@MousumiChowdhury firstoff thank you for assisting me with this, having said that bin directory is not inside /opt/splunk/etc/apps/search, so i had to manually create the bin folder and gave it splunk ownership and copy the tomcat script inside bin. 2) This is how the indexes.conf [root@ip-xx.xxx.xx.xxx local]# cat indexes.conf [tomcatindex] coldPath = $SPLUNK_DB/tomcatindex/colddb enableDataIntegrityControl = 0 enableTsidxReduction = 0 homePath = $SPLUNK_DB/tomcatindex/db maxTotalDataSizeMB = 512000 thawedPath = $SPLUNK_DB/tomcatindex/thaweddb [tomcatindex] coldPath = /opt/splunkforwarder/etc/apps/search/bin/./tomcatscript.sh enableDataIntegrityControl = 0 enableTsidxReduction = 0 homePath = /opt/splunkforwarder/etc/apps/search/bin/./tomcatscript.sh maxTotalDataSizeMB = 512000 thawedPath = /opt/splunkforwarder/etc/apps/search/bin/./tomcatscript.sh 3)[root@ip-xx-xxx-xx-xx local]# cat inputs.conf [monitor:///opt/tomcat/logs/catalina.out] disabled = false index = tomcat [monitor:///opt/splunkforwarder/bin/tomcatscript.sh] disabled = false index = tomcatindex [monitor:///opt/splunkforwarder/etc/apps/search/bin/./tomcatscript.sh] disabled = false index = tomcatindex After making these changes, i have restarted splunkforwarder and search for the index, but i do not see the index still, what am i missing? ... View more

@MousumiChowdhury i still dont see the new custom index in splunk search. I will describe how my splunk is setup, maybe, i am missing something. 1) tomcatscript.sh is inside /opt/splunkforwarder/bin !/bin/bash if [ -z "$(ps -ef | grep java | grep tomcat)" ] then echo "Tomcat is NOT running" else echo "Tomcat is running" fi 2) inputs.conf inside /opt/splunkforwarder/etc/apps/search/local [monitor:///opt/tomcat/logs/catalina.out] disabled = false index = tomcat [monitor:///opt/splunkforwarder/bin/tomcatscript.sh] disabled = false index = tomcatindex 3)indexes.conf inside /opt/splunkforwarder/etc/apps/search/local [tomcatindex] coldPath = $SPLUNK_DB/tomcatindex/colddb enableDataIntegrityControl = 0 enableTsidxReduction = 0 homePath = $SPLUNK_DB/tomcatindex/db maxTotalDataSizeMB = 512000 thawedPath = $SPLUNK_DB/tomcatindex/thaweddb when i do a search on splunk host="abcvm" but the only index i see is "os". I also did a restart as well for the splunkforwarder but didnt see the newly created index. Maybe i am doing something wrong, would appreciate if you could direct me, thank you ... View more

@niketn so i have my tomcat server running and when i ran below query, i get output with the host name, current date and time as well as downtime 999. Is that the expected output? I was under the impression if the tomcat/jboss services are running then there would be no output since there is no downtime for those services. We should only get result when downtime (jboss/tomcat) is more then 5 min | tstats latest(_time) as _time WHERE (host="hostsvm") AND source="/opt/tomcat/logs/catalina.out" by host | eval "downTime (in Min)"=round((now()-_time)/60,0) | append [ | makeresults | eval host="hostsvm", "downTime (in Min)"="999"] | dedup host | where 'downTime (in Min)'>5 ... View more

@Mousumichowdhury i created a shell script and placed it inside /opt/splunkforwarder/bin with executable permission. I also made an entry inside inputs.conf, below is the how the entry looks like inside inputs.conf [default] host = svm /opt/splunkforwarder/bin/tomcatscript.sh how do you create an index? ... View more

@somesoni2 @saurabhtcs when i used the query, if i shutdown the host, nothing comes up when i ran the query. It only shows result for last 24hrs. I started/stopped the host and ran this query but it didnt give desired result. The desire result which i want is, if the host is shutdown, the query has been setup as alert and should be able to inform user that host is shutdown or not responding with the updated timestamp | tstats count latest(_time) where index=* host="abssvm" by host | rename earliest(_time) as earliest_time, latest(_time) as latest_time | eval status= if(latest_time > relative_time(now(),"-5min"),"Active","Inactive") | convert ctime(latest_time) | search status="Inactive" | fields - count ... View more

Can you give an example of how this would be possible? ... View more

two issues when i changed the source and ran the query 1) It is picking jboss server for other environment, for example, i need jboss for ABC environment but not for DEF environment, but its picking up all the server from ABC environment and DEF environment. 2)The second issue is that the query should only give me result when it detects is the jboss server is down, but it is still showing me result ... View more

The OS we are using is Linux (Amazon Linux EC2 instance or Redhat). We use Jboss server log to identify if its starting or shutdown, the absolute path for that is /opt/jboss-eap/standalone/log/server.log. Another way we check if Jboss service is running by checking Jboss pid ps aux | grep jboss ... View more

@niketnilay Exactly what fsrodriguez mentioned, that is what i need. ... View more

hey Niketniley, looks the the query will do the job, but i am getting below mentioned error. I tried putting a space between search "downTime (in Min)">5 but its not helping Comparator '>' is missing a term on the right hand side The search job has failed due to an error. You may be able view the job in the Job Inspector. ... View more

thank you the query worked ... View more