I'm new to Splunk and learning as I go.
I set up the universal forwarder on the Oracle WebLogic server, and on the Splunk Web front end, I can see the perfmon counters for that server.
On the Splunk server (on Linux backend) the Technology Add-on has been installed and I can see it on the left-hand side as a new app!
Now trying to configure the universal forwarder to be aware of WebLogic (Windows machine), so I copy Technology Add-on (TA)
Function1_WebLogicServer\appserver\addons\Function1_WLS_Admin_win_TA to C:\Program Files\SplunkUniversalForwarder\etc\apps\ on the WebLogic server and according to instructions modified
C:\Program Files\SplunkUniversalForwarder\etc\apps\Function1_WLS_Admin_win_TA\default\inputs.conf file to have the correct paths to the App server and WebLogic home location.
And that's where I get stuck. Could you please advise as to what actions I should take to get it working?
Thanks in advance
First of all, it is a best practice to create inputs.conf under the app's local folder instead of default. However, this shouldn't be why you are getting in any data.
After you made changes to your .conf file on the universal forwarder (uf), have you restarted the instance? If not, I suggest you restart uf to make sure the changes will take effect.
On uf, use the following command to view the monitored directories and double-check they are correct:
splunk list monitor
Hope this helps. Thanks!
Thanks for getting back to me.
Modified inputs.config file in C:\Program Files\SplunkUniversalForwarder\etc\apps\Function1_WLS_Admin_win_TA\default:
# Admin Server Win inputs
### Inputs for Admin Server Logs
[monitor://C:\WINDOWS\.\...\user_projects\domains\*\servers\AdminServer\logs\AdminServer.log]
index = wls
sourcetype = wls_adminserver
disabled = false

[monitor://C:\WINDOWS\.\...\user_projects\domains\*\servers\AdminServer\logs\*.log]
index = wls
sourcetype = wls_adminserver
blacklist = access.log
disabled = false

[monitor://C:\WINDOWS\.\...\user_projects\domains\*\servers\AdminServer\logs\access.log]
index = wls
sourcetype = wls_adminserver_access
disabled = false

### Windows JMX Input Scripts
# RUN PY TO WLST TO MBEAN AND WRITE JMX LOG
# EVERY MINUTE
[script://.\bin\runWlstScriptsMinute.cmd D:\Oracle\Middleware\user_projects\domains\E1_Apps\servers\PS_TWB1\stage\PS_7002_TWB1\app\webclient.war D:\Oracle\Middleware\wlserver_10.3]
index = wls
sourcetype = wls_trash
interval = 300
disabled = false

# EVERY HOUR
[script://.\bin\runWlstScriptsHourly.cmd D:\Oracle\Middleware\user_projects\domains\E1_Apps\servers\PS_TWB1\stage\PS_7002_TWB1\app\webclient.war D:\Oracle\Middleware\wlserver_10.3]
index = wls
sourcetype = wls_trash
interval = 3600
disabled = false

# EVERY DAY
[script://.\bin\runWlstScriptsDaily.cmd D:\Oracle\Middleware\user_projects\domains\E1_Apps\servers\PS_TWB1\stage\PS_7002_TWB1\app\webclient.war D:\Oracle\Middleware\wlserver_10.3]
index = wls
sourcetype = wls_trash
interval = 86400
disabled = false false

# FORWARD JMX LOG
[monitor://$SPLUNK_HOME\var\log\wls_jmx*]
index = wls
sourcetype = wls_jmx
disabled = false
Hi Shaun, the configuration looks pretty good from what I can tell. Two additional things to help troubleshoot:
(1) Check the forwarder logs by searching "index=_internal" and see if there are any errors that might help indicate what is going on.
(2) Simple check, but was the Splunk forwarder service restarted after making the configuration changes in inputs.conf?
Thanks for your feedback.
Checked for the forwarder logs by searching "index=_internal" for the WebLogic host and cannot see any error.
Splunk service has been restarted many times since then.
There must be something wrong on the universal forwarder side, as it pushed system/Windows perf counter information but nothing related to WebLogic.
All I'm after is clear instruction from A-Z to get it working and I'm struggling to find anything for it.
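An offline way to do the "double-check the monitored directories" step from the first reply, added here as an example that is not part of the original thread or the add-on's own code: it parses inputs.conf text and reports which expected log files no enabled monitor stanza would match. The function names are hypothetical, the wildcard translation only approximates Splunk's documented rules (`...` recurses through directories, `*` stays within one path segment), and the D:\ AdminServer log paths are constructed from the domain path shown in the script stanzas.

```python
import re

def parse_stanzas(conf_text):
    """Return {stanza_header: {key: value}} from inputs.conf-style text."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def monitor_regex(monitor_path):
    """Approximate monitor wildcards: '...' crosses directories, '*' does not."""
    parts = []
    for piece in re.split(r"(\.\.\.|\*)", monitor_path):
        if piece == "...":
            parts.append(".*")
        elif piece == "*":
            parts.append(r"[^\\/]*")
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$")

def unmatched_files(conf_text, expected_files):
    """List expected log files that no enabled monitor stanza would pick up."""
    patterns = []
    for header, attrs in parse_stanzas(conf_text).items():
        enabled = attrs.get("disabled", "false").lower() not in ("true", "1")
        if header.startswith("monitor://") and enabled:
            patterns.append(monitor_regex(header[len("monitor://"):]))
    return [f for f in expected_files if not any(p.match(f) for p in patterns)]

# Constructed sample: first stanza as posted in the thread, second is hypothetical.
SAMPLE_CONF = r"""
[monitor://C:\WINDOWS\.\...\user_projects\domains\*\servers\AdminServer\logs\AdminServer.log]
index = wls
disabled = false
[monitor://D:\Oracle\Middleware\user_projects\domains\*\servers\AdminServer\logs\access.log]
index = wls
disabled = false
"""
# Constructed file paths (assumed log locations, not taken from the thread).
EXPECTED = [
    r"D:\Oracle\Middleware\user_projects\domains\E1_Apps\servers\AdminServer\logs\AdminServer.log",
    r"D:\Oracle\Middleware\user_projects\domains\E1_Apps\servers\AdminServer\logs\access.log",
]

if __name__ == "__main__":
    for path in unmatched_files(SAMPLE_CONF, EXPECTED):
        print("no monitor stanza matches:", path)
```

Compare the result with what `splunk list monitor` reports on the forwarder itself, which remains the authoritative view.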