https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206714#M40804 <P>i have configured Splunk Enterprise in my local and universal forwarder in my VM.<BR /> now i need to fetch the tomcat logs from VM to my local splunk</P> <P>i have configured the Splunk inputs.conf as below:</P> <PRE><CODE>[default] host = PC316522 [tcp://:9997] connection_host=dns </CODE></PRE> <P>and serverclass.conf as below:</P> <PRE><CODE>[serverClass:Universal Forwarders:app:sendtoindexer] restartSplunkWeb = 0 restartSplunkd = 0 stateOnClient = enabled [serverClass:Universal Forwarders:app:Splunk_TA_windows] restartSplunkWeb = 0 restartSplunkd = 0 stateOnClient = enabled [serverClass:Universal Forwarders] whitelist.0 = 10.223.68.78 </CODE></PRE> <P>and in my VM, inputs.conf:</P> <PRE><CODE>[default] host = CTSC00637603501 [monitor://D:\TOMCAT8\apache-tomcat-8.0.26-windows-x64\apache-tomcat-8.0.26\logs] disabled=false </CODE></PRE> <P>and outputs.conf as below:</P> <PRE><CODE>[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 10.226.217.238:8089 [tcpout-server://10.226.217.238:8089] disabled=false and deploymentclient.conf as below: [deployment-client] phoneHomeIntervalInSecs = 1800 [target-broker:deploymentServer] targetUri = 10.226.217.238:8089 phoneHomeIntervalInSecs = 1800 </CODE></PRE> <P>But while searching for logs in Splunk, am not getting the client tomcat logs, could you please help me on this.</P> <P>Thanks,<BR /> Gautami. K</P> Mon, 26 Dec 2016 07:46:55 GMT gautami433806 2016-12-26T07:46:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206714#M40804 <P>i have configured Splunk Enterprise in my local and universal forwarder in my VM.<BR /> now i need to fetch the tomcat logs from VM to my local splunk</P> <P>i have configured the Splunk inputs.conf as below:</P> <PRE><CODE>[default] host = PC316522 [tcp://:9997] connection_host=dns </CODE></PRE> <P>and serverclass.conf as below:</P> <PRE><CODE>[serverClass:Universal Forwarders:app:sendtoindexer] restartSplunkWeb = 0 restartSplunkd = 0 stateOnClient = enabled [serverClass:Universal Forwarders:app:Splunk_TA_windows] restartSplunkWeb = 0 restartSplunkd = 0 stateOnClient = enabled [serverClass:Universal Forwarders] whitelist.0 = 10.223.68.78 </CODE></PRE> <P>and in my VM, inputs.conf:</P> <PRE><CODE>[default] host = CTSC00637603501 [monitor://D:\TOMCAT8\apache-tomcat-8.0.26-windows-x64\apache-tomcat-8.0.26\logs] disabled=false </CODE></PRE> <P>and outputs.conf as below:</P> <PRE><CODE>[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 10.226.217.238:8089 [tcpout-server://10.226.217.238:8089] disabled=false and deploymentclient.conf as below: [deployment-client] phoneHomeIntervalInSecs = 1800 [target-broker:deploymentServer] targetUri = 10.226.217.238:8089 phoneHomeIntervalInSecs = 1800 </CODE></PRE> <P>But while searching for logs in Splunk, am not getting the client tomcat logs, could you please help me on this.</P> <P>Thanks,<BR /> Gautami. K</P> Mon, 26 Dec 2016 07:46:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206714#M40804 gautami433806 2016-12-26T07:46:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206715#M40805 <P>Hi Gautami, does your UF have read access on that directory ?</P> Mon, 26 Dec 2016 13:06:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206715#M40805 alemarzu 2016-12-26T13:06:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206716#M40806 <P>Perhaps you want to use splunktcp:// on your indexer ? </P> <P>As per the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">inputs.conf documentation</A></P> <BLOCKQUOTE> <P>The following configuration listens on TCP port 9996 for<BR /> Splunk cooked event data from ANY splunk forwarder.<BR /> The host of the data is set to the host name of the remote server ONLY IF the<BR /> remote data has no host set, or if it is set to "localhost".</P> <P>[splunktcp://:9997]</P> </BLOCKQUOTE> <P>Note that I've changed the port to 9997. The above will setup the inputs.conf to listen for Splunk universal forwarder data which is likely what you want to do...</P> <P>Then refer to <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf">outputs.conf.example</A> within the outputs.conf documentation...(your outputs needs to be changed as well)</P> Tue, 27 Dec 2016 09:50:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-my-configurations-to-fetch-the-client-logs-from-VM/m-p/206716#M40806 gjanders 2016-12-27T09:50:24Z