Splunk Search

Corrupted fields problem

dunyaelbasan
Path Finder

I have a problem with the search below for the last 25 days:

index=syslog Reason="Interface physical link is down" OR Reason="Interface physical link is up" NOT mainIfname="Vlanif*" "nw_ra_a98c_01.34_krtti"

Normally the field7 values look like these:

Region field7 Date mainIfname Reason count
ASYA nw_ra_m02f_01.34pndkdv may 9 GigabitEthernet0/3/6 Interface physical link is up 3
ASYA nw_ra_m02f_01.34pldtwr may 9 GigabitEthernet0/3/24 Interface physical link is up 2

But recently they were like this:

00:00:00.599 nw_ra_a98c_01.34_krtti
00:00:03.078 nw_ra_a98c_01.34_krtti

I think the problem may be related to this:

It started to happen after the disk free alarm. (-Cri- Swap reservation, bottleneck situation, current value: 95.00% exceeds configured threshold: 90.00%. : 07:17 17/02/20)
Specifically, this is not about disk, it's about swap space: the application runs out of memory and then goes to swap. There was a memory increase before, but obviously it was insufficient, and it is switching to swap again.
I need to understand: ''Why do they use so many resources?''

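As an added example for the field7 problem described above (this is not code from the original thread), the following Python separates the normal device-name form of field7 from the recent timestamp-prefixed form, using the values quoted in the post. The regular expressions, the `parse_field7`/`summarize` helpers and the constructed sample list are my assumptions, since the raw events themselves are not on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Problematic form seen in the thread: a millisecond timestamp followed by
# the device name, e.g. "00:00:00.599 nw_ra_a98c_01.34_krtti".
# (Assumed shape; the raw events are not on the page.)
TS_PREFIX_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<host>\S+)$")

# Loose shape of a device name as it appears in the normal results,
# e.g. "nw_ra_m02f_01.34pndkdv". Assumed, not a Splunk-side rule.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass
class Field7:
    raw: str                  # value exactly as extracted
    host: Optional[str]       # device name recovered from the value, if any
    ts_prefix: Optional[str]  # timestamp that leaked into the field, if any
    corrupted: bool           # True when the value is not a plain device name


def parse_field7(value: str) -> Field7:
    """Classify one field7 value and recover the device name where possible."""
    value = value.strip()
    m = TS_PREFIX_RE.match(value)
    if m:
        # Timestamp leaked into the field: keep the host, flag the value.
        return Field7(value, m.group("host"), m.group("ts"), True)
    if HOSTNAME_RE.match(value):
        return Field7(value, value, None, False)
    # Anything else is unrecognised; flag it and recover nothing.
    return Field7(value, None, None, True)


def summarize(values: List[str]) -> Dict[str, object]:
    """Count normal vs corrupted values and list the device names recovered."""
    parsed = [parse_field7(v) for v in values]
    hosts = sorted({p.host for p in parsed if p.host is not None})
    return {
        "normal": sum(1 for p in parsed if not p.corrupted),
        "corrupted": sum(1 for p in parsed if p.corrupted),
        "hosts": hosts,
    }


# Constructed sample: the field7 values quoted in the post, plus one
# unrecognisable value to show the fall-through branch.
SAMPLE_FIELD7 = [
    "nw_ra_m02f_01.34pndkdv",
    "nw_ra_m02f_01.34pldtwr",
    "00:00:00.599 nw_ra_a98c_01.34_krtti",
    "00:00:03.078 nw_ra_a98c_01.34_krtti",
    "Interface physical link is up",
]

if __name__ == "__main__":
    for v in SAMPLE_FIELD7:
        print(parse_field7(v))
    print(summarize(SAMPLE_FIELD7))
```

The same split can be done at search time in Splunk with `rex` against field7, for example `| rex field=field7 "^(?<ts7>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?<host7>\S+)$" | eval field7=coalesce(host7, field7)`, but that only masks the symptom: the timestamp appearing inside field7 points to the event layout having changed, so the extraction defined for the sourcetype (the props.conf/transforms.conf being requested later in the thread) is where the real fix belongs.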

richgalloway
SplunkTrust

It's not clear what problem you're asking about. Is the problem with a Splunk search, your Ethernet interfaces, disk space, swap space, or memory use?

---
If this reply helps you, Karma would be appreciated.

dunyaelbasan
Path Finder

Specifically, my purpose is to fix the irrelevant values in my search results on the field7 side.
I've attached two screenshots for clarification.

richgalloway
SplunkTrust
SplunkTrust

Please share some sample events (not just field7) and the props.conf settings for the sourcetype.

---
If this reply helps you, Karma would be appreciated.

dunyaelbasan
Path Finder

I've attached the example events, one from the normal situation and one from the problematic situation.

https://drive.google.com/drive/folders/1IaswXnbWTORN0ES0NzL0ceDAHr4iIyS6?usp=sharing

Inside props.conf:

TRANSFORMS-ddos_routing = ddos_routing
TRANSFORMS-ddos_sourcetype_cloud = ddos_cloud
TRANSFORMS-ddos_sourcetype_host = ddos_host
TRANSFORMS-ddos_sourcetype_tms = ddos_tms
TRANSFORMS-ddos_sourcetype_profiled = ddos_profiled
TRANSFORMS-access_routing = access_routing
TRANSFORMS-access_sourcetype_switch = access_switch
TRANSFORMS-access_sourcetype_gpon = access_gpon
TRANSFORMS-access_sourcetype_router = access_router
