Getting Data In

file monitoring on universal forwarder from splunk server

Path Finder

Hi Guys,

I have two instances in a Microsoft Azure environment: one is splunk-server and the other is splunk-forwarder (UniversalForwarder). Everything is fine with the configuration. Then I tried to monitor Tomcat logs and performed the step below on the forwarder.

/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder

But in the search tab of Splunk Web I always get "No results found".
Search query: host=splunkforwarder sourcetype=log4j

Am I missing something? Please help me out. Thanks in advance!!


Path Finder

Hi somesoni2,

Thanks for your kind support!!

My problem is solved; now I am able to monitor my splunkforwarder Tomcat log file on the splunk-server dashboard.

I added the following lines:

In ...splunkforwarder/etc/system/local/inputs.conf :

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j

In ...splunkforwarder/etc/system/local/outputs.conf :

forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = .*
[tcpout:default_index]
server = splunkserver.cloudapp.net:9997

SplunkTrust

I don't see any entry for your file, and maybe that is the reason it's not sending any data (not sure why the CLI command didn't work). Try adding the following to your splunkforwarder\etc\system\local\inputs.conf, at the end:

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j
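The solved configuration above and somesoni2's suggested stanza come down to the same two checks: the forwarder's inputs.conf must contain a [monitor://...] stanza whose path is absolute (three slashes, `monitor:///usr/...`, not `monitor://usr/...`), and outputs.conf must name an indexer as host:port. The following is an added example, not code from this thread or from Splunk: a small Python linter that parses both files the way splunkd reads them (INI-like, `#` comments, settings before any stanza belong to [default]) and reports the conditions that leave a forwarder silently sending nothing. The `exists`/`readable` hooks are an assumption so the check can run offline or against a config copied from another host; the sample configs are constructed from the values posted in the thread.

```python
# Added example (not from the thread): lint a forwarder's inputs.conf and
# outputs.conf for the mistakes that produce "No results found" with no error.
import os
import re
from typing import Callable, Dict, List, Tuple

Stanzas = Dict[str, Dict[str, str]]
Finding = Tuple[str, str]  # (stanza name, problem)


def parse_splunk_conf(text: str) -> Stanzas:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Settings before any [stanza] header belong to [default], which is how
    splunkd treats them. Comments start with '#'; spaces around '=' are optional.
    """
    stanzas: Stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_inputs(text: str,
                 exists: Callable[[str], bool] = os.path.exists,
                 readable: Callable[[str], bool] = lambda p: os.access(p, os.R_OK)
                 ) -> List[Finding]:
    """Report monitor stanzas that cannot produce events.

    exists/readable are injectable (an assumption of this example) so the
    check can run against a config copied from another host.
    """
    findings: List[Finding] = []
    stanzas = parse_splunk_conf(text)
    monitors = [name for name in stanzas if name.startswith("monitor://")]
    if not monitors:
        findings.append(("inputs.conf", "no [monitor://...] stanza; nothing is being tailed"))
    for name in monitors:
        path = name[len("monitor://"):]
        settings = stanzas[name]
        if settings.get("disabled", "0").lower() in ("1", "true"):
            findings.append((name, "input is disabled"))
        if path.startswith("$SPLUNK_HOME"):
            continue  # splunkd expands this itself; nothing to check offline
        if not path.startswith("/"):
            findings.append((name, "path is relative; write monitor:///abs/path (three slashes)"))
        elif not exists(path):
            findings.append((name, "path does not exist on this host"))
        elif not readable(path):
            findings.append((name, "path not readable by the user running splunkd"))
    return findings


def check_outputs(text: str) -> List[Finding]:
    """Report tcpout groups with no usable indexer address."""
    findings: List[Finding] = []
    stanzas = parse_splunk_conf(text)
    groups = [name for name in stanzas if name.startswith("tcpout:")]
    if not groups:
        findings.append(("outputs.conf", "no [tcpout:<group>] stanza; forwarder has no destination"))
    for name in groups:
        # 'server' may be a comma-separated list; every entry must be host:port
        entries = [s.strip() for s in stanzas[name].get("server", "").split(",")]
        if not all(re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", s) for s in entries):
            findings.append((name, "server must be host:port (e.g. indexer.example:9997)"))
    return findings


# Constructed samples built from the values posted in the thread.
WORKING_INPUTS = """\
[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j
"""
BROKEN_INPUTS = """\
[monitor://usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
"""
WORKING_OUTPUTS = """\
[tcpout:default_index]
server = splunkserver.cloudapp.net:9997
"""

if __name__ == "__main__":
    # Pretend only the Tomcat log exists, so the sample runs on any machine.
    fake_fs = lambda p: p == "/usr/share/apache-tomcat-7.0.42/logs/catalina.out"
    for label, conf in (("working", WORKING_INPUTS), ("broken", BROKEN_INPUTS)):
        print(label, check_inputs(conf, exists=fake_fs, readable=fake_fs) or "OK")
    print("outputs", check_outputs(WORKING_OUTPUTS) or "OK")
```

Run it with the real defaults (`check_inputs(open(path).read())`) as the user that runs splunkd, since a log readable by root but not by the splunk user fails the same way as a missing stanza: no error in the search, just no events.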

Path Finder

[splunktcp]
route=haskey:replicationBucketUUID:replicationQueue;haskey:dstrx:typingQueue;haskey:linebreaker:indexQueue;absentkey:linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
startbyshell = true

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true


Path Finder

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>

[fschange:$SPLUNK_HOME/etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns


Path Finder

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/local/inputs.conf
[default]
host = splunkforwarder

The default one is quite long, so I will be sending it in parts.

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/default/inputs.conf

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype = splunk_version


SplunkTrust

Could you please post your inputs.conf file from the forwarder? (Mostly splunkforwarder/etc/system/local; if not found there, check splunkforwarder/etc/system/default.)