
TomCat Addon Question (index)?

Jarohnimo
Builder

Hello all, I'm a bit green in some of these areas, so forgive me if my questions are elementary.

I'm trying to grab the Tomcat logs from remote servers and have them send their logs to the index of my choosing. I haven't dealt with much Linux data (mainly Windows), so please bear with me.

I've always created deployment apps on my deployment server to receive data from all of the nodes. The instructions for grabbing Tomcat data are slightly different from what I'm used to, and I could use some assistance on how it's done. I'm using this article as a guide:
https://docs.splunk.com/Documentation/AddOns/released/Tomcat/Configureinputs2

Tomcat logs seem to be slightly different. It states: Copy the inputs.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/default to $SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/local. So no deployment app is needed, it seems... ?

This will produce:

[tomcat]
interval = 60

[tomcat://dumpAllThreads]
object_name = java.lang:type=Threading
operation_name = dumpAllThreads
params = true, true
signature = boolean, boolean
split_array = true
duration = 120
disabled = true

^ There is no index specified in the syntax above. My question is: can I simply add index=Myindex to the above stanza to force the data to go where I want it to go, flip disabled = false, and then I'm done?

Is this common for certain apps not to create deployment apps but to control all the data from the app directory by creating a local inputs.conf and specifying your index in the stanza?
Thank you

0 Karma
1 Solution

JDukeSplunk
Builder

I don't know if tomcat:// follows the same rules as monitor://. It should, so yes adding index = MyIndex should work. This assumes, of course, that the index is present on the indexers.

We do not use the Splunk_TA_Tomcat app. Rather we custom built a deployment app for our application servers running Tomcat to pull catalina.out and local_access.log

Example.

#####################
#Tomcat_b  
#####################

[monitor:///opt/apache-tomcat/*/logs/catalina.out]
disabled = 0
index = application
sourcetype = apollo:prod:tomcat_b
ignoreOlderThan = 30d

[monitor:///opt/apache-tomcat-*/logs/catalina.out]
disabled = 0
index = application
sourcetype = apollo:prod:tomcat_b
ignoreOlderThan = 30d

#####################
#Tomcat_Access
#####################

[monitor:///opt/apache-tomcat-*/logs/localhost_access_log.*.log]
disabled = 0
index = application
sourcetype = apollo:prod:tomcat_access
ignoreOlderThan = 30d

[monitor:///opt/apache-tomcat/*/logs/localhost_access_log.*.log]
disabled = 0
index = application
sourcetype = apollo:prod:tomcat_access
ignoreOlderThan = 30d
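
An added example, not part of the original posts and not Splunk tooling: a small Python check for an inputs.conf body that flags what this thread turns on, namely an enabled input with no index, an index the indexers do not have, and a stanza header missing its closing bracket. The sample text, the index names and the function name `lint_inputs` are constructed for illustration; the list of known indexes is an assumption the caller supplies.

```python
import re

# Constructed sample: the add-on stanza from the question with an index added,
# one monitor stanza with no index, and one header missing its closing bracket.
SAMPLE = """\
[tomcat]
interval = 60

[tomcat://dumpAllThreads]
index = myindex
disabled = false

[monitor:///opt/apache-tomcat-*/logs/catalina.out]
disabled = 0
sourcetype = apollo:prod:tomcat_b

[monitor:///opt/apache-tomcat/*/logs/localhost_access_log.*.log
disabled = 0
index = application
"""

HEADER = re.compile(r"^\[(.+)\]$")
TRUE_VALUES = {"1", "true"}  # values this check treats as "disabled"

def lint_inputs(text, known_indexes):
    """Return sorted (line_no, message) findings for an inputs.conf body."""
    findings, stanzas, current = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = HEADER.match(line)
            current = {"name": m.group(1), "line": no, "kv": {}} if m else None
            if m:
                stanzas.append(current)
            else:
                findings.append((no, "malformed stanza header: " + line))
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current["kv"][key] = value
    for s in stanzas:
        kv = s["kv"]
        # Skip parent stanzas such as [tomcat] and inputs that are switched off.
        if "://" not in s["name"] or kv.get("disabled", "0").lower() in TRUE_VALUES:
            continue
        if "index" not in kv:
            findings.append((s["line"], "no index set, default index is used: " + s["name"]))
        elif kv["index"] not in known_indexes:
            findings.append((s["line"], "index not in known list: " + kv["index"]))
    return sorted(findings)
```

Calling `lint_inputs(SAMPLE, {"application"})` reports the tomcat:// stanza (its index is not in the known list), the catalina.out monitor (no index) and the unterminated header.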


Jarohnimo
Builder

Hi there, thank you for your response and for posting the actual stanza (that's very helpful). The way you package your app and deploy is how I do it for all other apps. This Tomcat one is a bit confusing.

They state deployment isn't supported here:

(Scroll all the way to the bottom and view Deployment server it says not supported)
http://docs.splunk.com/Documentation/AddOns/released/Tomcat/Install

Your stanza looks similar to how they specify the "local only" setup here: https://docs.splunk.com/Documentation/AddOns/released/Tomcat/Setup

It's very confusing from Splunk, as the direction for deployment of the app isn't clear. I would much rather package my own app and deploy only the items of my choice. Let me know what you think after viewing the links above.

The fact you have it working in your environment is encouraging.

0 Karma

JDukeSplunk
Builder

We package this app in our deployment server, send it out as /whateverAPPNAME/local/inputs.conf, and publish it via server class to the Linux boxes running Tomcat. So yes, this is a local-only deployment. From the looks of it, the Splunk_TA_Tomcat runs on a Splunk server and uses HTTP to read info on the Tomcat utility website (can't think of its name).

We decided, since we had UFs on each Linux host anyway, to just read the files. (We also read GC.Log.) This, of course, does not give us much in the way of thread or performance data the way the TA app would. We don't care (yet). We just want the access logs and catalina.out.

0 Karma

Jarohnimo
Builder

Thank you, you've been most helpful.

0 Karma