What does the source tag mean in HttpEventCollectorLogbackAppender?

I'm using HttpEventCollectorLogbackAppender for writing my java application logs to the splunk server. I've been trying this for very long and still haven't been able to get my logs into splunk.

Can someone please explain what the source tag refers to in the HttpEventLogbackAppender?

Below is the HttpEventLogbackAppender in my logback.xml file:

```xml
<appender name="splunk-httpeventcollector-appender"
          class="com.splunk.logging.appenders.logback.HttpEventCollectorLogbackAppender">
    <url>${SPLUNK_HOST_URL}</url>
    <host>${CFG_DC}_${APP_ENV}_${CONTAINER_ID}</host>
    <token>${SPLUNK_TOKEN}</token>
    <source></source> <!-- what does this refer to? -->
    <index>${SPLUNK_INDEX}</index>

    <disableCertificateValidation>true</disableCertificateValidation>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <Pattern>%d{ISO8601} [%thread] loglevel=%-5level %logger{36} - remotehost=%mdc{req.remoteHost} forwardedfor=%mdc{req.xForwardedFor} requestmethod=%mdc{req.method} requesturi=%mdc{req.requestURI}</Pattern>
    </layout>
    <batch_size_count>500</batch_size_count>
    <send_mode>parallel</send_mode>

</appender>
```

From Splunk Documentation, I found the following. Hope it will help you. Link - http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Aboutdefaultfields

source - The source of an event is the name of the file, stream, or other input from which the event originates. For data monitored from files and directories, the value of source is the full path, such as /archive/server1/var/log/messages.0 or /var/log/. The value of source for network-based data sources is the protocol and port, such as UDP:514.

    This topic focuses on three key default fields:

        host
        source
        sourcetype

    Defining host, source, and sourcetype

    The host, source, and sourcetype fields are defined as follows:

        host - An event host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated. The host value lets you locate data originating from a specific device. For more information on hosts, see About hosts.
        sourcetype - The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how your data is to be formatted. For more information on source types, see Why source types matter.

    Source vs sourcetype

    Source and source type are both default fields, but they are entirely different otherwise, and can be easily confused.

        The source is the name of the file, stream, or other input from which a particular event originates.

        The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.

    Events with the same source type can come from different sources, for example, if you monitor source=/var/log/messages and receive direct syslog input from udp:514. If you search sourcetype=linux_syslog, events from both of those sources are returned.

GitHub -

Logback configuration looks like:

```xml
<!-- Splunk HTTP Appender -->
<appender name="splunkHttpAppender" class="com.splunk.logging.HttpEventCollectorLogbackAppender">
    <url>${splunk.http.url}</url>
    <token>${splunk.http.token}</token>
    <source>${splunk.source}</source>
    <host>${splunk.httpevent.listener.host}</host>
    <messageFormat>${splunk.event.message.format}</messageFormat>
    <disableCertificateValidation>${splunk.cert.disable-validation}</disableCertificateValidation>
    <layout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%date{ISO8601} [%thread] %level: %msg%n</pattern>
    </layout>
</appender>

<logger name="com.example.app" additivity="false" level="INFO">
    <appender-ref ref="splunkHttpAppender"/>
</logger>

<root level="INFO">
    <appender-ref ref="splunkHttpAppender"/>
</root>
```

Alternatively, you can send your application logs to S3 (AWS), and from there you can configure the path in inputs.conf in Splunk and the index in outputs.conf.