By Hannes Wagener - 2015
This is a Splunk modular input add-on for IBM Websphere MQ.
Currently two data inputs are supported. One for creating events from messages on IBM Websphere queues and another for channel status statistics.
Created from the Splunk modular input examples.
include_payload=false/true
- Include the message payload in the event. Default: true
use_mqmd_puttime=false/true
- Use the message put time as the event time. Default: true
include_mqmd=false/true
- Include the MQMD in the event. Default: false
pretty_mqmd=false/true
- Use textual descriptions for MQMD values. Default: true
make_mqmd_printable=false/true
- Escape non text values in the MQMD. Default: true
payload_limit=1024
- How many bytes of the payload to include in the splunk event. Default: 1024 (1kb)
encode_payload=false/base64/hexbinary
- Encode the payload. Default: false
make_payload_printable=false/true
- Escape non text values in the payload. Default: true
log_payload_as_event=false/true
- If false do not log the payload as a name/value pair. Default: false
payload_quote_char='/"
- Use a specific character to quote the "payload" kv value. Default: " (double quote)
include_zero_values=true/false
- Include values that are set to zero or default values in the event. Default: false
textual_values=true/false
- Include the textual description for channel status parameters. Default: true
include_complex_top_level = true/false
- Include the complex type top level element when logged.
include_bitstream = true/false
- Include the bitstream (base64 or blob) in the splunk event.
write_events = true/false
- Write out the events to disk.
gzip_events = true/false
- Gzip the events written to disk.
write_events_folder = "/opt/brokerevents"
- Directory to which events must be written.
Any modular input log errors will get written to $SPLUNK_HOME/var/log/splunk/splunkd.log. Debug logging can be enabled by changing the "ExecProcessor" property under "Server logging" to DEBUG.
index=_internal component=ExecProcessor mq_ta
The number one problem most people experience with the installation is finding a compatible ctypes library for Splunk's Python2 interpreter (particularly _ctypes.so).
Splunk's Python2 interpreter was built using UCS2, whereas most of the recent builds on Ubuntu, CentOS, RHEL, etc. are built using UCS4, which makes the two incompatible. Splunk V8 comes with the ctypes library installed for both the Python2 and Python3 interpreters by default, making the installation much simpler. Earlier versions of Splunk do not include a ctypes library by default.
The easiest way to see whether a Python interpreter was built using UCS2 or UCS4 is to check the sys.maxunicode value.
For a UCS2 build the value returned will be 65535. On a UCS4 build the value returned will be 1114111.
For instance - running the python2 interpreter that comes with Splunk:
$ /opt/splunk/bin/python2
Python 2.7.15 (default, Jun 24 2019, 17:39:18)
[GCC 5.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> print sys.maxunicode
65535
The 65535 value means that Splunk's Python2 interpreter was built using UCS2.
The quickest way to determine whether a _ctypes.so was built using UCS2 or UCS4 is to print the strings embedded in it and search for "UCS".
For instance - a _ctypes built using UCS4 (incompatible with Splunk's Python2) will have the following output:
$ strings _ctypes.so | grep UCS
PyUnicodeUCS4_AsWideChar
PyUnicodeUCS4_FromEncodedObject
PyUnicodeUCS4_FromWideChar
PyUnicodeUCS4_AsEncodedString
PyUnicodeUCS4_FromUnicode
A version that will be compatible with Splunk's Python2 will have output that looks as follows:
$ strings lib-dynload/_ctypes.so | grep UCS
PyUnicodeUCS2_AsWideChar
PyUnicodeUCS2_FromEncodedObject
PyUnicodeUCS2_FromWideChar
PyUnicodeUCS2_AsEncodedString
PyUnicodeUCS2_FromUnicode
PyUnicodeUCS2_FromWideChar
PyUnicodeUCS2_FromUnicode
PyUnicodeUCS2_FromEncodedObject
PyUnicodeUCS2_AsWideChar
PyUnicodeUCS2_AsEncodedString
PyUnicodeUCS2_AsWideChar
PyUnicodeUCS2_FromEncodedObject
PyUnicodeUCS2_FromWideChar
PyUnicodeUCS2_AsEncodedString
PyUnicodeUCS2_FromUnicode
NOTE: If no strings containing "UCS" were found, the library is NOT compatible and is almost certainly a Python3 version that cannot be used with Python2.
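The two checks above (sys.maxunicode for the interpreter, UCS symbol names for _ctypes.so) combined into one script. This is an added example, not part of the add-on; the function names are hypothetical, and it scans the file's raw bytes rather than calling strings. Run it with the interpreter you want to match, passing candidate library paths as arguments.

```python
import re
import sys

# Symbol names a Python2 C extension references, as seen in the strings output above.
_UCS_SYMBOL = re.compile(br"PyUnicodeUCS([24])_\w+")


def interpreter_width(maxunicode=None):
    """Map sys.maxunicode to the build width: 65535 -> UCS2, 1114111 -> UCS4."""
    if maxunicode is None:
        maxunicode = sys.maxunicode
    return {65535: "UCS2", 1114111: "UCS4"}.get(maxunicode, "unknown")


def library_width(path):
    """Scan a shared object for PyUnicodeUCS2_/PyUnicodeUCS4_ symbol names."""
    with open(path, "rb") as handle:
        data = handle.read()
    widths = set("UCS" + m.group(1).decode() for m in _UCS_SYMBOL.finditer(data))
    if not widths:
        return "none"   # no UCS symbols: per the note above, not a usable Python2 build
    if len(widths) > 1:
        return "mixed"  # both prefixes present: treat as incompatible
    return widths.pop()


def is_compatible(path, maxunicode=None):
    """True only when the library and the interpreter agree on UCS2 or UCS4."""
    lib = library_width(path)
    return lib in ("UCS2", "UCS4") and lib == interpreter_width(maxunicode)


if __name__ == "__main__":
    for candidate in sys.argv[1:]:
        verdict = "compatible" if is_compatible(candidate) else "NOT compatible"
        print("%s: library=%s interpreter=%s -> %s" % (
            candidate, library_width(candidate), interpreter_width(), verdict))
```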
./configure --enable-unicode=ucs2
You are free to use this code in any way you like, subject to the Python & IBM disclaimers & copyrights. I make no representations about the suitability of this software for any purpose. It is provided "AS-IS" without warranty of any kind, either express or implied.