
Websphere App version question

mgranger1
Path Finder

Okay gang. We're running Splunk for the Enterprise 6.3.1 with an indexer, search head and deployment manager (I just wanted to get that out of the way, it's probably not important for my question).

I've been working with the Splunk Add-on for IBM WebSphere Application Server (version 3.0.0). I have been a little frustrated with the lack of built-in dashboards or context around the data, but I have been very happy with the source-typing and the behind-the-scenes data ingestion.

Previously, our team had evaluated the WebSphere Application Server App (version 2.0.1). There is a full array of dashboards and views as well as quite a bit of data context provided in this app. I guess my question is, why has this app been deprecated? Is there some reason that I shouldn't be using the previous app if what I am really after are the dashboards and views? As a follow-up, is anybody aware of any effort being put into the new app in order to further build out the dashboards? Is there anyone familiar with both apps who could provide some guidance?

I currently have both apps running side-by-side on the same server. However, I have the data for each app pushing to different indexes in order to be able to keep straight which app is producing what (and I have different WebSphere servers instrumented to push to each different index).

Any information would be appreciated.

Thanks,
Matt G.

0 Karma

jplumsdaine22
Influencer

Okay gang. We're running Splunk for the Enterprise 6.3.1 with an indexer, search head and deployment manager (I just wanted to get that out of the way, it's probably not important for my question).
It's always important. Thank you for putting the version there!

Hopefully one of the Splunk devs will comment on why it's been deprecated, but if I had to guess I would say the new app supports CIM and the old one doesn't appear to. That said, the old app says it's compatible with 6.3, so I myself would be comfortable using it - but expect it to never be updated again.

0 Karma

mgranger1
Path Finder

Just for the sake of argument, I have included a sample of my current props.conf containing the EXTRACT statements (I'm particularly interested in the [WebSphere:SystemOutErrLog] fields):

[WebSphere:ServerExceptionLog]
TRUNCATE = 0
LINE_BREAKER = (?!)
TRANSFORMS-was_server = server-extract
BREAK_ONLY_BEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSub = (?i)0SECTION\s*(?P[\w ]*)
BREAK_ONLY_BEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:NativeStdOutErrLog]
EXTRACT-websphere_verbosegcMessage = (?P<\?xml(.*))
TRANSFORMS-was_server = server-extract
TRANSFORMS-was_host = host-extract
BREAK_ONLY_BEFORE = [.+:.{2}:.{2}:.{3}\s
MAX_EVENTS = 1000

[WebSphere:SystemOutErrLog]
EXTRACT-websphere_threadID = (?i)^[^]]]\s+(?P[^ ])(?= )
EXTRACT-websphere_shortName = (?i)^[^]]]\s+[a-f0-9]+\s+(?P[^ ])(?= )
EXTRACT-websphere_logEventType = (?P\b[F|W|I|D|E|A|C|R]\b)
EXTRACT-websphere_className = \b[F|W|I|D|E|A|C|R]\b\s+(?P[^ ])
EXTRACT-websphere_methodName = \b[F|W|I|D|E|A|C|R]\b\s+(?:[^ ]+\s+)?(?P\b\w+\b)
EXTRACT-websphere_messageID = \b[F|W|I|D|E|A|C|R]\b\s+(?:[^ ]+\s+)?(?:[^ ]+\s+)?(?P[A-Z0-9]{3,}):
EXTRACT-websphere_message = (?i)^(?:[^:]
:){4}\s+(?P.*)
TRANSFORMS-was_server = server-extract
TRANSFORMS-was_host = host-extract
BREAK_ONLY_BEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:StartStopServerLog]
EXTRACT-websphere_threadID = (?i)^[^]]]\s+(?P[^ ])(?= )
EXTRACT-websphere_shortName = (?i)^[^]]]\s+[a-f0-9]+\s+(?P[^ ])(?= )
TRANSFORMS-was_server = server-extract
TRANSFORMS-was_host = host-extract
BREAK_ONLY_BEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:wsadminTraceout]
EXTRACT-websphere_threadID = (?i)^[^]]]\s+(?P[^ ])(?= )
EXTRACT-websphere_shortName = (?i)^(?:[^ ]* ){4}(?P[^ ])(?= )
EXTRACT-websphere_logEventType = (?P\b[F|W|I|D|E|A|C|R]\b)
EXTRACT-websphere_messageID = \b[F|W|I|D|E|A|C|R]\b\s+(?:[^ ]+\s+)?(?:[^ ]+\s+)?(?P[A-Z0-9]{3,}):
EXTRACT-websphere_message = (?i)^(?:[^:]
:){4}\s+(?P.*)
TRANSFORMS-was_server = server-extract
TRANSFORMS-was_host = host-extract
BREAK_ONLY_BEFORE = [.+:.{2}:.{2}:.{3}\s

0 Karma

mgranger1
Path Finder

I really appreciate the quick response. I have things mostly set up now using the 2.01 version of the app and add-on. The problem I have now is that most of the dashboards aren't working because it seems like the included props.conf file is having a problem with the EXTRACT-websphere_???? statements (there are a whole lot of EXTRACT statements involving a lot of fields). The extracted fields seem to be what most of the dashboards are based on, and those fields don't seem to be extracting properly (or at least they don't seem to be available on the fields selection on the left of the search screen). I'm gathering data from both WAS7 and WAS8 instances, so I'm not sure if that's affecting anything. The TRANSFORMS-??? fields seem to be working fine.

Any thoughts from anyone?

Thanks Again,
Matt G.

0 Karma
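
An added example, not part of the thread or of either Splunk app: a small Python check that reads props.conf text and reports, for each EXTRACT- setting, whether the regex compiles and which named capture groups it defines, since a search-time EXTRACT only produces fields from named groups. The stanza below is constructed, its group names are illustrative, and Python's re module stands in for Splunk's PCRE engine, so the result is an approximation.

```python
import re

# Constructed sample shaped like the stanza discussed in the thread; the group
# names (threadID, logEventType) are illustrative, not taken from the app.
SAMPLE_PROPS = r"""
[WebSphere:SystemOutErrLog]
EXTRACT-websphere_threadID = (?i)^[^\]]*\]\s+(?P<threadID>[^ ]*)(?= )
EXTRACT-websphere_logEventType = (?<logEventType>\b[FWIDEACR]\b)
EXTRACT-websphere_className = \b[FWIDEACR]\b\s+(?P[^ ])
EXTRACT-websphere_message = ^(?:[^:]*:){4}\s+(.*)
TRANSFORMS-was_host = host-extract
"""

def lint_extracts(props_text):
    """Return (stanza, class, status, fields) for each EXTRACT-<class> line."""
    results, stanza = [], None
    for raw in props_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        # Split on the first "=" only; the regex itself may contain "=".
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.startswith("EXTRACT-"):
            continue
        # PCRE also accepts (?<name>...); rewrite it to Python's (?P<name>...).
        pattern = re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", value.strip())
        try:
            fields = sorted(re.compile(pattern).groupindex)
        except re.error:
            results.append((stanza, key[len("EXTRACT-"):], "invalid", []))
            continue
        # A pattern that compiles but names no group yields no fields.
        status = "ok" if fields else "no-named-group"
        results.append((stanza, key[len("EXTRACT-"):], status, fields))
    return results

if __name__ == "__main__":
    for stanza, cls, status, fields in lint_extracts(SAMPLE_PROPS):
        print(f"[{stanza}] {cls}: {status} {fields}")
```
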

jplumsdaine22
Influencer

Would you mind posting this as a new question? Otherwise no one will see your new question but me probably 🙂

0 Karma