All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alarm for tomcat service

fsrodriguez
New Member
‎12-10-2017 07:42 AM

I have set up an alarm to tell me when tomcat service is down.

hosts="server" source="ps" tomcat | stats latest(_time) as latest by host

That is what I have for my search. For the trigger I have set: search < 1.

Sometimes I get false alarms. Am I missing something?

Also at my job they used /var/logs directory... shouldn't we just use some tomcat directory just to monitor tomcat?

Thanks in advance!

0 Karma
Reply

nickhills
Ultra Champion
‎12-11-2017 12:59 AM

Tomcat can be installed in many ways, and whilst you are correct that the 'normal' location is /var/log/tomcat/catalina.out often this is symlinked to somewhere else such as /usr/share/tomcat8/log/catalina.out As long as you have the correct sourcetypes set for the inputs, I wouldn't worry about the paths too much unless its also your job to manage the servers and it bothers you.

In your query above you are monitoring the tomcat process from ps which from time to time (depending on config) may choose to restart itself (or crash and restart) whilst both of these are events you may be interested in, I have found that monitoring the catalina.out file over an x minute period provides a better indication of when the process stop because the log file approach is more forgiving of restarted processes.
It also would highlight if tomcat 'hangs'. In such a situation the process might still be running, but not servicing requests. This latter approach would catch that.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

fsrodriguez
New Member
‎12-11-2017 05:39 AM

ah ok! yeah that makes a lot of sense just to monitor the catalina.out file. Are you using "ps" ? I have it to check every 5 minutes. Would you mind sharing your query?

I'm wondering if there is an alternative method to check other than running PS.

0 Karma
Reply

nickhills
Ultra Champion
‎12-20-2017 02:26 AM

Yes, I tend to monitor the tomcat sourcetype - since a running tomcat server is frequently writing logs (even when idle) I have found this a better method rather than ps.

that way even if tomcat hangs (as ours did from time to time) the lack of catalina logs is more telling than a running process in ps.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...