Inconsistent/non-standard logging

Open stuart-k-h opened this issue 4 years ago • 3 comments

According to the known issues section of the documentation, the logging for the add-on is located within var/log/splunk/ta_databricks.log and var/log/TA-Databricks/<command_name>command.log. This is inconsistent with standard Splunk apps/add-ons, as they should log under /var/log/splunk with a suitable filename to indicate the source (i.e., ta_databricks) and any subcomponent as required (as an example, ta_databricks_.log).

The logging format should also match that of the standard Splunk logs so that they are automatically ingested and processed correctly. Also, the documentation states that indistinct/unclear error messages may be displayed within the UI, which are not helpful to analysts who encounter them. A suitable/useful error message should always be provided in the UI to aid in troubleshooting, rather than having to inspect the logs each time there is a failure.

stuart-k-h, Feb 23 '22 13:02

should be addressed in #18

nfx, Feb 23 '22 18:02

If #18 has fixed this (the code commit looks like it should have) and this is verified then it should just be a doc update to remove any confusion.

stuart-k-h, Feb 24 '22 06:02

Has anyone confirmed that the logs are being ingested? We updated our add-on to v1.2 on Splunk Cloud and now the databricksquery command won't work. The search log just says:

ERROR ChunkedExternProcessor [1401944 phase_1] - Error in 'databricksquery' command: External search command exited unexpectedly with non-zero error code 1.

and I can't find anything in the _internal index to provide additional clues.

hkelley, Jul 28 '23 10:07