
What changes should I make to control the file size of the logs generated by the Oracle WebLogic App for Splunk?


I have a server set up to use the Oracle Weblogic TA that I've recently taken over Splunk support for. While looking into it, I found that the Weblogic TA generates its own log files in the $SPLUNK_HOME/var/log folder that it uses to index Weblogic data. It appears that there isn't any log rotation on these files, and while it isn't an immediate concern, I do want to ensure they don't grow indefinitely.
In one of the scripts that generates the log files there is the following code:

# roll log file if needed
#fsize = os.path.getsize(logFileName)
#if fsize > int(logfileMaxSize) :
#       os.rename(logFileName, logFileName+".1")

The code is commented out and only exists in one of the three log collector scripts (daily, hourly, minute). I intend to change the code to the following:

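# roll log file if needed
# check that the file exists before calling getsize(), which raises OSError on a missing file
if os.path.isfile(logFileName) and os.path.getsize(logFileName) > int(logfileMaxSize):
   # remove the previous rollover first; os.rename fails on Windows if the target exists
   if os.path.isfile(logFileName+".1"):
      os.remove(logFileName+".1")
   os.rename(logFileName, logFileName+".1")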

The collector scripts are,,; I'll apply the change to hourly and copy it to the point in the minute and daily scripts.

I expect that I'll need to change the inputs.conf for the TA to include the rolled over log files; I'll also need to increase the value in logfileMaxSize to be at least 10MB. I am otherwise unfamiliar with the Function1 Oracle Weblogic TA. Does anyone who has used it extensively know if I need to consider anything else with the above change? Alternatively, how do you deal with controlling the size of the logs the TA is generating?

There is a more recent version of the app but the collector scripts haven't changed and there isn't a log rotation script in the TA bin folder (as far as I can tell anyway).

0 Karma


If you use the Splunk TA builder for your application (i.e. Oracle WebLogic), it handles log rotation automatically using Splunk internal log rotation libs. You may want to check that.

0 Karma
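
A size-based rotation that keeps several numbered backups, generalizing the single `.1` rollover in the question; this is an added example, not code from the TA or from either poster. The function names `roll_log` and `demo`, the `backups` parameter and the `collector.log` file name are assumptions, and the code avoids Python 3-only calls so it can be pasted into older collector scripts.

```python
import os
import tempfile


def roll_log(log_file_name, max_size, backups=3):
    """Rotate log_file_name once it exceeds max_size bytes.

    Keeps log_file_name.1 (newest) .. log_file_name.<backups> (oldest),
    so disk use is bounded by roughly (backups + 1) * max_size.
    Returns True if a rotation happened.
    """
    # Check existence before getsize(); getsize() raises OSError if missing.
    if not os.path.isfile(log_file_name):
        return False
    if os.path.getsize(log_file_name) <= int(max_size):
        return False
    # Drop the oldest backup, then shift .2 -> .3, .1 -> .2, ...
    oldest = "%s.%d" % (log_file_name, backups)
    if os.path.isfile(oldest):
        os.remove(oldest)
    for i in range(backups - 1, 0, -1):
        src = "%s.%d" % (log_file_name, i)
        if os.path.isfile(src):
            os.rename(src, "%s.%d" % (log_file_name, i + 1))
    os.rename(log_file_name, log_file_name + ".1")
    return True


def demo(rounds=5, max_size=100, backups=2):
    """Constructed run: write 150-byte batches and rotate before each one."""
    work_dir = tempfile.mkdtemp()
    log = os.path.join(work_dir, "collector.log")  # hypothetical file name
    rotations = 0
    for n in range(rounds):
        rotations += roll_log(log, max_size, backups)
        with open(log, "a") as fh:
            fh.write(("batch %d " % n).ljust(149) + "\n")
    return rotations, sorted(os.listdir(work_dir))


if __name__ == "__main__":
    print(demo())
```

Calling `roll_log` before each write in the daily, hourly and minute scripts keeps every collector log under the same bound.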