Version: current [25.0.x]

Integrating with Splunk

You can use the Splunk Universal Forwarder, a lightweight agent that runs on each Dremio node, tails the Dremio log files and forwards them to your Splunk indexers for indexing and consolidation. Shipping the audit and query logs off the node in near real time also means a compromised node cannot quietly edit its own history. The forwarder's connection to the indexers (destination, and TLS if you enable it) is configured separately in outputs.conf and is not covered here.

To ingest logs to Splunk, complete these steps:

  1. Install the Universal Forwarder on each node of your Dremio cluster (coordinators and executors). Run it as a user that has read access to the Dremio log directory; a file the forwarder cannot open is silently skipped rather than reported as an error.

    a. For Windows, see Install a Windows universal forwarder.

    b. For Linux, Solaris, or macOS, see Install a *nix universal forwarder.

  2. Configure the inputs.conf file on each node using the following example. Replace <DREMIO_LOG_PATH> with the Dremio log directory on that node, and replace the index names with indexes that already exist on your indexers.

    Example for inputs.conf
    #   Version 9.1.2
    #
    # This is an example inputs.conf for uploading Dremio logs to Splunk.
    #
    # To learn more about Dremio log files please see the documentation located at
    # https://docs.dremio.com/current/sonar/monitoring/#logs
    #
    # To learn more about configuration files (including precedence) please see the Splunk
    # documentation located at
    # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
    #
    # Setting names are case-sensitive and lowercase ("sourcetype", not "Sourcetype");
    # a miscased setting is not recognized.
    # The index names below are placeholders: create them on the indexers before enabling
    # these inputs. Index names may contain only lowercase letters, digits, "_" and "-",
    # and may not start with "_" or "-". A leading underscore marks Splunk's internal
    # indexes (for example _audit holds Splunk's own audit trail), so do not reuse them.
    # The *.json logs are one JSON object per line; define their sourcetypes in props.conf
    # (for example with INDEXED_EXTRACTIONS = json) so that the JSON fields are extracted.

    # Audit log.
    [monitor://<DREMIO_LOG_PATH>/audit.json]
    disabled = 0
    index = dremio_audit
    sourcetype = dremio_audit

    # HTTP access log for the Dremio web server. This log is generated by coordinator nodes only.
    [monitor://<DREMIO_LOG_PATH>/access.log]
    disabled = 0
    index = dremio_system
    sourcetype = dremio_access

    # Garbage collection log.
    [monitor://<DREMIO_LOG_PATH>/server.gc]
    disabled = 0
    index = dremio_system
    sourcetype = dremio_server_gc

    # Server log.
    [monitor://<DREMIO_LOG_PATH>/json/server.json]
    disabled = 0
    index = dremio_system
    sourcetype = dremio_server

    # Log for Dremio daemon standard out.
    [monitor://<DREMIO_LOG_PATH>/server.out]
    disabled = 0
    index = dremio_system
    sourcetype = dremio_server_out

    # Metadata refresh log.
    [monitor://<DREMIO_LOG_PATH>/metadata_refresh.log]
    disabled = 0
    index = dremio_system
    sourcetype = dremio_metadata_refresh

    # Tracker log.
    [monitor://<DREMIO_LOG_PATH>/tracker.json]
    disabled = 0
    index = dremio_system
    sourcetype = dremio_tracker

    # Query log.
    [monitor://<DREMIO_LOG_PATH>/queries.json]
    disabled = 0
    index = dremio_query
    sourcetype = dremio_query

  3. Restart the Universal Forwarder.

    a. For Windows, go to %SPLUNK_HOME%\bin and run this command:

    Command to restart on Windows
    splunk restart

    b. For *nix systems, go to $SPLUNK_HOME/bin and run this command:

    Command to restart on *nix systems
    ./splunk restart

  4. Confirm that the Dremio log files are being monitored by running splunk list monitor (Windows) or ./splunk list monitor (*nix) from the same directory. The command prompts for the forwarder's admin credentials and lists the monitored files and directories. A missing entry usually means the forwarder's user cannot read the file, or inputs.conf was placed outside the forwarder's configuration directories.
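As an added example (not from the Dremio or Splunk documentation), the following POSIX shell script renders the inputs.conf above for one Dremio log directory and checks the result before you restart the forwarder: every monitored file must exist and be readable by the current user, every setting name must be lowercase (Splunk setting names are case-sensitive, so a key written as Sourcetype is not recognized), and every index name must follow Splunk's naming rules (lowercase letters, digits, "_" and "-", not starting with "_" or "-"). The log file layout is the one listed on this page; the index names dremio_audit, dremio_system and dremio_query, the OUT_FILE variable and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the Dremio or Splunk documentation.
# Renders the inputs.conf from this page for one Dremio log directory and
# checks the result before the forwarder is restarted.
# Assumptions: the log file layout listed on the page, and the placeholder
# index names dremio_audit / dremio_system / dremio_query, which must already
# exist on the indexers.

# render_inputs_conf LOG_DIR OUT_FILE
# Writes one monitor:// stanza per Dremio log file to OUT_FILE.
render_inputs_conf() {
  log_dir=${1%/}
  out_file=$2
  : > "$out_file"
  # Constructed table: relative path : index : sourcetype
  while IFS=: read -r rel index sourcetype; do
    case $rel in ''|'#'*) continue ;; esac
    printf '[monitor://%s/%s]\ndisabled = 0\nindex = %s\nsourcetype = %s\n\n' \
      "$log_dir" "$rel" "$index" "$sourcetype" >> "$out_file"
  done <<'EOF'
audit.json:dremio_audit:dremio_audit
access.log:dremio_system:dremio_access
server.gc:dremio_system:dremio_server_gc
json/server.json:dremio_system:dremio_server
server.out:dremio_system:dremio_server_out
metadata_refresh.log:dremio_system:dremio_metadata_refresh
tracker.json:dremio_system:dremio_tracker
queries.json:dremio_query:dremio_query
EOF
}

# validate_inputs_conf CONF_FILE
# Reports, one line each: monitored files that are missing or unreadable by the
# current user, setting names that are not lowercase (Splunk setting names are
# case-sensitive, so "Sourcetype" is not recognized), and index names that break
# Splunk's rules (lowercase letters, digits, "_" and "-" only, not starting with
# "_" or "-"; a leading "_" marks Splunk's internal indexes such as _audit).
# Returns the number of problems found, so 0 means the file passed.
validate_inputs_conf() {
  conf=$1
  problems=0
  stanza='(no stanza)'
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) ;;
      '['*']')
        stanza=${line#\[}
        stanza=${stanza%\]}
        case $stanza in
          monitor://*)
            path=${stanza#monitor://}
            if [ ! -r "$path" ]; then
              echo "$stanza: $path is missing or not readable by $(id -un)"
              problems=$((problems + 1))
            fi ;;
          *)
            echo "$stanza: not a monitor:// stanza"
            problems=$((problems + 1)) ;;
        esac ;;
      *=*)
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case $key in
          index)
            case $value in
              _*|-*)
                echo "$stanza: index '$value' starts with _ or -, which Splunk reserves or rejects"
                problems=$((problems + 1)) ;;
              *[!a-z0-9_-]*)
                echo "$stanza: index '$value' contains characters outside [a-z0-9_-]"
                problems=$((problems + 1)) ;;
            esac ;;
          *[A-Z]*)
            echo "$stanza: setting '$key' is not lowercase and will not be recognized"
            problems=$((problems + 1)) ;;
        esac ;;
    esac
  done < "$conf"
  return "$problems"
}

# Usage on a forwarder host, as the user the forwarder runs as:
#   DREMIO_LOG_PATH=/path/to/dremio/logs OUT_FILE=inputs.conf sh dremio_inputs.sh
# then copy the file to $SPLUNK_HOME/etc/system/local/ and restart the forwarder.
if [ -n "${DREMIO_LOG_PATH:-}" ]; then
  render_inputs_conf "$DREMIO_LOG_PATH" "${OUT_FILE:-inputs.conf}"
  validate_inputs_conf "${OUT_FILE:-inputs.conf}"
fi
```

Run the check as the account the forwarder runs under, not as root: a file that root can read but the forwarder's user cannot shows up as a silent gap in Splunk, not as an error on the Dremio side. Run against the page's original stanza (index _audit, key Sourcetype) the validator reports two problems, which is exactly the class of mistake that leaves an audit trail looking configured while nothing is indexed.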