New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requesting a Splunk-specific layout-class for log4j2 #200
Comments
Hi @UnitedMarsupials, Based on your suggestion, if the resolution of this issue can be at Splunk Server side, then it is not in our scope. Please let us know in case of further queries. Thank you ! |
Unfortunately, this turned out to be untrue. At least, according to the Splunk-administrators at our organization, such massaging of the incoming JSON is not possible. Please, reopen this ticket and implement the Splunk-specific layout-class as requested -- to both avoid data-duplication and allow for easy addition of any custom-data to each event... Thank you! |
Hi @UnitedMarsupials, If this issue does not belong to Splunk server side then duplicate entries are created in serialising, it seems. |
Sorry, I don't understand the question: are you asking me for a patch, or an example of the current problem? For a patch, I'd need to write the new class myself -- from scratch, for there is nothing Splunk-specific in place right now. I might get around to it some day, but I don't have any such code ready... |
@UnitedMarsupials I think we don't have a full understanding of the problem here and not sure how your initial post is related to logging lib and what kind of fix you expect. Well described scenario or any env shared could help. |
I thought my original submission would make the problem obvious, but I'll try to explain again... I understand, that this project seeks to cover all logging API implementations -- maybe, you can summon someone with the deeper knowledge of the log4j2 in particular to help understand, what I'm talking about? When creating the text of each event-message, log4j2 uses the layout class specified in the configuration file. These layouts are many -- and users can implement their own. It is the choice of the layout, that determines the format used by each event -- it can be a CSV-row, a single long line, an XML- or a YAML-blob, an SQL In my original submission, I provided a live example of the log4j2 configuration we use here to send events to a Splunk-server -- using the Our configuration makes your code -- the appender called My request in this ticket is for a new class |
@UnitedMarsupials, As far as SplunkLayout (custom class) is concerned, we can create that class but again we have to use Json for formatting event messages along with few metadata fields. |
@bparmar-splunk Did this get merged in? I have this exact problem. Doesn't look like it. Would be great as it sends more data than necessary to Splunk and creates messy and thus confusing log entries. One thing I did was exclude the MDC:
Which helps a bit, but the whole json object e.g. "message.message" isn't ideal. |
Actually played a little bit with Splunk and there is way to format event output by implementing custom:
|
By default -- without any layout specified -- the
SplunkHttp
-appender will simply log the textual message itself, along with a few other standard fields.To get more details -- and even, optionally, insert additional custom fields -- one would use the
JsonLayout
. For example:This works Ok, but results in useless duplications... For example, here is one event logged using above configuration:
As you can see, there are problems:
message.level
is the same thing asseverity
.message.thread
is a copy ofthread
.logger
is a copy ofmessage.loggerName
.message.instant
duplicatestime
.endOfBatch
is quite useless, but cannot be suppressed.message.contextMap
is always included even when empty.message
dictionary -- including the actualmessage.message
text. It'd be nicer, if the fields were at the top level:threadPriority
instead ofmessage.threadPriority
.One cannot blame the stock
JsonLayout
class for this redundancy, because it does not know, that the calling appender (SplunkHttp
) is adding the information too. One's only way to make the events appear more sensible, currently, is to implement special manipulations on the Splunk-server side, based on thesourceType
.Hence a request for a custom
SplunkLayout
to format the messages as would make sense for Splunk in particular.The text was updated successfully, but these errors were encountered: