Archive

Websphere App version question

Path Finder

Okay gang. We're running Splunk for the Enterprise 6.3.1 with an indexer, search head and deployment manager (I just wanted to get that out of the way, it's probably not important for my question).

I've been working with the Splunk Add-on for IBM WebSphere Application Server (version 3.0.0). I have been a little frustrated with the lack of built in dashboards or context around the data, but I have been very happy with the source-typing, and the behind the scenes data ingestion.

Previously, our team had evaluated the WebSphere Application Server App (version 2.0.1). There is a full array of dashboards and views as well as quite a bit of data context provided in this app. I guess my question is, why has this app been deprecated? Is there some reason that I shouldn't be using the previous app if what I am really after are the dashboards and views? As a follow-up, is anybody aware of any effort being put into the new app in order to further build out the dashboards? Is there anyone familiar with both apps who could provide some guidance?

I currently have both apps running, side-by-side on the same server, however, I have the data for each app pushing to different indexes in order to be able to keep straight which app is producing what (and I have different websphere servers instrumented to push to each different index).

Any information would be appreciated.

Thanks,
Matt G.

0 Karma

Influencer

Okay gang. We're running Splunk for the Enterprise 6.3.1 with an indexer, search head and deployment manager (I just wanted to get that out of the way, it's probably not important for my question).
It's always important. Thank you for putting the version there!

Hopefully one of the Splunk devs will comment on why it's been deprecated, but if I had to guess I would say the new app supports CIM and the old one doesn't appear too. That said, the old app says its compatible with 6.3, so I myself would be comfortable using it - but expect it to never be updated again.

0 Karma

Path Finder

Just for the sake of argument, I have included a sample of my current props.conf containing the EXTRACT statements (I'm particularly interested in the [WebSphere:SystemOutErrLog] fields):

[WebSphere:ServerExceptionLog]
TRUNCATE = 0
LINEBREAKER = (?!)
TRANSFORMS-was
server = server-extract
BREAKONLYBEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:javacore]
BREAKONLYBEFORE = NULL\s+[-]{30,}
MAXEVENTS = 13000
EXTRACT-websphere
DumpRoutineSub = (?i)0SECTION\s(?P[\w ])
BREAKONLYBEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:NativeStdOutErrLog]
EXTRACT-websphereverbosegcMessage = (?P<\?xml(.*))
TRANSFORMS-was
server = server-extract
TRANSFORMS-washost = host-extract
BREAK
ONLYBEFORE = [.+:.{2}:.{2}:.{3}\s
MAX
EVENTS = 1000

[WebSphere:SystemOutErrLog]
EXTRACT-webspherethreadID = (?i)^[^]]]\s+(?P[^ ])(?= )
EXTRACT-websphere
shortName = (?i)^[^]]]\s+[a-f0-9]+\s+(?P[^ ])(?= )
EXTRACT-webspherelogEventType = (?P\b[F|W|I|D|E|A|C|R]\b)
EXTRACT-websphere
className = \b[F|W|I|D|E|A|C|R]\b\s+(?P[^ ])
EXTRACT-webspheremethodName = \b[F|W|I|D|E|A|C|R]\b\s+(?:[^ ]+\s+)?(?P\b\w+\b)
EXTRACT-websphere
messageID = \b[F|W|I|D|E|A|C|R]\b\s+(?:[^ ]+\s+)?(?:[^ ]+\s+)?(?P[A-Z0-9]{3,}):
EXTRACT-websphere_message = (?i)^(?:[^:]
:){4}\s+(?P.*)
TRANSFORMS-wasserver = server-extract
TRANSFORMS-was
host = host-extract
BREAKONLYBEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:StartStopServerLog]
EXTRACT-webspherethreadID = (?i)^[^]]]\s+(?P[^ ])(?= )
EXTRACT-websphere
shortName = (?i)^[^]]]\s+[a-f0-9]+\s+(?P[^ ])(?= )
TRANSFORMS-wasserver = server-extract
TRANSFORMS-was
host = host-extract
BREAKONLYBEFORE = [.+:.{2}:.{2}:.{3}\s

[WebSphere:wsadminTraceout]
EXTRACT-webspherethreadID = (?i)^[^]]]\s+(?P[^ ])(?= )
EXTRACT-websphere
shortName = (?i)^(?:[^ ]* ){4}(?P[^ ])(?= )
EXTRACT-webspherelogEventType = (?P\b[F|W|I|D|E|A|C|R]\b)
EXTRACT-websphere
messageID = \b[F|W|I|D|E|A|C|R]\b\s+(?:[^ ]+\s+)?(?:[^ ]+\s+)?(?P[A-Z0-9]{3,}):
EXTRACT-websphere_message = (?i)^(?:[^:]
:){4}\s+(?P.*)
TRANSFORMS-wasserver = server-extract
TRANSFORMS-was
host = host-extract
BREAKONLYBEFORE = [.+:.{2}:.{2}:.{3}\s

0 Karma

Path Finder

I really appreciate the quick response. I have things mostly setup now using the 2.01 version of the app and add-on. The problem I have now is that most of the dashboards aren't working because it seems like the included props.conf file is having a problem with the EXTRACT-websphere_???? statements (there are a whole lot of EXTRACT statements involving a lot of fields). The extracted fields seem to be what most of the dashboards are based on, and those fields don't seem to be extracting properly (or at least they don't seem to be available on the fields selection on the left of the search screen). I'm gathering data from both WAS7 and WAS8 instances, so I'm not sure if that's effecting anything. The TRANSFORMS-??? fields seem to be working fine.

Any thoughts from anyone?

Thanks Again,
Matt G.

0 Karma

Influencer

Would you mind posting this as a new question? Otherwise no one will see your new question but me probably 🙂

0 Karma