Splunk® Supported Add-ons

Splunk Add-on for Tomcat

Troubleshoot the Splunk Add-on for Tomcat

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Splunk Add-on for Tomcat logs

This add-on has 3 logs that are located at $SPLUNK_HOME/var/log/splunk:

  • splunk_ta_tomcat_main.log
  • splunk_ta_tomcat_setup.log
  • splunk_ta_tomcat_util.log

To check for errors in the internal logs for this add-on, you can perform this search:

index=_internal source=*ta_tomcat*

You can configure the logging verbosity on the setup page for the add-on. Supported log levels are INFO, DEBUG, and ERROR.

To check for JMX errors, you can perform this search of the JMX internal logs:

index=_internal sourcetype=jmx

Getting errors when Splunk add-on for Tomcat is installed on Splunk Universal Forwarder

While installing Splunk add-on for Tomcat on Universal forwarder, if you get the below error: 

08-15-2021 10:41:53.124 +0900 ERROR ModularInputs - Introspecting scheme=tomcat: Unable to run "/opt/splunkforwarder/bin/python3.7 /opt/splunkforwarder/etc/apps/Splunk_TA_tomcat/bin/tomcat.py --scheme": child failed to start: No such file or directory
08-15-2021 10:41:53.124 +0900 ERROR ModularInputs - Unable to initialize modular input "tomcat" defined in the app "Splunk_TA_tomcat": Introspecting scheme=tomcat: Unable to run "/opt/splunkforwarder/bin/python3.7 /opt/splunkforwarder/etc/apps/Splunk_TA_tomcat/bin/tomcat.py --scheme": child failed to start: No such file or directory.

You can ignore this error as the Splunk add-on for Tomcat's modular input requires a heavy forwarder which ships Python in it. As Python isn't provided with Splunk Universal Forwarder, you would get this error if a Python executable is not found on your Splunk universal forwarder machine.

Running Java processes are not terminating as expected

On Windows systems, running Java processes are not terminating as expected when the input is either modified or disabled.

This appears to be a Symlink-related issue with Oracle JDK on Windows, where launching java subprocesses without the full path causes an internal process spawn that isn't cleaned up.

To fix this issue, configure JAVA_HOME in SPLUNK_HOME\etc\splunk-launch.conf like: JAVA_HOME=C:\Program Files\Java\jdk-21 After restarting Splunk, the issue no longer occurs.

Last modified on 26 June, 2025
Enable saved searches for the Splunk Add-on for Tomcat   Upgrade the Splunk Add-on for Tomcat

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters