Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get tomcat logs in splunk 7.2.0?

kumaresan5666
New Member
‎12-01-2018 12:57 AM

I am working in machine learning recently. My goal is need to see logs from locally installed tomcat in splunk search.

I installed apache tomcat at a drive in my local machine. then opened splunk instance, I installed tomcat add ons, followed this instruction(splunk docs). created inputs.conf file and placed it in Splunk_TA_tomcat/local folder. then restarted splunk . after i went to search page. i entered this command sourcetype = tomcat:access:log. i got nothing. please help me.

1. Create an 
inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/local.

2. Add the following stanzas. Modify the directory name if necessary to use the actual directory your Tomcat files are stored in.

[monitor:///Applications/apache-tomcat-8.0.23/logs/catalina.*.log]
disabled = false
followTail = false
index = main
sourcetype = tomcat:runtime:log

[monitor:///Applications/apache-tomcat-8.0.23/logs/localhost.*.log]
disabled = false
followTail = false
index = main
sourcetype = tomcat:runtime:log

[monitor:///Applications/apache-tomcat-8.0.23/logs/manager.*.log]
disabled = false
followTail = false
index = main
sourcetype = tomcat:runtime:log

[monitor:///Applications/apache-tomcat-8.0.23/logs/host-manager.*.log]
disabled = false
followTail = false
index = main
sourcetype = tomcat:runtime:log

[monitor:///Applications/apache-tomcat-8.0.23/logs/localhost_access_log.*.txt]
disabled = false
followTail = false
index = main
sourcetype = tomcat:access:log
Tags (1)
0 Karma
Reply

vr2312
Builder
‎12-03-2018 04:33 PM

Hello @prakash007 , please ensure that there are logs present in the below locations :

Applications/apache-tomcat-8.0.23/logs

the same as the ones you have mentioned in your inputs.conf file.

If there are no logs available, please update the inputs.conf to the appropriate destinations.

Also check if you are able to receive internal logs from the Server onto splunk so that we can ensure the connectivity from the server to splunk is existent.

You can do that by running : index=_internal host=XXXX

0 Karma
Reply

prakash007
Builder
‎12-01-2018 09:23 AM

Did you check to see any data exists in the path you mentioned in monitor stanza..??
Run a all time search in case the timestamps are off index=main sourcetype=tomcat*

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...