3rd-party log analysis tools

This page describes how to add and configure Aerospike filtering and parsing rules for supported 3rd-party log ingestion tools. These rules break Aerospike logs into a format that can be read and used in custom alerts or dashboards.

Parsing rules are currently available for Fluent Bit and Splunk. Both of these tools parse Aerospike Database logs one line at a time.

Note

The configuration files hosted on GitHub for Fluent Bit and Splunk are scheduled to be updated with every minor version release of Aerospike Database to parse any future log formats. The updates will be backwards-compatible with older Aerospike releases.

Prerequisites

• A running instance of Aerospike Database 6.0 or later.
• A working installation of Fluent Bit or Splunk for ingesting Aerospike Database logs.

Configure Fluent Bit

1. Download the Aerospike parser file aerospike-fluent-bit-parsers.conf to the /etc/fluent-bit/ directory on the machine running Fluent Bit.

   wget https://raw.githubusercontent.com/aerospike/aerolab/refs/heads/master/src/ingest/thirdparty_tools/fluentbit/aerospike-fluent-bit-parsers.conf -P /etc/fluent-bit/

2. Download the Aerospike filter file aerospike-fluent-bit-filters.conf to the same /etc/fluent-bit/ directory as the parser file.

   wget https://raw.githubusercontent.com/aerospike/aerolab/refs/heads/master/src/ingest/thirdparty_tools/fluentbit/aerospike-fluent-bit-filters.conf -P /etc/fluent-bit/

3. Modify the [SERVICE] section of the Fluent Bit configuration file at /etc/fluent-bit/fluent-bit.conf to add the location of the Aerospike parser.

   The [SERVICE] section should appear similar to the following:

   # Parsers File (fluent-bit.conf)
   # ============
   # specify an optional 'Parsers' configuration file
   # parsers_file /root/fluentbit/parsers.conf
   parsers_file /etc/fluent-bit/aerospike-fluent-bit-parsers.conf

4. At the end of the same file, add an @INCLUDE directive to specify the location of the Aerospike filter file aerospike-fluent-bit-filters.conf.

   @INCLUDE /etc/fluent-bit/aerospike-fluent-bit-filters.conf

Configure Splunk

1. Create a custom Splunk app specifically for Aerospike logs. This creates a directory under /etc/splunk/etc/apps/ with the name of your app. See the Splunk documentation for details.

2. On the machine running Splunk, download the properties file aerospike_splunk_local_props.conf to your app’s /local/ directory with the name props.conf. Replace the placeholder in the following example with your app’s name as per your directory structure.

   wget https://raw.githubusercontent.com/aerospike/aerolab/refs/heads/master/src/ingest/thirdparty_tools/splunk/aerospike_splunk_local_props.conf -O /etc/splunk/etc/apps/YOUR_APP/local/props.conf

3. Download the local transforms file aerospike_splunk_local_transforms.conf to the same /local/ directory as the properties file, with the name transforms.conf. Replace the placeholder in the following example with your app’s name as per your directory structure.

   wget https://raw.githubusercontent.com/aerospike/aerolab/refs/heads/master/src/ingest/thirdparty_tools/splunk/aerospike_splunk_local_transforms.conf -O /etc/splunk/etc/apps/YOUR_APP/local/transforms.conf

4. Restart Splunk.