All Apps and Add-ons

Is it possible to move the Monitoring of Java Virtual Machines with JMX app from the indexer to the forwarders?

sjanwity
Communicator

From my very limited understanding of the JMX plugin for splunk, the plugin needs to be set up on the server where all the indexing happens. Is it possible to move this plugin from the indexer out to the individual forwarders instead and, if so, how could I do so?

1 Solution

Damien_Dallimor
Ultra Champion

You can certainly deploy the JMX Mod Input on Universal Forwarders. This is a recommended approach for deploying in distributed environments and also scaling out to be able to poll large numbers of JVM's.

On a UF you'll need to install a system Python 2.7 runtime.

You then need to split out the components of the app. You might use Deployment Manger , Chef , Puppet etc.. but below I'll detail the manual steps.

1) the data collection logic goes on the Splunk UF.

jmx_ta/bin/*
jmx_ta/default/inputs.conf
jmx_ta/default/app.conf
jmx_ta/README/*
jmx_ta/metadata/*

2) the index definition goes on the Splunk Indexer

jmx_ta/default/indexes.conf
jmx_ta/default/props.conf
jmx_ta/default/transforms.conf
jmx_ta/metadata/*

3) the UI logic and Knowledge objects go on your Search Heads

 jmx_ta/default/props.conf
 jmx_ta/default/transforms.conf
 jmx_ta/default/app.conf
 jmx_ta/default/data/*
 jmx_ta/static/*
 jmx_ta/metadata/*

There is no setup UI on a Universal forwarder , but the manual setup steps are simple.

1) setup your config.xml file
2) in default/inputs.conf , enable the input for the config.xml file
3) data will then be collected and forwarded to your indexer(s)
4) any errors will be searchable at "index=_internal ExecProcessor error jmx.py"

View solution in original post

Damien_Dallimor
Ultra Champion

You can certainly deploy the JMX Mod Input on Universal Forwarders. This is a recommended approach for deploying in distributed environments and also scaling out to be able to poll large numbers of JVM's.

On a UF you'll need to install a system Python 2.7 runtime.

You then need to split out the components of the app. You might use Deployment Manger , Chef , Puppet etc.. but below I'll detail the manual steps.

1) the data collection logic goes on the Splunk UF.

jmx_ta/bin/*
jmx_ta/default/inputs.conf
jmx_ta/default/app.conf
jmx_ta/README/*
jmx_ta/metadata/*

2) the index definition goes on the Splunk Indexer

jmx_ta/default/indexes.conf
jmx_ta/default/props.conf
jmx_ta/default/transforms.conf
jmx_ta/metadata/*

3) the UI logic and Knowledge objects go on your Search Heads

 jmx_ta/default/props.conf
 jmx_ta/default/transforms.conf
 jmx_ta/default/app.conf
 jmx_ta/default/data/*
 jmx_ta/static/*
 jmx_ta/metadata/*

There is no setup UI on a Universal forwarder , but the manual setup steps are simple.

1) setup your config.xml file
2) in default/inputs.conf , enable the input for the config.xml file
3) data will then be collected and forwarded to your indexer(s)
4) any errors will be searchable at "index=_internal ExecProcessor error jmx.py"

sjanwity
Communicator

hi, I notice that props.conf and transforms.conf go both in the Indexer and the search head?

0 Karma

Damien_Dallimor
Ultra Champion

That is correct.

0 Karma

sjanwity
Communicator

Is this it? Do we just copy the bits over to the different components? Do we just delete the original app on the indexer except for the files which are supposed to stay on the indexer?

0 Karma

Damien_Dallimor
Ultra Champion

I would start clean to be safe.

Copy (or use whatever deployment tool) , the various artifacts to the respective Splunk nodes that I have described above.

0 Karma

ShaneNewman
Motivator

The JMX application needs python to run, which is not included on the UF. In my organization, we use "Heavy Forwarders" for this task (Full Splunk installs only used for capturing data from databases, jvm's, ect. as well as parsing and sending useless data to the nullq to reduce license consumption). IE, 47TB becomes ~400GB.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...