Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About RicoSuave
RicoSuave
Builder
Member since:
10-02-2015
10-27-2020
Community Statistics
| Posts | 204 |
| Solutions | 33 |
| Karma Given | 3 |
| Karma Received | 288 |
| Member Since | 10-02-2015 |
Activity Feed
- Karma Re: Search Head Cluster member removal for p_gurav. 06-05-2020 12:49 AM
- Got Karma for Re: How do bundles work?. 06-05-2020 12:48 AM
- Got Karma for Re: How do bundles work?. 06-05-2020 12:48 AM
- Got Karma for Re: How do bundles work?. 06-05-2020 12:48 AM
- Got Karma for Re: How do bundles work?. 06-05-2020 12:48 AM
- Got Karma for Re: How do bundles work?. 06-05-2020 12:48 AM
- Got Karma for Re: How can I determine the lag between when an app's scheduled search is supposed to run and when it actually runs?. 06-05-2020 12:48 AM
- Karma Re: How to use srchFilter to anonymize data based on role? for RicoSuave. 06-05-2020 12:47 AM
- Karma Re: is there a limit on the number of files splunk can monitor? for RicoSuave. 06-05-2020 12:47 AM
- Got Karma for Re: How do I display a list of PIDS for all searches running in my environment with a timerange of all-time?. 06-05-2020 12:47 AM
- Got Karma for Re: How do I display a list of PIDS for all searches running in my environment with a timerange of all-time?. 06-05-2020 12:47 AM
- Got Karma for Re: How do I display a list of PIDS for all searches running in my environment with a timerange of all-time?. 06-05-2020 12:47 AM
- Got Karma for Re: How do I display a list of PIDS for all searches running in my environment with a timerange of all-time?. 06-05-2020 12:47 AM
- Got Karma for Re: How do I display a list of PIDS for all searches running in my environment with a timerange of all-time?. 06-05-2020 12:47 AM
- Got Karma for Re: Who is Carlos Danger and where can I buy his boots?. 06-05-2020 12:47 AM
- Got Karma for Re: Who is Carlos Danger and where can I buy his boots?. 06-05-2020 12:47 AM
- Got Karma for Re: Who is Carlos Danger and where can I buy his boots?. 06-05-2020 12:47 AM
- Got Karma for Re: Who is Carlos Danger and where can I buy his boots?. 06-05-2020 12:47 AM
- Got Karma for Re: Who is Carlos Danger and where can I buy his boots?. 06-05-2020 12:47 AM
- Got Karma for Re: Who is Carlos Danger and where can I buy his boots?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 4 | |||
| 4 | |||
| 1 | |||
| 5 | |||
| 3 | |||
| 2 | |||
| 3 | |||
| 5 | |||
| 11 |
12-02-2014
02:15 PM
Can you post a sample of the applogs events?
... View more
12-02-2014
01:55 PM
Oh, try DELIMS = ","
... View more
12-02-2014
01:07 PM
Have you tried setting KV_MODE = AUTO? Setting it to NONE disables field extraction for that sourcetype.
... View more
09-23-2014
10:09 AM
1 Karma
this hath to be the most epic answereth ev'r. thou sir art a winn'r!
... View more
08-05-2014
07:43 AM
Have you checked your indexers in the cluster to make sure it did not get pushed out? Usually we will just warn about typos in conf files though this shouldn't prevent a bundle from being pushed out.
... View more
03-21-2014
12:05 PM
5 Karma
Now configurable in web.conf. From web.conf.spec:
splunkdConnectionTimeout = <integer>
* Number of seconds to wait before timing out when communicating with splunkd
* Must be at least 30
* Values smaller than 30 will be ignored, resulting in the use of the default value
* Defaults to 30
... View more
03-21-2014
11:36 AM
1 Karma
In previous versions of splunk, we have overridden the SPLUNKD_CONNECTION_TIMEOUT value in the __init__.py file due to long waits on our UI. I am currently working on applying our changes in Version 5 and making them "work" for Version 6. I am looking to apply this change, but I see the following comment about that parameter in the file:
# while this is no longer a constant, we don't know if any externally developed modules were referring
# directly to the constant, so leave the variable in constant ALL-CAPS style
SPLUNKD_CONNECTION_TIMEOUT = 30
I am concerned mostly because it says "this is no longer a constant". Is this just because I can pass timeout in with my rest call now? Looking at the code, it seems that if timeout is not set, then it will use the value for SPLUNKD_CONNECTION_TIMEOUT . I want to make sure that splunk doesn't set this anywhere else (that we would need to change) when it does its own internal rest calls.
... View more
- Tags:
- splunkweb
02-20-2014
11:02 AM
2 Karma
BOOYAH!!!!
... View more
01-15-2014
09:34 AM
so you're saying there's a chance!
... View more
10-28-2013
11:37 AM
1 Karma
The following configuration worked for me:
[multitest]
header.start = "Timestamp"
header.linecount = 1
header.tokens = _tokenize_, -1," | "
body.tokens = _tokenize_, -1, " | "
This will remove the hearder automatically from the results and then split each line into a separate event when using the following search sourcetype="multikvtest" | multikv conf=multitest
If you want to filter the results further by field value, you will only be able to do so by piping to the search command
Example:
| multikv conf=multitest | search field=value
... View more
10-08-2013
09:45 AM
It stands for User Interface: http://en.wikipedia.org/wiki/User_interface
... View more
06-26-2013
05:55 AM
1 Karma
Yes. Using Rest via the search language to hit the indexer endpoint. the following search will do the trick
| rest /services/data/indexes | chart sum(currentDBSizeMB) by splunk_server
Selected timeframe will not have an effect.
... View more
05-08-2013
08:56 AM
This has been answered here: http://splunk-base.splunk.com/answers/83394/reached-end-of-stream-error-troubleshooting
... View more
05-06-2013
02:07 PM
5 Karma
Does the splunk DB connect app encrypt communication between splunk and the Database(s) it's connected to?
... View more
- Tags:
- Splunk DB Connect 1
05-03-2013
10:15 AM
3 Karma
Hello folks,
My forwarders monitor several thousand oracle logs daily that rotate out at a high frequency. As such, my fishbucket index is growing at a steady pace. Currently it sits at 200MB+ on my forwarders. I understand that this is considered small, relatively speaking, but do to policies in place, i can't allow the splunk forwarder to take up this much space on the system it is sitting on. Is there a way to delete records out of the fishbucket and reclaim space? I am well aware that this could lead to reindexing. just an fyi.
... View more
04-22-2013
09:05 AM
2 Karma
In the past, i have seen these messages before in splunkd.log and usually across two components; tcpoutput and PipelineInputChannel components. A couple of questions:
What does this error mean?
Am i losing data?
What are the recommended troubleshooting steps?
If i were to file a support case, besides a diag, is there anything else i should provide?
... View more
- Tags:
- messages
04-18-2013
10:09 AM
3 Karma
I recently noticed that when using chrome and viewing the splunk documentation, the body of the selected topic is now displayed under the table of contents. This is very annoying, especially if viewing the search command reference since i have to scroll ten miles to view the body. Btw, that new font hurts my soul.
What's going on?
... View more
- Tags:
- documentation
04-11-2013
10:40 AM
5 Karma
I sometimes receive the following error message in my shp environment (4.3.5) when executing a search:
ERROR: Reached end-of-stream while waiting for more data from peer . Search results might be incomplete.
I would like to know a few things about this message and how to find the root cause
What does this message mean?
What are the possible reasons for this message appearing?
Would streaming vs non streaming commands have an effect here?
What steps should i take to troubleshoot this and what logs would give me more insight into the error (besides splunkd.log)
If i were to open a case with support, besides a diag, what else should i provide?
... View more
- Tags:
- error
04-02-2013
10:16 AM
Latencies are not stored anywhere. Your approach is correct, however you should be running this report in realtime using the all time (real time) dropdown option. This is to ensure that all incoming events are shown regardless of their extracted time stamp. Note that the latency measured here is affected by how old your events are when you expose them to Splunk. Alternatively, the SOS app includes a distributed indexing performance view that will show you realtime latency and is powered by this search
index=* OR index=_internal
| eval latency=round((_indextime - _time),2)
| eval seconds_elapsed=(time() - now())
| eval secs=if(seconds_elapsed<0,"1",seconds_elapsed)
| eval esize=((len(_raw)/1024))
| eventstats max(secs) AS seconds
| eventstats count AS ecount, sum(esize) AS sum_esize $type$
| stats last(ecount) AS "event count"
last(eval(ecount/seconds)) AS eps
last(eval(sum_esize/seconds)) AS KBps
min(latency) AS "minimum latency (seconds)"
avg(latency) AS avglat
max(latency) AS "maximum latency (seconds)"
min(_time) AS oldestTime
max(_time) AS newestTime $type$
| eval avglat=round(avglat,2)
| eval eps=round(eps,2)
| eval KBps=round(KBps,2)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(newestTime)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(oldestTime)
| rename newestTime AS "Time stamp of newest event"
oldestTime AS "Time stamp of oldest event"
avglat AS "average latency (seconds)"
eps AS "events per second"
KBps AS "indexing rate (KBps)"
Possible values for $type$: by index | by host | by source | by sourcetype | by splunk_server
You can modify this search to suit your needs.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-27-2020
12:43 AM
|
Karma from
