Splunk® Supported Add-ons

Splunk Add-on for Tomcat


Configure Splunk recommended fields in Splunk add-on for Tomcat

Splunk best practice is to use the tomcat:access:splunk:log source type so that Tomcat access logs are CIM-compliant.

To use this source type, first disable the following Tomcat add-on inputs, then reconfigure the Tomcat access log valve as described in the numbered steps.

  • File monitor input for the tomcat:access:log sourcetype: Settings > Data Inputs > Files & directories > input for tomcat:access:log sourcetype > Disable
  • dumpAllThreads: Settings > Data Inputs > Splunk Add-on for Tomcat > dumpAllThreads > Disable

  1. Open back-end (shell) access to your Tomcat server.
  2. Stop the Tomcat server.
  3. Navigate to $CATALINA_HOME/conf/ and open server.xml in a text editor.
  4. Search for the line containing org.apache.catalina.valves.AccessLogValve in the file.
  5. Update the prefix and pattern attributes of that Valve element as below. Because the pattern attribute value is itself enclosed in double quotes, the double quotes inside the pattern must be written as the XML entity &quot; or server.xml will no longer be well-formed:
     prefix="localhost_access_log_splunk" suffix=".txt"
     pattern="%t, x_forwarded_for=&quot;%{X-Forwarded-For}i&quot;, remote_ip=&quot;%a&quot;, remote_host=&quot;%h&quot;, server=&quot;%v&quot;, server_port=%p, user=&quot;%u&quot;, http_method=%m, uri_path=&quot;%U&quot;, uri_query=&quot;%q&quot;, status=%s, bytes_sent=%b, response_time=%F, http_content_type=&quot;%{Content-Type}o&quot;, http_user_agent=&quot;%{User-Agent}i&quot;, http_referrer=&quot;%{Referer}i&quot;, url=&quot;%{Host}i%U%q&quot;"
  6. Save the server.xml file.
  7. Start the Tomcat server.
  8. Reconfigure the add-on and select the "Enable data collection from Tomcat log files" checkbox.
  9. Enable the dumpAllThreads input.

Optionally, you can configure the Tomcat server to authenticate users, since the tomcat:access:log:splunk source type supports mapping of the user field (%u in the pattern above is only populated for authenticated requests). Follow the steps in the Tomcat documentation to do so.
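As an added example (not part of the Splunk documentation or the add-on's own code), the following Python parser reads lines written by the pattern in step 5 and checks that every field the pattern emits is present, which is a quick way to confirm the valve change took effect before pointing the add-on at the new file. The sample lines, the EXPECTED_FIELDS list and the assumption that header values contain no literal double quote are all constructed here.

```python
import re

# Field names emitted by the step-5 pattern, in order; used to confirm that a
# line came from the reconfigured valve rather than the default Tomcat format.
EXPECTED_FIELDS = [
    "x_forwarded_for", "remote_ip", "remote_host", "server", "server_port", "user",
    "http_method", "uri_path", "uri_query", "status", "bytes_sent", "response_time",
    "http_content_type", "http_user_agent", "http_referrer", "url",
]
NUMERIC_FIELDS = {"server_port", "status", "bytes_sent", "response_time"}

_TS_RE = re.compile(r"^\[([^\]]+)\]")           # %t, e.g. [18/Dec/2021:10:15:32 +0000]
# One key=value pair: a double-quoted value (may hold commas and spaces; assumed
# to hold no literal '"', as the pattern does no escaping) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

# Constructed sample lines in the step-5 format, not real Tomcat output.
SAMPLE_LINE = (
    '[18/Dec/2021:10:15:32 +0000], x_forwarded_for="203.0.113.5", remote_ip="10.0.0.7", '
    'remote_host="10.0.0.7", server="app.example.com", server_port=8080, user="alice", '
    'http_method=GET, uri_path="/manager/html", uri_query="?a=1, b=2", status=403,  '
    'bytes_sent=1234, response_time=17, http_content_type="text/html;charset=UTF-8", '
    'http_user_agent="Mozilla/5.0 (X11; Linux x86_64)", http_referrer="-", '
    'url="app.example.com/manager/html?a=1, b=2"'
)
# Unauthenticated HEAD with an empty body: Tomcat writes "-" for both %u and %b.
NO_USER_LINE = (
    '[18/Dec/2021:10:15:33 +0000], x_forwarded_for="-", remote_ip="10.0.0.9", '
    'remote_host="10.0.0.9", server="app.example.com", server_port=8080, user="-", '
    'http_method=HEAD, uri_path="/", uri_query="", status=302,  bytes_sent=-, '
    'response_time=2, http_content_type="-", http_user_agent="curl/7.81.0", '
    'http_referrer="-", url="app.example.com/"'
)


def parse_access_line(line):
    """Parse one line written by the step-5 pattern into a dict of fields."""
    m = _TS_RE.match(line)
    if not m:
        raise ValueError("line does not start with a %t timestamp")
    fields = {"timestamp": m.group(1)}
    for key, quoted, bare in _KV_RE.findall(line[m.end():]):
        value = quoted or bare
        if key in NUMERIC_FIELDS:   # "-" (no body for %b) becomes 0
            value = int(value) if value.isdigit() else 0
        fields[key] = value
    return fields

def missing_fields(fields):
    """Expected names absent from a parsed line; an empty list means the pattern is in place."""
    return [name for name in EXPECTED_FIELDS if name not in fields]
```

A line in Tomcat's default common log format does not start with the %t timestamp, so parse_access_line raises ValueError for it rather than silently returning a partial record.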

Last modified on 18 December, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released
