Open stuart-k-h opened 2 years ago
Should be addressed in #18.
If #18 has fixed this (the code commit looks like it should have) and this is verified, then it should just be a doc update to remove any confusion.
Has anyone confirmed that the logs are being ingested? We updated our add-on to v1.2 on Splunk Cloud and now the databricksquery command won't work. The search log just says:
ERROR ChunkedExternProcessor [1401944 phase_1] - Error in 'databricksquery' command: External search command exited unexpectedly with non-zero error code 1.
and I can't find anything in the _internal index to provide additional clues.
According to the known issues section of the documentation, the logging for the add-on is located within var/log/splunk/ta_databricks.log and var/log/TA-Databricks/_command.log. This is inconsistent with standard Splunk apps/add-ons, as they should log under /var/log/splunk with a suitable filename to indicate the source (i.e., ta_databricks) and any subcomponent as required (as an example, tadatabricks_.log).
The logging format should also match that of the standard Splunk logs so that they are automatically ingested and processed correctly. Also, the documentation states that indistinct/unclear error messages may be displayed within the UI, which are not helpful to analysts who encounter them. A suitable/useful error message should always be provided in the UI to aid in troubleshooting, rather than having to inspect the logs each time there is a failure.
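As an added illustration of what this issue asks for (not code from the add-on or from #18): a Python logger that writes under `$SPLUNK_HOME/var/log/splunk` with a splunkd-style line format, plus a wrapper that turns a failure into a readable message instead of a bare exit code. The `ta_databricks_<component>.log` naming, the `/opt/splunk` fallback and every function name here are assumptions made for the example.

```python
import logging
import logging.handlers
import os
import time

APP_PREFIX = "ta_databricks"  # source name used in the issue text


class SplunkdStyleFormatter(logging.Formatter):
    """Render 'MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL component - message'."""

    def __init__(self):
        super().__init__("%(asctime)s %(levelname)s %(name)s - %(message)s")

    def formatTime(self, record, datefmt=None):
        t = time.localtime(record.created)
        stamp = time.strftime("%m-%d-%Y %H:%M:%S", t)
        return "%s.%03d %s" % (stamp, record.msecs, time.strftime("%z", t))


def log_path(component, splunk_home=None):
    """Path under $SPLUNK_HOME/var/log/splunk (file name scheme is assumed)."""
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    # Reject path separators so a component name cannot escape the log dir.
    if not component.isidentifier():
        raise ValueError("invalid component name: %r" % component)
    return os.path.join(home, "var", "log", "splunk",
                        "%s_%s.log" % (APP_PREFIX, component))


def get_logger(component, splunk_home=None):
    path = log_path(component, splunk_home)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    logger = logging.getLogger("%s_%s" % (APP_PREFIX, component))
    if not logger.handlers:  # avoid duplicate handlers on re-import
        handler = logging.handlers.RotatingFileHandler(
            path, maxBytes=10_000_000, backupCount=5)
        handler.setFormatter(SplunkdStyleFormatter())
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
        logger.propagate = False
    return logger


def run_command(component, body, splunk_home=None):
    """Run a command body; log the traceback, return a readable UI message."""
    logger = get_logger(component, splunk_home)
    try:
        return body(), None
    except Exception as exc:
        logger.exception("command failed")
        return None, "%s failed: %s (see %s)" % (
            component, exc, os.path.basename(log_path(component, splunk_home)))
```

The returned message is what a search command would hand to its own error-reporting call; exception text can carry tokens or hostnames, so it should be reviewed before being shown to every analyst.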