Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About dglass0215
dglass0215
Path Finder
Member since:
12-16-2014
05-21-2025
Community Statistics
| Posts | 53 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 2 |
| Member Since | 12-16-2014 |
Activity Feed
- Posted Re: OpenSSL < 1.0.2zk vulnerability on Splunk 9.2.2 on Splunk Enterprise. 10-31-2024 08:11 AM
- Posted Re: Transpose - Include data in column vs row on Splunk Enterprise. 07-18-2024 12:38 PM
- Posted Transpose - Include data in column vs row on Splunk Enterprise. 07-18-2024 12:02 PM
- Posted Re: v9.1 upgrade issues - Why does Top tool bar shows Loading? on Splunk Enterprise. 08-30-2023 11:59 AM
- Posted Dashboard Studio - Marker Map - Drilldown? on Dashboards & Visualizations. 12-29-2022 08:14 AM
- Posted Re: Active Directory Credentials on Splunk Enterprise. 09-12-2022 11:26 AM
- Posted Active Directory Credentials- How do I prevent AD disabling accounts? on Splunk Enterprise. 09-06-2022 12:26 PM
- Posted Cell background color - Stats Table on Splunk Search. 04-28-2021 06:36 AM
- Posted Re: Query Performace on Splunk Search. 04-28-2021 06:23 AM
- Posted Re: Query Performace on Splunk Search. 04-28-2021 06:22 AM
- Posted Query Performace on Splunk Search. 04-27-2021 11:02 AM
- Posted Are the App Data Input fields extractable? on Splunk Search. 03-19-2021 10:34 AM
- Posted Re: Role Capability to Query Lookup on Security. 03-19-2021 10:19 AM
- Posted Re: Role Capability to Query Lookup on Security. 03-19-2021 09:22 AM
- Posted Re: Role Capability to Query Lookup on Security. 03-19-2021 09:07 AM
- Posted Role Capability to Query Lookup on Security. 03-19-2021 08:48 AM
- Posted csv lookup number vs string on Splunk Search. 09-30-2020 09:39 AM
- Posted Linux dashboards on Dashboards & Visualizations. 09-24-2020 09:37 AM
- Got Karma for Re: Finding out which users have certain software installed. 06-05-2020 12:51 AM
- Got Karma for Re: Finding out which users have certain software installed. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-08-2020
09:26 AM
Hello,
i am trying to understand the documentation surrounding SHOULD_LINEMERGE. It says the default is SHOULD_LINEMERGE = true and BREAK_ONLY_BEFORE_DATE = true. If my understanding is correct this means that if a logfile has multiple lines, the multiple lines will be part of one event that is indexed up until the next date/timestamp is found and then that would be another event.
I have a logfile with the following two lines:
2019-12-30 09:16:41:908: Requestor: IMM_Mobile, IsLocal: False
2019-12-30 09:16:41:908: 637132942019089151: Scanned CID: BARCODE:
However, they get indexed as one event and this is not what I want. A previous suggestion to me was to make SHOULD_LINEMERGE = false, however I do not think I want to do that because there are certain entries in the logfile that do span multiple lines.
Any assistance is greatly appreciated!
David
... View more
01-02-2020
10:58 AM
While this might be slightly useful it does not answer my question. Do you know why the two lines above are one event? And do you know how I can fix it? Thanks!
... View more
12-30-2019
09:33 AM
Hello,
I have a file monitor for a log file where I am getting indexed data with multiple lines. Example of one event:
2019-12-30 09:16:41:908: Requestor: IMM_Mobile, IsLocal: False
2019-12-30 09:16:41:908: 637132942019089151: Scanned CID: BARCODE:
Now i notice that it is the same time but they should still be separate events. i have read where someone suggested SHOULD_LINEMERGE = false, however if I am reading the documentation correctly, the SHOULD_LINEMERGE = true and BREAK_ONLY_BEFORE_DATE = true being the defaults should be processing the above as two separate events. What am I misunderstanding?
I am hesitant to configure SHOULD_LINEMERGE = false because I think it may be needed for other events that span multiple lines.
only other thing I can think of is possibly my props/transforms might be screwing with the data in some other way. Below are what I think are the relevant portions of my props/transforms:
Props:
[mySourceType]
TRANSFORMS-set= setnull,setparsing
TRANSFORMS-sourcetype= setNewSourceType
Transforms:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = \b(?:offline|online|\d{4}-d{2}-d{2}\s+\d{2}:\d{2}:\d{2}:\d{3}:\s+\d{18}:\s)\b
DESK_KEY = queue
FORMAT = indexQueue
[setNewSourceType]
REGEX = \b(\d{4}-d{2}-d{2}\s+\d{2}:\d{2}:\d{2}:\d{3}:\s+\d{18}:\s)
FORMAT = sourcetype::NewSourceType
DEST_KEY = MetaData:Sourcetype
Thanks for any assistance!
David
... View more
11-11-2019
09:48 AM
Thanks Giuseppe this is very helpful! I do realize a sample of my data would useful, it is just tough to do so since I am in a disconnected environment. Basically it is as simple as Host, TimeStamp, onlineStatus. I do not have a username field, nor do I (at least at this moment in time) care about the duration of offline. I just want to know if an offline has occurred without a corresponding online. Your second query above looks like it would almost do what I need! However couldn't that query wind up showing an online event depending on how the timeframe of the query was setup?
Thanks Again!
... View more
11-08-2019
09:25 AM
Hello,
I have a sourcetype which has data telling me if something goes offline and then when it comes online.
I am trying to write a search that only shows the most recent offline event where a newer online event has not yet occurred.
Any help is appreciated!
... View more
09-18-2019
07:05 AM
I think this is the problem! Gotta love splunk answers! Faster response then actual support!
However why would I have multiple machines with the same GUID in instance.cfg, and more importantly, What do i do to fix it?
Thanks!
... View more
09-17-2019
08:48 AM
Hello,
When I view the deployment clients under forwarder management, not all my clients are being displayed. Every time I add a client, I can see that the client indeed does download the apps but is not displayed as a client. Currently the deployment server lists 40 clients. And every time I add a client it just stays at 40. Any help is appreciated.
David
... View more
08-26-2019
11:07 AM
Thanks! This definitely works. Still would like to know what was wrong with what I originally had but at least this works!
... View more
08-26-2019
08:00 AM
Hello,
I have my props/transforms setup so that it routes data to specific indexes (For the most part) based on hostname. This was working great until I realized that it was also including data that was meant for internal indexes like _internal. Specifically for splunkd sourcetype. This was making my license utilize way more data than it should have been. So I added a prop for [splunkd] sourcetype to route data to _internal. This is now working for alot of my hosts but for some reason there are still 4 indexes receiving data that should be routed to _internal, they are indexes named mhh, irw, lvn, lee. Any help is much appreciated. Props and transforms below:
PROPS:
[HawkeyeIOLS]
TRANSFORMS-set= setnull,setparsing
SEDCMD-DOB = s#DOB/\d{8}#DOB/[REDACTED]#g
SEDCMD-SEX = s#SEX/.#SEX/[REDACTED]#g
SEDCMD-RAC = s#RAC/.#RAC/[REDACTED]#g
[splunkd]
TRANSFORMS-set_index_internal = set_index_internal
priority=10
[host::(5050-LANE|5050-RGWS)]
TRANSFORMS-set_index_5050 = set_index_bel
[host::irw*]
TRANSFORMS-set_index_irw = set_index_irw
[host::mhh*]
TRANSFORMS-set_index_mhh = set_index_mhh
[host::mcn*]
TRANSFORMS-set_index_mcn = set_index_mcn
[host::lee*]
TRANSFORMS-set_index_lee = set_index_lee
[host::lvn*]
TRANSFORMS-set_index_lvn = set_index_lvn
[host::riv*]
TRANSFORMS-set_index_riv = set_index_riv
[host::con*]
TRANSFORMS-set_index_con = set_index_con
[host::ann*]
TRANSFORMS-set_index_ann = set_index_ann
[host::bel*]
TRANSFORMS-set_index_bel = set_index_bel
[host::apg*]
TRANSFORMS-set_index_apg = set_index_apg
[host::hol*]
TRANSFORMS-set_index_hol = set_index_hol
TRANSFORMS:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = \b(?:offline|online|HTTP 502 Bad Gateway|CheckUpdate: Error)\b
DEST_KEY = queue
FORMAT = indexQueue
[set_index_internal]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = _internal
[set_index_con]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = motco
[set_index_ann]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = ANN
[set_index_bel]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = BEL
[set_index_apg]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = APG
[set_index_hol]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = HOL
[set_index_irw]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = IRW
[set_index_mhh]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mhh
[set_index_mcn]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mcn
[set_index_lee]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = lee
[set_index_lvn]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = lvn
[set_index_riv]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = riv
... View more
07-19-2019
07:15 AM
Thanks! Works great!
... View more
07-18-2019
12:51 PM
Hi @jnudell_2, According to all the documentation (And my training courses) this looks like it should work, however it is not working for me. I have a bunch of other props/transforms that work correctly, I just added the default stanza to the bottom. That shouldn't be an issue right? How does one go about debugging props/transforms? I did a btool check and that didn't return anything.
... View more
07-17-2019
09:26 AM
Thanks for your reply! Yes I agree with you that it is very intrusive. I just thought that this would be a quick way for me to help get data to the right index and then fine tune it from there. Basically we have about 10 different locations with possibly adding up to 100 more locations and every host at each location begins with a 3 character acronym of the location. So this would be a quick and dirty way to make sure the data is getting to the proper index. I think it will eventually need to be expanded on.
... View more
07-17-2019
08:04 AM
Hello,
I am trying to implement setting a specific index based on part of the hostname. For ALL of my data that I index I would like the index to be the first three characters of the hostname. is it possible to make this global and not on a source/sourcetype basis?
Any help is appreciated!
Davis
... View more
- Tags:
- splunk-enterprise
04-01-2019
06:21 AM
I have the events already indexed in Splunk. So I can already query if the service is offline or online. The problem comes with a methodology for alerting via email. I could simply just run an alert every 5 minutes and send an email however would you really want to receive an email every 5 minutes telling you the service is down?
That's what I am trying to avoid. To figure out a way to make sure we get an email just once when offline and then an email once back online.
Thanks!
... View more
03-27-2019
08:03 AM
Hello,
I have a log file that I am indexing that has events that log the word "offline" and the word "online". I want to be alerted when the event offline occurs so I am currently searching for "offline" in my sourcetype and sending out an email. Then I want to be alerted when the event online occurs. Simple right? Similar query similar alert.
The problem is that when the log file has the word offline, it has it in there MANY times until the word online occurs. And I don't want to bombard email every 5 minutes with another alert. So I have been playing around with throttling however this is not perfect and I can miss a real offline alert.
Can anyone help with coming up with a search and alert methodology that will be full proof in making sure I always get an alert when offline and an alert when online?
Thanks!
... View more
- Tags:
- alerting
04-29-2015
10:46 AM
I do not see where this percentage that you speak of is located, However, It does show some data now. However it seems like it is only showing data from today even if I choose something like Year to date. Also under top operating systems it just shows "compatible" whereas I would have expected something like Windows 7.
... View more
04-29-2015
09:05 AM
That is what I did and then I started getting data on the real-time tab, but no data elsewhere.
... View more
04-29-2015
08:54 AM
Excellent! Thank you very much! I now am able to see data in the real-Time but the rest still shows no data. I have disabled and re-enabled acceleration on the data model and have waited more than 20 minutes. Is there anything else I need to do in order to see data on the other tabs?
... View more
04-29-2015
08:01 AM
Any other assistance you can provide?
... View more
04-28-2015
10:01 AM
I meant to say that the source was W3SVC1 (surrounded with * at beginning and end. The post is just not displaying the star).
Either way, I Changed the source to C:\inetpub\logs\LogFiles\W3SVC1* (Slashes are being stripped out from this path)
This is not exactly what is listed in the Available host and source combinations as this lists a different source for each different day of IIS logs. Source Examples:
C:\inetpub\logs\LogFiles\W3SVC1\u_ex140630.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex140701.log
(Slashes are being stripped out from these paths)
etc.
Then I ran lookups again (Generate User Sessions still looks like it returns no results). Then I rebuilt the data moidel. Still no dice.
Again, Thanks for your continued assistance!
... View more
04-28-2015
09:35 AM
Some more information for you:
Under Setup -> Websites I have configured a website with Source=W3SVC1
Under Setup -> Lookups -> Generate User Sessions it returns data but Generate Pages does not return data.
... View more
04-28-2015
08:30 AM
Hi J!
Thanks for your reply. I do get results when searching tag=web and the Data Model named Web is accelerated. What other details can I provide to you?
Thanks!
... View more
04-28-2015
07:53 AM
My sourcetype is correctly set to "iis". I just find it odd that I have a new source added each day. So that means after a year I will have 365 sources from monitoring the log file directory. Just seems silly to me. But thanks for your answer.
... View more
04-28-2015
07:30 AM
I have Splunk set to monitor the folder that stores my IIS logs. It is currently working, however, since there is a new log file created daily, each one is considered a source. So when I look at my data summary I have 215 sources and counting since each day a new one is added. Is this the way it is supposed to be?
... View more
04-28-2015
06:53 AM
Well that is a shame because it doesn't sound like there are too many users who have been able to get it to work.
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-21-2025
06:49 PM
|
Karma given to
