Solved: Re: Splunk Add-on for Java Management Extensions: ...

jspears · ‎06-30-2015

The TA for JMX doesn't seem to be extracting the host field, so all my events appear to come from the heavy forwarder running the add-on. The stanza in transforms is attempting to match on a string starting with host= but I don't see that in any of the data being collected. Here's the stanza included with the app:

 [extract-host]
 DEST_KEY = MetaData:Host
 REGEX = host=([a-zA-Z0-9\._-]+)
 FORMAT = host::$1

jcoates_splunk · ‎07-08-2015

hi, we're setting host to "the instance of the Splunk forwarder that collected the data" and setting source to "the instance of the Java Management Extensions that produced the data", because we may have a 1:many relationship of forwarders and JMX sources.

View solution in original post

jcoates_splunk · ‎07-08-2015

hi, we're setting host to "the instance of the Splunk forwarder that collected the data" and setting source to "the instance of the Java Management Extensions that produced the data", because we may have a 1:many relationship of forwarders and JMX sources.

jspears · ‎04-19-2016

Thanks. FWIW, this was ultimately rendered moot by running the TA on each UF, connecting to localhost go get the data.

Splunk Add-on for Java Management Extensions: Why is the host field not being extracted?

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023