Skip to main content
Version: 1.0.0

Logging

REStream provides extensive logging capabilities. REStream writes the following logs that are available in Splunk by default:

IndexSourcetypeSourceContent
_internalrestream:modinput:replay$SPLUNK_HOME/var/log/splunk/criblreplay.logLogs written by the modular input criblreplay
_internalrestream:modinput:discovery$SPLUNK_HOME/var/log/splunk/cribldiscovery.logLogs written by the modular input cribldiscovery
_internalrestream:command:search$SPLUNK_HOME/var/log/splunk/criblsearch.logLogs written by the custom command criblsearch
_internalrestream:command:queue$SPLUNK_HOME/var/log/splunk/criblqueue.logLogs written by the custom command criblqueue
_internalrestream:modaction:autoreplay$SPLUNK_HOME/var/log/splunk/criblautoreplay.logLogs written by modular action criblautoreplay
_internalrestream:collection:handler$SPLUNK_HOME/var/log/splunk/CollectionHandler.logLogs written by helper class managing kvstore collections
_internalrestream:job:optimizer$SPLUNK_HOME/var/log/splunk/CriblJobOptimizer.logLogs written by helper class reducing replay jobs
_internalrestream:modinput:configrationvalidator$SPLUNK_HOME/var/log/splunk/restreamconfigvalidator.logLogs written by class managing inputs.conf entries based on restream_inputs.conf
UTStream

REStream depends on libraries provided by UTStream. Therefore some actions triggered by REStream are found in log files by UTStream. The sourcetypes that are both written by UTStream and REStream are:

  • utstream:instance
  • utstream:job
  • utstream:job:runner

Change verbosity

To change the default INFO verbosity, add a logger.conf file to the local directory of the app.

[logging]
rootLevel = <VERBOSITY>

Additionally, it is possible to change the verbosity for a logfile by defining a configuration as follow:

[logging]
cribldiscovery = DEBUG
criblreplay = DEBUG