Re: BAC / UCMDB Log Searching (555 Views)
Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 1 of 18 (686 Views)

BAC / UCMDB Log Searching

I'm actively using Splunk for searching across all our BAC, UCMDB, and RC logs and finding it very useful. Right now I'm having no issues with the free version of splunk. I've written a small blurb about it on skazal.com and I'm happy to discuss it further with anyone if interested.

We've been using UCMDB, BAC, Sitescope, etc. for years and have been in need of a way to search and correlate log messages across the various app platforms and servers. Splunk is working well for this.
Honored Contributor
Rajasekhar Gundu
Posts: 1,085
Registered: ‎03-31-2008
Message 2 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

That's great. Can you explain the usage of it on them? If you can provide any document or guide on it, it would be really helpful.

Regards,
Raj

Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 3 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

I'm working on some basic documentation and details on how I got it working along with some basic, helpful use cases. I'll post a notice when I have that ready, but if there is something specific, don't wait for the doc, just ask :)

Basically, the product installs correctly per the instructions. Our BAC/UCMDB implementation is on a Windows platform and there was a little twist on how to configure the log directory specifications that I worked out with their tech support (something I'll detail in the docs). Once that was done, it started indexing the log files. Out of the box, it has a basic understanding of log4j formatted files. The free version limits you to 500 MB of indexing data per day. If you need to support more than that or want to set up multiple collectors to forward data, you'll need to go to the non-free version. John Mahon was the rep at Splunk that I worked with. Everyone there was very helpful.

Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 4 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

Here's some real quick setup instructions that I originally posted on skazal.com for indexing log files on a combined BAC/UCMDB environment.

So here's a bit on what I did to get Splunk running to index a combined BAC/UCMDB environment using all Windows servers (Splunk and BAC).

Splunk was installed on a separate host. A straightforward Windows install.

The tricky part (not so tricky, really) is that you can't use the web GUI for specifying the files you want to index. Here's what I did:

I was able to create a share from the root of the BAC install directory and mount it on the Splunk server. Important note, you have to use a named share, not an administrative share, that is a reference like: \\mybacserver\D$ won't work. You need to explicitly create a share on the BAC/UCMDB host(s) you want to index.

In the example below I reference the explicit share by the name \\mybacserver\HPBAC

Once you've got that done and mounted, edit the file: C:\Program Files\Splunk\etc\system\local\inputs.conf

These are the lines to add...

[monitor://\\mybacserver\HPBAC\DiscoveryProbe\root\logs\*.log]
disabled = false
host = name-of-splunk-server
sourcetype = log4j

[monitor://\\mybacserver\HPBAC\log\...\*.log]
disabled = false
host = name-of-splunk-server
sourcetype = log4j


If you have multiple servers and logs to add, just use the same idea. Once done, startup splunk per the normal method (command line or service start) and you're off to the races.

If you find the need to start over and want to get rid of your previously indexed content, you can use the command line:

splunk clean all -f

You can also use the command:

splunk cmd listtails

to generate a list of all the files that Splunk is actually indexing.
Regular Advisor
alissa_b
Posts: 105
Registered: ‎01-13-2009
Message 5 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

thank you for sharing your experience.
I am also trying to index BAC logs with splunk.
I followed your instructions how to configure it with the inputs.conf file, however it seems that the results (and source type = log4j) are not shown in the splunk UI, even though according to the listtails command the logs are searched. Is there anything additional that needs to be done in the Splunk UI?
Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 6 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

Not being able to see this in the UI is true. I'm guessing it's related to the same issue that requires you to enter the patterns in the conf file. If you go to Data Inputs -> Files and Directories, you should see file counts, which is the only confirmation I can find in the UI. Does that help?
Regular Advisor
alissa_b
Posts: 105
Registered: ‎01-13-2009
Message 7 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

I see this entry in files and directories, and the files count says 1 - does it make any sense? Obviously BAC has much more than 1 log file :)
But where do you see the indexing results/searching for errors if not in the UI?
Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 8 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

Are you running Splunk on windows?
You can ask splunkd what files it actually found with, from the command line:

splunk list monitor

You can also turn on some debug data on the splunk instance, by editing log.cfg, set

category.TailingProcessor = DEBUG

Then look in the log files in the directory:

C:\Program Files\Splunk\var\log\splunk

I hope that helps, let me know.

Regular Advisor
alissa_b
Posts: 105
Registered: ‎01-13-2009
Message 9 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

hi, thanks for your help.
yes I use splunk on windows.
Bac is also on windows but on another server.
I created share as you suggested, and I also tried to map it as a drive to the server where splunk is installed and it didn't help.
I also checked the logs you mentioned and it prints every time "the file does not exist yet" for the log I specified on BAC server (the logs do exist on BAC server)

When you said to add this line, did you mean to add it 'as is' once , or explicitly add it as number of log files and change the log\...\*.log part to be the real file name (such as jboss_boot.log)?
[monitor://\\mybacserver\HPBAC\log\...\*.log]
disabled = false
host = name-of-splunk-server
sourcetype = log4j
Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 10 of 18 (686 Views)

Re: BAC / UCMDB Log Searching

Ok, of course the \\mybacserver should be a reference to your BAC host. HPBAC is the name of the exported share of the install directory for BAC. For us, we have BAC installed in D:\HPBAC and I've set up that directory to be shared with the name "HPBAC".

The '...' is Splunk's notation to transcend all subdirectories, so in this case it will index any files that end with '.log' anywhere under the \HPBAC\log directory.

For the line:

host = name-of-splunk-server

'name-of-splunk-server' should be the hostname where you've installed splunk.
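
Added example, not part of the thread and not Splunk's own code: a small Python model of how the '...' and '*' wildcards in the two monitor paths above select files, so that expected log coverage can be compared against what `splunk list monitor` reports. The translation of '...' to `.*` and '*' to `[^\\]*` is an assumption modelled on Splunk's documented wildcard rules, and every file name in FILES is constructed.

```python
import re

# Assumed translation, modelled on Splunk's documented wildcard rules
# (not Splunk's own code):
#   '...' -> '.*'       any number of directory levels
#   '*'   -> '[^\\]*'   one path segment only, never crosses a backslash
def monitor_to_regex(path):
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif path[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    # Windows paths are case-insensitive
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def coverage(stanza_paths, files):
    """Map each file to the first monitor path that matches it, or None."""
    compiled = [(p, monitor_to_regex(p)) for p in stanza_paths]
    return {f: next((p for p, rx in compiled if rx.match(f)), None)
            for f in files}

def gaps(stanza_paths, files):
    """Files that no monitor path picks up (candidates for a new stanza)."""
    return [f for f, hit in coverage(stanza_paths, files).items() if hit is None]

# The two monitor paths from the post above.
STANZAS = [
    r"\\mybacserver\HPBAC\DiscoveryProbe\root\logs\*.log",
    r"\\mybacserver\HPBAC\log\...\*.log",
]

# Constructed file names for illustration; not a real BAC directory listing.
FILES = [
    r"\\mybacserver\HPBAC\log\EJBContainer\jboss_boot.log",
    r"\\mybacserver\HPBAC\log\mam\web\cmdb.log",
    r"\\mybacserver\HPBAC\DiscoveryProbe\root\logs\probe.log",
    r"\\mybacserver\HPBAC\log\jboss_boot.log",                 # directly in \log
    r"\\mybacserver\HPBAC\log\EJBContainer\jboss_boot.log.1",  # rolled file
    r"\\mybacserver\HPBAC\DiscoveryProbe\root\logs\old\probe.log",
    r"\\mybacserver\D$\HPBAC\log\EJBContainer\jboss_boot.log",  # admin share
]

if __name__ == "__main__":
    for f, hit in coverage(STANZAS, FILES).items():
        print(("MATCH   " if hit else "NO MATCH"), f)
```

Under this model the last four entries in FILES come back unmatched: the file sitting directly in \log, the rolled-over .log.1 file, the file one level below DiscoveryProbe\root\logs, and the path reached through the D$ administrative share. `splunk list monitor` on the Splunk host shows what Splunk itself picked up.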
Regular Advisor
alissa_b
Posts: 105
Registered: ‎01-13-2009
Message 11 of 18 (685 Views)

Re: BAC / UCMDB Log Searching

thanks for the response.
I did everything as you suggested, however it looks like it doesn't recognize the log files in the directory.

When you see file count in the splunk UI, do you see 1 file, or it gives the real log files amount?
Regular Advisor
alissa_b
Posts: 105
Registered: ‎01-13-2009
Message 12 of 18 (685 Views)

Re: BAC / UCMDB Log Searching

...and of course I replaced mybacserver with the real BAC host name.
I just wasn't sure whether log\...\*.log is a general instruction or something splunk recognizes as you said.
Frequent Advisor
Thomas Dosedel
Posts: 76
Registered: ‎03-31-2008
Message 13 of 18 (685 Views)

Re: BAC / UCMDB Log Searching

So you've validated that you can get to the log files by manually browsing to the log files from the Splunk server. When you run the 'splunk list monitor' command, do you get a list of the log files you expect?
Frequent Advisor
メイ
Posts: 59
Registered: ‎07-17-2013
Message 14 of 18 (587 Views)

Re: BAC / UCMDB Log Searching

Dear expert,

Thanks for sharing.

We are now considering integrating Splunk with BSM/SiS; could you please share your documentation?

And do you have any suggestions?

We also want to send Splunk Events/metrics into BSM, is that possible?

Can we integrate Splunk Events into OMW, and thereby pass them as Events/metrics into BSM?

Or is there any other method?

Thanks in advance.

HP Expert
PatWest
Posts: 831
Registered: ‎03-06-2008
Message 15 of 18 (577 Views)

Re: BAC / UCMDB Log Searching

Maybe it's better to contact Thomas directly?

http://h30499.www3.hp.com/t5/user/viewprofilepage/user-id/610405
Frequent Advisor
メイ
Posts: 59
Registered: ‎07-17-2013
Message 16 of 18 (571 Views)

Re: BAC / UCMDB Log Searching

thanks for your reminder!!!!

I didn't realize there is a function to send a private message >o<~

HP Expert
PatWest
Posts: 831
Registered: ‎03-06-2008
Message 17 of 18 (562 Views)

Re: BAC / UCMDB Log Searching

:>) Keep us updated on how this evolves, maybe other customers can benefit from it.

Frequent Advisor
メイ
Posts: 59
Registered: ‎07-17-2013
Message 18 of 18 (555 Views)

Re: BAC / UCMDB Log Searching

sure! But no response yet......