icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading IBM Websphere MQ Modular Input for Splunk
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


IBM Websphere MQ Modular Input for Splunk

IBM Websphere MQ modular inputs for Splunk.
This add-on creates adds two data inputs. One to create Splunk events from messages read off IBM Websphere MQ queues and another to create events from IBM Websphere MQ Channel Status statistics. It adds a "IBM Websphere MQ Queue" and a "IBM Websphere MQ Channel Status" section under "Data Inputs" allowing you to configure which queues or channels are used and how the resulting Splunk events are created. Tested on Splunk 6+, 7.1 to 8. PyMQI V1.5 to V1.9.2, IBM MQ Client libraries V7.0 to V9.1.3

splunk-ibm-websphere-mq-add-on - mq_ta

By Hannes Wagener - 2015


This is a Splunk modular input add-on for IBM Websphere MQ.
Currently two data inputs are supported. One for creating events from messages on IBM Websphere queues and another for channel status statistics.

Created from the Splunk modular input examples.


  • Simple UI based configuration via Splunk Manager
  • Poll IBM Websphere MQ queues for messages at interval or can be triggered from the Websphere MQ trigger monitor(future feature).
  • Poll IBM Websphere MQ Channel Status statistics.
  • Uses regular splunk sourcetypes for the events ("Generic single line" or "syslog")
  • You can specify multiple queues or channels per data input. You can specify whether to use a thread per data input or per queue/channel.
  • Automatic thread management. No need to restart splunk after changes are made to a data input. This includes adding and removing queues.
  • Includes default response handlers for queue input and channel status input.
  • Includes a response handler for IBM Websphere Message Broker monitoring events.


  • Splunk 6.0+, 7+, 8+
  • PyMQI 1.5+
  • ctypes library for Python. NOTE: Splunk V8 has the ctypes libary installed by default for both Python2 and Python3. See the dedicated section in the Troubleshooting section on where you can find or build a compatible _ctypes.so
  • IBM Websphere MQ Client Libraries V7+
  • Only currently supported on Linux (but Windows (and any other platform) should be possible if the platform versions of the PyMQI and ctypes libraries are installed)


  • Install the IBM Websphere MQ client. Ensure that the user that runs splunk has access to the MQ client libraries. The easiest way to achieve this is to add the MQ client library locations (generaly /opt/mqm/lib) to the dynamic loader configuration (ld.so.conf).
  • Get and build the PyMQI library. You can download from here: https://github.com/dsuch/pymqi
  • Untar the MQ modular input release to your $SPLUNK_HOME/etc/apps directory.
  • Copy the built PyMQI library to the $SPLUNK_HOME/etc/apps/mq_ta/bin folder.
  • Copy python c_types library directory to the $SPLUNK_HOME/etc/apps/mq_ta/bin directory. Splunk's Python interpreter is built with UCS-2. Make sure you use a compatible _ctypes.so library. NOTE: This step is not required if running Splunk V8+ as the ctypes library is included for both Python2 and Python3.
  • Ensure that the pymqi and ctypes libraries can be imported when using the Splunk Python interpreter.
  • Restart Splunk

Response Handlers


  • Basic handler for MQ messages.
  • Supported options:
  • include_payload=false/true - Include the message payload in the event. Default: true
  • use_mqmd_puttime=false/true - Use the message put time as the event time. Default: true
  • include_mqmd=false/true - Include the MQMD in the event. Default: false
  • pretty_mqmd=false/true - Use textual descriptions for MQMD values. Default: true
  • make_mqmd_printable=false/true - Escape non text values in the MQMD. Default: true
  • payload_limit=1024 - How many bytes of the payload to include in the splunk event. Default: 1024 (1kb)
  • encode_payload=false/base64/hexbinary - Encode the payload. Default: false
  • make_payload_printable=false/true - Escape non text values in the payload. Default: true
  • log_payload_as_event=false/true - If false do not log the payload as a name/value pair. Default: false
  • payload_quote_char='/" - Use a specific character to quote the "payload" kv value. Default: " (double quote)


  • Default handler for Channel Status Statistics.
  • Supported options:
  • include_zero_values=true/false - Include values that are set to zero or default values in the event. Default: false
  • textual_values=true/false - Include the textual description for channel status parameters. Default: true


  • IBM Message Broker Monitoring event handler.
  • Parses a Message Broker monitoring event and extracts the required fields.
  • Supported options:
  • include_complex_top_level = true/false - Include the complex type top level element when logged.
  • include_bitstream = true/false - Include the bitstream (base64 or blob) in the splunk event.
  • write_events = true/false - Write out the events to disk.
  • gzip_events = true/false - Gzip the events written to disk.
  • write_events_folder = "/opt/brokerevents" - Directory to which events must be written.


Any modular input log errors will get written to $SPLUNK_HOME/var/log/splunk/splunkd.log. Debug logging can be "enabled by changing the "ExecProcessor" property under "Server logging" to DEBUG.


  • You are using Splunk 6+
  • Look for any errors in $SPLUNK_HOME/var/log/splunk/splunkd.log
  • Enable debug logging by changing the "ExecProcessor" property under "Server logging" to DEBUG. This will output some debug at various places in the code.
    Search for the following in Splunk: index=_internal component=ExecProcessor mq_ta
  • Ensure that the PyMQI and ctypes libraries can be imported when using the Splunk Python interpreter. See the "ctypes" specific section below.
  • Ensure that the IBM Websphere MQ libraries are available to the user which runs Splunk.

How to find a Splunk Python2 compatible "_ctypes.so" (pre Splunk V8)

The number one problem most people experience with the installation is finding a compatible ctypes library for Splunk's Python2 interpreter(particulary _ctypes.so).

Splunk's Python2 interpreter was built using UCS2 whereas most of the recent builds on Ubuntu, CentOS, RHEL, etc. is built using UCS4 thereby making the two incompatible. Splunk V8 comes with the ctypes library installed for both the Python2 and Python3 interpreters by default making the installation much simpler. But earlier versions of Splunk does not include a ctypes library by default.

Determining what type of _ctypes.so you require.

The easiest way to see whether a Python interpreter was built using UCS2 or UCS4 is to check the sys.maxunicode value.
For a UCS2 build the value returned will be 65535. On a UCS4 build the value returned will be 1114111.

For instance - running the python2 interpreter that comes with Splunk:
$ /opt/splunk/bin/python2
Python 2.7.15 (default, Jun 24 2019, 17:39:18)
[GCC 5.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import sys
print sys.maxunicode

The 65535 value means that Splunk's Python2 interpreter was built using UCS2.

Determining if an existing _ctypes.so was built using UCS2 or UCS4

The quickest way to determine if a _ctypes.so was built using UCS2 or UCS4 is to simply print the enclosed strings and searching for "UCS".

For instance - a _ctypes bullt using UCS4(incompatble with Splunk's Python2) will have the following output:
$ strings _ctypes.so | grep UCS

A version that will be compatible with Splunk's Python2 will have output that looks as follows:
$ strings lib-dynload/_ctypes.so | grep UCS

NOTE: If no strings containing "UCS" was found the library is NOT compatible and almost certainly a Python3 version that cannot be used with Python2.

Where to find a compatible _ctypes.so

  • Upgrade to Splunk V8. All you will require is the pymqi library as Splunk V8 comes with the ctypes library pre-installed.
  • The ctypes library that comes with Splunk V8 is compatible with earlier versions of Splunk (Only verified on Splunk 7.1+ - however technically it should work on any Splunk Python2 that is built using UCS2).
  • Build your own on your own platform! If you download the Python2 source code you can build your own "UCS2" Python2 (and the subsequent _ctypes.so) by setting the "--enable-unicode=ucs2" option on the "configure" step. eg.
    ./configure --enable-unicode=ucs2
  • Some users have commented that on Ubuntu some of the "Steam" apps contain a compatible _ctypes.so. This is unconfirmed and seems to be version and app dependent. I found a few _ctypes.so libraries on on my system (Ubuntu 18.04) however all of them was built using UCS4 instead of the required UCS2.
  • Send me an email and I can help you find or build one for your platform. I do not like sending prebuilt libraries about as there are implications (eg. security, compatibility, etc.) I prefer not to be involved with as a 3rd party. I prefer you help yourself!


You are free to use this code in any way you like, subject to the Python & IBM disclaimers & copyrights. I make no representations about the suitability of this software for any purpose. It is provided "AS-IS" without warranty of any kind, either express or implied.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.