All Apps and Add-ons

Splunk for TIBCO RVD

OL
Communicator

Hello,

One of my customers is look at capturing TIBCO RVD messages using Splunk. Would anyone have an idea who I could listen to TIBCO? I know that it is a multicast using UDP, but when I configure a UDP input in Splunk, I don't get any message at all. The monitor has been done on a server which is receiving messsage, having the TIBCO RVD receiver down (otherwise port issue).

Regards,
Olivier

Tags (1)

Claw
Splunk Employee
Splunk Employee

This is a summary of Tibco data aquisition schemes I put together for a customer. The sources are from many different Splunk Technical Masters.

If you want to read data from a tibco multicast port then there is an example application here.

http://splunk-base.splunk.com/apps/50964/indexing-events-from-multicast-address

===================================================================

If you want to read the logs from the TIBCO BW engine look here.

http://splunk-base.splunk.com/apps/22276/splunk-for-tibco-businessworks-engine

===================================================================

With TIBCO EMS, create a EMS/JMS client listener (or set of listeners) and dequeue the message into Splunk using a scripted input. You may want to use a forwarder if you need to distribute the data evenly to multiple indexers.

I have a reference implementation that uses Weblogic, but it should be the same concepts. You'll have to modify the listener code to use EMS classes.

http://splunk-base.splunk.com/apps/22388/jms-receiver-for-indexing

For JMX, see if they can get a JMX client from your customer or a Tibco expert that collects statistics and you can modify it to print to standard out and make it into a scripted input. I don't know how much JMX is a standard, but you can show them this app's input to get an idea for what is needed.

http://splunk-base.splunk.com/apps/25505/splunk-for-jmx

===================================================================

If your question is Tibco Common Base Event logs?

The CBE format is specified here:
http://www.eclipse.org/tptp/platform/documents/resources/cbe101spec/CommonBaseEvent_SituationData_V1..., which is a 75 page document with 10 authors, but appears to describe a reasonably simple XML schema. I know we can trivially build a sourcetype around this; the customer's question is whether we already have one.

Here are notes I sent a customer last week from the knowledge I created to sufficiently deliver a sample dashboard that allowed searching of a transaction ID to return all associated workflow events.

"""
props.conf:
REPORT-tibcoFields = xml_extractions

transforms.conf :
[xml_extractions]
REGEX=<ns1:(\S+)[^>]+>([^<]+)<\/ns1
FORMAT=$1::$2
MV_ADD=true

Also, if wanting to do something similar, automagically, using search language, this should do it:
sourcetype=tibco earliest=@d | xmlkv
"""

===================================================================

We did extensive analysis of Tibco logs at Cricket, and we did most everything with xmlkvrecursive from xmlutils. Spath would probably do all of this natively now in 4.3. XML utils is at: http://splunk-base.splunk.com/apps/22338/xmlutils.

The logs had a namespace format similar to what's in your props.conf file. We did not find anything difficult to do.

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...