All Apps and Add-ons

How to configure the JMS Messaging Modular Input to monitor and parse Websphere MQ Statistics in a readable format?

butzowj
Path Finder

Hello -

I have successfully installed the JMS Messaging Modular Input with the intention of monitoring Websphere MQ statistics. (e.g. Queue Depth, Oldest Message Age, etc...). I am able to successfully pull test messages off the queue and index them with Splunk.

However, when I pull messages off the statistics queue, the format is crazy, and looks like this:

Fri Aug 05 13:21:06 EDT 2016 name=QUEUE_msg_received event_id=ID:414d512051756575654d6772202020205d9a9f572010d5f4 msg_dest=SplunkStatsQueue msg_body=$� D�0QueueMgr                                         �  2016-08-05 � 13.20.36 �  2016-08-05 � 13.21.06 ��K D�0SplunkQueue                                      � 2016-08-01   �13.26.01�� ����� �� ��� �����K D�0SYSTEM.ADMIN.STATISTICS.QUEUE                    � 2016-08-01   �13.23.02�� ��"���� �|� �|�� �����K D�0SYSTEM.ADMIN.COMMAND.QUEUE                       � 2016-08-01   �13.23.01�� ����� �X� �X�� �����K D�0AMQ.MQEXPLORER.416946394                         � 2016-08-05   �10.15.48��+ �\ ����� ��u�� ��u�� �����

Is there something I am missing that will translate this message format into readable statistics? Perhaps a setting on the MQ side?

Thanks
JB

0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

My MQ days date back to when it was still called MQSeries, but if I remember correctly, the message format of the statistics queue contains binary fields. There is a PCF header at the beginning of the payload and the remaining message parts contain fields that are not MQFMT_STRING. In order to make them readable, you probably need to provide a Java message handler that translates the non-readable fields into strings.
You may find that the methods available here will help you pull out the fields of those statistics messages by name.

I hope that gets you pointed in a good direction.

View solution in original post

0 Karma

Damien_Dallimor
Ultra Champion

Preferable to do something on the MQ side , but if you can't then something you can do with the JMS Mod Input is plug in your own custom message handler to pre process the raw received data before indexing in Splunk. In your case this custom message handler would decode your non-Ascii payload for you.

alt text

Requires only simple Java coding skills. Here is a simple example of a custom handler.
You implement the handleMessage method and do something with the received Message object , then output the event to Splunk.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

My MQ days date back to when it was still called MQSeries, but if I remember correctly, the message format of the statistics queue contains binary fields. There is a PCF header at the beginning of the payload and the remaining message parts contain fields that are not MQFMT_STRING. In order to make them readable, you probably need to provide a Java message handler that translates the non-readable fields into strings.
You may find that the methods available here will help you pull out the fields of those statistics messages by name.

I hope that gets you pointed in a good direction.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...