By Hannes Wagener - 2015
This is a Splunk modular input add-on for IBM WebSphere MQ.
Currently two data inputs are supported: one for creating events from messages on IBM WebSphere MQ queues and another for channel status statistics.
Created from the Splunk modular input examples.
include_payload=false/true - Include the message payload in the event. Default: true
use_mqmd_puttime=false/true - Use the message put time as the event time. Default: true
include_mqmd=false/true - Include the MQMD in the event. Default: false
pretty_mqmd=false/true - Use textual descriptions for MQMD values. Default: true
make_mqmd_printable=false/true - Escape non-text values in the MQMD. Default: true
payload_limit=1024 - How many bytes of the payload to include in the Splunk event. Default: 1024 (1kb)
encode_payload=false/base64/hexbinary - Encode the payload. Default: false
make_payload_printable=false/true - Escape non-text values in the payload. Default: true
log_payload_as_event=false/true - If false do not log the payload as a name/value pair. Default: false
payload_quote_char='/" - Use a specific character to quote the "payload" kv value. Default: " (double quote)
include_zero_values=true/false - Include values that are set to zero or default values in the event. Default: false
textual_values=true/false - Include the textual description for channel status parameters. Default: true
include_complex_top_level = true/false - Include the complex type top level element when logged.
include_bitstream = true/false - Include the bitstream (base64 or blob) in the Splunk event.
write_events = true/false - Write out the events to disk.
gzip_events = true/false - Gzip the events written to disk.
write_events_folder = "/opt/brokerevents" - Directory to which events must be written.
Any modular input errors are written to $SPLUNK_HOME/var/log/splunk/splunkd.log. Debug logging can be enabled by changing the "ExecProcessor" property under "Server logging" to DEBUG.
index=_internal component=ExecProcessor mq_ta
The number one problem most people experience with the installation is finding a compatible ctypes library for Splunk's Python2 interpreter (particularly _ctypes.so).
Splunk's Python2 interpreter was built using UCS2, whereas most of the recent builds on Ubuntu, CentOS, RHEL, etc. are built using UCS4, which makes the two incompatible. Splunk V8 comes with the ctypes library installed for both the Python2 and Python3 interpreters by default, making the installation much simpler. Earlier versions of Splunk do not include a ctypes library by default.
The easiest way to see whether a Python interpreter was built using UCS2 or UCS4 is to check the
For a UCS2 build the value returned will be 65535. On a UCS4 build the value returned will be 1114111.
For instance - running the python2 interpreter that comes with Splunk:
Python 2.7.15 (default, Jun 24 2019, 17:39:18)
[GCC 5.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
The 65535 value means that Splunk's Python2 interpreter was built using UCS2.
The quickest way to determine whether a _ctypes.so was built using UCS2 or UCS4 is to print the strings embedded in it and search for "UCS".
For instance, a _ctypes built using UCS4 (incompatible with Splunk's Python2) will have the following output:
$ strings _ctypes.so | grep UCS
A version that will be compatible with Splunk's Python2 will have output that looks as follows:
$ strings lib-dynload/_ctypes.so | grep UCS
NOTE: If no strings containing "UCS" were found, the library is NOT compatible and is almost certainly a Python3 version that cannot be used with Python2.
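The compatibility check described above can be scripted so a candidate _ctypes.so is vetted before it is copied into Splunk's Python2 tree. This is an added example, not part of the add-on; the function names and sample bytes are constructed, the PyUnicodeUCS2_/PyUnicodeUCS4_ symbol prefix comes from the Python 2 C API rather than from this page, and the interpreter value is assumed to be read from sys.maxunicode.

```python
import re

# Python 2 extension modules import Unicode C-API symbols whose names carry
# the build width (PyUnicodeUCS2_... or PyUnicodeUCS4_...). This pattern is an
# assumption from the Python 2 C API; the page itself only greps for "UCS".
UCS_SYMBOL = re.compile(br"PyUnicode(UCS[24])_[A-Za-z0-9_]+")


def library_unicode_width(blob):
    """Return 'UCS2', 'UCS4', 'mixed' or None for the raw bytes of a library."""
    widths = {m.group(1).decode("ascii") for m in UCS_SYMBOL.finditer(blob)}
    if not widths:
        # No UCS symbols at all: per the NOTE above, not a usable Python2 build.
        return None
    return widths.pop() if len(widths) == 1 else "mixed"


def interpreter_unicode_width(maxunicode):
    """Map the value the interpreter reports (65535 or 1114111) to its width."""
    return {65535: "UCS2", 1114111: "UCS4"}.get(maxunicode)


def is_compatible(blob, maxunicode):
    """True only when library and interpreter agree on a single width."""
    lib = library_unicode_width(blob)
    return lib in ("UCS2", "UCS4") and lib == interpreter_unicode_width(maxunicode)


def check_file(path, maxunicode):
    """Convenience wrapper: run the check on a file on disk."""
    with open(path, "rb") as fh:
        return is_compatible(fh.read(), maxunicode)


# Constructed sample bytes standing in for three different _ctypes.so files.
SAMPLE_UCS2 = b"\x7fELF\x00PyUnicodeUCS2_FromUnicode\x00PyUnicodeUCS2_AsUnicode\x00"
SAMPLE_UCS4 = b"\x7fELF\x00PyUnicodeUCS4_FromUnicode\x00PyUnicodeUCS4_AsUnicode\x00"
SAMPLE_PY3 = b"\x7fELF\x00PyUnicode_FromString\x00PyInit__ctypes\x00"

if __name__ == "__main__":
    for name, blob in [("ucs2", SAMPLE_UCS2), ("ucs4", SAMPLE_UCS4), ("py3", SAMPLE_PY3)]:
        # 65535 is the value the page gives for Splunk's Python2 interpreter.
        print(name, library_unicode_width(blob), is_compatible(blob, 65535))
```

Run under the target interpreter, `check_file("lib-dynload/_ctypes.so", sys.maxunicode)` returns False for both a UCS4 build and a Python3 build when the interpreter is Splunk's UCS2 Python2.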
You are free to use this code in any way you like, subject to the Python & IBM disclaimers & copyrights. I make no representations about the suitability of this software for any purpose. It is provided "AS-IS" without warranty of any kind, either express or implied.