I am new to configuring Splunk; I have just installed an instance locally. I have an application which uses log4net to output its logs, and I am trying to make the complete logs, with all properties, go to Splunk over UDP.
I see that Splunk supports a source type log4net_xml, which I would assume corresponds to log4net's XmlLayout. I have therefore created a UDP data source in Splunk, selecting log4net_xml as the source type.
I have also added an appender to the log4net.config file of my application:
<appender name="UdpAppender" type="log4net.Appender.UdpAppender">
  <identity value="Logging" />
  <!-- XmlLayout writes one <log4net:event> XML fragment per logging event -->
  <layout type="log4net.Layout.XmlLayout" />
  <!-- address and port of the Splunk UDP data input -->
  <remoteAddress value="127.0.0.1" />
  <remotePort value="514" />
</appender>
Events from my application show up in Splunk search fine, formatted as XML strings similar to this one:
<log4net:message>Hello world!</log4net:message><log4net:properties><log4net:data name="Subject" value="Site ERROR" /><log4net:data name="log4net:UserName" value="kamil" /></log4net:properties>
Given that Splunk gives the impression of supporting this format, I would expect it to extract fields such as message, Subject and UserName from these strings, but this does not happen. The only fields are Splunk's built-in ones, plus a couple of random ones where Splunk found some substrings of the form XYZ=ABC within these logs.
I tried using the log4j source type (faked with log4net's XmlLayoutSchemaLog4j layout), but this did not work either.
Does what I'm trying to do make sense? Or am I too naive in my approach?
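A worked example of what the field extraction the post is asking for has to deal with. This is added code, not part of the original post and not Splunk's own log4net_xml parsing logic (which I have not inspected). It shows that a single XmlLayout event, as the UdpAppender sends it, is an XML fragment whose `log4net:` prefix is never declared, so a strict XML parser rejects the raw datagram; wrapping it in a root element that declares the prefix makes it parseable, after which message, level and the custom properties fall out directly. The sample event is constructed by hand to match the fragment quoted above, and the namespace URI is an assumption (any URI works, since the prefix only needs to be bound). A regex fallback handles datagrams that are not well-formed, for example one cut short by a UDP size limit.

```python
"""Parse log4net XmlLayout event fragments into flat field dictionaries."""
import re
import xml.etree.ElementTree as ET

# Assumed namespace URI for the log4net 1.2 events schema; only used to bind
# the undeclared "log4net" prefix so the fragment becomes well-formed XML.
LOG4NET_NS = "http://logging.apache.org/log4net/schemas/log4net-events-1.2/"
PREFIX = "log4net"  # XmlLayout's default prefix

# Constructed sample: one UDP datagram as XmlLayout would write it.
SAMPLE_EVENT = (
    '<log4net:event logger="MyApp.Web" '
    'timestamp="2024-01-01T12:00:00.000+00:00" level="ERROR" thread="7">'
    '<log4net:message>Hello world!</log4net:message>'
    '<log4net:properties>'
    '<log4net:data name="Subject" value="Site ERROR" />'
    '<log4net:data name="log4net:UserName" value="kamil" />'
    '</log4net:properties>'
    '</log4net:event>'
)

# Constructed sample of a datagram cut off mid-event (closing tags missing).
TRUNCATED_EVENT = (
    '<log4net:event logger="MyApp.Web" level="WARN" thread="3">'
    '<log4net:message>Hello world!</log4net:message>'
    '<log4net:properties>'
    '<log4net:data name="Subject" value="Site ERROR" />'
    '<log4net:data name="log4net:Use'
)

_DATA_RE = re.compile(rf'<{PREFIX}:data name="([^"]*)" value="([^"]*)"\s*/>')
_MSG_RE = re.compile(rf'<{PREFIX}:message>(.*?)</{PREFIX}:message>', re.S)


def is_well_formed(fragment: str) -> bool:
    """True if the raw fragment parses on its own (it will not: unbound prefix)."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def _strip_prefix(name: str) -> str:
    """log4net's own context keys are emitted as log4net:UserName etc."""
    return name[len(PREFIX) + 1:] if name.startswith(PREFIX + ":") else name


def parse_log4net_event(fragment: str) -> dict:
    """Strict parse: wrap the fragment so the log4net prefix is declared."""
    wrapped = f'<root xmlns:{PREFIX}="{LOG4NET_NS}">{fragment}</root>'
    root = ET.fromstring(wrapped)          # raises ET.ParseError if malformed
    ns = {PREFIX: LOG4NET_NS}
    event = root.find(f"{PREFIX}:event", ns)
    if event is None:
        raise ValueError("no log4net:event element in fragment")
    fields = {
        "logger": event.get("logger"),
        "level": event.get("level"),
        "timestamp": event.get("timestamp"),
        "thread": event.get("thread"),
    }
    msg = event.find(f"{PREFIX}:message", ns)
    fields["message"] = msg.text if msg is not None else None
    for data in event.findall(f"{PREFIX}:properties/{PREFIX}:data", ns):
        fields[_strip_prefix(data.get("name", ""))] = data.get("value")
    return fields


def extract_fields(fragment: str) -> dict:
    """Best-effort extraction: strict XML first, regex scrape if that fails."""
    try:
        return parse_log4net_event(fragment)
    except ET.ParseError:
        fields = {"_parse": "fallback"}
        m = _MSG_RE.search(fragment)
        if m:
            fields["message"] = m.group(1)
        for name, value in _DATA_RE.findall(fragment):
            fields[_strip_prefix(name)] = value
        return fields


if __name__ == "__main__":
    print("raw fragment well-formed:", is_well_formed(SAMPLE_EVENT))
    print(parse_log4net_event(SAMPLE_EVENT))
    print(extract_fields(TRUNCATED_EVENT))
```

Whatever receives these datagrams, Splunk or otherwise, has to do the equivalent of the wrapping step before any XML-aware field extraction can work; a receiver that just looks for `key=value` substrings will only ever find the accidental matches described in the post.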