Getting Data In

Splunk to monitor Tomcat std err and stdout files

1234testtest
Path Finder

We have a Tomcat installation and the stderr and stdout files have timestamps in the file names, e.g. tomcat6-stderr.2011-11-02, tomcat6-stdout.2012-12-09.
In the directory, we also have other files like commons etc. We want to monitor ONLY tomcat6-stdout files and NO OTHER FILES.

I have tried using

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*.log]
disabled = false
followTail = 0
sourcetype = mystderr
source = mysource

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\]
disabled = false
followTail = 0
sourcetype = mystderr
whitelist = tomcat6-stdout*

but nothing seems to work. Any hints would be of great help.

0 Karma

lguinn2
Legend

Here are my edits:

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\]
disabled = false
followTail = 0
sourcetype = mystderr
whitelist = tomcatstdout.*|tomcat6-stdout.*

You had two typos in your whitelist. First, the whitelist is a regular expression, so the bare * is not a wildcard. Second, the file name in the whitelist should not have a 6- in it, according to your second comments - but it does in the first set of comments. My whitelist will index either variation.

0 Karma
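A dry run of the whitelist patterns from this thread against a constructed file listing, added here as an example and not part of any post. It assumes the whitelist is applied as an unanchored regular-expression search over the full file path and uses Python's `re` module as a stand-in for Splunk's regex engine; the `strict` pattern, the file list and the function names are this example's own.

```python
import re

# Directory from the thread; the file names below are constructed samples.
LOG_DIR = "D:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\logs\\"
SAMPLE_FILES = [
    "tomcat6-stdout.2012-12-09",
    "tomcat6-stdout.2012-12-10",
    "tomcat6-stderr.2011-11-02",
    "commons-daemon.2012-12-09.log",
    "tomcat6-stdout.2012-12-09.bak.zip",
    "tomcat6-stdou.tmp",
]

# "question" and "answer" are the whitelist values posted in the thread.
# "strict" is an assumption of this example: date-stamped stdout files only,
# anchored at the path separator and at the end of the name.
PATTERNS = {
    "question": r"tomcat6-stdout*",
    "answer": r"tomcatstdout.*|tomcat6-stdout.*",
    "strict": r"[\\/]tomcat6-stdout\.\d{4}-\d{2}-\d{2}$",
}


def selected(pattern, names=SAMPLE_FILES, directory=LOG_DIR):
    """Return the names whose full path matches the pattern anywhere."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(directory + n)]


def report():
    """Map each pattern label to the sample files it would select."""
    return {label: selected(p) for label, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, names in report().items():
        print(f"{label:9} {PATTERNS[label]}")
        for n in names:
            print(f"    would monitor: {n}")
```

In the `question` pattern the `*` quantifies the preceding `t`, which is why it also selects `tomcat6-stdou.tmp`; only the anchored pattern excludes the `.bak.zip` copy.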

1234testtest
Path Finder

Hi Madam,
My inputs.conf has the stanza below.
[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*]
disabled = false
followTail = 0
sourcetype = w_std_log_dynamic

I suspect the problem is with log file rotation as if a new tomcat6-stdout with today's date is getting generated, it is not being indexed (not shown in the sources list in the search app).

Kindly help

0 Karma

1234testtest
Path Finder

Thanks a lot, Ma'am. It is still, however, not indexing the log file on rotation, when the name is changed. I will troubleshoot again and keep you posted.

0 Karma

1234testtest
Path Finder
1. In what way does it not work? We have set up continuous indexing for the file tomcatstdout-dddd/mm/yy.log. When the file name changes after the date has changed, for example when tomcatstdout-2012-12-10.log changes to tomcatstdout-2012-12-11.log, no data is seen in the Splunk dashboard. We have to feed the input to Splunk again, with the new file tomcatstdout-2012-12-11.log, and then it starts to get indexed and data is shown in the dashboards again.
2. How do we know that it doesn't work? Because the dashboard, which continuously takes tomcatstdout as a file, shows no results.
0 Karma

kristian_kolb
Ultra Champion

a) In what way does it not work?
b) How do you know that it doesn't?

0 Karma