Enable saved searches for the Splunk Add-on for Tomcat

The Splunk Add-on for Tomcat includes two preconfigured lookup generation saved searches that you need to enable if you are using this add-on with Splunk IT Service Intelligence. These saved searches are based on the data collected through JMX and file based logs. You need to configure JMX inputs and set up the Splunk Add-on for Tomcat in order to collect the data. After the data has been indexed by the Splunk platform, you can manually run the saved searches in order to populate the lookup files then set a frequency to run them that matches the frequency of configuration changes in your environment.

You can review and enable these saved searches either in Splunk Web or in the configuration files.

Access and enable saved searches in Splunk Web

To access and enable the saved searches in Splunk Web:

1. Go to Settings > Searches, reports, and alerts.

2. Set the app context to Splunk Add-on for Tomcat.

3. Click Enable next to the searches you would like to enable.

Access and enable saved searches in savedsearches.conf

To access and enable the saved searches in the configuration files:

1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/default/savedsearches.conf.

2. Copy the file to /local.

3. In the local copy, for each search that you want to enable, change Disabled = 1 to Disabled = 0.

Migrating from CSV lookups to KV store lookups

1. Disable the savedsearch Tomcat version number and Tomcat application server from Splunk Web on the search head.
2. Execute the below two SPL queries to migrate existing CSV lookup data to KVStore from your search heads:
   1. | inputlookup tomcat_application_server_lookup.csv | outputlookup tomcat_application_server_lookup
   2. | inputlookup tomcat_version_number_lookup.csv | outputlookup tomcat_version_number_lookup
3. Enable the savedsearch Tomcat version number and Tomcat application server from Splunk Web on the search head.