About skoelpin

skoelpin · ‎08-07-2015

Thanks everyone. Looks like it's on my end. I'll try from a different pc

skoelpin · ‎08-07-2015

I'm going to the page below and selecting Windows OS, I'm then redirected to the download page and it thanks me for downloading the forwarder but nothing happens.. I've done this countless times in the past with no issues I tried on 3 different browsers with no luck.. Can anyone verify that this is not working? Can I grab the .msi install file from another box and install it on the different server? http://www.splunk.com/en_us/download/universal-forwarder.html

skoelpin · ‎08-07-2015

Thanks for this Gregg, I never knew this existed and would be a great learning tool

skoelpin · ‎08-06-2015

I would leave it.. It's good advice

skoelpin · ‎08-06-2015

Do you mean have 2 separate props.conf files? If so then no. Why don't you just keep it in one file and seperate your stanza by comments with stars in them like this? #************************ # # # Edited by: # Modified index # 8/6/2015 # # #************************* [host:: srv-dcr01] ......... ......... ........

skoelpin · ‎08-05-2015

Can you explain what you mean by filtering. Do you mean linebreaking an event?

skoelpin · ‎08-03-2015

Can you explain the performance cost with opening a file? Would it be a one time thing on the first search or would it be every time? What's the performance hit? Are we talking seconds or minutes?

skoelpin · ‎08-03-2015

Would a case statement be faster then a lookup?

skoelpin · ‎08-03-2015

Do you suggest I put this in a CSV file then do a lookup? Would the search performance be much faster with a lookup compared to a nested-if?

skoelpin · ‎08-03-2015

I wrote this search to look at a user agent string (RTG_Browser) and identify the operating system. I plan on writing another search to identify the browser from the user agent string. I then plan to append these columns to my current query. A regular expression would not work here as it has to be renamed from Windows NT 6.2 to Windows 8. index=access | eval OS = if(match(RTG_Browser,"Windows NT 6.1"), "Windows 7", if (match(RTG_Browser,"Windows NT 6.3") OR match(RTG_Browser,"Windows NT 6.2"), "Windows 8", if (match(RTG_Browser,"Macintosh"), "OS X", if(match(RTG_Browser,"like Mac OS X") OR match(RTG_Browser,"like mac o sx"),"m.iOS", if(match(RTG_Browser,"Android"), "m.Android", if(match(RTG_Browser,"Windows NT 5.1") OR match(RTG_Browser,"Windows NT 5.2"),"Windows XP", if(match(RTG_Browser, "bingbot"), "Bing Bot", if(match(RTG_Browser,"Windows Phone"),"m.Windows", if(match(RTG_Browser, "Windows NT 6.0"),"Windows Vista", if(match(RTG_Browser,"Windows NT 10.0"),"Windows 10",if(match(RTG_Browser, "X11") OR match(RTG_Browser, "Linux"),"Linux",if(match(RTG_Browser,"Googlebot"),"Google Bot","OTHER"))))))))))))

skoelpin · ‎08-02-2015

So this was a proxy issue then?

skoelpin · ‎08-01-2015

You're correct about making changes in the props.conf on the indexer. But you will need to write a regular expression to successfully break those lines so Splunk will see them as a new event ^msg\,\w+

skoelpin · ‎07-31-2015

Glad I could help! Can you clarify your question? You need a Splunk forwarder (usually a universal-forwarder) to forward data to your splunk indexer which makes it available in the GUI. The universal forwarders are light weight and use little resources on a server So if you don't have a forwarder on a server then it will not make it into Splunk, unless you directly upload it..

skoelpin · ‎07-31-2015

You can do both. You can have multiple source-types forwarding to the same index. You define what index they go on the server with the forwarder $Splunk_Home/etc/system/local inputs.conf [sourcetype1] index = indexName [sourcetype2] index = indexName2 If you don't specify an index in your inputs.conf then it will default to index=main

skoelpin · ‎07-31-2015

Excellent suggestion. I'm doing a project related to this and this also solves a secondary problem I have... When users interact with the dashboard, they won't have to know what Windows NT 6.1 is, they can just see Windows 7

skoelpin · ‎07-30-2015

Do 2 separate field extractions.. One for your browser and the other for the OS.. (?P<OSextraction>(?<=Mozilla\/\d\.\d).*(?=)) answers.splunk.com is not allowing the full regular expression to be posted for some reason.. Put < > before and after OSextraction I haven't tested this but it should work.. If not then send a few more lines of sample data and I'll fix it up

skoelpin · ‎07-30-2015

Can you provide us your query and some sample data? You need to group the events together using the Transaction command.. So if you have your eventStart as a seperate event from your eventFinish then the transaction command will group them both as 1 event then you can find the duration So it would look something like this .. | transaction startswith="eventStart" endswith="eventFinish" | timechart avg(duration)

skoelpin · ‎07-29-2015

I have 3 servers which process web service calls and are being indexed by Splunk. I specified their index in the inputs.conf on the forwarder as index=uvtrans and their sourcetype is ATG_Message_Log .. So now I see in Splunk 2 different sources coming in named WinEventLog.Application and WinEventLog.System which are in index=main which means their index was not specified on the forwarder so it defaults there. I'm looking in Splunk_Home/etc/system/local/inputs.conf on all 3 boxes and I do not see anywhere where WinEventLog is located. I've looked through all the conf files and cannot find it. Does Splunk index EVERYTHING on that server regardless if it's been specified in my conf files? How can I exclude the WinEventLog sources from being indexed by Splunk?

skoelpin · ‎07-29-2015

I just looked at the 3 hosts which have the WinEventLog:Application and these are being indexed in index=main while my legitimate events are being indexed in the index I specified in the inputs.conf file.. So maybe this would explain why I can't find it.. But why is data being indexed if I didn't specify the source or sourcetype in the inputs.conf?

skoelpin · ‎07-29-2015

Should I do this on the Indexer or forwarder?

skoelpin · ‎07-29-2015

Yeah I have that pulled open and the sourcetype is already defined as sourcetype=ATG_Message_Log .. I see nothing on any of the boxes which show the source or sourcetype as WinEventLog:Application

skoelpin · ‎07-29-2015

I have a forwarder on 3 different servers which grabs all the data coming from those servers. There is 1 specific sourcetype and source both called 'WinEventLog:Application' which we do not want indexed. Where in the forwarder do I exclude this source/sourcetype from being indexed?

skoelpin · ‎07-22-2015

I see what you're saying, it would be much faster to take a chunk from the large pool then do a transaction which is much slower across that smaller pool to make the search faster. *The token I used in my form which is also in my search is the $ip$ and your search example says to include this in the index=access subsearch.. When I defined the token in my form input, it was taken from the RTG_IPmain which is from the main index. Can you help with making my search work correctly? This is what I have so far ( I stripped off the sort and renames to make it easier to read) (index=access OR index=main) [search index=access | stats count values(RTG_Browser) values(RTG_WebRequest)] | transaction RTG_JSession | search $ip$ | stats count values(RTG_Browser) values(RTG_WebRequest) BY RTG_IPmain | table RTG_IPmain RTG_WebRequest RTG_Browser

skoelpin · ‎07-22-2015

I like your thinking on this and I agree. The transaction command is killing my performance, but it looks like you have a subsearch then pipe that output into the transaction command. Wouldn't a subsearch kill the performance just like having the Transaction command at the beginning?

skoelpin · ‎07-22-2015

Thanks for the input martin_mueller. I've done some reading and I saw that it's not possible to accelerate a search that has a non-streaming command followed by a streaming command which in my case is the Transaction command followed by the Stats command. Can you please clarify what you meant in the second part of you sentence? Did you mean where did I put the token from my form input into my search? If so then it's that search RTG_IPmain=* right after the Transaction command.

Posts	1911
Solutions	211
Karma Given	616
Karma Received	446
Member Since	‎01-02-2015

Online Status	Offline
Date Last Visited	3 weeks ago

How to backfill a ServiceHealthScore in ITSI?

How to add seconds to epoch time using time modifi...

How to send dashboard as a PDF email if condition ...

How to Get Eventgen working?

How to create a second Y-Axis using the downsample...

Why is my Base Search cutting off Fields in the Da...

How to disable realtime searches for the power use...

Service Health Score - No Results Found

Whats the best way to migrate /db from one drive t...

How to re-enable an index that was disabled after ...

Re: Why am I unable to download a Universal Forwar...

Why am I unable to download a Universal Forwarder ...

Re: Can I use splunk for creating arbitrary user i...

Re: The splunk account was deleted from our univer...

Re: Can props.conf and indexes.conf be split for m...

Re: How to extract mail logs (clearswift) and link...

Re: What's a faster search than a Nested IF statem...

Re: What's a faster search than a Nested IF statem...

Re: What's a faster search than a Nested IF statem...

What's a faster search than a Nested IF statement?

Re: Splunk URL not working

Re: How do I troubleshoot linebreak / linemerge is...

Re: Multiple source types to a single listner

Re: Multiple source types to a single listner

Re: How to extract the OS and Browser from a user ...

Re: How to extract the OS and Browser from a user ...

Re: How to get time duration between consecutive e...

Does Splunk Index Everything on the Server?

Re: How to exclude a sourcetype from being indexed...

Re: How to exclude a sourcetype from being indexed...

Re: How to exclude a sourcetype from being indexed...

How to exclude a sourcetype from being indexed?

Re: How To Accelerate a Search?

Re: How To Accelerate a Search?

Re: How To Accelerate a Search?

Join the Conversation