All Topics

Hi Folks, does anyone have an idea of files with the extension (dot).lock? Thanks
Hi, let's say we have events with _raw data like this:

<XY>aaa,bbbb,priority,high<XY>aaa,bbb,login,failed<XY>aaa,bbb,user,johndoe<XZ>

The events can include a random amount of this pattern. Is it possible to create an automatic field extraction to get:

priority = high
login = failed
user = johndoe

So position 3 of the pattern should set the field name while position 4 sets the value. Thanks in advance
Please note that I want the JSON path expression and want to break this before ingesting it into Splunk, not use spath after ingesting the JSON.

[
  { "ticket_id":"423535", },
  { "ticket_id":"422946", },
  { "ticket_id":"272791", },
  { "ticket_id":"240391", },
]

Break it as:

Event 1: { "ticket_id":"423535", }
Event 2: { "ticket_id":"422946", }
Event 3: { "ticket_id":"272791", }
Event 4: { "ticket_id":"240391", }
I have several service templates which are in the status of "Sync Scheduled". I've left them for some time with no change. What troubleshooting steps can I take? I.e.:

How can I find out when they are scheduled to sync?
How can I force a sync?
How can I see any sync errors? (I think I know this, but for completeness...)
What are the common causes of service templates not syncing promptly?
What is the expected time to wait before they sync?
Syslogs are sent on UDP port 514 towards syslog-ng. But we have experienced that if TCP port 514 is not working/not open, syslogs are not transferred. As soon as TCP is fixed, syslogs start transferring and validation is successful! Can someone explain why it is like this/how this works?
Hi, I am trying to monitor the Microsoft-Windows-Shell-Core/AppDefaults directory. I tried adding it to Splunk_TA_windows by adding an input stanza in inputs.conf looking like:

[WinEventLog://Microsoft-Windows-Shell-Core/AppDefaults]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=test_windows

But no data is indexed. I also tried [WinEventLog:Microsoft-Windows-Shell-Core/AppDefaults], which makes no difference. Data is displayed within the Event Viewer. Since it's a non-default input channel, I assume there is no default channel in Splunk_TA_windows? Any help is appreciated. Thank you, David
Does anyone know the plan to support Python 3 in Splunk 8.x? I assume everyone wants to use apps in Splunk 8.x. Thanks, Satoshi
Hi, is there a search in Splunk which I can run from the search head that will show me all Splunk Enterprise devices?
Hi,  We have a dashboard that gains data from many of our health rules and counters which are working and reporting properly but when accessing reports, we get the errors below: In server log can be found (but we're not using EUM!): [#|2020-01-27T08:23:15.248+0100|INFO|glassfish 4.1||_ThreadID=786;_ThreadName=Thread-10;_TimeMillis=1580109795248;_LevelValue=800;|08:23:15.248 [__ejb-thread-pool6] DEBUG com.appdynamics.eum.client.EUMClient - Request failed: com.appdynamics.eum.rest.client.exception.UserErrorClientException: ApiError: requestId=null httpStatus=401 apiErrorCode=UNAUTHORIZED userMessage='Credentials are required to access this resource.' additionalInfo=[null] at com.appdynamics.eum.rest.client.ClientErrorHandler.apiErrorToClientEx(ClientErrorHandler.java:138) at com.appdynamics.eum.rest.client.ClientErrorHandler.parseHttpEx(ClientErrorHandler.java:151) at com.appdynamics.eum.rest.client.ClientErrorHandler.wrapException(ClientErrorHandler.java:110) at com.appdynamics.eum.rest.client.ClientErrorHandler.wrapException(ClientErrorHandler.java:101) at com.appdynamics.eum.rest.client.RestClient.logAndWrapIntoClientException(RestClient.java:384) at com.appdynamics.eum.rest.client.RestClient.getWithAuth(RestClient.java:93) at com.appdynamics.eum.client.EUMClient.getLicense(EUMClient.java:834) -------------------- js-lib-body-concat.js:120 $transition is now deprecated. Use $animate from ngAnimate instead. (anonymous) @ js-lib-body-concat.js:120 :8090/controller/auth?action=login:1 Failed to load resource: the server responded with a status of 499 (CUSTOM) js-lib-body-concat.js:120 06:17:08 | WARN | GLOBAL_LOGGER | MainDashboardControllerBase.getSelectModePreference Warning: Pseudo abstract method invoked. (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:17:08 | WARN | GLOBAL_LOGGER | MainDashboardControllerBase.setSelectModePreference Warning: Pseudo abstract method invoked. 
(anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:17:08 | ERROR | GLOBAL_LOGGER | Flowmap permissions not being retrieved; using defaults (anonymous) @ js-lib-body-concat.js:120 apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) js-lib-body-concat.js:120 06:17:16 | WARN | GLOBAL_LOGGER | MainDashboardControllerBase.getSelectModePreference Warning: Pseudo abstract method invoked. (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:17:16 | WARN | GLOBAL_LOGGER | MainDashboardControllerBase.setSelectModePreference Warning: Pseudo abstract method invoked. (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:17:16 | ERROR | GLOBAL_LOGGER | Flowmap permissions not being retrieved; using defaults (anonymous) @ js-lib-body-concat.js:120 apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) :8090/controller/#/location=APP_EVENT_VIEWER_MODAL&timeRange=Custom_Time_Range.BETWEEN_TIMES.1580274943887.1580273143887.30&application=69&eventSummary=212136564&dbMonitoringMode=false:1 Autofocus processing was blocked because a document already has a focused element. 
:8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested 
resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: PIE (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: null (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 06:57:59 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: null (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 07:07:01 | WARN | GLOBAL_LOGGER | MainDashboardControllerBase.getSelectModePreference Warning: Pseudo abstract method invoked. (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 07:07:01 | WARN | GLOBAL_LOGGER | MainDashboardControllerBase.setSelectModePreference Warning: Pseudo abstract method invoked. 
(anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 07:07:01 | ERROR | GLOBAL_LOGGER | Flowmap permissions not being retrieved; using defaults (anonymous) @ js-lib-body-concat.js:120 apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) :8090/controller/restui/event_reactor/create:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 07:45:47 | ERROR | GLOBAL_LOGGER | Server error: At least one action has to be set (anonymous) @ js-lib-body-concat.js:120 apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal 
Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server 
error: No active user found for the requested resource, widgetType: PIE (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: null (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: null (anonymous) @ js-lib-body-concat.js:120 :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:09:21 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 apm.luxmed.pl/:1 Failed to load resource: the server responded with a status of 404 (Not Found) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 08:27:50 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed 
to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/widgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: TIMESERIES_GRAPH (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: PIE (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: null (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | 
GLOBAL_LOGGER | Server error: No active user found for the requested resource, widgetType: null (anonymous) @ js-lib-body-concat.js:120 :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) :8090/controller/restui/dashboards/healthListWidgetData:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120 js-lib-body-concat.js:120 08:27:51 | ERROR | GLOBAL_LOGGER | Server error: No active user found for the requested resource (anonymous) @ js-lib-body-concat.js:120
We have a few different requirements.

i) Upload multiple (buckets) TB of legacy standalone buckets to an index that has already been migrated to the remote store.
ii) Upload a few legacy standalone buckets to an index after it has already migrated.
RHEL is logging the following BUG messages about splunkd. What is causing the messages below, and is it possible to get rid of them?

[1727668.161046] BUG: Bad page state in process splunkd pfn:8f4dff
[1727668.161179] BUG: Bad page state in process splunkd pfn:8f4dff
[14504.793522] BUG: Bad page state in process splunkd pfn:5fe7ff
[23422.728374] BUG: Bad page state in process splunkd pfn:7fb9ff
[23715.520026] BUG: Bad page map in process splunkd pte:80000007fb9ff867 pmd:9e2bfa067
[23716.559558] BUG: Bad rss-counter state mm:ffff90cacf603e80 idx:1 val:1
[35263.003389] BUG: Bad page state in process splunkd pfn:104e5ff
[35263.013216] BUG: Bad page state in process splunkd pfn:104e5ff
[35263.345612] BUG: Bad page map in process splunkd pte:800000104e5ff867 pmd:1c1364f067
[35424.226028] BUG: Bad rss-counter state mm:ffff90cad47692c0 idx:1 val:1
[41421.719447] BUG: Bad page state in process splunkd pfn:184d5ff
[41900.738755] BUG: Bad page map in process splunkd pte:800000184d5ff867 pmd:8557fa067
[41900.908281] BUG: Bad rss-counter state mm:ffff90cad2478000 idx:1 val:1
[69954.896470] BUG: Bad page state in process splunkd pfn:14547ff
[70469.640548] BUG: Bad page map in process splunkd pte:80000014547ff867 pmd:204ffb0067
[70469.857925] BUG: Bad rss-counter state mm:ffff90cad476d780 idx:1 val:1
[298884.607524] BUG: Bad page state in process python pfn:7fb9ff
[2350298.243523] BUG: Bad page map in process splunkd pte:80000005fe7ff867 pmd:c523f2067
[2350298.349462] BUG: Bad page state in process splunkd pfn:5fe7ff
[2350302.811096] BUG: Bad rss-counter state mm:ffff90cacf20be80 idx:1 val:1
[31342.326253] BUG: Bad page state in process splunkd pfn:8e11ff
[31342.326457] BUG: Bad page state in process splunkd pfn:8e11ff
[31342.716486] BUG: Bad page map in process splunkd pte:80000008e11ff867 pmd:1ecb3cf067
[31408.697173] BUG: Bad rss-counter state mm:ffff8880946da580 idx:1 val:1
Access the Splunk dashboard from an external page: if I am using some application's web page and I click a button, it should navigate to the Splunk HTML version of the dashboard without asking for Splunk credentials. Please help with this.
Hi, I can't see any contact details, but I just noticed the app https://splunkbase.splunk.com/app/4761/ has a spelling mistake in the description in the overview:

"Cisco Threat Response Add-On for Splunk provides a custom search command allowing users to query Cisco Treat Response for targets and verdicts from observables within a Splunk instance."

"Treat" I am pretty sure should be "Threat". David
I have the below query to calculate events not reporting for the last 24 hours. I want to calculate the difference between the current time and the last event time and then display the difference in days. This is the query I have. Somehow the diff field is empty. Please help.

| metadata type=sourcetypes index=*
| search sourcetype!=*too_small
| where lastTime < (now() - 86400)
| convert ctime(lastTime) as Last_Time timeformat="%Y/%m/%d %H:%M"
| eval diff=tostring(now() - Last_Time,"duration")
| fields sourcetype Last_Time diff
| sort -Last_Time
We have been using daily CSV exports from our "X" monitoring servers that we then display on our performance board each morning. The "X" server runs an export of current tickets at 06:30 each morning, which is exported to a CSV in a location monitored by Splunk. Recently, the records have been indexed at inconsistent times, causing issues with our graphs. Although the report always runs at 06:30, some records are not being indexed until 12:00 the same day.

Note: the CSV files are consistently created at 06:30 and then not touched until they're rotated out after 7 days.

E.g. 34 events are indexed at 06:30 every day and 8 events are being indexed at 12:00 the same day. When further analysed, we noticed fields were truncated for one of those 8 events, so we tried adding truncate = 0 in props.conf and could see all fields being indexed correctly; however, we are still facing issues with the timestamp for those 8 events. Could anyone please help or guide me to resolve this timestamp issue? Thanks in advance.

The props below are deployed to the HF and UF (note: we are not deploying any configs to our indexers):

[sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured
FIELD_DELIMITER=,
disabled=false
pulldown_type=true
In my indexers' inputs.conf we have the standard stanza in place for receiving inbound logs from forwarders.

[splunktcp://9997]
disabled = 0

Am I able to add additional stanza(s) to the inputs.conf so I can properly identify and index logs that are being sent via syslog to the indexer (because the logs belong to SaaS or an appliance that can't have a forwarder installed)? I.e.:

[tcp://10.1.1.1:9997]
index=windows
source=10.1.1.1

Thanks
The lookup cache has been generated with a 90-day baseline before Search 2, in which the "dest" field is not null for any user, and the "dest" field is expected not to be null at any time. Then later, it is saved as a report and scheduled to run every hour (Query 2).

Search 1:
index=x
| stats count earliest(_time) as firstTime latest(_time) as lastTime last(dest) as new_dest by user
| outputlookup test.csv

Search 2:
index=x
| stats count earliest(_time) as firstTime latest(_time) as lastTime last(dest) as new_dest by user
| inputlookup append=t test.csv
| eval destination = coalesce(new_dest,dest)
| stats min(firstTime) as firstTime, max(lastTime) as lastTime values(destination) as Destination by user
| outputlookup test

So the issue is, when it runs for the last hour, the "dest" field in the lookup gets updated only for users who were seen in the last hour, and "dest" becomes null for the rest of the users after appending. So the need is to retain the old "dest" values for users who have not been seen in the last hour. I don't see any issue with the "_time" fields.
Hi all, I have a requirement to upgrade the Splunk forwarder from 7.1 to 7.3.3. I will use SCCM to upgrade to 7.3.3. Experts, please help me with the silent string, without the reboot option, to perform the upgrade.
Whenever my results have more than 2 numbers, like in 29-01 OB or 03-02 CS/OB, the data is not presented.
Best way to alert on a new source file for a specific sourcetype? Bonus points if we can include the parent directory where the source file is located.

An appliance called "AWS Elemental Live" that encodes and streams video creates a new directory and a set of logs for every scheduled event. Something like this:

# ls -l /opt/elemental_se/web/log/10000/job_2035/
total 120
-rw-rw-r-- 1 elemental apache 36168 Jan 28 00:55 20200128T005500_emecmd.xml
-rw-rw-r-- 1 elemental apache 44368 Jan 28 02:05 20200128T005501_eme.log
-rw-rw-r-- 1 elemental apache 32955 Jan 28 02:05 20200128T005501_eme_ve.log
-rw-rw-r-- 1 elemental apache 2618 Jan 28 02:04 20200128T005501_ingest_2046.log

How do I create an alert whenever that happens? The alert ideally should be something like this: Splunk is reporting that "job_2035" has started recording on $host$ ... (then I could try to also alert on the end of the recording if I could figure out how).

(I haven't found unique or common enough events in those logs, "recording started" or some such, that I could alert on rather than on the source file creation. So the alert condition must be the fact of a new source file being created.) Thanks!