One of my customers is look at capturing TIBCO RVD messages using Splunk. Would anyone have an idea who I could listen to TIBCO? I know that it is a multicast using UDP, but when I configure a UDP input in Splunk, I don't get any message at all. The monitor has been done on a server which is receiving messsage, having the TIBCO RVD receiver down (otherwise port issue).
This is a summary of Tibco data aquisition schemes I put together for a customer. The sources are from many different Splunk Technical Masters.
If you want to read data from a tibco multicast port then there is an example application here.
If you want to read the logs from the TIBCO BW engine look here.
With TIBCO EMS, create a EMS/JMS client listener (or set of listeners) and dequeue the message into Splunk using a scripted input. You may want to use a forwarder if you need to distribute the data evenly to multiple indexers.
I have a reference implementation that uses Weblogic, but it should be the same concepts. You'll have to modify the listener code to use EMS classes.
For JMX, see if they can get a JMX client from your customer or a Tibco expert that collects statistics and you can modify it to print to standard out and make it into a scripted input. I don't know how much JMX is a standard, but you can show them this app's input to get an idea for what is needed.
If your question is Tibco Common Base Event logs?
The CBE format is specified here:
http://www.eclipse.org/tptp/platform/documents/resources/cbe101spec/CommonBaseEvent_SituationData_V1..., which is a 75 page document with 10 authors, but appears to describe a reasonably simple XML schema. I know we can trivially build a sourcetype around this; the customer's question is whether we already have one.
Here are notes I sent a customer last week from the knowledge I created to sufficiently deliver a sample dashboard that allowed searching of a transaction ID to return all associated workflow events.
REPORT-tibcoFields = xml_extractions
Also, if wanting to do something similar, automagically, using search language, this should do it:
sourcetype=tibco earliest=@d | xmlkv
We did extensive analysis of Tibco logs at Cricket, and we did most everything with xmlkvrecursive from xmlutils. Spath would probably do all of this natively now in 4.3. XML utils is at: http://splunk-base.splunk.com/apps/22338/xmlutils.
The logs had a namespace format similar to what's in your props.conf file. We did not find anything difficult to do.