ActiveMQ JMS connection

dimitryz
Path Finder

Hello,
I'm able to make a connection and also poll/browse messages from the queue.
My configuration is very similar to what is described here:
http://blogs.splunk.com/2013/04/11/splunking-websphere-mq-queues-and-topics/

From inputs.conf:

    [jms://queue/:dynamicQueues/TestQ2]
    browse_mode = all
    browse_queue_only = 1
    durable = 0
    index_message_header = 1
    index_message_properties = 1
    init_mode = jndi
    jms_connection_factory_name = ConnectionFactory
    jndi_initialcontext_factory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
    jndi_provider_url = tcp://192.168.1.10:61616
    sourcetype = syslog
    strip_newlines = 1
    browse_frequency = -1
    destination_user =
    index = main

But I see a strange phenomenon:

Let's say I have 9 messages in a queue called TestQ2.

When I run source="jms://queue/:dynamicQueues/TestQ2"

I've got 9,890 events.

When I filtered it with

source="jms://queue/:dynamicQueues/TestQ2"|dedup event_id

I got 9 events.

Please assist.

Regards,
Dmitry

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

Because you have browse mode enabled. Browsing does not dequeue messages. And you have the frequency at -1, so essentially it is in a constant browsing state of the same 9 messages.

0 Karma

nettrigger
Explorer

Hello! This post is great!

I need to know something: how can I create these?

jms_connection_factory_name & jndi_initialcontext_factory

Is there any documentation for these objects?

Regards in advance!

0 Karma

Damien_Dallimor
Ultra Champion

ActiveMQ has good documentation: http://activemq.apache.org/jndi-support.html

0 Karma

Damien_Dallimor
Ultra Champion

If you can't consume the message, and you have to use a queue (vs a topic), then I suggest you use mirrored queues: http://activemq.apache.org/mirrored-queues.html

Then you can turn off browse mode and consume directly from that mirror queue and you'll only get 1 copy of each message indexed in Splunk.

Dequeue = take off the queue
Enqueue = put on the queue

dimitryz
Path Finder

Hello Damien,
and thank you for the answer.
I understand the point, but what if I can't consume messages? I only need to browse existing messages.
If I understand correctly, this is what you mean when you use dequeue?
When I change the frequency to a higher value, I see the same issue, but much more slowly.
There are plenty of tools for browsing (HermesJMS, for example),
but I would like to offer our client the use of Splunk for JMS too.

Regards,
Dmitry

0 Karma
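
The difference between browsing and consuming that the accepted answer describes, as an added example that is not part of the original thread and is not code from the JMS add-on or ActiveMQ. The Queue class, the function names and the sample message IDs are constructed for illustration, and event_id is assumed to carry one value per message, as in the dedup search above.

```python
from collections import deque

class Queue:
    """Minimal stand-in for a JMS queue (constructed model, not ActiveMQ code)."""
    def __init__(self, message_ids):
        self._messages = deque(message_ids)

    def browse(self):
        # A browser reads a snapshot; nothing is dequeued.
        return list(self._messages)

    def consume(self):
        # A consumer dequeues: each message is delivered once, then it is gone.
        drained = list(self._messages)
        self._messages.clear()
        return drained

def index_events(read, cycles):
    """Index whatever each read cycle returns, one event per message seen."""
    events = []
    for _ in range(cycles):
        events.extend({"event_id": msg_id} for msg_id in read())
    return events

def dedup(events, field="event_id"):
    """Same effect as `| dedup event_id`: keep the first event per value."""
    seen, kept = set(), []
    for event in events:
        if event[field] not in seen:
            seen.add(event[field])
            kept.append(event)
    return kept

def browse_passes(event_count, queue_depth):
    """Full browse passes (and leftover events) behind an indexed event count."""
    return divmod(event_count, queue_depth)

if __name__ == "__main__":
    ids = [f"ID:constructed-{n}" for n in range(9)]  # constructed sample IDs
    browsed = index_events(Queue(ids).browse, cycles=100)
    consumed = index_events(Queue(ids).consume, cycles=100)
    print(len(browsed), len(dedup(browsed)), len(consumed))  # 900 9 9
    # The thread's numbers: 9,890 events from a 9-message queue.
    print(browse_passes(9890, 9))  # (1098, 8)
```

The second figure shows that the 9,890 events in the question correspond to 1,098 complete passes over the same 9 messages plus 8 events of another pass.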