 Karma

johnjonatan319
Engager

Thank you for your assistance.
The problem was that I used the cloud. When I installed a normal Splunk instance the problem disappeared.
Thank you again
John

0 Karma