Community:Splunk for Azure

From Splunk Wiki

Jump to: navigation, search

Splunk for Windows Azure

So your first cloud-based application is ready, tested many times and successfully deployed in the cloud. It works fine a day, two, a week and suddenly something goes wrong and your new search engine refuses to return any results or your social network is down with no obvious reason.

But of course, you did use a logging module in your application and now you only need to get the logs and look what was going on. Seems pretty simple, isn't it? Well, it may be so when the amount of logs is small enough - either nobody uses your application or your storage quota only keeps the most recent data. In many cases you end up with a perspective of having to manually analyse gygabytes of unstructured data. Or, perhaps, writing another debugging module that would parse your logs in the cloud and filter them down would be a better solution?

While there are many ways you can choose, one of the possible solutions - using a specialized tool that is specifically built for logging in cloud gives you a lot of flexibility and search power. I like Splunk for providing all this with no hassle - all you need to do is to reference a simple logger that would accept your messages and forward them over to the Splunk server. There they are getting parsed and indexed, so you can get the status and running history of your instance immediately.

Below is a simple logger that formats log events into a custom format and sends them over to a designated tcp endpoint of a Splunk server: To use it, you'll need an instance of Splunk server installed either on your server or you can get it running on Amazon ec2 instance while Azure doesn't yet support native Windows code.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net.Sockets;
using System.IO;
using System.Net;

namespace SplunkLog
{
    public class Logger
    {
        private string host;

        /// <summary>
        /// Hostname of Splunk server. [Default: 127.0.0.1]
        /// </summary>
        public string Host
        {
            get { return host; }
            set { host = value; }
        }
        private int port;

        /// <summary>
        /// Listening TCP Port of Splunk server. [Default: 9998]
        /// </summary>
        public int Port
        {
            get { return port; }
            set { port = value; }
        }

        public Logger()
        {
            this.host = "127.0.0.1";
            this.port = 9998;
        }

        public Logger(string host, int port)
        {
            this.host = host;
            this.port = port;
        }

        /// <summary>
        /// Sends a message via the socket connection
        /// </summary>
        /// <param name="msg">Message body</param>
        public void send(string msg)
        {
            TcpClient socketForServer;
            NetworkStream networkStream;
            StreamWriter streamWriter;
            try
            {
                socketForServer = new TcpClient(host, port);
                networkStream = socketForServer.GetStream();
                streamWriter = new StreamWriter(networkStream);

                streamWriter.WriteLine(msg);
                streamWriter.Flush();
                networkStream.Close();
            }
            catch (Exception e)
            {
                throw;
            }
        }

        public void send(string type, string message)
        {
            send(formatMessage(type, message));
        }

        /// <summary>
        /// Formats a message to event format
        /// </summary>
        /// <param name="type"></param>
        /// <param name="msg"></param>
        /// <returns></returns>
        public string formatMessage(string type, string msg)
        {
            StringBuilder sb = new StringBuilder();
            return sb.AppendFormat("{0} {1} {2}",
DateTime.Now.ToUniversalTime().ToString(), type, msg).ToString();
        }

        public void debug(string msg)
        {
            this.send(this.formatMessage("DEBUG", msg));
        }

        public void info(string msg)
        {
            this.send(this.formatMessage("INFO", msg));
        }

        public void error(string msg)
        {
            this.send(this.formatMessage("ERROR", msg));
        }

        public void warning(string msg)
        {
            this.send(this.formatMessage("WARN", msg));
        }
    }
}

Using this module is quite simple too:

    using SplunkLog;

    Logger logger = new Logger();

    string type = "ERROR";
    string message = "Total fail";

    logger.send(type, message);

As you noticed, this solution is rather a proof of concept and definitely have some serious drawbacks such as a possible traffic overhead in case of aggressive logging. To handle this message buffering should be implemented and messages sent in bursts. We'll keep you updated about first availability of an improved module. Meanwhile feel free to try it and leave your comments about this approach.


To check an example application that uses the Splunk logger module, go to http://293e8c64-d3b7-4ab8-81f7-169b43536db2.cloudapp.net/Default.aspx In the tcp endpoint string type the address of your tcp listening endpoint, type the message body and press 'Send'

Pressing 'Open Splunk' will open the Web UI of your Splunk server showing the messages received from the endpoint in the last 15 minutes.


SplunkLogger module: http://wiki.splunk.com/Image:SplunkLogger.zip

Azure app: http://wiki.splunk.com/Image:SplunkAzureApp.zip

screenshot: http://wiki.splunk.com/Image:Azureapp_scr.jpg

Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk