Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About splunker12er
splunker12er
Motivator
Member since:
03-11-2014
06-07-2022
Community Statistics
| Posts | 307 |
| Solutions | 14 |
| Karma Given | 65 |
| Karma Received | 53 |
| Member Since | 03-11-2014 |
Activity Feed
- Got Karma for Re: Heavy Forwarder Costs and Licenses. 06-14-2024 07:54 AM
- Karma Has anyone seen this Error message: Monotonic time source didn't increase; is it stuck? for tywhite. 06-05-2020 12:49 AM
- Karma Re: Search head cluster failure with 2 of 3 nodes - Can the user access Search head ? for tiagofbmm. 06-05-2020 12:49 AM
- Got Karma for Re: How to monitor log files from /tmp/folder_name with a Universal Forwarder?. 06-05-2020 12:49 AM
- Got Karma for Re: Nothing gets indexed for unknown reason. 06-05-2020 12:49 AM
- Got Karma for Re: Is there SPL to hard code search mode?. 06-05-2020 12:49 AM
- Got Karma for Re: Is there a way to use some sort of regular expression with field aliases?. 06-05-2020 12:49 AM
- Got Karma for Re: How to get the difference between 2 queries?. 06-05-2020 12:49 AM
- Got Karma for Re: strptime for a existing time field in lookup table and adding new time field (_time) in the same lookup table. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: What is this (search_startup_time) field in _audit index ?. 06-05-2020 12:49 AM
- Got Karma for Re: Advantages of rolling over warm bucket to cold bucket.. 06-05-2020 12:49 AM
- Got Karma for Re: How to setup auto search based on login name?. 06-05-2020 12:49 AM
- Got Karma for Re: Alert if Fortigate and Clearpass events match. 06-05-2020 12:49 AM
- Karma Extract a field using rex for davidda. 06-05-2020 12:48 AM
- Karma Why am I getting "bucket not serviceable" errors on an indexer cluster master and replication is failing for some buckets? for austinament. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-10-2015
11:15 PM
Did u tried something like this , in your search query,
your_search_to_filter_bad_login_attempt| stats values(_raw) by _time
Or
your_search_to_filter_bad_login_attempt| table field1, field2, field3
... View more
06-10-2015
11:11 PM
Can you able to search for the logs in search head ? did u take a look at the sourcetype ?
Did u try to validate your inputs.conf & outputs.conf ?
Provide more info. to locate the issue
... View more
06-10-2015
11:07 PM
Hello,
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/your_app/local
You can set any number of attributes , (please refer to the link, http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports) and values following an input type. If you do not specify a value for one or more attributes, Splunk uses the defaults that are preset in $SPLUNK_HOME/etc/system/default/ (noted below).
... View more
06-10-2015
11:01 PM
Is this actually due to the hosts haven't forward any data for indexing ? So license_usage.log file doesn't contain any events during the time-range ?
... View more
06-10-2015
10:57 PM
Thanks for the reply.
Actually , I do see the trend map of the license_usage.log for more than 2 months. (retention policy has been extended)
Time range : April to Jun
I see missing values/blank in between the range.
... View more
06-09-2015
07:51 PM
2 Karma
Add CLI inputs:
./splunk add udp 161 -sourcetype name_of_your_sourcetype
Add inputs via Splunkweb:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SyslogTCP
UDP
[udp://<remote server>:<port>]
<attrbute1> = <val1>
<attrbute2> = <val2>
...
This type of input stanza is similar to the TCP type, except that it listens on a UDP port.
Further reference:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SendSNMPeventstoSplunk
... View more
06-09-2015
07:47 PM
1 Karma
To analyze Windows logs , I would suggest you to install 'Splunk universal forwarder' (http://www.splunk.com/en_us/download/universal-forwarder.html#) choose your os version and type appropriately.
Continue the installation , and it prompts you to monitor for several logs, files , etc.
Configuration , Installation , forwarding, receiving, docs - FYR
http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Setupforwardingandreceiving
http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Configureforwarderswithoutputs.confd
http://docs.splunk.com/Documentation/Splunk/6.2.3/Updating/Exampleaddaninputtoforwarders
... View more
06-09-2015
07:30 PM
just for info., we don't see any connectivity failure between splunk and hosts
... View more
06-09-2015
07:08 PM
I have a Splunk license usage report scheduled on a monthly basis, (usage by host on a daily basis)
Usage details per host:
index=_internal source=*license_usage.log* type=Usage
| eval s=if(s=="","unknown",s)
| eval h=if(h=="","unknown",h)
| timechart span=1d sum(b) AS volume_b by h
Great. Here, I am able to get the Splunk License usage consumption per host on a daily basis, but I do see for some days, the values are blank (neither '0'). Does this mean:
The hosts haven't connected to the license master ?
The hosts haven't sent any logs to the indexer for indexing ?
Your kind reply is much helpful.
Thanks.
... View more
05-13-2015
08:49 PM
I have configured a firewall device (Cisco) to send logs to my splunk indexer .
I receive events in the device timezone (Eg: Timezone : JST (Japan) each events have timestamp)
I am searching events in splunk search head (indexer,search head in UTC Timezone). say Last 15 min -- which means splunk server time last 15 min. i.e. UTC . where i will not see the device logs here.
Later I re-configure my cisco device to UTC timezone.
Now , I can search logs for the device in UTC timezone.
Does the older logs in JST time is still remains in same format (JST) OR it configures to UTC timezone ?
... View more
03-10-2015
10:31 PM
Thanks,. Any advise on the forwarder settings ?
... View more
03-10-2015
09:18 PM
yes, same issue .
Cause 1:
I found from metrics.log and found index queues status is blocked. Forwarder is sending too much of data (suggest a best practice to overcome this..)
Cause 2:
Adding more CPU core would resolve this ?
... View more
03-10-2015
09:14 PM
Any advise on my doubt is much appreciated.
... View more
03-10-2015
09:11 PM
Yes. I found the issue due to IO.
Instead of adding one more indexer to my deployment , can i increase the CPU cores & storage in the existing indexer ?
Will that help to resolve the issue ?
(because , if i add one more indexer, i have to setup distributed search , where in my case indexer & search head is the same server and not too many users for searching.)
... View more
03-05-2015
06:46 PM
I am monitoring some 10 logs files (all the files are continuously open for writing cisco-asa logs)
out of 10 , only 3 files i can able to search in Search head -
I see in heavy forwarder -splunkweb , the below Warning :
Tcp output pipeline blocked. Attempt '300' to insert data failed
Is this due to huge volume of dat being monitored and splunk is unable to forward the logs to indexer for indexing ???
... View more
03-05-2015
06:23 PM
I am using a Heavy Forwarder to monitor cisco-asa logs.
I have 10 cisco-asa firewalls, writing their logs to 10 different syslog files (using syslog log server Eg: 10.0.0.1.log , 10.0.0.2.log ,etc)
I am monitoring all the files, using inputs.conf (monitor stanza)
Only 3 devices logs are monitored. I am unable to search the other logs from the search head.
I'm seeing the error below on the heavy forwarder -splunkweb (Tcp output pipeline blocked. Attempt '1400' to insert data failed.)
Files are continually open for writing. Files grow to a certain size and then roll to .tgz format. New files are open for writing.
... View more
03-04-2015
11:28 PM
Case:
I am gathering logs from a cisco-asa and writing them to a log file . and using monitor stanza i'm monitoring the log file and forwarding the logs to my indexer server via splunktcp://9997
Issue:
but, though data is not visible in splunk search
Findings:
/opt/splunk/bin/splunk list monitor -- showing the monitoring file name
/opt/splunk/bin/splunk list forward-server -- showing the indexer name (Active forwards)
In Heavy forwarder , Im seeing a message "Tcp output pipeline blocked. Attempt '300' to insert data failed."
Though I set my server.conf to:
[queue=parsingQueue]
maxSize = 10MB
still no luck.
Splunk version :
Heavy forwarder : Splunk 6.0.4 (build 207768)
Indexer/search head :Splunk 6.1.1 (build 207789)
No any notable logs in splunkd.log, just found the below in my metrics log:
Metrics Logs:
[root@splunkserver local]# tail -f /opt/splunk/var/log/splunk/metrics.log|grep blocked
03-05-2015 07:15:16.869 +0000 INFO Metrics - group=queue, name=aggqueue, blocked=true, max_size_kb=1024, current_size_kb=1023, current_size=2728, largest_size=2763, smallest_size=0
03-05-2015 07:15:16.869 +0000 INFO Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=1330, largest_size=1330, smallest_size=0
03-05-2015 07:15:16.869 +0000 INFO Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=1353, largest_size=1353, smallest_size=0
... View more
02-26-2015
07:37 PM
search source_ip="*" destination_ip="*" destination_port="*" user="*" device_name="*" application="*" sourcetype="fortios5_traffic" | fillnull device_name vdom source_interface source_ip user group destination_interface destination_ip session_type destination_port application service action policy_id bytes_sent bytes_received destination_country | stats count by device_name vdom source_interface source_ip user group destination_interface destination_ip session_type destination_port application service action policy_id bytes_sent bytes_received destination_country _time
where source_ip,destination_ip,destination_port fields are not yet extracted by the sourcetype "fortios5_traffic" ?
... View more
02-26-2015
07:35 PM
No, its not solved yet
... View more
02-20-2015
05:48 AM
This is very similar to the example data. Even i exported the same example data and just tired it with column name different. But , I am not getting the rows colored. Instead some fields bold
... View more
02-20-2015
05:45 AM
Also , from the javascript i wanted to know, (from the 35th Block of code)
tableView.table.addCellRenderer(new CustomRangeRenderer());
tableView.on('rendered', function() {
// Apply class of the cells to the parent row in order to color the whole row
tableView.$el.find('td.range-cell').each(function() {
$(this).parents('tr').addClass(this.className);
});
What is 'rendered' ? Is this common to all examples / I need to modify this ?
... View more
02-20-2015
05:44 AM
I was just trying to use the same example javascript and css with different search query, but i'm not able to get the rows colored.
Please help in this.
Trial.js
require([
'underscore',
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/tableview',
'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
// Row Coloring Example with custom, client-side range interpretation
var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
canRender: function(cell) {
// Enable this custom cell renderer for both the Age and the State field
return _(['Age', 'State']).contains(cell.field);
},
render: function($td, cell) {
// Add a class to the cell based on the returned value
var value = parseFloat(cell.value);
// Apply interpretation for number of historical searches
if (cell.field === 'Age') {
if (value > 2) {
$td.addClass('range-cell').addClass('range-elevated');
}
}
// Apply interpretation for number of realtime searches
if (cell.field === 'State') {
if (value > 1) {
$td.addClass('range-cell').addClass('range-severe');
}
}
// Update the cell content
// $td.text(value.toFixed(2)).addClass('numeric');
}
});
mvc.Components.get('Trial').getVisualization(function(tableView) {
// Add custom cell renderer
tableView.table.addCellRenderer(new CustomRangeRenderer());
tableView.on('rendered', function() {
// Apply class of the cells to the parent row in order to color the whole row
tableView.$el.find('td.range-cell').each(function() {
$(this).parents('tr').addClass(this.className);
});
});
// Force the table to re-render
tableView.table.render();
});
});
Trial.css
/* Row Coloring */
#highlight tr td {
background-color: #c1ffc3 !important;
}
#highlight tr.range-elevated td {
background-color: #ffc57a !important;
}
#highlight tr.range-severe td {
background-color: #d59392 !important;
}
#highlight .table td {
border-top: 1px solid #fff;
}
#highlight td.range-severe, td.range-elevated {
font-weight: bold;
}
XML:
<dashboard script="Trial.js" stylesheet="Trial.css">
<label>Trial</label>
<row>
<table id="Trial">
<title>Trial</title>
<search>
<query>source="Trial.csv" host="10.0.255.247" sourcetype="csv"|table Timestamp User Age State</query>
<earliest>-24h</earliest>
</search>
<option name="drilldown">none</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</row>
</dashboard>
... View more
- Tags:
- color
- javascript
- table
02-20-2015
02:30 AM
below are my scipt, css, xml file i am not able to load the color in rows.
Please help me in this...
testing.css
.SimpleResultsTable tr td.d[field="log_subtype"][data-value="virus"]{
font-weight: bold;
background-color: #C42323;
color: white;
}
testing.js
if( Splunk.Module.SimpleResultsTable ){
Splunk.Module.SimpleResultsTable = $.klass(Splunk.Module.SimpleResultsTable, {
renderResults: function($super, htmlFragment) {
$super(htmlFragment);
if (this.getInferredEntityName()=="testing") {
this.renderedCount = $("tr", this.container).length - 1;
}
$.each( $('.simpleResultsTable td'), function(index, value) {
$(this).attr('data-value', $(this).text() );
});
}
});
}
xml:
<dashboard script="testing.js" stylesheet="testing.css">
<label>testing</label>
<row>
<panel>
<table id="testing">
<search>
<query>source="/tmp/tests.csv" host="10.0.255.247" sourcetype="csv"| fillnull value=NULL | table log_subtype,device_id,eventSignature</query>
<earliest></earliest>
<latest></latest>
</search>
</table>
</panel>
</row>
</dashboard>
... View more
01-27-2015
10:57 PM
How to get the wget link ?This option was there in the previous site
... View more
01-07-2015
12:43 AM
1 Karma
WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.
Possibilities :
relax the primary search criteria -> (index=* doesnt work)
widen the time range of the search ->(time range chosen in 'all time')
check that the default search indexes for your account include the desired indexes -> (admin role -> using default settings)
what could be the cause ?
Splunk version: Splunk 6.0.4 (build 207768)
Role : License master servers
Slaves version: Splunk 6.2.1 (build 245427)
... View more
