topic Re: file montoring on universal forwarder from splunk server in Getting Data In

file montoring on universal forwarder from splunk server

lalit_mohan — Wed, 13 Nov 2013 15:12:55 GMT

Hi Guys,

I have two instances on microsoft azure environment one is splunk-server and other is splunk-forwarder(universalForwarder). Everything is fine with configuration ,then I tried to monitor tomcat logs and I have perform below steps on forwarder.

/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder

But in search tab of splunk-web I always get No results found.
search-query: host=splunkforwarder sourcetype=log4j

Am I missing something !!!.Please help me out. Thanks in advance!!

Re: file montoring on universal forwarder from splunk server

somesoni2 — Wed, 13 Nov 2013 16:24:22 GMT

Could you please post your inputs.conf file in the forwarder. (mostly splunkforwarder/etc/system/local, if not found here, check splunkforwarder/etc/system/default)

Re: file montoring on universal forwarder from splunk server

lalit_mohan — Mon, 28 Sep 2020 15:16:14 GMT

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/local/inputs.conf
[default]
host = splunkforwarder

Default one is quite long one.So i will be sending it in parts.

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/default/inputs.conf

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

Re: file montoring on universal forwarder from splunk server

lalit_mohan — Mon, 28 Sep 2020 15:16:17 GMT

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME/etc]

poll every 10 minutes

pollPeriod = 600

generate audit events into the audit index, instead of fschange events

signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

Re: file montoring on universal forwarder from splunk server

lalit_mohan — Mon, 28 Sep 2020 15:16:19 GMT

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

[SSL]

default cipher suites that splunk allows. Change this if you wish to increase the security

of SSL connections, or to lower it if you having trouble connecting to splunk.

cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true

Re: file montoring on universal forwarder from splunk server

somesoni2 — Wed, 13 Nov 2013 19:18:00 GMT

I don't see any entry for your file, and may be that is the reason its not sending any data. (not sure why CLI command didn't work). Try adding following to your splunkforwarder\etc\system\local\inputs.conf, at the end

[monitor://usr/share/apache-tomcat-7.0.42/logs/catalina.out]

index = default

sourcetype=log4j

Re: file montoring on universal forwarder from splunk server

lalit_mohan — Mon, 28 Sep 2020 15:16:35 GMT

Hi somesoni2,

Thanks for your kind support!!

My problem is solved ,now I am able to monitor my splunkforwarder tomcat log file on splunk-server dashboard

I added following lines:

In ...splunkforwarder/etc/system/local/inputs.conf :
[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype=log4j

In ...splunkforwarder/etc/system/local/outputs.conf :

forwardedindex.0.whitelist = .
forwardedindex.1.whitelist = _.
[tcpout:default_index] server=splunkserver.cloudapp.net:9997