Hi Guys,
I have two instances in the Microsoft Azure environment: one is splunk-server and the other is splunk-forwarder (UniversalForwarder). Everything is fine with the configuration; then I tried to monitor Tomcat logs and performed the step below on the forwarder.
/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder
But in the search tab of splunk-web I always get "No results found".
search-query: host=splunkforwarder sourcetype=log4j
Am I missing something? Please help me out. Thanks in advance!!
Hi somesoni2,
Thanks for your kind support!!
My problem is solved; now I am able to monitor my splunkforwarder Tomcat log file on the splunk-server dashboard.
I added the following lines:
In ...splunkforwarder/etc/system/local/inputs.conf :
[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype=log4j
In ...splunkforwarder/etc/system/local/outputs.conf :
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
[tcpout:default_index]
server=splunkserver.cloudapp.net:9997
I don't see any entry for your file, and maybe that is the reason it's not sending any data (not sure why the CLI command didn't work). Try adding the following to your splunkforwarder\etc\system\local\inputs.conf, at the end:
[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype=log4j
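Both the working fix above (a monitor stanza in inputs.conf plus a tcpout target in outputs.conf) and the diagnosis "I don't see any entry for your file" come down to what the forwarder's layered configuration resolves to. The following is an added example, not code from the thread or from Splunk: a small parser for Splunk's stanza format that merges etc/system/default and etc/system/local the way btool does (local wins per key), then reports whether a given file is covered by a monitor stanza and whether a forwarding target exists. The three conf texts are constructed samples modelled on the ones posted in the thread; the indexer hostname is the one the poster used.

```python
"""Resolve a Splunk forwarder's effective inputs/outputs and explain why a
file would or would not be forwarded. Added example; the conf contents are
constructed samples, not files taken from a real forwarder."""

import re
from collections import OrderedDict

# Constructed sample: forwarder etc/system/default/inputs.conf (abridged).
DEFAULT_INPUTS = """
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
"""

# Constructed sample: forwarder etc/system/local/inputs.conf after the fix.
LOCAL_INPUTS = """
[default]
host = splunkforwarder

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype=log4j
"""

# Constructed sample: forwarder etc/system/local/outputs.conf.
LOCAL_OUTPUTS = """
[tcpout]
defaultGroup = default_index

[tcpout:default_index]
server=splunkserver.cloudapp.net:9997
"""


def parse_conf(text):
    """Parse the INI-like stanza format into {stanza: {key: value}}.
    Spacing around '=' is free-form and '#' starts a comment line."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Later layers override earlier ones key by key (default < local)."""
    merged = OrderedDict()
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, OrderedDict()).update(kv)
    return merged


def effective_monitor(inputs, path):
    """Settings that apply to `path`, or None if no monitor stanza covers it.
    Stanza keys override the [default] stanza."""
    for stanza, kv in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        target = stanza[len("monitor://"):]
        # A stanza covers the exact path or any file under a monitored directory.
        if path == target or path.startswith(target.rstrip("/") + "/"):
            settings = OrderedDict(inputs.get("default", {}))
            settings.update(kv)
            return settings
    return None


def forward_targets(outputs):
    """host:port targets from every [tcpout:<group>] stanza."""
    targets = []
    for stanza, kv in outputs.items():
        if stanza.startswith("tcpout:") and "server" in kv:
            targets.extend(s.strip() for s in kv["server"].split(","))
    return targets


def diagnose(path, inputs_layers, outputs_text):
    """Combine both checks into one report with a list of problems found."""
    inputs = merge_layers(*(parse_conf(t) for t in inputs_layers))
    outputs = parse_conf(outputs_text)
    settings = effective_monitor(inputs, path)
    targets = forward_targets(outputs)
    problems = []
    if settings is None:
        problems.append("no monitor stanza covers " + path)
    if not targets:
        problems.append("no [tcpout:<group>] stanza with a server= target")
    return {"monitored": settings is not None, "settings": settings,
            "targets": targets, "problems": problems}


if __name__ == "__main__":
    log = "/usr/share/apache-tomcat-7.0.42/logs/catalina.out"
    print(diagnose(log, [DEFAULT_INPUTS, LOCAL_INPUTS], LOCAL_OUTPUTS))
    # Same check with only the default layer reproduces the thread's
    # original state: the file is not monitored, so nothing is forwarded.
    print(diagnose(log, [DEFAULT_INPUTS], LOCAL_OUTPUTS))
```

Running the second call with only the default layer is the situation the thread started from: the search for host=splunkforwarder sourcetype=log4j returns nothing because the forwarder never reads the file, regardless of how the indexer is set up. On a real forwarder, `splunk btool inputs list --debug` shows the same merged view together with the file each key came from.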
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = true
[SSL]
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>
[fschange:$SPLUNK_HOME/etc]
pollPeriod = 600
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/local/inputs.conf
[default]
host = splunkforwarder
The default one is quite long, so I will be sending it in parts.
[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/default/inputs.conf
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
Could you please post your inputs.conf file from the forwarder? (mostly splunkforwarder/etc/system/local; if not found there, check splunkforwarder/etc/system/default)