Splunk AMQP Messaging Modular Input v1.7.7

IMPORTANT

The Python code in this App is dual 2.7/3 compatible. This version of the App enforces Python 3 for execution of the modular input script when running on Splunk 8+ in order to satisfy Splunkbase AppInspect requirements. If running this App on Splunk versions prior to 8 , then Python 2.7 will get executed.

Overview

This is a Splunk Modular Input Add-On for indexing messages from an AMQP Broker.It utilizes the RabbitMQ Java client library(v5.12.0) , but can be used against any AMQP v0-9-1, 0-9 and 0-8 compliant broker.

What is AMQP ?

From Wikipedia : http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol

Examples of AMQP Brokers

Dependencies

Binary File Declaration

This App contains a custom modular input written in Java

As such , the following binary JAR archives are required

Setup

Activation Key

Logging

Modular Input logs will get written to $SPLUNK_HOME/var/log/splunk/amqpmodinput_app_modularinput.log

These logs are rotated after a max size of 5MB with a backup limit of 5.

Setup logs will get written to $SPLUNK_HOME/var/log/splunk/amqpmodinput_app_setuphandler.log

These logs are rotated daily with a backup limit of 5.

The Modular Input logging level can be specified in the input stanza you setup. The default level is INFO.

You can search for these log sources in the _internal index or browse to the Logs menu item on the App's navigation bar.

Any Splunk internal errors can also be searched like : index=_internal amqp.py ERROR

JVM Heap Size

The default heap maximum is 64MB. If you require a larger heap, then you can alter this in $SPLUNK_HOME/etc/apps/amqp_ta/bin/amqp.py

JVM System Properties

You can declare custom JVM System Properties when setting up new input stanzas. Note : these JVM System Properties will apply to the entire JVM context and all stanzas you have setup

Customized Message Handling

The way in which the Modular Input processes the received AMQP messages is enitrely pluggable with custom implementations should you wish.

To do this you code an implementation of the com.splunk.modinput.amqp.AbstractMessageHandler class and jar it up.

Ensure that the necessary jars are in the $SPLUNK_HOME/etc/apps/amqp_ta/bin/lib directory.

If you don't need a custom handler then the default handler com.splunk.modinput.amqp.DefaultMessageHandler will be used.

This handler simply trys to convert the received byte array into a textual string for indexing in Splunk.

App Object Permissions

Everyone's Splunk environment and Users/Roles/Permissions setup are different.

By default this App ships with all of it's objects globally shared (in metadata/default.meta )

So if you need to limit access to functionality within the App , such as who can see the setup page , then you should browse to Apps -> Manage Apps -> AMQP Messaging Modular Input -> View Objects , and adjust the permissions accordingly for your specific Splunk environment.

Troubleshooting

Support

BaboonBones.com offer commercial support for implementing and any questions pertaining to this App.