Splunk to monitor Tomcat std err and stdout files

1234testtest
Path Finder

We have a Tomcat installation, and the stderr and stdout files have timestamps in their file names, e.g. tomcat6-stderr.2011-11-02, tomcat6-stdout.2012-12-09.
The directory also contains other files, such as commons etc. We want to monitor ONLY the tomcat6-stdout files and NO OTHER FILES.

I have tried using

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*.log]
disabled = false
followTail = 0
sourcetype = mystderr
source = mysource

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\]
disabled = false
followTail = 0
sourcetype = mystderr
whitelist = tomcat6-stdout*

but nothing seems to work. Any hints would be of great help.


lguinn2
Legend

Here are my edits:

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\]
disabled = false
followTail = 0
sourcetype = mystderr
whitelist = tomcatstdout.*|tomcat6-stdout.*

You had two typos in your whitelist. First, the whitelist is a regular expression, so the bare * is not a wildcard. Second, the file name in the whitelist should not have a 6- in it, according to your second comments - but it does in the first set of comments. My whitelist will index either variation.

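Before deploying a whitelist it is worth checking which files in the logs directory it would actually select. The following added Python example (not from this thread and not Splunk's own code) models the documented whitelist semantics, a regular expression searched against each file's full path, over a constructed listing of the directory from the question; the date-stamped file names, the extra files and the anchored alternative pattern are assumptions.

```python
import re

# Constructed listing of the Tomcat logs directory described in the
# question: date-stamped stdout/stderr files plus other files that must
# NOT be indexed. The directory path is the one from the inputs.conf stanzas.
LOG_DIR = r"D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs"
SAMPLE_FILES = [
    "tomcat6-stdout.2011-11-02",
    "tomcat6-stdout.2012-12-09",
    "tomcat6-stderr.2011-11-02",
    "tomcat6-stderr.2012-12-09",
    "commons-daemon.2012-12-09.log",   # constructed "other file"
    "catalina.2012-12-09.log",         # constructed "other file"
]


def whitelist_matches(whitelist, filenames, log_dir=LOG_DIR):
    """Return the names a [monitor://<log_dir>] stanza would index.

    Splunk reads whitelist as a regular expression and tests it against the
    full path of each file with an unanchored search, which re.search models
    here (assumption: modelled on the documented behaviour, not Splunk code).
    """
    pattern = re.compile(whitelist)
    return [name for name in filenames
            if pattern.search(log_dir + "\\" + name)]


def whitelist_excludes(whitelist, filenames, log_dir=LOG_DIR):
    """Return the names left out, to confirm 'NO OTHER FILES' is honoured."""
    kept = set(whitelist_matches(whitelist, filenames, log_dir))
    return [name for name in filenames if name not in kept]


if __name__ == "__main__":
    # lguinn2's pattern: in a regex '.*' is the "anything" wildcard; a bare
    # '*' would only repeat the single character before it.
    print(whitelist_matches(r"tomcatstdout.*|tomcat6-stdout.*", SAMPLE_FILES))
    # Tighter alternative (assumption, not from the thread): pins the date
    # suffix and the end of the path, so a stray file such as
    # tomcat6-stdout-old.bak would not slip in.
    strict = r"tomcat6-stdout\.\d{4}-\d{2}-\d{2}$"
    print(whitelist_matches(strict, SAMPLE_FILES))
    print(whitelist_excludes(strict, SAMPLE_FILES))
```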

1234testtest
Path Finder

Hi Madam,
My inputs.conf has the stanza below.

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*]
disabled = false
followTail = 0
sourcetype = w_std_log_dynamic

I suspect the problem is with log file rotation: when a new tomcat6-stdout file with today's date is generated, it is not being indexed (it is not shown in the sources list in the search app).

Kindly help


1234testtest
Path Finder

Thanks a lot, Mam. However, it is still not indexing after the log file rotation, when the name is changed. I will troubleshoot again and keep you posted.


1234testtest
Path Finder
a) In what way does it not work? We have set up continuous indexing of the file tomcatstdout-dddd/mm/yy.log. When the file name changes after the date has changed, e.g. when tomcatstdout-2012-12-10.log changes to tomcatstdout-2012-12-11.log, no data is seen in the Splunk dashboard. We have to feed the new file, tomcatstdout-2012-12-11.log, to Splunk again; then it starts to get indexed and data is shown in the dashboards again.

b) How do we know that it doesn't work? Because the dashboard, which continuously takes tomcatstdout as a file, shows no results.

kristian_kolb
Ultra Champion

a) In what way does it not work?
b) How do you know that it doesn't?
