Financial-Times / splunk-heroku

Support for Heroku log drains packaged as a Splunk app.
https://tech.in.ft.com/tech-topics/logging/splunk/logging-from-heroku
MIT License

Add source type for Heroku runtime metric logs #20

Closed sjparkinson closed 2 years ago

sjparkinson commented 2 years ago

See https://devcenter.heroku.com/articles/log-runtime-metrics.

They look like the following in a log drain:

300 <158>1 2022-06-07T15:29:55.655816+00:00 host heroku web.1 - source=web.1 dyno=heroku.2808254.d97d0ea7-cf3d-411b-b453-d2943a50b456 sample#load_avg_1m=2.46 sample#load_avg_5m=1.06 sample#load_avg_15m=0.99
300 <158>1 2022-06-07T15:29:56.655816+00:00 host heroku web.1 - source=web.1 dyno=heroku.2808254.d97d0ea7-cf3d-411b-b453-d2943a50b456 sample#memory_total=21.00MB sample#memory_rss=21.22MB sample#memory_cache=0.00MB sample#memory_swap=0.00MB sample#memory_pgpgin=348836pages sample#memory_pgpgout=343403pages

We should ensure the dyno field remains aligned to the other source types, e.g. with values like web.1.

Should these be handled as a metric? https://docs.splunk.com/Documentation/Splunk/8.2.6/Metrics/Overview

Are they useful? Or should we use the nullQueue to not index them?
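An added example, not part of the original issue or the splunk-heroku app: a Python sketch of the field extraction the comment above asks for, where `dyno` stays aligned to values like web.1 and the `sample#` values become metric measurements. The output keys `dyno_id` and `samples` are hypothetical names chosen for illustration, and the third sample line is constructed.

```python
import re

# First two lines are the samples from the issue; the third is a constructed non-metric line.
SAMPLE_LINES = [
    "300 <158>1 2022-06-07T15:29:55.655816+00:00 host heroku web.1 - source=web.1 dyno=heroku.2808254.d97d0ea7-cf3d-411b-b453-d2943a50b456 sample#load_avg_1m=2.46 sample#load_avg_5m=1.06 sample#load_avg_15m=0.99",
    "300 <158>1 2022-06-07T15:29:56.655816+00:00 host heroku web.1 - source=web.1 dyno=heroku.2808254.d97d0ea7-cf3d-411b-b453-d2943a50b456 sample#memory_total=21.00MB sample#memory_rss=21.22MB sample#memory_cache=0.00MB sample#memory_swap=0.00MB sample#memory_pgpgin=348836pages sample#memory_pgpgout=343403pages",
    "<158>1 2022-06-07T15:29:57.000000+00:00 host heroku router - at=info method=GET path=/ status=200",
]

# Header as it appears in the samples: optional frame length, <pri>version,
# timestamp, host, app name, process id, message id, then the message body.
HEADER = re.compile(
    r"^(?:\d+ )?<\d{1,3}>1 (?P<ts>\S+) \S+ \S+ (?P<proc>\S+) \S+ (?P<msg>.*)$"
)
PAIR = re.compile(r"(\S+?)=(\S*)")                    # key=value tokens in the body
VALUE = re.compile(r"^(-?\d+(?:\.\d+)?)([A-Za-z]*)$")  # number plus optional unit


def parse_runtime_metrics(line):
    """Return parsed fields for a runtime-metrics line, or None for any other line."""
    header = HEADER.match(line.strip())
    if not header:
        return None
    fields = dict(PAIR.findall(header.group("msg")))
    samples = {}
    for key, raw in fields.items():
        value = VALUE.match(raw)
        if key.startswith("sample#") and value:
            # Split "21.22MB" into (21.22, "MB"); unitless values get None.
            samples[key[len("sample#"):]] = (float(value.group(1)), value.group(2) or None)
    if not samples:
        return None  # not a runtime-metrics message, e.g. a router line
    return {
        "time": header.group("ts"),
        # Use source= (falling back to the syslog process id) so that dyno reads
        # "web.1" instead of being overwritten by the body's dyno=heroku.<id> pair.
        "dyno": fields.get("source", header.group("proc")),
        "dyno_id": fields.get("dyno"),
        "samples": samples,
    }


if __name__ == "__main__":
    for sample_line in SAMPLE_LINES:
        print(parse_runtime_metrics(sample_line))
```
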

sjparkinson commented 2 years ago

Worth a look through https://docs.splunk.com/Documentation/Splunk/8.2.6/Metrics/L2MConfiguration as we'd want to include this configuration within this app to transform the log messages into metrics.

sjparkinson commented 2 years ago

Production log messages are now available if you search for index=heroku sourcetype="heroku:system" "dyno=heroku.*"