
The Cribl Pack for Splunk Internal - Initial Release

@nicktank nicktank released this 28 Jul 00:19
· 8 commits to main since this release
d6ee482

Internal logs do not count against index, but they surely impact your resource utilization. In my experience, 5-7% of enterprise deployments' resources are consumed by UF internal logs. Some of these logs can be useful, but most are not.

In this case we are:

  • Dropping any splunkd logs at DEBUG or TRACE level
  • Aggregating repetitive splunkd logs based on component-level ID in a lookup file
      • A repeat count will be added to the logs allowed through.
  • Dropping any metrics logs that are not either name and group=thruput, or group=per_*_thruput
      • Optionally aggregating these based on a lookup value for farm
      • Optionally:
          • Aggregation logs will still end up in _internal, with sourcetype and source == 'metrics:agg'
          • OR - Aggregated stats will be sent to a metrics store (metrics index is metrics, adjust as needed in the Aggregation functions)
  • Dropping any introspection logs
  • For splunkd and metrics logs that do make it through, optionally trim the timestamp off _raw
  • Trim source to just the file name (e.g., ./splunkd.log)
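The drop, aggregate and trim rules above, modelled in plain JavaScript as an added example (not the pack's own code or its Cribl functions): `AGG_COMPONENTS` stands in for the pack's component lookup file, the farm lookup and metrics-store outputs are not modelled, and the sample log lines are constructed.

```javascript
// Added example, not the pack's own code: a plain-JS model of the pack's drop/aggregate/trim
// decisions over constructed Splunk internal log lines. AGG_COMPONENTS stands in for the lookup file.
// splunkd.log and metrics.log share one shape: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
const LINE_RE = /^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (\w+)\s+(\S+) - (.*)$/;
const AGG_COMPONENTS = new Set(['TailingProcessor']);   // constructed stand-in for the component lookup
function parseLine(raw) {
  const m = LINE_RE.exec(raw);
  return m && { ts: m[1], level: m[2], component: m[3], message: m[4] };
}
// "group=thruput, name=thruput, kbps=0.5" -> { group: 'thruput', name: 'thruput', kbps: '0.5' }
function parseMetricsKv(message) {
  return Object.fromEntries(message.split(',').map(s => s.trim().split('='))
    .filter(kv => kv.length === 2).map(([k, v]) => [k, v.replace(/^"|"$/g, '')]));
}
// Surviving events: source -> "./file", timestamp cut off _raw, repeats from lookup-listed components collapsed with repeat_count
function processBatch(events) {
  const out = [], agg = new Map();
  for (const ev of events) {
    if (ev.source.includes('/introspection/')) continue;                  // drop introspection logs
    const file = ev.source.split('/').pop(), source = './' + file;
    const p = parseLine(ev._raw);
    if (!p || !['splunkd.log', 'metrics.log'].includes(file)) { out.push({ ...ev, source }); continue; }
    const kept = { sourcetype: ev.sourcetype, source, _raw: ev._raw.slice(p.ts.length + 1) };
    if (file === 'metrics.log') {
      const kv = parseMetricsKv(p.message);                               // keep only thruput groups
      if ((kv.group === 'thruput' && kv.name === 'thruput') || /^per_.+_thruput$/.test(kv.group || '')) out.push(kept);
    } else {
      if (p.level === 'DEBUG' || p.level === 'TRACE') continue;            // drop DEBUG/TRACE splunkd logs
      if (!AGG_COMPONENTS.has(p.component)) { out.push(kept); continue; }
      const key = p.component + '|' + p.message, a = agg.get(key);
      if (a) a.repeat_count += 1; else agg.set(key, Object.assign(kept, { repeat_count: 1 }));
    }
  }
  return out.concat([...agg.values()]);
}
// Constructed sample batch from one forwarder: splunkd.log, metrics.log and an introspection log
const ts = '07-28-2023 00:19:05.123 +0000 ';
const ev = (file, raw) => ({ sourcetype: 'splunkd', source: '/opt/splunkforwarder/var/log/splunk/' + file, _raw: ts + raw });
const SAMPLE = [
  ev('splunkd.log', 'DEBUG TailReader - Tailing file=/var/log/syslog'),
  ev('splunkd.log', 'INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...'),
  ev('splunkd.log', 'WARN  HttpInputDataHandler - Failed processing http input'),
  ev('splunkd.log', 'INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...'),
  ev('metrics.log', 'INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.5'),
  ev('metrics.log', 'INFO  Metrics - group=per_index_thruput, series="main", kbps=0.3'),
  ev('metrics.log', 'INFO  Metrics - group=pipeline, name=parsing, processor=aggregator, cpu_seconds=0.0'),
  ev('splunkd.log', 'INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...'),
  { sourcetype: 'splunk_resource_usage', source: '/opt/splunkforwarder/var/log/introspection/resource_usage.log', _raw: '{}' },
];
```

Running `processBatch(SAMPLE)` leaves four events: the WARN line, the two thruput metrics lines and one collapsed TailingProcessor event with `repeat_count: 3`; the DEBUG, pipeline-metrics and introspection events are gone.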