Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About splunker12er
splunker12er
Motivator
Member since:
03-11-2014
06-07-2022
Community Statistics
| Posts | 307 |
| Solutions | 14 |
| Karma Given | 65 |
| Karma Received | 53 |
| Member Since | 03-11-2014 |
Activity Feed
- Got Karma for Re: Heavy Forwarder Costs and Licenses. 06-14-2024 07:54 AM
- Karma Has anyone seen this Error message: Monotonic time source didn't increase; is it stuck? for tywhite. 06-05-2020 12:49 AM
- Karma Re: Search head cluster failure with 2 of 3 nodes - Can the user access Search head ? for tiagofbmm. 06-05-2020 12:49 AM
- Got Karma for Re: How to monitor log files from /tmp/folder_name with a Universal Forwarder?. 06-05-2020 12:49 AM
- Got Karma for Re: Nothing gets indexed for unknown reason. 06-05-2020 12:49 AM
- Got Karma for Re: Is there SPL to hard code search mode?. 06-05-2020 12:49 AM
- Got Karma for Re: Is there a way to use some sort of regular expression with field aliases?. 06-05-2020 12:49 AM
- Got Karma for Re: How to get the difference between 2 queries?. 06-05-2020 12:49 AM
- Got Karma for Re: strptime for a existing time field in lookup table and adding new time field (_time) in the same lookup table. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: What is this (search_startup_time) field in _audit index ?. 06-05-2020 12:49 AM
- Got Karma for Re: Advantages of rolling over warm bucket to cold bucket.. 06-05-2020 12:49 AM
- Got Karma for Re: How to setup auto search based on login name?. 06-05-2020 12:49 AM
- Got Karma for Re: Alert if Fortigate and Clearpass events match. 06-05-2020 12:49 AM
- Karma Extract a field using rex for davidda. 06-05-2020 12:48 AM
- Karma Why am I getting "bucket not serviceable" errors on an indexer cluster master and replication is failing for some buckets? for austinament. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-27-2014
02:43 AM
I tried ,
>splunk list monitor
Its shows the list of files & directories that are being monitored, but still cant view the data in SH. also there is no any errors in splunkd log.
... View more
08-27-2014
02:41 AM
I tried in my windows universal forwarder the script , but cant execute it ,
C:\Program Files\SplunkUniversalForwarder\bin>splunk cmd python "c:\filestatus.py"
CreateProcess: The system cannot find the file specified.
couldn't run "c:\Program Files\SplunkUniversalForwarder\bin\python": The system cannot find the file specified.
... View more
08-27-2014
02:37 AM
Note: A single dot (.) is not a wildcard, and is the regex equivalent of ..
Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:
[monitor://E:\...\foo\*.log]
Splunk Enterprise logs an error and fails to index the desired files.
This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues.
... View more
08-27-2014
01:58 AM
1 Karma
I want to monitor XML files residing inside sub-directories.
Files inside Path :
D:\Roll\DIP\SessionLogs\35\1.xml
D:\Roll\DIP\SessionLogs\35\2.xml
D:\Roll\DIP\SessionLogs\35\3.xml
D:\Roll\DIP\SessionLogs\36\1.xml
D:\Roll\DIP\SessionLogs\36\2.xml
D:\Roll\DIP\SessionLogs\36\3.xml
I set inputs.conf: (in Universal forwarder)
[monitor://D:\Roll\DIP\SessionLogs\]
index = myindex
sourcetype = session_log
props.conf (in indexer)
[session_logs]
KV_MODE = xml
I dont get the logs in Search head ? Something am i missing here ..?
... View more
08-27-2014
12:46 AM
Can we able to monitor .pfx - (Certificate file) in splunk
Is there any specific sourcetype already pre-defined for it ?
... View more
08-26-2014
11:44 PM
After installing Splunk Universal forwarder in Windows Server ., how to add monitor stanzas for getting windows application , security, system logs via command line ?
>splunk add monitor
... View more
08-26-2014
06:50 AM
transpose the rows to column values and try with props & transforms.
Key,Date,Value1,Value2
A,Date,5,2
A,Date,6,2
B,Date,1,3
B,Date,6,2
etc..Use ,
|lookup Date as Date Key as Key OUTPUTFIELD Value1,Value2
... View more
08-25-2014
11:43 PM
1 Karma
I send daily 50 GB raw data from my machines to Splunk for indexing
what will be the size of the data after it got indexed ?
Will this be the same 50 Gb or indexed data will have less size ?
... View more
08-21-2014
02:17 AM
1 Karma
Index time field extraction & Search Time field extraction
How do both differ ? Which has less performance impact of search query ?
... View more
08-20-2014
11:24 PM
Did you checked out sideview utils app ?
... View more
08-20-2014
02:44 AM
my query :
'search query' | table Indexer-1,indexer-2,Indexer-3
tabulated the results and using coulmn chart view
... View more
08-20-2014
02:42 AM
I have created a savedsearch which displays the Current license usage indexer wise. ("|rest" query)
x- axis : Indexer-1 , Indexer-2, Indexer-3
Y-axis : Amount of Gb indexed .(Eg : 10,20,30,40,50)
I have created a column chart out of this records. Now, I need to add an overlay threshold line in between this column chart.
Warning threshold : 40Gb
Critical threshold : 45Gb
How do i add these horizontal threshold lines in my column chart ?
Please advise
... View more
08-13-2014
04:26 AM
I tried to tag the field sourcetype as suggested in the link :
[http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Tags][1]
Examples
Example 1: Write tags for host and eventtype fields into tag::host and tag::eventtype.
... | tags host eventtype
index=* | tags sourcetype
but it doesnt created tag::sourcetype
Please help.. Am i missing something ..?
... View more
- Tags:
- tags
08-13-2014
02:29 AM
I do need this generic for all sourcetype. Can i use wildcards in stanza name ?
... View more
08-13-2014
02:17 AM
I need a new field in the name 'Server' from the 'host' field.
... View more
08-08-2014
01:35 AM
"Last 15 minutes" - Is this referring to index time (or) Events time ?
I have hosts located in different timezones, and my Search head & indexers running in GMT TZ.
So,when I do a search for say.,"Last 15 min" , this refers to GMT's timezones last 15 minute ?
I am referring to this since, i might miss data in my search result as host's event time are in their native TZ format which will not be shown for my search
... View more
07-17-2014
12:14 AM
Thanks alot.
... View more
07-14-2014
10:42 AM
No there are no duplicate entries in the lookup table.
I tried dedup but it takes the same time..
For a very long time , still the search query is in parsing state.
... View more
07-11-2014
03:03 AM
I have a lookup table blacklist.csv , which has blacklisted src & dest IPs. Using the below search query , I am listing the events containing blacklisted IPs
index=* sourcetype=pan* [|inputlookup blacklist.csv | fields dest_ip] OR [|inputlookup blacklist.csv | fields src_ip] | table dest_ip,src_ip,status,etc..
My lookup table has 10,000 records, which makes my search slow down. Is there a way optimize the query ?
or any other mechanism to speed up the search ?
... View more
07-10-2014
11:08 PM
1 Karma
|metadata type=hosts earliest=-1d latest=now
This displays the overall eventcounts for the available hosts but not specific to the time range mentioned.
Is there a way to specify the time range for metadata results ?
... View more
06-30-2014
08:51 PM
I do need carefully select the selective Warm dbs and move to the new index folder , and check for bucket_id clash. if any I do need to modify the range accordingly and run the below command :
./splunk _internal call /data/indexes/MY-INDX-NAME/rebuild-metadata-and-manifests
doing so, I can be successful in moving the indexed data from one index to another index. (my case i want the data to be searched in the other index name)
Am i fine with the understanding? please correct me , if i am wrong.
... View more
06-29-2014
07:39 AM
2 Karma
How many number of indexes i can create in an indexer ?
Is there any disadvantages , on too many indexes ?
Keeping all the logs in a single index - would result in performance | slow in processing the search request ?
... View more
06-29-2014
07:28 AM
whether the index name also stored along with the indexed data ? Or it depends on the path where the index resides ?
... View more
06-29-2014
07:26 AM
Is it possible for me to copy the specific Index bucket to another Index path,
Eg:
I want to copy the indexed data from index name 'My-Index-Name-1' to 'My-Index-Name-2'
Just by cut and copy the bucket to new index path, will work ?
Search query: (will this work , after copy ?)
index=My-Index-Name-2 | table _raw
Details:
Index Name ->My-Index-Name-1
State -> Warm
Path -> /opt/splunk/var/lib/splunk/My-Index-Name-1/db/db_1403947472_1403779602_8
... View more
06-29-2014
06:10 AM
How does the results of the correlation events go to "notable" index ?
Is there any configuration file for this ?
Also , If i manually call a correlation search , will that results also goes to notable index?
... View more
