
ActiveMQ JMS connection

dimitryz
Path Finder

Hello,
I'm able to make a connection and also poll/browse messages from the queue.
My configuration is very similar to what is described here:
http://blogs.splunk.com/2013/04/11/splunking-websphere-mq-queues-and-topics/

From inputs.conf:

[jms://queue/:dynamicQueues/TestQ2]
browse_mode = all
browse_queue_only = 1
durable = 0
index_message_header = 1
index_message_properties = 1
init_mode = jndi
jms_connection_factory_name = ConnectionFactory
jndi_initialcontext_factory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
jndi_provider_url = tcp://192.168.1.10:61616
sourcetype = syslog
strip_newlines = 1
browse_frequency = -1
destination_user =
index = main

But I have a strange phenomenon:

Let's say I have 9 messages in a queue called TestQ2.

When I run source="jms://queue/:dynamicQueues/TestQ2"

I get 9,890 events.

When I filter it with

source="jms://queue/:dynamicQueues/TestQ2" | dedup event_id

I get 9 events.

Please assist.

Regards,
Dmitry

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

Because you have browse mode enabled. Browsing does not dequeue messages. And you have the frequency at -1, so essentially it is in a constant browsing state of the same 9 messages.

0 Karma

nettrigger
Explorer

Hello! This post is great!

I need to know something: how can I create the jms_connection_factory_name & jndi_initialcontext_factory?

Is there any documentation for these objects?

Regards in advance!

0 Karma

Damien_Dallimor
Ultra Champion

ActiveMQ has good documentation: http://activemq.apache.org/jndi-support.html

0 Karma


Damien_Dallimor
Ultra Champion

If you can't consume the message, and you have to use a queue (vs a topic), then I suggest you use mirrored queues: http://activemq.apache.org/mirrored-queues.html

Then you can turn off browse mode and consume directly from that mirror queue and you'll only get 1 copy of each message indexed in Splunk.

Dequeue = take off the queue
Enqueue = put on the queue
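
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Splunk or ActiveMQ code: a simplified in-memory Python model showing why repeated browsing multiplies indexed events, why dedup on event_id collapses them again, and why consuming from a mirror copy indexes each message once while the original queue stays intact. The Queue class, the helper names, the poll count and the sample messages are all constructed for illustration.

```python
from collections import deque

class Queue:
    """Minimal in-memory stand-in for a JMS queue (a model, not a JMS client)."""
    def __init__(self):
        self._msgs = deque()
    def send(self, msg):        # enqueue = put on the queue
        self._msgs.append(msg)
    def browse(self):           # non-destructive: messages stay on the queue
        return list(self._msgs)
    def receive(self):          # dequeue = take off the queue
        return self._msgs.popleft() if self._msgs else None

def send_mirrored(queue, mirror, msg):
    """Model of a mirrored queue: every send is also copied to the mirror."""
    queue.send(msg)
    mirror.send(dict(msg))

def index_by_browsing(queue, polls):
    """Each browse pass re-indexes every message still sitting on the queue."""
    events = []
    for _ in range(polls):
        events.extend(queue.browse())
    return events

def index_by_consuming(queue):
    """Consuming removes each message, so it is indexed exactly once."""
    events = []
    while (msg := queue.receive()) is not None:
        events.append(msg)
    return events

def dedup(events, key="event_id"):
    """Search-time analogue of `| dedup event_id`: keep the first event per key."""
    first = {}
    for e in events:
        first.setdefault(e[key], e)
    return list(first.values())

def demo(n_messages=9, polls=1000):
    q, mirror = Queue(), Queue()
    for i in range(n_messages):  # constructed sample messages
        send_mirrored(q, mirror, {"event_id": f"ID:{i}", "body": f"msg {i}"})
    browsed = index_by_browsing(q, polls)     # browse mode on the original queue
    consumed = index_by_consuming(mirror)     # browse off, consume the mirror
    return (len(browsed), len(dedup(browsed)), len(consumed),
            len(q.browse()), len(mirror.browse()))

if __name__ == "__main__":
    print(demo())  # (browsed, deduped, consumed, left on queue, left on mirror)
```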

dimitryz
Path Finder

Hello Damien,
and thank you for the answer.
I understand the point, but what if I can't consume messages and only need to browse existing messages?
If I understand correctly, this is what you mean when you use dequeue?
When I change the frequency to a higher value, I see the same issue, but much more slowly.
There are plenty of tools for browsing (HermesJMS, for example),
but I would like to offer our client the option of using Splunk for JMS too.

Regards,
Dmitry

0 Karma