Inconsistent/non-standard logging

[stuart-k-h]

According to the known issues section of the documentation the logging for the add-on is located within var/log/splunk/ta_databricks.log and var/log/TA-Databricks/<command_name>command.log. This is inconsistent with standard Splunk apps/add-on, as they should log under /var/log/splunk with a suitable filename to indicate the source (i.e., ta_databricks) and any subcomponent as required (as an example, ta_databricks_.log).

The logging format should also match that of the standard Splunk logs so that they are automatically ingested and processed correctly. Also, the documentation states that indistinct/unclear error messages may be displayed within the UI, which are not helpful to analysts who encounter them. A suitable/useful error message should always be provided in the UI to aid in troubleshooting, rather than having to inspect the logs each time there is a failure.

[nfx]

should be addressed in #18

[stuart-k-h]

If #18 has fixed this (the code commit looks like it should have) and this is verified then it should just be a doc update to remove any confusion.

[hkelley]

Has anyone confirmed that the logs are being ingested? We updated our add-on to v1.2 on Splunk Cloud and now the databricksquery command won't work. The search log just says:

ERROR ChunkedExternProcessor [1401944 phase_1] - Error in 'databricksquery' command: External search command exited unexpectedly with non-zero error code 1.

and I can't find anything in the _internal index to provide additional clues.