Version 1.0, 10 November 2015
These instructions are for the setup of the free splunk app called Monitoring of IBM Integration Bus V10+ Message flow stats (IIBMonFree) available from Square Bubble. We assume you have installed the app before you reached here.
We recommend you read all the instructions before you start the install. Items in quotes such as 'this' are labels that appear literally as directed.
To ensure you have installed the app, navigate to the landing page. This can be done using the one of the following methods
It is a good idea to bookmark the landing page as you will return to it many times and it also contains a lot of very useful information and links.
In this guide we will cover a basic setup where the Splunk app will directly connect to the IBM Integration Bus embedded MQTT Server and an advanced setup where data will pass through an intermediary.
This diagram shows a basic setup:
To set this up, you need to enable the flow stats to be sent via the embedded MQTT server and enable the MQTT server to listen on an interface that the splunk server can connect to.
By default, we found that the MQTT server is configured to listen on the loopback address (127.0.0.1). Unless you are running splunk on the same server, you need to change the bind address in the file /var/mqsi/components/nodename/config/nodename. To listen on all interfaces set this to 0.0.0.0, otherwise choose the appropriate interface. Then restart the server with the commands:
mqsichangeproperties nodename -b pubsub -o MQTTServer -n enabled -v false
mqsichangeproperties nodename -b pubsub -o MQTTServer -n enabled -v true
On linux, you can also check this is running using the ps command as follows:
[...]$ ps -ef | grep bipMQTT
To work out what port the MQTT server is listening on, use the following command:
mqsireportproperties nodename -b pubsub -o MQTTServer -n port
If you haven't already, you will need to switch on message flow data by using the following command:
mqsichangeflowstats nodename -s -g -j -c active -o json
The above commands should be run from a member of the mqbrkrs group.
To get the data into splunk,
There are a number of options to setup access to facilitate a variety of deployment models, largely to be used where the splunk server is unable to connect to the IIB Server. This may be as a result of networking or security policies. There are 2 intermediaries that can be used (and combined), which include:
The main difference between the two options above is that the Splunk forwarder can be chained (i.e. can be deployed in multiple intermediaries), whereas IIBMonFreeX cannot. We do however recommend the use of IIBMonFreeX as this will not incur any additional license costs.
This diagram shows a possible deployment using IIBMonFreeX
Splunk heavy forwarders are instances of Splunk enterprise that simply forward data. They can be used to overcome networking constraints that prevent a direct connection. In our app, they can be deployed as follows:
To enable this deployment, you need to:
You then need to set up the data input on the intermediary as defined in the basic setup. This is only required to be done on the Splunk forwarder that needs to connect to the MQTT server.
This diagram shows a deployment using both IIBMonfreeX and a Splunk heavy forwarder. This would be applicable where no incoming connections to the MQTT server are permitted and the IIB server does not have connectivity to the Splunk server.
The instructions for setting up this deployment are contained in the previous sections.
To see the data, return to the landing page and select 'Dashboards' | 'Overview Of Message Flow Volumes'. The data should appear here. You can change the time period being displayed at the top of the dashboard, remember to press the 'Submit' for any change to take effect
In addition to the overview dashboard, there are dashboards that allow you to drill down into the number of messages by:
These are available from the landing page and allow further drill down of the data, as well as the time period