Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About splunker12er
splunker12er
Motivator
Member since:
03-11-2014
06-07-2022
Community Statistics
| Posts | 307 |
| Solutions | 14 |
| Karma Given | 65 |
| Karma Received | 53 |
| Member Since | 03-11-2014 |
Activity Feed
- Got Karma for Re: Heavy Forwarder Costs and Licenses. 06-14-2024 07:54 AM
- Karma Has anyone seen this Error message: Monotonic time source didn't increase; is it stuck? for tywhite. 06-05-2020 12:49 AM
- Karma Re: Search head cluster failure with 2 of 3 nodes - Can the user access Search head ? for tiagofbmm. 06-05-2020 12:49 AM
- Got Karma for Re: How to monitor log files from /tmp/folder_name with a Universal Forwarder?. 06-05-2020 12:49 AM
- Got Karma for Re: Nothing gets indexed for unknown reason. 06-05-2020 12:49 AM
- Got Karma for Re: Is there SPL to hard code search mode?. 06-05-2020 12:49 AM
- Got Karma for Re: Is there a way to use some sort of regular expression with field aliases?. 06-05-2020 12:49 AM
- Got Karma for Re: How to get the difference between 2 queries?. 06-05-2020 12:49 AM
- Got Karma for Re: strptime for a existing time field in lookup table and adding new time field (_time) in the same lookup table. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: What is this (search_startup_time) field in _audit index ?. 06-05-2020 12:49 AM
- Got Karma for Re: Advantages of rolling over warm bucket to cold bucket.. 06-05-2020 12:49 AM
- Got Karma for Re: How to setup auto search based on login name?. 06-05-2020 12:49 AM
- Got Karma for Re: Alert if Fortigate and Clearpass events match. 06-05-2020 12:49 AM
- Karma Extract a field using rex for davidda. 06-05-2020 12:48 AM
- Karma Why am I getting "bucket not serviceable" errors on an indexer cluster master and replication is failing for some buckets? for austinament. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-07-2015
12:35 AM
this is very much accpeted ...;)
... View more
01-07-2015
12:16 AM
Excellant..Thank you MuS
... View more
01-07-2015
12:04 AM
Okay. If I forward all the splunk instances _internal logs to my 2 indexers.,
First of all when I forward _internal logs of splunk instances to indexer - they will get indexed in indexer which consumes license volume
To which index I should forward ? (_internal ?)
3a. If I should not use license query against metrics.log on the search head ., what is the source that I should use to run the query ?
3b. what is the concept in moving the other splunk instances log to central indexers ?
... View more
01-05-2015
11:28 PM
1 Karma
Deployment Setup:
License Master Server -1
********************
Splunk Indexer - 2
Splunk Search head - 1
Heavy Forwarder - 2
I have pointed all the instance to my license master server.
currently , I do calculate the daily license usage of splunk by Indexers , by running the below query in License Master Server :
index=_internal source=*license_usage.log* type=Usage earliest=@d |bucket _time span=1d |stats sum(b) AS volume_bytes by _time host pool i |eval volume_GB=round(volume_bytes/1024/1024/1024,3) |rename i AS indexer_GUID |JOIN indexer_GUID [|REST /services/licenser/slaves | table title label|rename title AS indexer_GUID| rename label AS indexer_name]|timechart values(volume_GB) by indexer_name usenull=f useother=f
Search head & Heavy forwarder doesn't consumes license quota - But license_usage.log files still logs some bytes. (why ?)
_internal logs doesnt consumes any license quota.
query 1:
I would need to monitor the license usage by hosts. where should I run the query ?
Every splunk instance has the license_usage.log file, does all the files captures the usage ?
Do I need to run the below query in each indexers and the total sum ? What is the right way ?
License usage by host :
index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
... View more
01-05-2015
06:43 PM
Deployment setup has a license master where all the instances are connected to master.
Recently, we had a technical issue where one of the indexers lost connection with the license master server which went unnoticed and caused problems.
Is there an internal query to monitor the status and report via email when a license slave is loses connection with the master?
... View more
01-05-2015
06:34 PM
I have verified under the location : /opt/splunk/var/run/tmp/SearchHeadCfg
bundles are not found for TA-addons. Only for sos can be seen
... View more
01-05-2015
06:33 PM
serverclass.conf
I use the below config to push apps from my deployment server to the clients .
sos - App has been pushed successfully.
TA-* - i have many TA-add-ons in deployment server under the mentioned location. those apps are not pushed. Do i need to write separate stanzas? Or wildcards should work?
[serverClass:SearchHeadCfg]
repositoryLocation = /opt/splunk/etc/apps
whitelist.0 = 10.0.10.101*
[serverClass:SearchHeadCfg:app:sos]
stateOnClient = enabled
restartSplunkd = true
[serverClass:SearchHeadCfg:app:TA-*]
stateOnClient = enabled
restartSplunkd = true
... View more
12-28-2014
10:56 PM
Is there any possibility to keep the same sourcetype ?
... View more
12-20-2014
09:34 AM
I would like to know the possibility to limit the splunk license consumption based on host.
There are 50 hosts sending logs to my heavy forwarders. Out of that I want to limit the license usage consumption for some 10 devices (by hostname)
Say, 10 Gb maximum limit for each device, over that i want to stop indexing for those devices and throw a license usage warning message
Currently, there is an option to control license usage at Indexer level, but is there any option to control at host level ?
Please advise.
... View more
Labels
- Labels:
-
license
12-16-2014
02:08 PM
When i set the frozenTimePeriodInSecs value to 1 month, (for eg.) indexed data will start to delete from the start of the next month.
In that case, does indexed data roll from hot to warm, then warm to cold, then cold to frozen?
By default, the maximum size of hot bucket is 750 mb / 90 days before it rolls from Hot to Warm.
Also, the number of Warm databases is 300/ 90 days by default. The older db will start to roll from WARM to Cold database.
By default after 6 years, splunk deletes the data (i.e. frozen)
If this is the case, when my retention period is short, will the data directly be deleted from hot/warm ?
Please advise.
... View more
12-16-2014
01:46 PM
2 Karma
1. Controlling the size of a hot bucket :
maxDataSize = auto | auto_high_volume
auto = 750 mb auto_high_volume = 10 Gb
maxHotSpanSecs = <positive integer>
default value = 90 days
If i set both the parameters, which takes the first precedence ?
Does changing maxDataSize paramter's value to higher one , requires tuning of other parameters also , accordingly?
2. Performance of Search query
when i make the maxDataSize = auto_high_volume i.e 10Gb
where a hot bucket will grow to a size of 10Gb , till that period it retains in hot bucket ., Will the search be faster , since the data available in HOT bucket ?
... View more
Labels
- Labels:
-
index
11-23-2014
06:20 AM
Did you tried using "Forwarder management" dashboard available in splunk web UI
distributed environment -> Forwarder management
Using "deployment Server" - Use separate serverclass stanzas to push configs to splunk UF. - easy to manage and deploy apps.
... View more
11-23-2014
03:27 AM
I agree with seperate index concept. But according to our business case we have less no. Of indexes. This design was proposed by splunk expert from Splunk corp.
... View more
11-23-2014
01:22 AM
After I restore the archived data in thawed path and rebuild the index - Splunk recognizes the data.
What is the life-time of the data residing in the thawed path? Is there any default retention period for this?
By default splunk data rotation (hotdb->warmdb->colddb(deleted after 6 years))
Now, I place the buckets inside a thawed path and rebuilt it. How is that default policy is applied here?
... View more
11-22-2014
11:41 PM
Also, I need an answer for this,
If a customer leaves in 6 months (where he already subscribed for 1 year retention) - How to physically delete his data from the disk. Since Index-12-Month contains data of other customer too. I need selective deletion
Please advise
... View more
11-22-2014
11:35 PM
Scenario:
I have index structure based on retention policy.
(Eg: 12-Months-Index,24-Months-Index,36-Months-Index,5-Years-Index)
If a customer subscribes for a retention period of 12 months I will direct this customer log to my first index.
Let say, if the customer wants to continue his subscription for another 2 years , I will direct the logs to 2nd index, more over in case if the customer wants his past 1 year also(for a statistical purpose) , I want to move the indexed data from 12-Months-Index to 24-Months-Index directory.
For this purpose , I want the data movement from one index to another index.
NOTE : For providing a managed security services - Splunk ES application is deployed - where there are number of correlation search queries are running , in case if i separate the customer into separate indexes(in that case the index number will get increased), I have a problem of search query performance slow down(index=cust1 OR index=cust2 Or index-custN). To overcome this , we have a setup of indexes based on retention policy.So index number will be less
... View more
11-22-2014
06:20 AM
This is sample example. But this very much needed in my business case for managed security services , I would receive logs from 100s of hosts, where based on some criteria I will be placing logs under certain index name. Later,
I would need to identify and delete the logs of particular hosts (physically)
Or, I would need to move the indexed data of a particular host to another index (this is my use case)
... View more
11-22-2014
06:02 AM
Setup :
Index name : A
Index name : B
host : a1,a2
Requirement:
a1,a2 hosts ----->forward logs to index 'A' .
I want to separate/move 'a2' related events to index 'B' after 30 days.
Work around :
Roll the hot buckets from index 'A' and move to the index 'B'
Delete the 'a1' related events via search query by 'can_delete' role. (query : index=B host=a1|delete)
But still host : a1 indexed data is available in the index 'B' buckets
where in my case , i have a problem considering my disk space . So i need to delete the data from buckets also.
Is there any options available ?
Also , when i copy the warm buckets into index B - Immediately its available in search query. Does rebuild/restart not necessary here?
... View more
11-22-2014
02:00 AM
When I try export , it gives me the following :
[root@test-machine]# /opt/splunk/bin/splunk cmd exporttool ../../db_1409651281_1409651235_37/ /export.csv -et 1409651235 -lt 1409651281 -csv
Using logging configuration at /opt/splunk/etc/log-cmdline.cfg.
no events
What does this shows no events - But actually events are present in this bucket.
I'm using splunk v6.2
... View more
11-13-2014
11:01 PM
Did you search for all time?
Did you see any errors at splunkd.log ?
Are you using universal forwarder ?
- Check for the outputs.conf file for the correct IP of the indexer your are forwarding .
... View more
11-13-2014
10:54 PM
Location : dispatch directory
Default storage period : 7 days (later it will be deleted)
... View more
11-12-2014
05:24 AM
I refer the doc foe EVAL statement. When i create a calculated field using EVAL statement , this can be reused right?
Is this a available as a index time extracted field/search time ? I am little confused in this. Please advise.
EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output
to <fieldname>. This creates a "calculated field."
* When multiple EVAL-* statements are specified, they behave as if
they are run in parallel, rather than in any particular sequence.
For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x"
will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.
* Splunk processes calculated fields after field extraction and field aliasing but before
lookups. This means that:
* You can use a field alias in the eval statement for a calculated field.
* You cannot use a field added through a lookup in an eval statement for a calculated
field.
eg:
EVAL-Result=Price+Tax
Can Result value be re-used?
... View more
