All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hadoop Monitoring:How to get field extraction on index=hadoopmon_metrics?

ThomasControlwa
Path Finder
‎02-27-2018 01:23 AM

Hi @ all,
we'll test the Hadoop Monitoring APP.
- installation is complete, got events in 2 index, like hadoopmon_os & hadoopmon_metrics.
- the index hadoopmon_os seams to work correctly (shows "interested fields")
- the index hadoopmon_metrics got RAW events but without interested fields

samle of inputsconf of the Forwarder installation
for index hadoopmon_metrics
hadoopmon_metrics

# [monitor:///hadoop/logs/hadoop/hdfs/hadoop-hdfs-namenode*.log]
# index = hadoopmon_metrics
# sourcetype = hadoop_namenode
# disabled = 0
# [monitor:///hadoop/logs/hadoop/hdfs/hadoop-hdfs-namenode*.out]
# index = hadoopmon_metrics
# sourcetype = hadoop_namenode
# disabled = 0

Scripted inputs for index hadoopmon_os works fine
Has someone an idea to got fields / extraction of RAW data?

thanks in advance

0 Karma
Reply

mayurr98
Super Champion
‎02-27-2018 03:44 AM

if you are using app then it is in opt/splunk/etc/apps/maprops/default
Well, I Installed Hadoop monitoring app on my local system, and there are no field extractions for the mentioned sourcetypes. So you need to extract it manually. There are field extractions only for OS scripted inputs.

let me know if this helps!

Reply

ThomasControlwa
Path Finder
‎02-27-2018 05:08 AM

I downvoted this post because not helpful, because it doesn't make sense when i'm looking for using the preinstalled frondend. there searches like

[yarn top user]

index=hadoopmon_metrics sourcetype=hadoop_resourcemanager appid=*| top limit=20 user

[yarn success rate]

index=hadoopmon_metrics sourcetype=hadoop_historyserver user=* | eval elapsedtime = finishtime - submittime| table jobname queue user nummaps numreduces status elapsedtime

etc

0 Karma
Reply

mayurr98
Super Champion
‎02-27-2018 05:30 AM

You are looking for a saved search that you will find in /opt/splunk/splunk/etc/apps/maprops/default/savedsearch.conf
in which they have defined display.events.fields = ["host","source","sourcetype","APPID","CONTAINERID","OPERATION","RESULT","USER","TARGET"]

And you should not downvote the post unless it harms your system.
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma
Reply

mayurr98
Super Champion
‎02-27-2018 05:40 AM

Also, does your raw data contains key-value pair i.e. user=value? if it does then Splunk schema automatically extracts key-value pairs.

0 Karma
Reply

ThomasControlwa
Path Finder
‎02-27-2018 05:40 AM

thanks for the TIP,
so I agree that the saved search is there,
but why the following line doesn't work?

index=hadoopmon_metrics sourcetype=hadoop_resourcemanager appId=* | top finalStatus

when I' looking for "index=hadoopmon_metrics sourcetype=hadoop_resourcemanager" there no field extractions just like "appId"

do you have data in your test inv?
cheers, and so sry for downvoting

0 Karma
Reply

mayurr98
Super Champion
‎02-27-2018 05:45 AM

No, I do not have sample data for this, are you running index=hadoopmon_metrics sourcetype=hadoop_resourcemanager in verbose mode?
I am quite sure you are running it in fast mode where you mostly will not see all the fields.
Below time picker can you see three modes? verbose mode will give you all the fields.

0 Karma
Reply

ThomasControlwa
Path Finder
‎02-27-2018 05:50 AM

yes runs in verbose mode, and use environment data of hadoop (just a other team)

0 Karma
Reply

ThomasControlwa
Path Finder
‎02-27-2018 05:56 AM

you are right, there no data with this key-value pair i.e. user=value

many thanks for your support!

0 Karma
Reply

ThomasControlwa
Path Finder
‎02-27-2018 03:36 AM

where i can find the props.conf for sourcetype like:
# hadoop_datanode
# hadoop_namenode
# hadoop_historyserver

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...