Skip to content

Upgrade the Splunk Add-on for Tomcat

Upgrade from version 3.3.1 or earlier to version 4.0.0 or higher

Splunk Add-on for Tomcat version 4.0.0 and higher does not include urllib3, and requests, due to security reasons.

However, Splunk Enterprise architectural decisions do not allow modules introduced by previous versions of the add-on to be deleted automatically during upgrade.

Splunk administrators must manually delete the following directories from all Splunk servers where the add-on was upgraded:

  • Splunk_TA_tomcat/lib/urllib3

  • Splunk_TA_tomcat/lib/urllib3-*.dist-info

  • Splunk_TA_tomcat/lib/requests

  • Splunk_TA_tomcat/lib/requests-*.dist-info

This ensures that the urllib3 and requests modules built into Splunk Python are used.

Starting in version 4.0.0, Java dependency JARs no longer include version numbers in their filenames (for example, commons-io-x.x.x.jar is now commons-io.jar).

If upgrading from a previous version, delete any files matching the pattern <library-name>-x.x.x.jar if present in:

$SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/bin/java/jmx-op-invoke-1.2.0/lib

Keep only the unversioned JAR files shipped with this version, for example commons-io.jar, log4j-api.jar, log4j-core.jar.

Upgrade note for 3.3.1

When upgrading from version 3.3.0 to 3.3.1, Splunk administrators must manually clean up duplicate or older Java dependency jars from:

$SPLUNK_HOME/etc/apps/Splunk_TA_tomcat/bin/java/jmx-op-invoke-1.2.0/lib

Delete the following files if present:

  • commons-lang3-3.14.0.jar
  • log4j-api-2.18.0.jar
  • log4j-core-2.18.0.jar

Also remove any additional older versions matching these patterns if multiple versions are present:

  • commons-lang3-<version-number>.jar
  • log4j-api-<version-number>.jar
  • log4j-core-<version-number>.jar

Keep only the following versions shipped with Splunk Add-on for Tomcat 3.3.1:

  • log4j-core-2.25.3.jar
  • commons-lang3-3.18.0.jar
  • log4j-api-2.25.3.jar

Upgrade note for 3.3.0

To upgrade Splunk Add-on for Tomcat from v2.1.0 to v3.0.0:

  1. In Splunk Web, navigate to Settings > Data Inputs and click on Splunk Add-on for Tomcat.

  2. Deactivate the inputs configured in your existing version of the Splunk Add-on for Tomcat.

  3. Upgrade the add-on to version v3.0.0 either by clicking the Upgrade button, or by following the installation steps in the Install topic of this manual.

  4. In Splunk Web, navigate to the Splunk Add-on for Tomcat.

  5. On the Splunk Add-on for Tomcat configuration page, navigate to the Account tab, by clicking Configuration > Account. Configure your Tomcat account, see the Set up the Splunk Add-on for Tomcat topic in this manual for more information.

  6. Navigate to the Inputs page, by clicking Inputs tab.

  7. Add the account you have configured by editing the dumpAllThreads input.

  8. Activate the reconfigured dumpAllThreads input.

  9. (Optional) If you are using the savedsearches of Tomcat, refer the Migrating from CSV lookups to KV store lookups under Activate saved searches for the Splunk Add-on for Tomcat section for detailed steps.

Before upgrading the Splunk add-on for Tomcat to version 2.1.0 from version 2.0.1 or lower, follow these steps: If you want to use the tomcat:access:log:splunk sourcetype to collect CIM-compatible data, follow these steps to Configure Splunk recommended fields in Splunk add-on for Tomcat instead.

Note

Splunk Cloud Platform deployments on Victoria Experience do not require Inputs Data Manager (IDM). If your deployment is on Victoria Experience you can run add-ons that contain scripted and modular inputs directly on the search head. To determine if your deployment has the Classic or Victoria experience, see Determine your Splunk Cloud Platform Experience.

For the Classic Experience:

  1. Deactivate the “dumpAllThreads” input if activated, on your Heavy Forwarder (HF) or Inputs Data Manager (IDM) from the user interface.

  2. Upgrade the Splunk add-on for Tomcat to the version 2.1.0.

  3. Restart your Splunk instance.

  4. Activate the “dumpAllThreads” input.