Getting Data In

File monitoring on universal forwarder from Splunk server

lalit_mohan
Path Finder

Hi Guys,

I have two instances in a Microsoft Azure environment: one is splunk-server and the other is splunk-forwarder (UniversalForwarder). Everything is fine with the configuration; then I tried to monitor Tomcat logs and performed the steps below on the forwarder.

/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder

But in the search tab of Splunk Web I always get "No results found".
Search query: host=splunkforwarder sourcetype=log4j

Am I missing something? Please help me out. Thanks in advance!


lalit_mohan
Path Finder

Hi somesoni2,

Thanks for your kind support!!

My problem is solved; now I am able to monitor my splunkforwarder Tomcat log file on the splunk-server dashboard.

I added the following lines:

In ...splunkforwarder/etc/system/local/inputs.conf:

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j

In ...splunkforwarder/etc/system/local/outputs.conf:

forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
[tcpout:default_index]
server = splunkserver.cloudapp.net:9997

somesoni2
SplunkTrust

I don't see any entry for your file, and maybe that is the reason it's not sending any data (not sure why the CLI command didn't work). Try adding the following to your splunkforwarder\etc\system\local\inputs.conf, at the end:

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j
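A monitor stanza only works when the path after monitor:// is absolute, which is why the working stanza in this thread has three slashes ([monitor:///usr/...]); a stanza written with two ([monitor://usr/...]) names a relative path and silently watches nothing. The lint below is an added example, not code from the thread or from Splunk: it reads an inputs.conf from stdin, flags relative monitor paths, leaves paths anchored on a variable such as $SPLUNK_HOME alone (Splunk's own default inputs.conf uses those), and notes stanzas that inherit index or sourcetype instead of setting them.

```shell
#!/bin/sh
# Added example: lint a Splunk inputs.conf fed on stdin.
# Reports, per [monitor://...] stanza: a relative path (needs monitor:///abs/path),
# and a missing index or sourcetype (both are then inherited or guessed).
lint_inputs_conf() {
  awk '
    function report() {
      if (stanza ~ /^monitor:\/\//) {
        path = substr(stanza, 11)            # text after "monitor://" (10 chars)
        first = substr(path, 1, 1)
        if (first != "/" && first != "$")    # "$SPLUNK_HOME/..." is fine as-is
          printf "%s: relative path, did you mean monitor:///%s ?\n", stanza, path
        if (!("index" in keys))
          printf "%s: no index, inherits the index set in [default]\n", stanza
        if (!("sourcetype" in keys))
          printf "%s: no sourcetype, Splunk will guess one\n", stanza
      }
      for (k in keys) delete keys[k]
    }
    /^[ \t]*$/ { next }                      # blank line
    /^[ \t]*#/ { next }                      # comment
    /^\[.*\]$/ {                             # stanza header: report the previous one
      if (stanza != "") report()
      stanza = substr($0, 2, length($0) - 2)
      next
    }
    /=/ {                                    # key = value: remember the key name
      k = $0
      sub(/[ \t]*=.*$/, "", k)
      sub(/^[ \t]*/, "", k)
      keys[k] = 1
    }
    END { if (stanza != "") report() }
  '
}

# Constructed sample: a relative path, the working absolute path, and a
# $SPLUNK_HOME-anchored stanza in the style of Splunk's default inputs.conf.
SAMPLE='[monitor://usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype=log4j

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype=log4j

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
'
printf '%s' "$SAMPLE" | lint_inputs_conf
```

Run it as `lint_inputs_conf < $SPLUNK_HOME/etc/system/local/inputs.conf` on the forwarder; an empty output means every monitor stanza has an absolute path and sets both index and sourcetype.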

lalit_mohan
Path Finder

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true

lalit_mohan
Path Finder

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME/etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns


lalit_mohan
Path Finder

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/local/inputs.conf
[default]
host = splunkforwarder

The default one is quite long, so I will be sending it in parts.

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/default/inputs.conf

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version


somesoni2
SplunkTrust

Could you please post your inputs.conf file from the forwarder? (Mostly splunkforwarder/etc/system/local; if not found there, check splunkforwarder/etc/system/default.)
