All Apps and Add-ons

datasource configuration problem

tletat92
Engager

Hi,

It seems to be exactly what I'm looking for : the screenshot are great !

I'm trying to test IMI, and have some comments/questions about datasource configuration form :

  • "Introscope Host" : the default port for webservice is 8081 (and not 8080)
  • "Metric Regex" & "Agent Regex" : the examples displayed in the input form should be swapped.
  • "Output Regex" : I don't understand what it is. Can someone give an example ?

Thanks in advance,
TLT

snowtom17
New Member

hey,
has someone found the right way how the input parameters must be maintained in the splunk?
thanks for your help
thomas

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You're adding on to an old question, which means you're unlikely to get a satisfactory response. You should post a new, more specific question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I had similar questions so I emailed the author. Here is his response.

Credentials are in the top section for all inputs :

[introscope]
soapTemplate = <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:met="http://metricsdata.webservicesimpl.server.introscope.wily.com">   <soapenv:Header/>   <soapenv:Body>      <met:getMetricData soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">         <agentRegex xsi:type="xsd:string">$agentRegex</agentRegex>         <metricRegex xsi:type="xsd:string">$metricRegex</metricRegex>         <startTime xsi:type="xsd:dateTime">$startTime</startTime>         <endTime xsi:type="xsd:dateTime">$endTime</endTime>         <dataFrequency xsi:type="xsd:int">$dataFrequency</dataFrequency>      </met:getMetricData>   </soapenv:Body></soapenv:Envelope>
offset = 2
interval = 5
dataFrequency = 60
username = xxx
password = xxx
introscope_path = /introscope-web-services/services/MetricsDataService
sourcetype = introscope

 Then you have a section per source, where you can indicate the index and eventually credentials, if you have specific ones for that input.

[introscope://i_kihub-mq]
disabled = 0
index = i_kihub
introscope_host = introscopeti.sbb.ch:8080
agentRegex = (.*)WebSphere MQ and Message Broker Integration(.*)
metricRegex = (.*)\|KIHUB.([^|]*)\|Status:Current Queue Depth
outputElement = metricName
outputRegex = Queues\|(?P<queue>KIHUB[^\|]*)\.L
dataFrequency = 60
interval = 5
introscope_path = /introscope-web-services/services/MetricsDataService
offset = 2
password = xxx
soapTemplate = <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:met="http://metricsdata.webservicesimpl.server.introscope.wily.com">   <soapenv:Header/>   <soapenv:Body>      <met:getMetricData soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">         <agentRegex xsi:type="xsd:string">$agentRegex</agentRegex>         <metricRegex xsi:type="xsd:string">$metricRegex</metricRegex>         <startTime xsi:type="xsd:dateTime">$startTime</startTime>         <endTime xsi:type="xsd:dateTime">$endTime</endTime>         <dataFrequency xsi:type="xsd:int">$dataFrequency</dataFrequency>      </met:getMetricData>   </soapenv:Body></soapenv:Envelope>
sourcetype = introscope
username = xxx

Then agent, and metricRegex, are the regex you see in introscope when you make metric grouping.

OutputElement decide if you want the agent or the metric name as field in the results. Depending on what you are getting from Introscope, sometimes the agent is the same for all result (by mq) so you will want to take the metricRegex as field, and for cpu and so one, most of the time is the agent interesting….

 Then you can specify a regex in order to only take a part of that field (property outputRegex).  Tthis allows you to only store whats needed.

In my example, I store only the name of the queue, out of the introscope path : Introscope…/ / QueueMnanager blabla…/Queues|QueueName|Status:Current Queue Depth

This got me started. I'm still experimenting with my configuration to find the best settings.

---
If this reply helps you, Karma would be appreciated.
0 Karma

cjmckenna
New Member

Bringing up an old thread here but hoping someone can help. Got this add-on installed and configured fine. Using tcpdump I can see the SOAP request get sent to Introscope and I can see a good SOAP response come back with the metrics data in it but all I get in the splunkd log is the following. Hoping someone has some ideas or maybe the author will see this....

03-15-2016 16:22:27.603 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" Traceback (most recent call last):
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" File "/Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py", line 368, in
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" do_run()
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" File "/Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py", line 244, in do_run
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" IntroscopeResponseHandler (res,config)
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" File "/Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py", line 180, in IntroscopeResponseHandler
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" href.append(md.attributes['href'].value[1:])
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" File "/Applications/Splunk/lib/python2.7/xml/dom/minidom.py", line 522, in getitem
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" return self._attrs[attname_or_tuple]
03-15-2016 16:22:27.604 -0400 ERROR ExecProcessor - message from "python /Applications/Splunk/etc/apps/introscope_ta/bin/introscope.py" KeyError: 'href'

0 Karma

kotte819
New Member

I have the Introscope Modular Input app configured, but its printing none = 0 values in splunk.I believe the I output regex is wrong

2017-03-27T14:58:00.000Z None=0 None=0 None=0 None=0

agentRegex = (.)|WebLogic|(.)
metricRegex = JMX|(.):HoggingThreadCount
outputElement = metricName
outputRegex = JMX|(.
).L

Actual Output value on Introsocpe Console is this, how do i get the outputRegex in above config
JMX|com.bea|Name=ThreadPoolRuntime|ServerRuntime=(.*)|Type=ThreadPoolRuntime:HoggingThreadCount = 10

0 Karma

StaceyKing1975
New Member

Thanks Hmozaffari!!! Its been a while since I have been able to touch on this, appreciate the response. 🙂

0 Karma

StaceyKing1975
New Member

I am also having issue with some of the input fields. I am not sure I understand the output regex. Could you give a little more detail on how you got that part to function? (I am totally new at this, so my question probably sounds a bit dumb)

Thanks 🙂

0 Karma

hmozaffari
Path Finder

After Introscope App receives the response you may not be interested in the whole XML response . The output Regex allows you filter portion of response. for example Regex bellow grabs whatever is between and

<metricValue xsi:type="xsd:string">(?P<filtered_value>[^ (]+)<\/metricValue>
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...