All Apps and Add-ons

Do you have dummy guide for setting up the ITM6 App for Splunk?

JerseyT1
New Member

I need help in gathering data from ITM. I saw this in Google search and this fits perfectly from what we are looking for. I was wondering if there was more user-friendly (dummy guide) for people who are not familiar with Splunk (I know the basics, but the level of extensive writing of code), but have strong background in ITM.

Thank you for any help you can provide.

0 Karma

kierencrossland
Path Finder

At the moment there is just the guide in the documentation tab on Splunkbase. Hopefully the info below can get you started.

You first need to make sure ITM is running the SOAP and Dashboard Data Provider interfaces. Currently these need to be available over http, and not https. You probably have these running already...

Then in the ITM6 app for Splunk you need to add some details of the ITM environment by navigating to ITM6 app for Splunk > Settings > Manage TEMS Connections > New.

Once you have done this, navigate to ITM6 app for Splunk > Dashboards > Dashboard Data Browser. This dashboard populates drop down menu's allowing you to browse the Dashboard Data Provider endpoints without needing to type any Splunk searches. Although handily you can then click the small magnifying glass in the bottom left of the generated table to see the Splunk search used to grab the data from ITM.

0 Karma

kierencrossland
Path Finder

Also, once you have the TEMS connection working use the magnifying glass on any of the packaged dashboards to see the Splunk search used to get ITM data, there are dashboards that use both DASH and SOAP.

0 Karma

JerseyT1
New Member

Thank you for responding back. I figured it out if I use http://servename(TEMS):1920///cms/soap. It brings out a interface and then I can do CT_GET command and provide credential and queries name using '_' as spaces and I was able retrieve information that I can easily add Input to Object.

After I configure Manage TEMS connections (using ports 1920 and 15200) and it seems to be working. But I cannot get anything except "Agent Health" dashboard working (none of these work: Agent Status, Dashboard Data Browser, Historical Collection Status, Situation Status or Situation Status by Time). I still cannot figure out how home page of ITM6 is populated. I only see "No results found" even I see TEMS are showing up in drop down box. If you can please respond back. Thank you

0 Karma

JerseyT1
New Member

I have to say it's a great app. I wish I can figure out how to get most of use out of it.

0 Karma

JerseyT1
New Member

Also when I looked at Dashboard Data Browser, I see TEMS drop down is filled out, but not Datasource, it states that "Search Produced no results". Please advise what can cause from no results returning. Thank you

0 Karma

kierencrossland
Path Finder

The datasource dropdown uses this search to populate itself:

| itmdash tems=$tems$

Try running that from the Splunk search, replacing your $tems$ with your tems instance name. It may produce a useful error message.

Also try the same for a basic SOAP query in a Splunk search:

| itmsoap tems=$tems$ sql="SELECT NODE,VERSION,THRUNODE,O4ONLINE,PRODUCT FROM O4SRV.INODESTS"

Do either of these work? and if not do they produce an error message that might let us know what is happening?

I'd also make sure that the Splunk server can access ports 1920 and 15200 on the TEMS server just to check there isn't a firewall getting in the way of things.

0 Karma

JerseyT1
New Member

Got following error doing |itmdash tems="xxx" xxx-name of TEMS.

9 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
data = dash.list_datasources()
raise ITM6DASHException("%s" % (url))
return self.request(endpoint='datasources')
File "C:\Program Files\Splunk\etc\apps\ITM6\bin\itm6\dash.py", line 55, in request
File "C:\Program Files\Splunk\etc\apps\ITM6\bin\itm6\dash.py", line 58, in list_datasources
File "C:\Program Files\Splunk\etc\apps\ITM6\bin\itmdash.py", line 177, in 
External search command 'itmdash' returned error code 1.
Traceback (most recent call last):
itm6.dash.ITM6DASHException: http://xxx:15200/ibm/tivoli/rest/providers/itm.xxx/datasources
0 Karma

kierencrossland
Path Finder

It looks like your getting an unsuccessful http response from the dashboard data provider.

What happens if you try to access "http://xxx:15200/ibm/tivoli/rest/providers/itm.xxx/datasources" in a browser?

The first xxx is the TEMS hostname, and second one is the TEMS instance name, seen when running "kincinfo.exe -r" on the TEMS server. Pretty sure the later xxx is case sensitive as well.

If the original url from the error you pasted above does not work, then adjust it in your browser until its correct or try http://xxx:15200/ibm/tivoli/rest/providers, this should give you a link to the itm.xxx part. Then amend the TEMS details in Splunk to match the working hostname and instance combination.

0 Karma

JerseyT1
New Member

We are running entire ITM environment on zLinux. When I tried to check the website with the URL provided, it fails to display. I assume that dashboard data provider is not enabled/running, do you know how to enable it? I heard I need Jazz? Thank you for all your help.

0 Karma

JerseyT1
New Member

Also can you confirm what you are using for TEMS port and TEPS port. Are we supposed to set 15200 or 1920 for which?

0 Karma

kierencrossland
Path Finder

If your on *nix then swap kincinfo.exe for cinfo. I guessed at Windows because your Splunk env is on it.

TEMS port is 1920, and TEPS is 15200.

Jazz use's the dashboard data provider to get ITM data, but you don't need Jazz to run it. To enable the dashboard data provider reconfigure your TEPS, and answer yes to the following question:

itmcmd config -A cq
....
Enable ITM REST service ? (1=Yes, 2=No)(Default is: 2): 1
....

Then recycle the TEPS.

Make sure the server is listening by running netstat on your TEPS server:

netstat -an | grep 15200
0 Karma

kierencrossland
Path Finder

I saw a comment about you being on version 6.2.3 in my emails, but cant find it on here... Anyway I think your right, the dashboard data provider is introduced in 6.3. I have updated the prereqs of the app on splunkbase to mention this.

I the meantime though you can still use the app to make your own dashboards using the SOAP interface. There's a few good examples of SOAP queries here.

Heres a couple of example SOAP queries we use to pull back data from Linux OS agents:

# Disk used percent
| itmsoap tems=$tems$ fields="TIMESTAMP,ORIGINNODE,MOUNTPT,DSKUSEDPCT" table="KLZ.KLZDISK" nodelist=$msl$ at="All Remotes" clause="MOUNTPT LIKE '*DB2*'" timefield=TIMESTAMP

# Aggregate CPU usage
| itmsoap tems=$tems$ fields="TIMESTAMP,ORIGINNODE,SYSCPU,CPUID" table="KLZ.KLZCPU" nodelist=$msl$ at="All Remotes" clause="CPUID = -1" timefield=TIMESTAMP | eval SYSCPU=SYSCPU/100 | rename SYSCPU AS "System CPU (Percent)"
0 Karma

JerseyT1
New Member

What level or ITM are you using this. We are using 6.2.3. We are upgrading to 6.3.

0 Karma

JerseyT1
New Member

when I ran netstat -an | grep 15200 I got following. I already did the enabling rest service.

I see the address are established. xx.xx.xx.xx are server IP address and I see Splunk server IDs as established.

tcp 0 0 xx.xx.xx.xx:15200 xx.xx.xx.xx:63120 ESTABLISHED
tcp 0 0 xx.xx.xx.xxx:15200 xx.xx.xx.xx:59023 TIME_WAIT
tcp 0 0 xx.xx.xx.xxx:15200 xx.xx.xx.xx:59020 TIME_WAIT
tcp 0 0 xx.xx.xx.xx:15200 xx.xx.xx.xx:59030 ESTABLISHED
tcp 0 0 xx.xx.xx.xx:15200 xx.xx.xx.xx:59025 ESTABLISHED
tcp 0 0 xx.xx.xx.xx:15200 xx.xx.xx.xx:59022 TIME_WAIT
tcp 0 0 xx.xx.xx.xx:15200 xx.xx.xx.xx:59029 TIME_WAIT

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...