AMQP Messaging Modular Input: Importing MQ messages into Splunk, why is the payload or body of the message empty?

spervaiz_splunk
Splunk Employee

We are using a RabbitMQ server (AMQP) as a data source. Our previous experiments led us to the Splunk AMQP Messaging Modular Input add-on, and we have already received messages.
 
The RabbitMQ server is supplied on the other side by a Linux Syslog-ng service. This creates the AMQP message as follows.
 
An AMQP message is sent in which all relevant data are fed into the header data of the message properties.

DATE:       Oct 6 14:10:06
FACILITY:   syslog
HOST:       logserver
MESSAGE:    syslog-ng starting up; version='3.5.6'
PID:        1432
PRIORITY:   notice
PROGRAM:    syslog-ng
SEQNUM:     1
SOURCEIP:   127.0.0.1
TAGS:       .source.s_src

The payload or message body of the message, on the other hand, is empty. Splunk does not interpret this data easily.
 
We need the information as Splunk must be configured to correctly interpret the AMQP messages / Best practices if the application is known.

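The situation described in the question is that every field lives in the AMQP message properties (the headers) while the body is empty, so an input that forwards only the body hands Splunk nothing. The following is an added example, not code from the AMQP Messaging Modular Input add-on or from the poster: it takes the headers as a plain dict (the shape AMQP client libraries expose as properties.headers; that shape and the constructed sample values are assumptions), builds one JSON event from them when the body is empty, and keeps a non-empty body alongside the headers so nothing is dropped. The year passed to parse_syslog_date is an assumption, because the DATE header is a year-less BSD syslog timestamp.

```python
import json
from datetime import datetime

# Constructed sample modelled on the header list in the question: what an
# AMQP client hands over as properties.headers, next to an empty body.
SAMPLE_HEADERS = {
    "DATE": "Oct 6 14:10:06",
    "FACILITY": "syslog",
    "HOST": "logserver",
    "MESSAGE": "syslog-ng starting up; version='3.5.6'",
    "PID": "1432",
    "PRIORITY": "notice",
    "PROGRAM": "syslog-ng",
    "SEQNUM": "1",
    "SOURCEIP": "127.0.0.1",
    "TAGS": ".source.s_src",
}
SAMPLE_BODY = b""


def _as_text(value):
    """Header values arrive as str or bytes depending on the client library."""
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value)


def parse_syslog_date(value, year):
    """DATE is a year-less BSD syslog timestamp such as 'Oct 6 14:10:06'.

    The caller supplies the year (assumption: the header never carries one).
    strptime treats a space in the format as a run of whitespace, so the
    day-padded form 'Oct  6 14:10:06' parses as well.
    """
    return datetime.strptime(f"{year} {value}", "%Y %b %d %H:%M:%S")


def build_event(headers, body, year):
    """Flatten one AMQP message into a single JSON event for Splunk.

    With an empty body (the case in the question) every field comes from the
    headers. A non-empty body is kept under 'body' so nothing is lost.
    Header names are lowercased to give conventional Splunk field names.
    """
    fields = {k.lower(): _as_text(v) for k, v in headers.items()}
    if body:
        fields["body"] = _as_text(body)
    if "date" in fields:
        # ISO-8601 timestamp derived from the DATE header and the supplied year
        fields["time"] = parse_syslog_date(fields["date"], year).isoformat()
    return json.dumps(fields, sort_keys=True)


def decode_event(event):
    """Parse an event produced by build_event back into a dict."""
    return json.loads(event)


if __name__ == "__main__":
    print(build_event(SAMPLE_HEADERS, SAMPLE_BODY, year=2024))
```

Once the events reach Splunk as JSON, a custom sourcetype with KV_MODE = json in props.conf lets the search-time extractor pull the fields out without hand-written regexes.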

Damien_Dallimor
Ultra Champion

Post your inputs.conf stanza you setup.
Also post any log error messages: index=_internal error ExecProcessor amqp.py


hunters_splunk
Splunk Employee

Hi spervaiz,

Seems you have already installed the AMQP Messaging Modular Input and received data through it. Have you configured the add-on properly? As this is a Modular Input, you can then configure your AMQP inputs via Manager->Data Inputs->AMQP. The field entry should be straightforward and intuitive for anyone with basic experience with AMQP.
If the add-on configuration does not work for your data format, you can also create your own custom sourcetype so that Splunk can correctly perform field extraction and transformation of your data.

Hope it helps. Thanks!
Hunter Shen
