Solved: Continuos Monitoring

cpepe · ‎09-11-2013

Hello,

I downloaded the package. I have configured and started. But I have a problem. I would like the add-on always remains active and polling on a queue ActiveMQ. From logging to Splunk, it seems to me that once started immediately stop. you can ensure that the input always remains in "monitoring" on the tail ActiveMQ?

thanks

allenta · ‎09-11-2013

Hi,

The modular input remains connected and consuming messages from the selected queue/topic while Splunk is running. So, once Splunk is started, the consumer should remain connected to ActiveMQ forever. At least for now, the modular input does not reconnect to ActiveMQ/RabbitMQ/whatever if the connection fails, but I don't think that's your problem. Have you checked the ActiveMQ console to check if you can see the incoming connection from Splunk?

Today we have released a new version of the module (v0.4). It adds some extra configuration option and other minor changes. It's not related with your issue, but you can also try to update to the latest version.

View solution in original post

cpepe · ‎09-12-2013

09-12-2013 10:01:28.058 +0200 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/stomp/bin/stomp.py
09-12-2013 10:01:28.058 +0200 INFO ExecProcessor - interval: run once
09-12-2013 10:01:28.190 +0200 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" Established connection to host 10.153.43.240, port 61616
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" An unhandled exception was encountered in the stomp receiver loop
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" Traceback (most recent call last):
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" File "/opt/splunk/etc/apps/stomp/bin/stomppy/connect.py", line 721, in __receiver_loop
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" (frame_type, headers, body) = utils.parse_frame(frame)
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" File "/opt/splunk/etc/apps/stomp/bin/stomppy/utils.py", line 48, in parse_frame
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" frame_type = preamble_lines[first_line]
09-12-2013 10:01:28.202 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/stomp/bin/stomp.py" IndexError: list index out of range

cpepe · ‎09-12-2013

hi, I solved this problem by changing the communication port 61613. Now the problem is that I need to connect on the 61616 where the activemq settles messages. In fact the 61613 I do not see messages while with another tool, connecting me on 61616 I see the messages. How can I fix?

allenta · ‎09-12-2013

Hi,

According with that log, it seems the STOMP modular input dies due to and unhandled exception in the stomp.py library (https://github.com/kwoli/stomp.py). That's the library embedded in the modular input and used to connect to STOMP sources.

Have you updated to the latest release (v0.4)? That version includes and upgrade of the stomp.py library that may fix your problem.

If updating does not fix the issue, could you please provide some information about your configuration (ActiveMQ version, OS, any special configuration, etc.) in order to try to reproduce the problem.

allenta · ‎09-11-2013

Hi,

The modular input remains connected and consuming messages from the selected queue/topic while Splunk is running. So, once Splunk is started, the consumer should remain connected to ActiveMQ forever. At least for now, the modular input does not reconnect to ActiveMQ/RabbitMQ/whatever if the connection fails, but I don't think that's your problem. Have you checked the ActiveMQ console to check if you can see the incoming connection from Splunk?

Today we have released a new version of the module (v0.4). It adds some extra configuration option and other minor changes. It's not related with your issue, but you can also try to update to the latest version.

allenta · ‎09-12-2013

I see. It seems your issue is not related with the modular input, but with your specific ActiveMQ configuration. I think the best approach will be debugging the access to ActiveMQ using a Python script that mimics the modular input.

I have created a small script you can use for that. Please, check it out in https://gist.github.com/carlosabalde/956af228116cd638ff0a . Adjust your host, port and queue/topic name. Execute it in a terminal an we'll probably get an idea of what's going on looking at the stomp.py debug messages.

Note the script depends on the stomp.py library.

cpepe · ‎09-12-2013

if I connect on 61613 I have no errors, but I have the need to connect on the 61616 where the activemq settles the messages

cpepe · ‎09-12-2013

Thank you. In the next message will mold errors

Continuos Monitoring

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes