- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk to monitor Tomcat std err and stdout files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk to monitor Tomcat std err and stdout files
We have a tomcat installation and the std err and stdout files have timestamps in the name of files. for eg tomcat6-stderr.2011-11-02, tomcat6-stdout.2012-12-09.
In the directory, we also have other files like commons etc., We want to monitor ONLY tomcat6-stdout files and NO OTHER FILES.
I have tried using
[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*.log]
disabled = false
followTail = 0
sourcetype = mystderr
source = mysource
[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\]
disabled = false
followTail = 0
sourcetype = mystderr
whitelist = tomcat6-stdout*
but nothing seems to work. Any hints would be of great help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are my edits:
[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\]
disabled = false
followTail = 0
sourcetype = mystderr
whitelist = tomcatstdout.*|tomcat6-stdout.*
You had two typos in your whitelist. First, the whitelist is a regular expression, so the bare * is not a wildcard. Second, the file name in the whitelist should not have a 6- in it, according to your second comments - but it does in the first set of comments. My whitelist will index either variation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Madam,
My inputs.conf has the stanza below.
[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*]
disabled = false
followTail = 0
sourcetype = w_std_log_dynamic
I suspect the problem is with log file rotation as if a new tomcat6-stdout with today's date is getting generated, it is not being indexed (not shown in the sources list in the search app).
Kindly help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot Mam. It still however is not indexing the log file rotation - when the name is changed. I would troubleshoot again and keep posted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- In what does it not work
We have put a continuously index for the file tomcatstdout-dddd/mm/yy.log.When the file name changes after the date has changed-foreg when tomcatstdout-2012-12-10.log changes to tomcatstdout-2012-12-11.log, there is no data that is being seen in the splunkdashboard. We have to again feed the input to splunk , the new file with the date tomcatstdout-2012-12-11.log and then it starts to get indexed and data is again shown in the dashboards.
- How do we know that it doesnt work Because the dashboard which continuously takes tomcatstdout as a file shows no results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a) In what way does it not work?
b) How do you know that it doesn't?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
