We use the following command on both nodes and dmgr hosts. As you see we use WAS own JVM and we do substitution right away to put custom index name. Blacklist section helps us weed out rolled over logs.
SPLUNK_ADDON_DIR=${SPLUNK_CONFIGS:?}/splunk_forwarder_addon_was
INDEX_NAME=ind_${PROD:?}_${APP_NAME:?}_${ENVID:?}_app
if [[ -d "/opt/IBM/BPM751/WebSphere/AppServer/profiles/" ]] ; then
/opt/IBM/BPM751/WebSphere/AppServer/java/bin/java \
-jar $SPLUNK_ADDON_DIR/bin/CreateInputs.jar \
-startpath /opt/IBM/BPM751/WebSphere/AppServer/profiles/ \
-hostname $(hostname) \
-enablenodemetadata -whitelist '\.log$|\.txt$|\.out$' \
-blacklist 'native_stderr|trace|(SystemErr_|SystemOut_|native_stdout_)[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]_[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.log$' \
-alldmgrprofile \
-print | sed -e 's/index \= websphere/index = '$INDEX_NAME'/g' > $OUT_FILE
fi
... View more