Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Universal Forwarder with WebSphere App Server

glitchcowboy
Path Finder
‎08-27-2012 11:30 AM

I'm confused by the documentation. In some places it says you need a Heavy Forwarder to use the WAS app, yet in the release notes it says you can do it with a UF. The installation instructions say to stop the forwarder and in the next phrase they say to install the s....

So, This is what I have:

indexer : Has the splunk_app_was app installed

indexer : Has splunk_forwarder_addon_was app in deployment-apps so it gets deployed to the WAS server

WAS server : Has splunk_forwarder_addon_was installed in $SPLUNK_HOME/etc/apps (deployed by indexer)

I've set up the inputs.conf on the WAS server under splunk_forwarder_addon_was/local the best that I can.

I've read that CreateIputs.jar will create it for me, but so far I can't get it to run -- and I'm honestly not sure if it should run on the Indexer or the WAS server, though it only makes sense to run it on the WAS server.

Can anyone unmuddle this for me?

Reply

raj_mpl
Path Finder
‎08-12-2018 04:52 AM

so is it good to just install universal forwarder rather than going for the addon?

0 Karma
Reply

rgantly_splunk
Splunk Employee
Splunk Employee
‎08-28-2012 02:24 PM

Heavy forwarder of light forwarder?

Just to confirm, the current version of Splunk for WAS can be installed on a universal forwarder. There is no dependency on a heavy forwarder. The installation scripts for the latest release are Java based and only depend on the Java version on your WAS box. Product versions prior to the latest release had a dependency on the heavy forwarder ONLY if you you wanted to run the installation scripts. The scripts were Python based and Python was only bundled with the heavy forwarder. I hope this provides some clarity.

What to install where

  • Splunk App for WebSphere Application Server (splunk_app_was-2.0.1-133054.tar.gz) - Download and install this App on Splunk indexers and /or search heads.
  • Splunk Forwarder Add-on for WebSphere Application Server (splunk_forwarder_addon_was-2.0.1-133049.tar.gz): Download and install this Add-on onto a Splunk forwarder installed on a WAS machine to collect log and configuration data. NOTE: You don't have to stop the forwarder, but sometimes it's easier to do things this way so that you remember to restart it after deploying the Forwarder Add-on so that the changes take effect.
  • Splunk FA Add-on for WebSphere Application Server (splunk_fa_addon_was-2.0.1-133049.tar.gz) Install this FA Add-on on a Splunk indexer or a non WAS box with a Splunk forwarder installed.

About the install script

CreateInputs.jar is a Java based command line tool that automatically creates the inputs.conf file for you in $SPLUNK/etc/apps/splunk_forwarder_addon_was/local. Run it on your WAS box. You must have:

  • JRE version 1.5 or later installed on your WAS box. You can use the Java version included with WebSphere, located in /opt/IBM/WebSphere/AppServer/java/bin/java. You can also use any installed Java version. The tool has been tested with JRE version1.5 and above.
  • Know the host name of the WAS box. Get the correct host name for the WAS box from the serverindex.xml file stored under any profile. It must be of the format that WebSphere uses to store it. For example, you can find it in /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/splunkwasCell01/nodes/splunkwasCellManager01/serverindex.xml.
  • Know the installation path to the WAS profiles on this WAS box.Find the profile directory of your WAS installation on the WAS box, for example, /opt/IBM/WebSphere/AppServer/profiles.

To populate your views and drop-downs

After installing the components, did you run the following saved searches in Splunk App for WAS?

  • In the Views menu, click Saved searches, then click setup_dropdown
  • In the Views menu, click Saved searches, then click setup_log
Reply

ChrisG
Splunk Employee
Splunk Employee
‎09-04-2012 11:01 AM

Documentation is updated to reflect this information, including the following: "You must install the Splunk Forwarder Add-on for WAS on the Splunk forwarder on the WAS Deployment manager for the application to work. Additionally, install this Add-on on the Splunk forwarders on each WAS App server machine from which you want to collect log data."

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎08-27-2012 12:34 PM

I'm at just about the same setup spot as you. The CreateInputs.jar needs to run on a machine running WebSphere. From there, you can take the produced inputs.conf, edit as necessary, and add that into your app pushed via deployment server. This appears to work fine on a UF, because the java program replaces some Python that existed prior.

Reply

glitchcowboy
Path Finder
‎08-28-2012 03:37 AM

Thanks! I thought I had the right architecture, but some of the docs were, as I already said, ambiguous. I was using the default AIX java (/usr/bin/somewhere) which didn't understand java -jar. I used the java in ...WebSphere/java/bin/ and that worked.

However, I'm getting some data and a search for index=websphere shows that I'm indexing loads of it, but some of the views are pretty sparse and the drop-downs are consistently void of any options. I'm only indexing one WAS server with 4 independent WAS instances on it. Do your drop-downs show anything?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...