Troubleshoot the Splunk Add-on for Tomcat
General troubleshooting
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Splunk Add-on for Tomcat logs
This add-on has 3 logs that are located at $SPLUNK_HOME/var/log/splunk
:
splunk_ta_tomcat_main.log
splunk_ta_tomcat_setup.log
splunk_ta_tomcat_util.log
To check for errors in the internal logs for this add-on, you can perform this search:
index=_internal source=*ta_tomcat*
You can configure the logging verbosity on the setup page for the add-on. Supported log levels are INFO, DEBUG, and ERROR.
To check for JMX errors, you can perform this search of the JMX internal logs:
index=_internal sourcetype=jmx
Getting errors when Splunk add-on for Tomcat is installed on Splunk Universal Forwarder
While installing Splunk add-on for Tomcat on Universal forwarder, if you get the below error:
08-15-2021 10:41:53.124 +0900 ERROR ModularInputs - Introspecting scheme=tomcat: Unable to run "/opt/splunkforwarder/bin/python3.7 /opt/splunkforwarder/etc/apps/Splunk_TA_tomcat/bin/tomcat.py --scheme": child failed to start: No such file or directory 08-15-2021 10:41:53.124 +0900 ERROR ModularInputs - Unable to initialize modular input "tomcat" defined in the app "Splunk_TA_tomcat": Introspecting scheme=tomcat: Unable to run "/opt/splunkforwarder/bin/python3.7 /opt/splunkforwarder/etc/apps/Splunk_TA_tomcat/bin/tomcat.py --scheme": child failed to start: No such file or directory.
You can ignore this error as the Splunk add-on for Tomcat's modular input requires a heavy forwarder which ships Python in it. As Python isn't provided with Splunk Universal Forwarder, you would get this error if a Python executable is not found on your Splunk universal forwarder machine.
Running Java processes are not terminating as expected
On Windows systems, running Java processes are not terminating as expected when the input is either modified or disabled.
This appears to be a Symlink-related issue with Oracle JDK on Windows, where launching java subprocesses without the full path causes an internal process spawn that isn't cleaned up.
To fix this issue, configure JAVA_HOME
in SPLUNK_HOME\etc\splunk-launch.conf
like:
JAVA_HOME=C:\Program Files\Java\jdk-21
After restarting Splunk, the issue no longer occurs.
Enable saved searches for the Splunk Add-on for Tomcat | Upgrade the Splunk Add-on for Tomcat |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!