I love Heroku. I’ve been using it for some time because it is just so simple to deploy applications. However, I’ve never really looked too deeply into the logs produced by my apps via the command line. Cue Splunk. In this post we’ll look at how you can start Splunking data from apps deployed in Heroku, and some recipes to visualise it using SPL.
We will send logs from Heroku to our Splunk Indexer via syslog. To configure the Indexer to accept these logs we’ll need to enable receiving: Settings > Data Inputs > TCP > Add New.
Now we can select the port on which we want to receive this data. We’ll use port 514 for this example, but you can select an open port of your choice.
Heroku provides comprehensive app, system, and API logging by default. But let’s turn things up a bit and include some debug and runtime logs to help us with app development; after all, this is Splunk.
Assuming you have the Heroku Toolbelt installed, you can run the commands below to enable this logging.
Debug:
heroku config:add LOG_LEVEL=DEBUG --app <YOUR APP NAME>
Runtime:
heroku labs:enable log-runtime-metrics --app <YOUR APP NAME>
Then restart your app:
heroku restart --app <YOUR APP NAME>
Then add a syslog drain to send these logs to your indexer:
heroku drains:add syslog://<YOUR INDEXER'S IP>:514 --app <YOUR APP NAME>
Assuming everything is working correctly we should start to see data being indexed using a simple search: sourcetype="syslog"
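To show what the indexer actually receives on that TCP input, here is an added example (not part of the original post or the Splunk app) that splits a drain stream into messages, pulls out the sample# values written by log-runtime-metrics, and drops anything that does not carry your drain's token, since an open TCP input accepts lines from any sender. It assumes the drain delivers octet-counted frames with the drain token in the hostname field; the sample messages and tokens are constructed placeholders.

```python
import re

# Constructed sample, not captured traffic: two octet-counted frames in the
# layout assumed for a Heroku syslog drain. The tokens are placeholders.
TOKEN = "d.00000000-0000-0000-0000-000000000000"
MSGS = [
    f"<45>1 2015-01-01T12:00:00+00:00 {TOKEN} heroku web.1 - source=web.1 "
    "dyno=heroku.1.example sample#memory_total=21.50MB sample#load_avg_1m=0.25",
    "<190>1 2015-01-01T12:00:01+00:00 d.ffffffff-0000-0000-0000-000000000000 "
    "app web.1 - DEBUG session opened",
]
SAMPLE = "".join(f"{len(m.encode())} {m}" for m in MSGS).encode()

HEADER = re.compile(r"<(\d+)>1 (\S+) (\S+) (\S+) (\S+) - (.*)", re.S)
METRIC = re.compile(r"sample#(\w+)=([\d.]+)(\w*)")

def split_frames(buf: bytes):
    """Yield complete messages from b'<len> <msg><len> <msg>...'."""
    pos = 0
    while pos < len(buf):
        sp = buf.find(b" ", pos)
        if sp < 0:
            break
        end = sp + 1 + int(buf[pos:sp])
        if end > len(buf):  # partial frame: wait for more bytes
            break
        yield buf[sp + 1:end].decode("utf-8", "replace")
        pos = end

def parse(msg: str):
    """Split one message into header fields and any sample# metrics."""
    m = HEADER.match(msg)
    if not m:
        return None
    pri, ts, host, app, proc, body = m.groups()
    metrics = {k: float(v) for k, v, _unit in METRIC.findall(body)}
    return {"severity": int(pri) & 7, "time": ts, "drain_token": host,
            "app": app, "dyno": proc, "metrics": metrics, "message": body}

def accepted_events(buf: bytes, expected_token: str):
    """Keep only well-formed events that carry our own drain's token."""
    events = (parse(m) for m in split_frames(buf))
    return [e for e in events if e and e["drain_token"] == expected_token]

if __name__ == "__main__":
    for event in accepted_events(SAMPLE, TOKEN):
        print(event["time"], event["dyno"], event["metrics"])
```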
I’ve just released a Splunk app with a great set of recipes to get you searching and visualising your data from analytics and performance to errors – you can grab it on Splunkbase here.
----------------------------------------------------
Thanks!
David Greenwood