Skip to content

Activate saved searches for the Splunk Add-on for Tomcat

The Splunk Add-on for Tomcat includes two preconfigured lookup generation saved searches that you need to activate if you are using this add-on with Splunk IT Service Intelligence. These saved searches are based on the data collected through JMX and file based logs. You need to configure JMX inputs and set up the Splunk Add-on for Tomcat in order to collect the data. After the data has been indexed by the Splunk platform, you can manually run the saved searches in order to populate the lookup files then set a frequency to run them that matches the frequency of configuration changes in your environment.

Saved search name Description
Tomcat application server Saved search which populates the application_server and appserver_port_number fields using the tomcat_application_server_lookup KV store lookup.
Tomcat version number Saved search which populates the version_number field using the tomcat_version_number_lookup KV store lookup.

You can review and activate these saved searches either in Splunk Web or in the configuration files.

Access and activate saved searches in Splunk Web

To access and activate the saved searches in Splunk Web:

  1. Go to Settings > Searches, reports, and alerts.

  2. Set the app context to Splunk Add-on for Tomcat.

  3. Select Enable next to the searches you would like to activate.

Access and activate saved searches in savedsearches.conf

To access and activate the saved searches in the configuration files:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/default/savedsearches.conf.

  2. Copy the file to /local.

  3. In the local copy, for each search that you want to activate, change Disabled = 1 to Disabled = 0.

Migrating from CSV lookups to KV store lookups

  1. Disable the savedsearch Tomcat version number and Tomcat application server from Splunk Web on the search head.

  2. Execute the following two SPL queries to migrate existing CSV lookup data to KVStore from your search heads:

    a. | inputlookup tomcat_application_server_lookup.csv | outputlookup tomcat_application_server_lookup

    b. | inputlookup tomcat_version_number_lookup.csv | outputlookup tomcat_version_number_lookup

  3. Activate the savedsearch Tomcat version number and Tomcat application server from Splunk Web on the search head.