I have a requirement to read data from Tibco queue to Splunk. Can you please help me in providing an insight into the above topic?
This is a summary of Tibco data aquisition schemes I put together for a customer. The sources are from many different Splunk Technical Masters.
If you want to read data from a tibco multicast port then there is an example application here.
http://splunk-base.splunk.com/apps/50964/indexing-events-from-multicast-address
===================================================================
If you want to read the logs from the TIBCO BW engine look here.
http://splunk-base.splunk.com/apps/22276/splunk-for-tibco-businessworks-engine
===================================================================
With TIBCO EMS, create a EMS/JMS client listener (or set of listeners) and dequeue the message into Splunk using a scripted input. You may want to use a forwarder if you need to distribute the data evenly to multiple indexers.
I have a reference implementation that uses Weblogic, but it should be the same concepts. You'll have to modify the listener code to use EMS classes.
http://splunk-base.splunk.com/apps/22388/jms-receiver-for-indexing
For JMX, see if they can get a JMX client from your customer or a Tibco expert that collects statistics and you can modify it to print to standard out and make it into a scripted input. I don't know how much JMX is a standard, but you can show them this app's input to get an idea for what is needed.
http://splunk-base.splunk.com/apps/25505/splunk-for-jmx
===================================================================
If your question is Tibco Common Base Event logs?
The CBE format is specified here:
http://www.eclipse.org/tptp/platform/documents/resources/cbe101spec/CommonBaseEvent_SituationData_V1..., which is a 75 page document with 10 authors, but appears to describe a reasonably simple XML schema. I know we can trivially build a sourcetype around this; the customer's question is whether we already have one.
Here are notes I sent a customer last week from the knowledge I created to sufficiently deliver a sample dashboard that allowed searching of a transaction ID to return all associated workflow events.
"""
props.conf:
REPORT-tibcoFields = xml_extractions
transforms.conf :
[xml_extractions]
REGEX=ns1:(S+)[^]+>([^<]+)</ns1
FORMAT=$1::$2
MV_ADD=true
Also, if wanting to do something similar, automagically, using search language, this should do it:
sourcetype=tibco earliest=@d | xmlkv
"""
===================================================================
We did extensive analysis of Tibco logs at Cricket, and we did most everything with xmlkvrecursive from xmlutils. Spath would probably do all of this natively now in 4.3. XML utils is at: http://splunk-base.splunk.com/apps/22338/xmlutils.
The logs had a namespace format similar to what's in your props.conf file. We did not find anything difficult to do.
Hi All, is there any steps to follow to ingest transactional data from TIBCO database to Splunk without any add-on's
What if I want to read the InTotalMsgs and OutTotalMsgs numbers for certain topics, without consuming messages? Has anyone done that?
This modular input will do what you require :
http://splunk-base.splunk.com/apps/69562/jms-messaging-modular-input
This is a summary of Tibco data aquisition schemes I put together for a customer. The sources are from many different Splunk Technical Masters.
If you want to read data from a tibco multicast port then there is an example application here.
http://splunk-base.splunk.com/apps/50964/indexing-events-from-multicast-address
===================================================================
If you want to read the logs from the TIBCO BW engine look here.
http://splunk-base.splunk.com/apps/22276/splunk-for-tibco-businessworks-engine
===================================================================
With TIBCO EMS, create a EMS/JMS client listener (or set of listeners) and dequeue the message into Splunk using a scripted input. You may want to use a forwarder if you need to distribute the data evenly to multiple indexers.
I have a reference implementation that uses Weblogic, but it should be the same concepts. You'll have to modify the listener code to use EMS classes.
http://splunk-base.splunk.com/apps/22388/jms-receiver-for-indexing
For JMX, see if they can get a JMX client from your customer or a Tibco expert that collects statistics and you can modify it to print to standard out and make it into a scripted input. I don't know how much JMX is a standard, but you can show them this app's input to get an idea for what is needed.
http://splunk-base.splunk.com/apps/25505/splunk-for-jmx
===================================================================
If your question is Tibco Common Base Event logs?
The CBE format is specified here:
http://www.eclipse.org/tptp/platform/documents/resources/cbe101spec/CommonBaseEvent_SituationData_V1..., which is a 75 page document with 10 authors, but appears to describe a reasonably simple XML schema. I know we can trivially build a sourcetype around this; the customer's question is whether we already have one.
Here are notes I sent a customer last week from the knowledge I created to sufficiently deliver a sample dashboard that allowed searching of a transaction ID to return all associated workflow events.
"""
props.conf:
REPORT-tibcoFields = xml_extractions
transforms.conf :
[xml_extractions]
REGEX=ns1:(S+)[^]+>([^<]+)</ns1
FORMAT=$1::$2
MV_ADD=true
Also, if wanting to do something similar, automagically, using search language, this should do it:
sourcetype=tibco earliest=@d | xmlkv
"""
===================================================================
We did extensive analysis of Tibco logs at Cricket, and we did most everything with xmlkvrecursive from xmlutils. Spath would probably do all of this natively now in 4.3. XML utils is at: http://splunk-base.splunk.com/apps/22338/xmlutils.
The logs had a namespace format similar to what's in your props.conf file. We did not find anything difficult to do.
Below URL is not opening. getting error as "The page you are trying to access was not found. Please check your URL for typos and try again."
http://splunk-base.splunk.com/apps/22388/jms-receiver-for-indexing
URLs are not opening the solution
Looking for TIBCO system monitoring details by Splunk
This add-on is paid and requires license from BaboonBones
Is there any other way we can monitor Tibaco queues and topics?