Overview of Splunk logging for Java

Splunk logging for Java enables you to log events to HTTP Event Collector or to a TCP input on a Splunk Enterprise instance within your Java applications. You can use three major Java logging frameworks: Logback, Log4j 2, and java.util.logging. Splunk logging for Java is also enabled for Simple Logging Facade for Java (SLF4J).

Splunk logging for Java provides:

  • Appender classes that package events into the proper format for the input type you're using (HTTP Event Collector or TCP).
  • Handler classes that export the logging events.
  • An optional error handler to catch failures for HTTP Event Collector events.
  • Example configuration files for all three frameworks that show how to configure the frameworks to write to HTTP Event Collector or TCP ports.
  • Support for batching events (sent to HTTP Event Collector only).


Choose a logging destination

HTTP Event Collector is ideal when you want to log data from your Java application in any of the following scenarios:

  • Sending events directly to Splunk Enterprise rather than requiring writing to disk and installing a forwarder.
  • Sending data securely to Splunk Enterprise, with the option of an HTTPS connection and a unique token.
  • Sending data at a high volume and frequency.
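What the HTTPS connection and token amount to on the wire, as an added example that is not part of this page or of Splunk logging for Java: a Java 11+ client that posts one event to HTTP Event Collector and reports an error response. The class name, the HEC_URL and HEC_TOKEN environment variables, and the sample message are assumptions of this example; the library's appenders and handlers do this work for you.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class HecPostExample {
    // Escape a value so it can be embedded safely in a JSON string literal.
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    // Build the HEC request; refuse to attach the token to a non-HTTPS URL.
    static HttpRequest buildRequest(String baseUrl, String token, String message) {
        URI uri = URI.create(baseUrl + "/services/collector/event");
        if (token == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("need a token and an https:// HEC URL");
        }
        String body = "{\"sourcetype\":\"_json\",\"event\":{\"message\":"
                + jsonString(message) + "}}";
        return HttpRequest.newBuilder(uri)
                .timeout(Duration.ofSeconds(10))
                .header("Authorization", "Splunk " + token) // HEC token scheme
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Assumed environment variables, e.g. HEC_URL=https://splunk.example.com:8088
        HttpRequest req = buildRequest(System.getenv("HEC_URL"),
                System.getenv("HEC_TOKEN"), "constructed sample: user \"jane\" signed in");
        // The default client validates the server certificate; keep it that way.
        HttpResponse<String> resp = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) { // error responses carry a JSON text and code
            System.err.println("HEC rejected event: " + resp.statusCode() + " " + resp.body());
        }
    }
}
```

Reading the token from the environment keeps it out of source control and out of the logging configuration files checked in with the application.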

Alternatively, you can log to a TCP input, either directly or by logging to a file and then using a Splunk Universal Forwarder to monitor the file and send data any time the file is updated. The latter option gives you the features of the Splunk Universal Forwarder, plus added robustness from having persistent files. In either case, you can use the SplunkCimLogEvent class provided by this library to construct your log events according to Splunk-recommended best practices.

Get familiar with data inputs

Before using Splunk logging for Java, you should understand how the data input type you choose works in Splunk Enterprise and what you need to configure the input.

Once you're familiar with data inputs, see Get started with Splunk logging for Java.

Architecture

Splunk logging for Java comprises two groups of classes within com.splunk.logging—one for logging to HTTP Event Collector and another for logging to TCP inputs.

HTTP Event Collector

The following classes are available for logging to HTTP Event Collector:

  • HttpAppender: Creates logging events to send to HTTP Event Collector. Use this class for all loggers except Logback.
  • HttpLogbackAppender: Creates logging events to send to HTTP Event Collector using Logback.
  • HttpInputHandler: Exports logging events to HTTP Event Collector.
  • HttpInputLoggingErrorHandler: Provides an HTTP Event Collector error handler to which your application can subscribe to catch error responses from the Splunk Enterprise server.
  • HttpInputLoggingEventInfo: Provides a container for event data.

The HttpInputEventSender class is an internal helper class that is used by the other classes in the library. Do not use this class.

TCP inputs

The following classes are available for logging to TCP inputs:

  • SplunkCimLogEvent: Encapsulates the best practice logging semantics recommended by Splunk. Events created with this class contain key-value pairs, properly formatted and quoted for logging with any of the standard logging libraries for Java (Logback, Log4j 2, and java.util.logging) and indexing by Splunk Enterprise. SplunkCimLogEvent has convenience methods to set the fields defined in the standard Splunk Common Information Model (CIM).
  • TcpAppender: Writes logging events to a TCP input. This class extends the ch.qos.logback.core.AppenderBase<E> class, and is included with Splunk logging for Java because Logback does not include a usable appender for TCP sockets.

Other considerations

Resilience

All of the appenders mentioned in the documentation attempt to reconnect in case of dropped connections.

Load balancing

To set up HTTP Event Collector in a load-balanced environment, see Scale HTTP Event Collector with distributed deployments in Getting Data In.
For TCP inputs, you can set up a Splunk Universal Forwarder, and then have all your logging sources write to that TCP input. Use the load-balancing features of the Splunk Universal Forwarder to distribute the data from there to a set of indexers.

Thread safety

For HTTP Event Collector, the adapters for Log4j, Logback, and java.util.logging are thread-safe. For TCP inputs, the adapters for Log4j and Logback are thread-safe.