Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About juniormint
juniormint
Communicator
Member since:
05-31-2013
06-05-2020
Community Statistics
| Posts | 82 |
| Solutions | 6 |
| Karma Given | 19 |
| Karma Received | 18 |
| Member Since | 05-31-2013 |
Activity Feed
- Karma Re: efficient search to retrieve information about user sessions with errors for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Can I specify different authentication mechanisms for the Web UI and Admin port? for martin_mueller. 06-05-2020 12:47 AM
- Got Karma for Re: Who do saved scheduled searches run as?. 06-05-2020 12:47 AM
- Got Karma for Re: Who do saved scheduled searches run as?. 06-05-2020 12:47 AM
- Got Karma for Who do saved scheduled searches run as?. 06-05-2020 12:47 AM
- Got Karma for Who do saved scheduled searches run as?. 06-05-2020 12:47 AM
- Karma Re: How to edit authentication.conf via Rest (round 2)? for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: How can I generate a list of users and assigned roles? for somesoni2. 06-05-2020 12:46 AM
- Karma Re: How does role composition work? for lguinn2. 06-05-2020 12:46 AM
- Karma Re: how can I get the value of a user embedded field named "index"? for yannK. 06-05-2020 12:46 AM
- Karma Re: index time transform covering multiple destination indexes for yannK. 06-05-2020 12:46 AM
- Karma Re: How can I purposely duplicate events to multiple indexes? for ShaneNewman. 06-05-2020 12:46 AM
- Karma Re: How to build a tranform which applies to a events with a field value found in a provided list for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: How to I trigger reload of authentication configuration programmatically? for MuS. 06-05-2020 12:46 AM
- Karma Re: How can I set host for TCP input to deploy client machine? for grijhwani. 06-05-2020 12:46 AM
- Karma Re: Is there a search or other way to easily list the indexes I am permissioned to search? for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: Can I edit authentication.conf via rest? for MuS. 06-05-2020 12:46 AM
- Karma Re: Can you uninstall the universal forwarder from a script? for antlefebvre. 06-05-2020 12:46 AM
- Karma Re: Can you override host for an input? for chris. 06-05-2020 12:46 AM
- Karma Re: Can the universal forwarder route based on field found in the log message? for kristian_kolb. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-11-2014
06:31 AM
I would like to generate a plot of cpu utilization over time. I have some permon events coming in that look like
02/11/2014 09:21:04.315
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=0.0084302548057690885
and so I can easily enough write the following search
source="perfmon:cpu" | timechart span=15m avg(Value) as CPU
The problem I perceive is that I think permon:cpu is an instantaneous value. If so then the rate at which the agent reports sends updates (or events) sets a minimum detectable load. Basically I'm saying that if I am only getting a cpu event every 5 min, then chances are I would never see a 30sec spike in cpu utilization. I could just up the cpu event rate to someting like 10 sec (to detect 30 sec spikes), but I am wondering if there is another approach that will not involve increasing the number of cpu events dramatically?
... View more
11-26-2013
08:06 AM
Upvoting because @lguinn's comments seem very relevant...and probably accurate
... View more
11-26-2013
08:05 AM
@lguinn: Am I missing functionality or approaches that handle large numbers of sources with different access groups better?
... View more
11-26-2013
05:13 AM
@lguinn: It's a balance though. My use case is that I will have many sources (>500), each with potentially different and overlapping sets of users with search access.
The daily data rate for each source is between 0 and about 10000 events.
Generally, events are only relevant for a day or two...so historical searches are the exception.
Should I really set up 500 indexes? Or would one index with all of the sources be better?
... View more
11-25-2013
07:17 PM
User1 filter (source=XYZ_App1 OR source=XYZ_App2)
User2 filter (source=* OR source=XYZ_App1)
User3 filter (source=XYZ_App1 OR source=123_test)
User4 filter ((source=XYZ_App1 AND ERROR) OR (source=123_test AND INFO))
Applied to whatever combined set of indexed the roles can search.
... View more
11-22-2013
12:35 PM
1 Karma
Yes. $1 will contain the value inside the parenthesis.
... View more
11-22-2013
12:33 PM
1 Karma
http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data.27s_input
I think the index and forward option is what is shown on this page
... View more
11-22-2013
12:26 PM
http://docs.splunk.com/Documentation/Splunk/6.0/Security/Aboutusersandroles#How_users_inherit_search_filter_restrictions
I read the blurb above, but still find myself with questions.
Not using inheritance, but rather composition.
What would I expect to happen if:
Role A : gives search on index XYZ, with search filter "source=XYZ_App1"
Role B : gives search on index XYZ, with search filter "source=XYZ_App2"
Role C : gives search on index XYZ, with no search filter
Role D : gives search on index 123, with search filter "source=123_test"
Role E : gives search on index XYZ, with search filter source=XYZ_App1 ERROR
Role F : gives search on index 123, with search filter source=123_test INFO
User1 is assigned Role A and Role B
User2 is assigned Role A and Role C
User3 is assigned Role A and Role D
User4 is assigned Role E and Role F
What will the effective search filter be for these users?
Any advice in the way of gotchas around composing roles?
... View more
11-20-2013
06:36 AM
That is great and would work for my stated problem...I think. What is the index and forward option?
... View more
11-19-2013
07:13 PM
I'm interested in both approaches..can you point me at relevant doc pages? or provide an example?
... View more
11-19-2013
02:07 PM
I realize this will incur twice the license usage...but lets ignore that fact for a moment.
How can I get an event into two indexes?
My events are coming from a universal forwarder with a default index of "ABC" and source="XYZ".
On the indexer I have indexes "ABC" and "DEF".
What I would like is to send all source XYZ events to the ABC index and a subset to DEF.
... View more
- Tags:
- multiple-indexes
11-19-2013
09:43 AM
Will $1 still contain the field value?
... View more
11-19-2013
08:16 AM
I have a index time transform which is a bit loose in what it matches. I would like to limit it to a whitelist of indexes that I want to match against. I would very much appreciate your help with creating a clean regular expression to achieve the goal.
So I think I want REGEX = match any event with a embedded field of the form index="SomeIndexName" where SomeIndexName in (App1,App2,App3).
My current transform
[MyTransform]
REGEX=.index="(.?)"
DEST_KEY=_MetaData:Index
FORMAT=$1
CLEAN_KEYS
MV_ADD=0
... View more
11-04-2013
05:53 PM
@gkanapathy gave what seems to me the simplest, performant answer, so thanks! Love all the other answers too with diff takes on it.
... View more
11-04-2013
05:50 PM
For my purposes this seems like the simplest and it is very quick to return. Thanks! @gkanapathy
... View more
10-24-2013
06:11 AM
3 Karma
I have a multiple index system where some roles can search some indexes and other roles other indexes. My personal user has several roles with access to multiple indexes. There are enough of them that I sometimes want to review the list for reference.
Is there a search or some other nice way to the list of indexes I am allowed to search?
... View more
09-26-2013
01:12 PM
does the order of listing them matter? should it be
[mysourcetype] TRANSFORMS-index_routing = MyTransform, MyTransform_all
... View more
09-26-2013
08:18 AM
2 Karma
I have events with a field that contains a desired destination index (see index=* below).
[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=jumbled message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"
I'm currently using a transform like the following, and it works quite well to get events into their correct index.
[MyTransform]
REGEX = .*index="(.*?)"
DEST_KEY = _MetaData:Index
FORMAT = $1
At least most of the time. Occasionally an event arrives whose index field names an index which doesn't exist (either because the name is wrong or I forgot to create the index). In this case the above transform appears to simply generate an error in the internal index and otherwise drop the data.
Is there another way to do this that would drop messages which failed match an existing index into some catch all index of my choosing?
Something like FORMAT if ($1).exists $1 else myDefaultCatchAllIndex
... View more
08-28-2013
06:56 PM
I have a dedicated machine for my splunk forwarder configuration deployment server. I would like to send the deployment related logs to another Splunk instance which serves as my indexer/search node.
Any idea how to do this?
... View more
- Tags:
- deployment
- forwarding
08-28-2013
06:48 PM
The problem is that connections from the same machine (localhost) would not appear as the hostname from dns. It happens to be the case that all connections to this input are from localhost, so the following is an acceptable solution.
[tcp://12345]
connection_host = none # you need this
sourcetype = log4j
source = mysource
host = $decideOnStartup # and this
... View more
08-21-2013
05:37 AM
Seems like this is what I am seeking
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsc
host =
If set to '$decideOnStartup', will be interpreted as hostname of executing machine;
such interpretation will occur on each splunkd startup. This is the default.
... View more
08-21-2013
05:27 AM
I am not quite following. My guess is that that what I have above in my app will use the host data of what is connecting to the TCP input. What I want is to override and use the hostname of the forwarder.
I get that I can do the following and the host field will be set to "THISMACHINE" but what I want is something like host = %HOSTNAME%. Is is possible to do this?
[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE
... View more
08-20-2013
07:31 PM
forgot to mention these are windows machines
... View more
08-20-2013
07:29 PM
I'm using the configuration deployment server to manage a bunch of forwarders. One of the apps that they get has inputs.conf with a stanza like this
[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
I would like to do something to override the host to the forwarder machine address, but don't know if its possible. How would do this? Seems like it should be accessible since its effectively a constant.
[tcp://12345]
connection_host = dns
sourcetype = log4j
source = mysource
host = THISMACHINE
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
Karma given to
