splunk/addonfactory-solutions-library-python

Improve traceback

hsekowski-splunk opened this issue · 1 comments

hsekowski-splunk commented

If traceback is logged, Splunk internal logs split it to number of events that makes it difficult to read.
Expected behaviour is to have one traceback in single Splunk event.

artemrys commented

It just depends on what are you using and where.

If you see something like this in your log file, then it will not be formatted by Splunk itself as a single event.

07-02-2022 18:40:22.072 +0200 ERROR ExecProcessor [14395833 ExecProcessor] - message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py" Traceback (most recent call last):
07-02-2022 18:40:22.072 +0200 ERROR ExecProcessor [14395833 ExecProcessor] - message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py"   File "/Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py", line 95, in <module>
07-02-2022 18:40:22.072 +0200 ERROR ExecProcessor [14395833 ExecProcessor] - message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py"     run()
07-02-2022 18:40:22.073 +0200 ERROR ExecProcessor [14395833 ExecProcessor] - message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py"   File "/Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py", line 81, in run
07-02-2022 18:40:22.073 +0200 ERROR ExecProcessor [14395833 ExecProcessor] - message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py"     traceback.format_exc()
07-02-2022 18:40:22.074 +0200 ERROR ExecProcessor [14395833 ExecProcessor] - message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/xml_streaming/bin/xml_streaming.py" NameError: name 'traceback' is not defined

If you see something like this in your log file, then it will be formatted by Splunk itself as a single event.

2022-07-02 18:53:54,363 ERROR pid=69705 tid=MainThread file=activity_report.py:stream_events:136 | Exception raised while ingesting data for activity report: division by zero. Traceback: Traceback (most recent call last):
  File "/Applications/Splunk/etc/apps/Splunk_TA_Google_Workspace/bin/activity_report.py", line 132, in stream_events
    service,
  File "/Applications/Splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_runner.py", line 48, in run_ingest
    a = 1 / 0
ZeroDivisionError: division by zero

Not sure what is actually needed to do in the solutions library to make it better, feel free to reopen in case you have ideas :)