Thanks For Downloading!Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows: Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into Unix/Linux: Decompress the downloaded file using a tool like DescriptionSPLUNK for JMX can be used to poll local or remote JMX Management Servers running in Java Virtual Machines across your entire infrastructure and index MBean attributes and outputs from MBean operations. Welcome to SPLUNK 4 JMX v1.5.3 OVERVIEW This SPLUNK app provides the means to :
Tested to date against Hotspot ,JRockit and IBM J9 JVM's. Currently supports the following JMX Connectors :
This app is basically a custom scripted input comprising of a bash/bat script and a Java program. I have bundled it up as an app for convenience Also refer to the application's "docs" directory for :
INSTALLATION
The SPLUNK4JMX app sets up a custom index(index=jms) and a custom script input (sourcetype=jmx) that parses and executes an XML config file INSTALLED COMPONENTS The only components you really need to know about are in the SPLUNK_HOME/etc/apps/SPLUNK4JMX/bin directory
CONFIG.XML Note : also refer to the configuration schema documentation in the docs directory Included in the SPLUNK4JMX app distribution is a comprehensive sample config.xml "jmxpoller" is the root xml element A custom formatter can be specified.Only 1 may be specified for the entire configuration. A custom transport can be specified.Only 1 may be specified for the entire configuration. Refer to the javadoc API in the docs directory for viewing bundled Formatter and Transport implementations or the signature 1 or more "jmxserver" elements can be included in this XML defintion ie: if you need to accesss multiple different jmx sources within the same scheduled execution "jmxuser" and "jmxpass" are optional , if not specified, they will be ignored "host" can be a hostname, dns alias or ip address. "jmxport" is the JMX server port to connect to. "protocol"(default is rmi) is the jmx service protocol to use : rmi, iiop and mx4j specific protocols soap, hessian etc.. For more advanced finer grained control over the format of the jmx service URL you can also specify the "stubSource"(default is jndi), "encodedStub" and url "lookupPath"(default is jmxrmi). Or, to facilitate complete user flexibility, you can enter the full jmx service url as a raw string using the "jmxServiceURL" attribute. This is raw jmx service url in standard format "service:jmx:protocol:sap" If this attribute is set, it will override any other set connection related attributes("host", "jmxport", "protocol", "stubSource", "encodedStub" and "lookupPath") You can also attach directly to a locally running JVM process by specifying the Process ID in the "pid" attribute. For more dynamic flexibility,rather than specifying a static Process ID value in the config xml , you can also specfy the name of a PID file that contains the JVM's Process ID. You can also specify the path to a command to execute to output the JVM's PID. Example : ps -eafH | grep "java" | grep -v "grep" | awk '{print $2}' Look at the example xml config file in the bin/config directory for usage examples. Groups of jmxserver's that share that same mbeans can be grouped together in a cluster element, At index time the "host" field is extracted and transformed into the SPLUNK internal host value. "jvmDescription" is just meta data, useful for searching on in SPLUNK where you might have multiple JVM's on the same host By default, no timestamp is added , instead relying on the SPLUNK index time as the event time. For MBean definitions , standard JMX object name wildcard patterns * and ? are supported for the "domain" and "properties" attributes If no values are specified for the "domain" and "properties" attributes , the value will default to the * wildcard The MBean's canonical objectname will be written out to SPLUNK. If you would like the components of the MBean canonical objectname broken out into individual fields, then there is a custom formatter available <formatter className="com.dtdsoftware.splunk.formatter.TokenizedMBeanNameFormatter" /> Single, composite and tabular MBean attributes are supported. You can set the "dumpAllAttributes" value to true and all of an MBean's attributes will be extracted. ie: dump all the attributes in the java.lang domain ie: dump all the attributes in all of the cassandra domains Or you can specify each individual attribute you want to extract using the "attribute" element. For attributes that are multi level ie: composite and tabular attributes , then you can use a ":" delimited notation for specifying the attribute name. MBean operation invocation is supported. The following parameter types are supported :
Internally these get autoboxed into their respective Object counterparts. See config_operations_example.xml for usage scenarios. Example output line (default formatter) host=damien-laptop,jvmDescription="My test JVM",mbean="java.lang:type=Threading",count="47" SUPPORTED RETURN DATA TYPES FOR OPERATIONS AND ATTRIBUTES Simple, Composite and Tabular MBean data structures are supported. The value obtained from the Attribute or as the return type of an Operation can be : 1. Any primitive type(Object wrapped) Collection types will be recursively deeply inspected, so you can have Collections of Collections etc.. JVM "ATTACH" NATIVE LIBRARYS When connecting directly to local JVM using a process ID, native librarys are used. You shouldn't need to do anything, they are loaded automatically. Windows : JRE_HOME/bin/attach.dll NOTE : For some reason the Linux "attach" library is only packaged in the JRE that is part of a JDK install. Weird. CREATING ADDITIONAL CONFIGURATION FILES If required, you can easily create more config files to run at different schedules by "cloning" JMX SERVERS To set up a JMX server for remote access via jvm system properties at startup, see this : MX4J SUPPORT If you wish to use MX4J as your JMX implementation for remote connectors(rmi and iiop) or use any of the MX4J specific JMX connectors(soap, burlap, hessian, local), then it is simply a matter of using the poll_mx4j_jmx script rather than the standard poll_jmx script. For more details about MX4J browse here : http://mx4j.sourceforge.net Note : If using any of the HTTPS connectors(soap+ssl, hessian+ssl, burlap+ssl), the root certification authority must be present in the trusted certificates, normally stored in the "$JAVA_HOME/jre/lib/security/cacerts" file. ADDING JAVA CLASSES TO THE APPLICATION CLASSPATH You can dump a jar file in the "SPLUNK_HOME/etc/apps/SPLUNK4JMX/bin/lib/ext" directory and it will be automatically loaded. ADDING JAVA CLASSES TO THE BOOT CLASSPATH Any classes that you need prepended to the java bootclasspath should be put in "SPLUNK_HOME/etc/apps/SPLUNK4JMX/bin/lib/boot". LOGGING By default , "error" level log events will be written to SPLUNK_HOME/etc/apps/SPLUNK4JMX/logs TRANSPORTS Bundled with the release are transport implementations for :
These 3 transports also use appenders/loggers in log4j.xml to facilitate their functionality
TROUBLESHOOTING
Versions and Release Notes
Version 1.5.3 (current version - updated Apr 15, 2012)
release notes:
++added a configuration parameter(stripPattern) for Formatter declarations in config.xml that allows you to specify a regex pattern, or list of patterns, that if matched will strip the matched text from the raw MBean attribute/operations values++
Version 1.5.2
(updated Mar 19, 2012)
release notes:
++just a tweak to the build, some files were erroneously getting CHMOD'd executable in the tarball++
Version 1.5.1
(updated Mar 19, 2012)
release notes:
++Converted all the demo views to Advanced XML and added in dynamic time,host,jvm selectors++The new Advanced XML views use output generated by the TokenizedMBeanNameQuotesStrippedFormatter, this is the formatter now declared in the example config xml files, the DefaultFormatter is still available if you were using and still want to use that, but won't work with the new Advanced XML demo views++
Version 1.5
(updated Feb 14, 2012)
release notes:
++Refactored core engine so you can plugin both custom Formatters and custom Transports++Bundled STDout(default), Splunk Rest, TCP,Syslog,File Transport implementations++added ability to add parameters to Formatter and Transport declarations++3 bundled Formatters can be customised with various different parameters in the configuration xml file, such as the ability to prepend a date and specify the date format pattern++updated docs
Version 1.4
(updated Jan 31, 2012)
release notes:
Added a setup screen ++ Added a MAX_TIMESTAMP_LOOKAHEAD setting in props.conf to prevent erroneous epoch time rsolutions from non time fields ++ Added links in navigation bar to pdf/html docs
Version 1.3.4
(updated Jan 11, 2012)
release notes:
++minor adjustment to logging, no more daily rolling files , now only keeping 1MB with 1 backup as the JMX logs get indexed by Splunk anyway ++ documentation housekeeping
Version 1.3.3
(updated Nov 15, 2011)
release notes:
+ More robust handling of primitive type arrays + All Formatter implementations now strip out all newlines and tabs from attribute values and replace with single space characters, thus flattening out all possible attribute values into a single line
Version 1.3.2
(updated Sep 22, 2011)
release notes:
+++Added several new demo views, tables, charts...notably, CPU usage per JVM(based on the same algorithm that JConsole uses to derive the JVMs cpu usage), garbage collection, memory pools/memory managers , more thorough OS and Runtime metrics, enhanced connectivity errors page.+++no changes to core engine or config schema, so full backward compatibility maintained
Version 1.3.1
(updated Aug 10, 2011)
release notes:
Tweaked the demo forms and navigation bar >>Added a data input to monitor the splunk4jmx error logs and also added view on the navigation menu that reports on jmx connection errors.
Version 1.3
(updated Jul 18, 2011)
release notes:
Docs updated
Version 1.2.9
(updated Jul 18, 2011)
release notes:
Fixed minor bug in poll_mx4j_jmx.sh script
Version 1.2.8
(updated Jul 17, 2011)
release notes:
Added an optional "Formatter" implementation that rather than outputting the mbean name as a single canonical string, breaks up the mbean name into its constituent parts and outputs as individual fields.In your config XML file you can use this formatter by declaring.....<formatter className="com.dtdsoftware.splunk.formatter.TokenizedMBeanNameFormatter" />
Version 1.2.7
(updated Jul 16, 2011)
release notes:
Added support for discovering and extracting ALL attributes of an MBean.Provides an alternative to having to explicitly declare each attribute you want to extract.
...a few examples....
dump the attributes from every MBean from every domain :
<mbean domain="*" properties="*" dumpAllAttributes="true" />
....
dump the attributes from all MBeans in the java.lang domain :
<mbean domain="java.lang" properties="*" dumpAllAttributes="true"/>
...
dump the attributes from all MBeans in all of the cassandra domains :
<mbean domain="org.apache.cassandra.*" properties="*" dumpAllAttributes="true" />
Version 1.2.6
(updated Jul 13, 2011)
release notes:
MX4J support is now implemented, in addition to the standard JSR160 rmi and iiop connectors , there are now MX4J http/https connectors (hessian, burlap and soap). If your target JVM is using MX4J 3.0.2+ as its JMX implementation, then you can use these additional connectors.
In my testing, these http connectors all work well for simple attributes.
Hessian/Burlap work well with CompositeData attributes, but not so with TabularData attributes
Soap seems to have issues with CompositeData and TabularData attributes.
I would recommend the hessian connector if using an http based connector.
I have also updated the lib layout and scripts to allow easier addition of custom jar files, 3rd party jar files etc...
All documentation updated.
Version 1.2.5
(updated Jul 04, 2011)
release notes:
>>Tested against IBM J9 JVMs >>Fixed bug with multiple cluster elements in config xml file >> Tidied up processing of TabularData
Version 1.2.4
(updated Jun 30, 2011)
release notes:
>>>Added more thorough Java Collection type support for Attribute value and Operation return types. >>>Can now deal with Arrays, Lists, Maps, Sets and recursively deeply inspect Collections of Collections.>>>Docs updated.
Version 1.2.3
(updated Jun 27, 2011)
release notes:
Added support for JMX operations , updated documentation.
Version 1.2.3
(updated Jun 27, 2011)
release notes:
Added support for JMX operations , updated documentation.
Version 1.2.2
(updated Jun 25, 2011)
release notes:
Created a PDF User Guide
Version 1.2.1
(updated Jun 19, 2011)
release notes:
Added the notion of a "cluster" of JMX servers to the configuration schema.
This will be beneficial when you have many JVMs with the same MBeans ie: JEE App server clusters, large scale deployments of Hadoop/Cassandra nodes on commodity hardware, JVM's across dev/test/qual/prod environments etc..
So the "cluster" element allows you to declare the MBean attributes to extract just once, followed by a list of the JMX servers.Avoids unnecessary repetition and potential bloating of the config file.
For direct attachment to a local JVM using the Process ID , you can now also specify a script to execute to obtain the PID.
This is specified in the "pidCommand" attribute of the jmxserver.
ie: on *Nix a command such as
ps -eafH | grep "com.foo.MyMainClass" | grep -v "grep" | awk '{print $2}'
could be put in a script and used to output the Process ID of the JVM with main class "com.foo.MyMainClass" to STDOUT
Added some more documentation
javadoc API for creating a custom Formatter implementation
schema documentation for the configuration XML
Version 1.2
(updated Jun 14, 2011)
release notes:
Added XSD and XSD validation for the config XML
Tidied up bin/config and bin directorys
Changed scripts to take the name of the config file as an argument(set from SPLUNK Manager) , rather than as a variable in the script itself.
Adding logging for error level events
Added Java API to allow users to create a custom "Formatter" for SYSOUT lines that are fed into SPLUNK indexing
Logic to write out host name when connecting to localhost or 127.0.0.1
Version 1.1.2
(updated Jun 10, 2011)
release notes:
Tweaked windows script
Version 1.1.1
(updated Jun 10, 2011)
release notes:
Tweaked packaging
Version 1.1
(updated Jun 10, 2011)
release notes:
1. Added a script to provision running on Windows Operating Systems
2. Added functionality to connect directly to a locally running JVM using the JVM's Process ID or by looking up the Process ID from a PID file. This alleviates the need to remotely enable your JMX server for simple local access.
3. All features tested and working on Windows and Linux , HOTSPOT JVMs.
Version 1.1
(updated Jun 10, 2011)
release notes:
1. Added a script to provision running on Windows Operating Systems
2. Added functionality to connect directly to a locally running JVM using the JVM's Process ID or by looking up the Process ID from a PID file. This alleviates the need to remotely enable your JMX server for simple local access.
3. All features tested and working on Windows and Linux , HOTSPOT JVMs.
Version 1.0.2
(updated Jun 03, 2011)
release notes:
Updating screenshot for splunkbase page
Version 1.0.2
(updated Jun 03, 2011)
release notes:
Updating screenshot for splunkbase page
Version 1.0.1
(updated Jun 03, 2011)
release notes:
Added a screenshot to the release
Version 1.0.1
(updated Jun 03, 2011)
release notes:
Added a screenshot to the release
Version 1.0
(updated Jun 01, 2011)
|
Great App, Thanks. Wondering what the best way is to combine generated properties (i.e. properties service=DataNode,name=DataNodeActivity-worker*) to a single mbean. As it is right now each host has a new mbean for its own jvm (worker1,2,3,etc.)
Thanks again
A few different ways to go about this using the stats/chart/tiemchart search functions in Splunk...do you want to combine by "summing" the attributes together or by "listing" the attribute values ?
... mbean="hadoop:service=DataNode,name=DataNodeActivity-worker*" | eval mbean_combined_tag="data_node_workers" | stats sum(field_a) sum(field_b) by mbean_combined_tag,_time
... mbean="hadoop:service=DataNode,name=DataNodeActivity-worker*" | eval mbean_combined_tag="data_node_workers" | stats list(field_a) list(field_b) by mbean_combined_tag,_time
Hi vbo,
I can't seem to reply directly in line to your post, hence this new post.
I had to really scratch my head on this one.I've never seen this before.
Regardless of whether you are polling simple,composite or tabular Mbean attributes or outputs from Mbean operations ,the default formatters in SPLUNK 4 JMX do not output any datetime fields.Instead relying on the index time for the value of the "_time" field in Splunk.
So on a hunch , I took the value heapCommitted="1216348160" , and parsed this as an epoch time:
Java code :
long timestamp = 1216348160;
Date date = new Date(timestamp*1000);
SimpleDateFormat sdf = new SimpleDateFormat("yyyy.MM.dd HH:mm:ss");
System.out.println(sdf.format(date));
Output : 2008.07.18 14:29:20
That output time looks pretty darn close to what you are seeing.
So I would suggest that somewhere in your Splunk setup you probably have an index time "time transform" rule that is for whatever reason pattern matching heapCommitted="1216348160"
Damien D.
this is a very useful app, but I have a problem getting the memory data (I only tried the example config.xml) into splunk.
All the memory related attributes are added at 7/18/08 4:29:20.000 AM instead of today. The rest of the data is properly indexed and displayed in the dashboards. The only difference that I can see is that the Memory attributes are composites, so I tried removing all composite attributes and now the index date is correct but I still don't understand why.
this an example of a line that does not get indexed properly (output of poll_jmx.sh): host=myhost,jvmDescription="jonas",mbean="java.lang:type=Memory",heapCommitted="1216348160",nonHeapMax="243269632",nonHeapUsed="137309128",objectsPending="0",heapUsed="563289552",nonHeapCommitted="137723904",nonHeapInit="67272704",heapInit="536870912",heapMax="1216348160"
====> follow up on the reply of Damien (just above this post, I do not know how to reply on a post either...) It seems indeed that the indexer is desperately looking for a timestamp and "1216348160" looks good enough as a date for him! (then the indexer uses the last timestamp it "found" for the following events)
I added MAX_TIMESTAMP_LOOKAHEAD=1 to the [jmx] stanza in props.conf to prevent him from trying to look for any timestamp in the data and now everything works fine! thanks
Hi rjyetter,
I can't seem to reply directly in line to your post, hence this new post. Are you referring to Splunk as a whole or just the Splunk for JMX app ? I am not familiar with New Relic so I couldn't really offer an objective comparison.
Regards, Damien D.
Great product - we are using it to monitor our top tier applications. How does this compare to something like "New Relic?"
Awesome App - was able to use it to grab stats from Weblogic and provide my dev teams with an great insight into our applications without giving them admin!
Brian
Nice one!!
PS : don't forget to vote !
Great App! It is working fine, like +1
That's what I like to hear :)
Certainly.
With Websphere family products(App Server, ExtremeScale Grid...) and Weblogic , SPLUNK for JMX has the flexibility to be easily configured with the proprietary JMX client side jars from these vendors(I can't ship these), any additional command line options and custom JMX Service URLs.
In fact, if you can connect JConsole to WAS and Weblogic, then you should also be able to connect SPLUNK4JMX.
There's a bit of literature online, google "Websphere Jconsole" or "Weblogic Jconsole", useful for figuring out what jars are needed and what the format of the JMX URL should be. I tend to use JConsole or JRockit Mission Control when I am setting up SPLUNK4JMX config files to figure out what attributes and operations I am interested in Splunking.
You can also , at a simple level, declare JVM system propertys to enable remote JMX on the target Websphere/Weblogic app, and "bypass" their proprietary JMX implementation ie:
-Dcom.sun.management.jmxremote.port=34345 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false
This should give you access to the "java.lang" MBeans (memory, garbage collection, cpu, threading etc...).I used this approach for a customer with a Websphere ExtremeScale deployment, and also the Websphere mbeans were available.
This is actually a question I get quite a bit. In the next release of SPLUNK4JMX I am going to package a "how to" guide for later versions of WAS,Weblogic and JBoss , and also some example SPLUNK4JMX config files.
Most other JVM apps (Tomcat, Cassandra, Solr, Mule, Hadoop MR/Hbase etc...) are very trivial to connect to.
DD.
Can this same app be used against Websphere or Weblogic?
Asking the audience...would anyone like Jolokia support added in SPLUNK 4 JMX ?
Currently I have not added it because the Jolokia HTTP connector is not a JSR160 implementation and I already have 3 other HTTP connectors(soap, hessian, burlap by way of MX4J) implemented that are JSR160 compliant.
That being said, Jolokia is a very nice JMX adaptor with a few features above and beyond the JSR160 spec...so I'd be happy to consider integrating it if anyone wants it.
DD.
