Splunk® Supported Add-ons

Splunk Add-on for IBM WebSphere Application Server

Configure global settings, HPEL inputs, and server log inputs for IBM WebSphere Application Server

Configuring your HPEL inputs and your file monitor inputs for your server log files requires for several steps. You can perform all of this configuration using configuration files.. You can use a deployment server for configuring the add-on on your forwarders or configure it directly on the forwarders using the configuration files.

Prerequisites:

  • Ensure you have configured your IBM WebSphere application servers to enable logging for the logs you want to collect with the add-on as described in Configure IBM WebSphere to produce data for the Splunk Add-on for IBM WebSphere Application Server.
  • If you are using a Universal Forwarder, you must be using Python version 3.7 or 3.9 to forward or collect HPEL logs.
  • In the newer versions of the Splunk Universal Forwarder versions 9.x and above, the management port is not enabled by default, this is required for the IBM WebSphere Application Server add-on. To activate the management port in Splunk Universal Forwarder follow these steps:
  1. For Linux, add the following to splunkforwarder/etc/system/local/server.conf:
    [httpServer] mgmtMode = tcp
  2. In splunkforwarder/etc/system/local/web.conf, add the following (update the management port):
    [settings] mgmtHostPort = 127.0.0.1:8089
  3. For Windows, add the following to SplunkUniversalForwarder\etc\system\local\server.conf:
    [general] python.version=unspecified

  4. Add the following line to set the PYTHONPATH of your Python installation in the .conf file:
    SplunkUniversalForwarder\etc\splunk-launch.conf PYTHONPATH= < path to your python installation>

Configure HPEL and server log inputs using configuration files

Follow these steps to configure your global settings and your HPEL and/or server log inputs using the configuration files.

Configure global settings and HPEL settings in local/ibm_was.conf

1. Copy $SPLUNK_HOME/etc/apps/Splunk_TA_ibm-was/default/ibm_was.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_ibm-was/local/.

2. Provide the root installation directory of your IBM WebSphere application server for the argument was_install_dir.

3. All other parameters are optional. Refer to the table for information about each one.

Section Argument Description Default
Global settings index The index in which to store data collected with the Splunk Add-on for IBM WebSphere Application Server. main
was_install_dir Required. The installation directory of your IBM WebSphere application server. On Windows, the WebSphere installation path should include all spaces. For example: C:\Program Files (x86)\IBM\WebSphere. None
log_level The logging verbosity for the the add-on. INFO
HPEL settings excluded_profiles Profiles to exclude from HPEL data collection separated by commas. For example, MyProfile.*,OtherProfile. None
excluded_servers Servers to exclude from HPEL data collection separated by commas specified in the format <Profile>:<ServerDir>. E.g., ProfileA:ServerA1,ProfileB:ServerB3 None
start_date HPEL logs start date (UTC) in "MM/dd/yy H:m:s:S" format. For example, 6/29/15 00:00:00:000. Note that you can configure this only before you enable the input for the first time. 1 day ago
level Set a single log level to collect from the HPEL log data. This argument overrides any values in min_level and max_level. None
min_level Set a minimum log level to collect from the HPEL log data. Ensure the min_level is set to a lower level than max_level to define a valid range. INFO
max_level Set a maximum log level to collect from the HPEL log data. Ensure the max_level is set to a higher level than min_level to define a valid range. FATAL
duration The collection interval for the HPEL input. 60


4. To collect the data for this sourcetype you need to enable IBM WAS Input from either the UI or backend:

  • From UI: Data inputs > Splunk Add-on for IBM WebSphere Application Server > Enable 'was_data_input'.
  • From Backend: You can enable this stanza from $SPLUNK_HOME/etc/apps/Splunk_TA_ibm-was/local/inputs.conf > [ibm_was://was_data_input]


Configure the file monitoring stanzas for server logs in local/inputs.conf

From the version 5.0.0, we have provided default file monitoring stanzas for each sourcetype in default/inputs.conf. You can enable these stanzas in the local/inputs.conf to start the data collection. These default stanzas will leverage the WASHOME environment variable of an IBM WAS server for the file and directory path in them. Please note that we have provided separate stanzas for windows OS and "non" windows OSs because these OSs use different separators in their file paths. Examples:


Windows OS

[monitor://$WASHOME\...\derby.log]

crcSalt = SOURCE

followTail = 1

sourcetype = ibm:was:derby

disabled = true

index = default


Unix and Linux based OSs

[monitor://$WASHOME/.../derby.log]

crcSalt = SOURCE

followTail = 1

sourcetype = ibm:was:derby

disabled = true

index = default

In the local/inputs.conf, enable the stanzas as per your OS.


For example, when using Windows OS:

[monitor://$WASHOME\...\derby.log]

disabled = true

Make sure that the WASHOME environment variable is properly configured on the system having the IBM WAS server. For windows OS, set the variable in System Properties -> Environment Variables -> System Variables For other unix and linux based OS, set the variable in the .profile file on your system.

The setting followTail = 1 will let you skip over data in files, and immediately begin indexing current data, i.e. it will not ingest the already present data in files but will only ingest new data to those files after enabling the stanza.

Validate the inputs

To validate that all of the inputs you configured are working correctly, go to the Search and Reporting app and search for the source types listed on the source types page that match the inputs that you configured.

Last modified on 16 September, 2024
Configure JMX inputs for the Splunk Add-on for IBM WebSphere Application Server   Enable saved search for the Splunk Add-on for IBM WebSphere Application Server

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters