
Where to place props and transforms specific to an app installed on Search Head for Splunk App for WebSphere Application Server

menonmanish
Path Finder

I am trying out the Splunk App for WebSphere. I have a UF, an indexer and a Search Head. I have installed the app on the SH. Placed the props.conf, transforms.conf and indexes.conf in etc/system/local of the Indexer. Now I want to apply the props and transforms only for this app. Please let me know how I can achieve this.

1 Solution

rsennett_splunk
Splunk Employee

You could safely put all the contents of
$SPLUNK_HOME/etc/apps/splunk_app_was/default/

on both the indexer and search head. the indexes.conf will create an empty index on the search head (and harm nothing) and macros.conf and savedsearches.conf will be ignored on the indexer.

if you look at props.conf, based on the sources, the app creates sourcetypes and has both EXTRACT (search time) and TRANSFORMS (index time) extractions.

So the answer (without knowing what you want to do) is that any additions to the existing props.conf and transforms.conf would be in
$SPLUNK_HOME/etc/apps/splunk_app_was/local/

if you are coding them by hand... again, putting your changes on both indexer and search head will harm nothing. Splunk will use what it needs depending upon whether your additions are search time or index time behaviors.

TO CLARIFY:

Your forwarder points the data to your indexer. The forwarder is told that it should send data to the index "websphere". It will only send that data to the indexer... since it's only communicating with the indexer so if you did have indexes.conf on the search head, it would remain empty and harm nothing (in fact, there are benefits to that because you can then add or restrict usage of that index when you create roles and users)

The doc could be more clear, but what they're saying is...
unpack the tarball.
copy the app... to both indexer and search head. The files that "don't belong" or "aren't really needed" will be ignored... so you don't have to worry about them. $SPLUNK_HOME/etc/apps/splunk_app_was/default/ on the indexer and search head can be identical.

If you want to add something or change something... the ../default and ../local directories are hierarchical.

So for example if I have this in ../default:
indexes.conf

[websphere]
homePath = $SPLUNK_DB/websphere/db
coldPath = $SPLUNK_DB/websphere/colddb
thawedPath = $SPLUNK_DB/websphere/thaweddb
disabled = false

to disable that I create an indexes.conf file in $SPLUNK_HOME/etc/apps/splunk_app_was/local/
that looks like this:
[websphere]
disabled = true

and now the disabled=false under the [websphere] stanza in default is set to true and that stanza is disabled. The alternative in this case... is to just not have the indexes.conf (in default) at all. But then later... you might be wondering "what did I do? and why?"

Same goes for props.conf

usually people don't include the disabled=false in a props.conf or transforms.conf stanza, as that is the default setting... so it is implied.

but if you add a props.conf in local you can add to what is in default... by simply adding that one directive.

for example, one of the stanzas in props.conf in default is this:

[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s

so if I wanted to add something to that stanza, all you need is the name of the stanza

so in $SPLUNK_HOME/etc/apps/splunk_app_was/local/props.conf I might add the following:

[WebSphere:javacore]
EXTRACT-websphere_my custom extraction= (?i)blahblahblah.*(?P<websphere_DumpRoutineSubComponents>[\w ]*)\sblah\sblah

and Splunk will see:

[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s
EXTRACT-websphere_my custom extraction= (?i)blahblahblah.*(?P<websphere_DumpRoutineSubComponents>[\w ]*)\sblah\sblah

Now, WHERE your directive would be applied would depend on what it was. In this case, a search time extraction needs to be on the search head.

If you changed something about line breaking... that's index time and would be on the indexer.
Again... it doesn't hurt anything to just update both spots. But that's up to you.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
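The default/local layering and the search-time versus index-time split described in the answer above, as an added, runnable model that is not code from the thread or from the Splunk App for WebSphere. It reads the stanzas quoted in the answer, overlays local/ on default/ the way the answer describes (later layer wins per key, everything else survives), reports which tier each props.conf setting must reach, and runs the EXTRACT-* regexes of the merged stanza over two constructed javacore lines. The LOCAL_PROPS extraction, its field name and the sample lines are made up for this example; real Splunk precedence involves more layers than the single default/local pair modelled here.

```python
"""Toy model of Splunk's default/ -> local/ .conf layering (added example).
Only the two layers from the answer are modelled; the custom extraction,
its field name and the javacore sample lines are constructed, not real."""
import re

# Stanzas as quoted in the answer (constructed test input, not the full app files).
DEFAULT_INDEXES = """
[websphere]
homePath = $SPLUNK_DB/websphere/db
coldPath = $SPLUNK_DB/websphere/colddb
thawedPath = $SPLUNK_DB/websphere/thaweddb
disabled = false
"""
LOCAL_INDEXES = """
[websphere]
disabled = true
"""
DEFAULT_PROPS = r"""
[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s
"""
# Hypothetical local/props.conf addition standing in for "my custom extraction".
LOCAL_PROPS = r"""
[WebSphere:javacore]
EXTRACT-websphere_my_custom_extraction = (?i)1CIJAVAVERSION\s+(?P<websphere_java_version>.+)
"""
# Constructed javacore lines (shape only, not taken from a real dump).
SAMPLE_SECTION_LINE = "0SECTION       TITLE subcomponent dump routine"
SAMPLE_VERSION_LINE = "1CIJAVAVERSION JRE 1.6.0 Linux amd64-64"

SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "LOOKUP-", "FIELDALIAS-", "EVAL-")
INDEX_TIME_KEYS = {"LINE_BREAKER", "BREAK_ONLY_BEFORE", "SHOULD_LINEMERGE",
                   "MAX_EVENTS", "TIME_PREFIX", "TIME_FORMAT", "TRUNCATE"}


def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}. A key repeated inside one
    stanza keeps its last value (assumption for this toy; it resolves the
    duplicated BREAK_ONLY_BEFORE above to the second one)."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif stanza is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf


def merge_layers(*layers):
    """Merge parsed confs in ascending precedence: a key in a later layer
    overrides the same key from an earlier one; other keys and stanzas survive."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def effective(default_text, local_text):
    """What Splunk 'sees' for one app directory: default/ overlaid by local/."""
    return merge_layers(parse_conf(default_text), parse_conf(local_text))


def where_applied(key):
    """Which tier a props.conf setting must reach, following the answer's split:
    EXTRACT-style keys are search time, line breaking / TRANSFORMS are index time."""
    if key.startswith(SEARCH_TIME_PREFIXES):
        return "search head"
    if key.startswith("TRANSFORMS-") or key in INDEX_TIME_KEYS:
        return "indexer"
    return "unknown: deploy to both"


def extract_fields(stanza, event):
    """Apply every EXTRACT-* regex of a merged stanza to one event, as a
    search-time field extraction would, returning the named groups that hit."""
    fields = {}
    for key, pattern in stanza.items():
        if key.startswith("EXTRACT-"):
            match = re.search(pattern, event)
            if match:
                fields.update(match.groupdict())
    return fields


if __name__ == "__main__":
    print("[websphere] after local overlay:", effective(DEFAULT_INDEXES, LOCAL_INDEXES)["websphere"])
    javacore = effective(DEFAULT_PROPS, LOCAL_PROPS)["WebSphere:javacore"]
    for key in javacore:
        print(f"{key:<45} -> {where_applied(key)}")
    print(extract_fields(javacore, SAMPLE_SECTION_LINE))
    print(extract_fields(javacore, SAMPLE_VERSION_LINE))
```

Running it shows the [websphere] stanza keeping its three paths while disabled flips to true, the custom EXTRACT joining the default stanza's keys unchanged, and the tier report that tells you the new extraction only matters on the search head while BREAK_ONLY_BEFORE and MAX_EVENTS only matter on the indexer.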

menonmanish
Path Finder

Makes a lot more sense now. Thanks again. But a concern for me here is that I could have a file that somehow matches the source pattern of my props.conf, but I don't want the sourcetype of that source to be changed. I need to change the sourcetype of only selective sources coming from a particular host. I want to apply the source as well as the host filter in my props.conf. Hope I was able to explain myself.


rsennett_splunk
Splunk Employee

well... you want to check here:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Wheretofindtheconfigurationfiles
and also check to be sure that the "source" regexes in the app are specific enough for you.

It's not so much about accidentally grabbing things. It's being aware of the configuration file precedence and how to tell what Splunk sees last (the last one wins).

for which you want to check here:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Troubleshooting/Usebtooltotroubleshootconfiguratio...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

menonmanish
Path Finder

So please find the steps that I must do..
1. Install Splunk App for WAS on my Search Head
2. Create $SPLUNK_HOME/etc/apps/splunk_app_was/local/ on my indexer
3. Copy files from $SPLUNK_HOME/etc/apps/splunk_app_was/default/ on my search head to $SPLUNK_HOME/etc/apps/splunk_app_was/local/ on my indexer
4. Cut indexes.conf from $SPLUNK_HOME/etc/apps/splunk_app_was/local/ on Indexer to $SPLUNK_HOME/etc/system/local/ on Indexer
5. Put inputs.conf on UF like
[monitor:///servers/was7/appserver/profiles/dmgr/config/cells/MyCell/security.xml]
crcSalt =
disabled = false
followTail = 0
index = websphere

So does this ensure that, for any other source from any other server having the same path, the props.conf specific to the Splunk App for WAS will not be applied?
