All Apps and Add-ons
Highlighted

splunk ingestion from queues

Contributor

I am using Splunk heavy forwarder to read data from the MQ/Solace queues. For this I am using app "Splunk JMS modular input".

But when the data read from queues is indexed, It is converting the new lines in the message to series of white spaces. i.e. it is simply converting multi line event to single line event. May I know how to handle this scenario without parsing the events further.

Ex:
Actual event:
how are you
hi
good to know

Indexed event:
how are you hi good to know

0 Karma
Highlighted

Re: splunk ingestion from queues

Ultra Champion

Have you tried unchecking that default option.

alt text

View solution in original post

0 Karma
Highlighted

Re: splunk ingestion from queues

Contributor

Hi Damien,
Thank you for the response. Is it possible to remove the header for every message which is added by splunk JMS when read the message from queue.

Example.
Thu Jul 19 13:10:13 CDT 2018 name=QUEUEmsgreceived eventid=ID:xxxxx msgdest=xxx msg_body=

0 Karma
Highlighted

Re: splunk ingestion from queues

Ultra Champion
0 Karma
Highlighted

Re: splunk ingestion from queues

Contributor

thank you

0 Karma
Highlighted

Re: splunk ingestion from queues

Contributor

@Damien Dallimore , Splunk JMS app UI is basically showing to enter connection details for connecting solace queues. In case if I have to connect to MQ queue(where wee have host, serverchannel etc), May I know how to enter the values on UI. I tried to enter key value pairs in JNDI properties input box, but it is not working.

It would be a great help.

0 Karma
Highlighted

Re: splunk ingestion from queues

Ultra Champion

No , the JMS configuration page provides fields for connecting to ANY JMS provider. It is not specific to any particular JMS provider (such as Solace).

Maybe this blog will help you : https://www.splunk.com/blog/2013/04/11/splunking-websphere-mq-queues-and-topics.html

0 Karma
Highlighted

Re: splunk ingestion from queues

Contributor

Hi @Damien Dallimore , Instead of using bindings file for MQ setup,

Can we provide property values like host name, serverchannel, queuemanager to connect to queue via JMS UI.

0 Karma
Highlighted

Re: splunk ingestion from queues

Ultra Champion

Yes. This is very clearly and thoroughly described in : https://www.splunk.com/blog/2013/04/11/splunking-websphere-mq-queues-and-topics.html , have you tried reading the blog and trying it out for yourself yet ?

0 Karma
Highlighted

Re: splunk ingestion from queues

New Member

Hi Damien, the blog explains to create a binding file to connect to MQ. But it does not explain , how to connect without the binding file. Sorry, If I am missing something from the blog that I need to consider. Basically I dont have binding file and looking for options to create connection without bindings file

0 Karma