Integrating with Splunk
You can use the Universal Forwarder, which securely collects and sends data into Splunk for indexing and consolidation.
To ingest logs to Splunk, complete these steps:
- Install the Universal Forwarder on each node of your Dremio cluster.
  a. For Windows, see Install a Windows universal forwarder.
  b. For Linux, Solaris, or macOS, see Install a *nix universal forwarder.
- Configure the inputs.conf file using the following example:
```ini
# Version 9.1.2
#
# This is an example inputs.conf for uploading Dremio logs to Splunk.
# Replace <DREMIO_LOG_PATH> with the log directory of the Dremio node the
# forwarder runs on. Splunk setting names are lowercase (sourcetype, not Sourcetype).
#
# To learn more about Dremio log files please see the documentation located at
# https://docs.dremio.com/current/sonar/monitoring/#logs
#
# To learn more about configuration files (including precedence) please see the Splunk
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Audit log.
[monitor://<DREMIO_LOG_PATH>/audit.json]
disabled = 0
index = _audit
sourcetype = dremio_audit

# HTTP access log for the Dremio web server. This log is generated by coordinator nodes only.
[monitor://<DREMIO_LOG_PATH>/access.log]
disabled = 0
index = _system
sourcetype = dremio_access

# Garbage collection log.
[monitor://<DREMIO_LOG_PATH>/server.gc]
disabled = 0
index = _system
sourcetype = dremio_server_gc

# Server log.
[monitor://<DREMIO_LOG_PATH>/json/server.json]
disabled = 0
index = _system
sourcetype = dremio_server

# Log for Dremio daemon standard out.
[monitor://<DREMIO_LOG_PATH>/server.out]
disabled = 0
index = _system
sourcetype = dremio_server_out

# Metadata refresh log.
[monitor://<DREMIO_LOG_PATH>/metadata_refresh.log]
disabled = 0
index = _system
sourcetype = dremio_metadata_refresh

# Tracker log.
[monitor://<DREMIO_LOG_PATH>/tracker.json]
disabled = 0
index = _system
sourcetype = dremio_tracker

# Query log.
[monitor://<DREMIO_LOG_PATH>/queries.json]
disabled = 0
index = _query
sourcetype = dremio_query
```
- Restart the Universal Forwarder.
  a. For Windows, go to %SPLUNK_HOME%\bin and run this command:
```shell
splunk restart
```
  b. For *nix systems, go to $SPLUNK_HOME/bin and run this command:
```shell
./splunk restart
```
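Before restarting the forwarder it is worth checking that the inputs.conf you rolled out will actually ship the logs a security team relies on. The following validator is an added example (not code from Dremio or Splunk): it parses an inputs.conf in the format shown above, flags an unreplaced <DREMIO_LOG_PATH> placeholder, a capitalised setting name, a disabled input, or a missing index/sourcetype, and reports when none of the stanzas monitors the audit, access or query log. The sample configuration embedded in it is constructed for the demonstration and contains those mistakes on purpose; the list of "security-relevant" log names is this example's own choice, not a Dremio or Splunk requirement.

```python
"""Validate a Splunk Universal Forwarder inputs.conf written for Dremio logs.

Added example; parses the inputs.conf layout shown on the page and reports
configuration slips that would silently leave logs out of Splunk.
"""
import configparser
import os
from typing import Dict, List

# Constructed sample (not a real deployment): a cut-down copy of the page's
# inputs.conf with three deliberate problems to detect.
SAMPLE_INPUTS_CONF = """\
# Audit log - placeholder never replaced and setting name capitalised.
[monitor://<DREMIO_LOG_PATH>/audit.json]
disabled = 0
index = _audit
Sourcetype = dremio_audit

# Query log - path is fine but the input was left disabled.
[monitor:///var/log/dremio/queries.json]
disabled = 1
index = _query
sourcetype = dremio_query
"""

# Settings every monitor stanza on the page carries.
REQUIRED_KEYS = ("index", "sourcetype")
# Log files this example treats as must-have for security monitoring
# (assumption of this example, chosen from the page's list of logs).
SECURITY_RELEVANT_LOGS = ("audit.json", "access.log", "queries.json")
PLACEHOLDER = "<DREMIO_LOG_PATH>"


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza name: {setting: value}} for an inputs.conf string."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting-name case so we can spot 'Sourcetype'
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def render_inputs_conf(template: str, dremio_log_path: str) -> str:
    """Substitute the page's <DREMIO_LOG_PATH> placeholder with a real directory."""
    return template.replace(PLACEHOLDER, dremio_log_path.rstrip("/"))


def validate_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings: List[str] = []
    monitored_files: List[str] = []
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            findings.append(f"{name}: not a monitor stanza, skipped")
            continue
        path = name[len("monitor://"):]
        if "<" in path or ">" in path:
            findings.append(f"{name}: placeholder not replaced with a real log path")
        # Splunk setting names are lowercase; a capitalised key is ignored, not an error.
        for key in settings:
            if key != key.lower():
                findings.append(f"{name}: setting '{key}' should be '{key.lower()}'")
        lowered = {k.lower(): v.strip() for k, v in settings.items()}
        for required in REQUIRED_KEYS:
            if required not in lowered:
                findings.append(f"{name}: missing '{required}'")
        if lowered.get("disabled", "0") not in ("0", "false"):
            findings.append(f"{name}: input is disabled; nothing will be forwarded")
        monitored_files.append(os.path.basename(path))
    for log_name in SECURITY_RELEVANT_LOGS:
        if log_name not in monitored_files:
            findings.append(f"no monitor stanza for {log_name}")
    return findings


def check_file(path: str) -> List[str]:
    """Convenience wrapper: validate an inputs.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        return validate_inputs(parse_inputs_conf(fh.read()))


if __name__ == "__main__":
    for finding in validate_inputs(parse_inputs_conf(SAMPLE_INPUTS_CONF)):
        print("FINDING:", finding)
```

Run it against the real file with `check_file("/path/to/inputs.conf")` after substituting the log directory with `render_inputs_conf`; an empty findings list is the signal to proceed with the restart step. The validator keeps setting-name case on purpose, because Splunk would silently ignore `Sourcetype` rather than reject it.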