Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About fk319
fk319
Builder
Member since:
10-19-2010
03-18-2021
Community Statistics
| Posts | 144 |
| Solutions | 10 |
| Karma Given | 66 |
| Karma Received | 43 |
| Member Since | 10-19-2010 |
Activity Feed
- Posted Re: How to use same set of filter value on multiple Dashboard on Splunk Dev. 03-16-2021 12:37 PM
- Posted Re: Pyton SDK custom command runing distributed instead of local only on Splunk Dev. 03-16-2021 12:34 PM
- Posted Running a script on the Search Head initiated from browser on Splunk Dev. 03-16-2021 09:58 AM
- Posted Re: Sending Splunk email alert with variable email address and variable subject values. on Splunk Enterprise. 08-11-2020 11:39 AM
- Posted Re: Splunk 8.0 sendemail/subsearch issues after upgrading on Splunk Search. 07-15-2020 01:25 PM
- Karma Re: Deployment Server - when app is redeployed, what is overwritten for Lowell. 06-11-2020 05:59 AM
- Karma Re: Use lookup table to populate otherwise empty rows for rmmiller. 06-05-2020 12:51 AM
- Karma How to disable realtime searches for the power user role? for skoelpin. 06-05-2020 12:49 AM
- Karma Re: App.conf version is empty on .spl file for dnamal. 06-05-2020 12:49 AM
- Got Karma for Re: What is the correct way to remove an item from restmap.conf ?. 06-05-2020 12:49 AM
- Got Karma for Re: Background color in navbar is gone in 7.1 and 7.2. 06-05-2020 12:49 AM
- Got Karma for using sendemail in a dashboard. 06-05-2020 12:49 AM
- Got Karma for using sendemail in a dashboard. 06-05-2020 12:49 AM
- Got Karma for Re: Background color in navbar is gone in 7.1 and 7.2. 06-05-2020 12:49 AM
- Karma Re: How abort a search based on a condition? for mmol. 06-05-2020 12:48 AM
- Karma How abort a search based on a condition? for reed_kelly. 06-05-2020 12:48 AM
- Karma Re: What is the difference between the metasearch and tstats commands? for cpride_splunk. 06-05-2020 12:48 AM
- Got Karma for Simple XML strips onclick from HTML button. 06-05-2020 12:48 AM
- Got Karma for Simple XML strips onclick from HTML button. 06-05-2020 12:48 AM
- Got Karma for Re: Simple XML strips onclick from HTML button. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 2 | |||
| 1 |
01-30-2012
09:29 AM
I have the same issue, and I was looking for you to solve my problem for me. I tried to set up a search and store the sumary index on one of the search heads. I set up an index on the one SH and I use a pool for my SHs. The problem is the other SH wants to run it and seems to be doing so, it is just not saving the data.
... View more
01-25-2012
06:01 AM
Kristian,
I think 'different' is the wrong word. From what I have read they use different stanzas and can thus be placed in the same field.
From what I have found so far, my apps/.../props.conf has not made it to my Search Heads.
... View more
01-25-2012
05:09 AM
I have the UF sending the data, I just cant seem to get my props.conf on my indexer to be applied.
From your second link, I think I should be looking at the search head and not the indexer. (I am using Transforms and Reports).
Let me chew on this for a few hours, thank you Kristian.
... View more
01-25-2012
04:09 AM
We are converting from a single Splunk instantance to a cluster. At this time we are also implementing Universal Forwarders on several of our application servers.
I have several props.conf and transforms.conf rules written for the old system that I would like to implement on the new system. So far I have been unable to get the rules to activate.
1) I am able to select the index in which I want the logs to go to, but this has only been successful by defining them on the UF. I have tried several different configuration for inputs.conf in my app on the splunk indexers, but to know avail.
2) Also I would like to push files from the distrubtion server to the UFs. I have been able get the files over by including the host as part of the distrubtion class, but I have been unable to craft an inputs.conf and outputs.conf file that will work both on the UFs and the Indexers.
Anyone have some suggestions?
... View more
08-30-2011
06:50 AM
if you have something like this:
Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3"
then you can extract the keys as a single field.
From this field, you can then extract your keys.
... View more
08-29-2011
06:46 AM
Splunk provides dashboards to display search activity, http://localhost/en-US/app/search/search_detail_activity I would suggest looking through these and finding something that is close and looking at the searches.
... View more
08-29-2011
06:37 AM
Can you include the character that is before the first field in DELIMS?
or if this is a sub part of the log, can you extract all the fields as one field, then process that field in a seperate regex?
... View more
08-29-2011
06:26 AM
You need to do two searches. First do a real time serach on some of your data, then do a typical search. If the realtime results are not procesed imeadiatly, you are using cpu resources for the search.
I have seen on my system during the day, of up to 15 minutes. Note that the delay is normal and the logs are just indexed late.
We have 3 log entries for some of our events, A detailed start, detailed end, and a summary end. I have written queries where I look for all three. In our case, there are times that we loose logs, so I know our system is over loaded.
... View more
08-29-2011
06:17 AM
right before your sendmail command, try using 'fields <field_list>'
... View more
08-24-2011
08:47 AM
" If you go over 500MB/day more than 3 times in a 30 day period, Splunk will continue to index your data, but search will be disabled until you are back down to 3 or fewer times in the 30 day period. "
http://docs.splunk.com/Documentation/Splunk/4.1.5/Installation/MoreaboutSplunkwithaFreeLicense
I think the same or similiar is true for Enterprise Licenses.
... View more
08-24-2011
08:43 AM
1 Karma
The Data will continue to be indexed. I think you have 3 or 5 over the limits and then your indexes will be unsearchable, except for a few internals.
... View more
08-24-2011
04:58 AM
ok, I was think about this a different way, could you take your list of fields as just one field and search to see if you have a regex of '=[^O]' ?
... View more
08-24-2011
04:46 AM
how about instead of putting them in a seperate field, use the same field.?
at the moment I am not sure, but if you know the total and the number of OK's are not the same then error, or regex out the OK and report what is left over?
Probably not very helpfull, but maybe someone else can expand on this idea...
... View more
08-23-2011
11:52 AM
We have the same issues, but out system is severly overloaded.
... View more
08-23-2011
06:14 AM
1 Karma
First, when you do a 'stats' you can use the as option, 'stats count as "DayShift" by _time'.
I am thinking that I would redo your query a bit.
index=MyApp earliest=-30d@d-14h | eval Shift=if(10<=date_hour and date_hour<22,"Day","Night") | timechart span=1d count by Shift
... View more
08-23-2011
06:04 AM
1 Karma
I think transaction is the correct direction.
What I would suggest that you look for is a transaction that has a message [list] that has more than one "log in" and a "time out".
... View more
08-08-2011
07:33 AM
I know that when I display my page, I see my user name. I looked and python has several known variables.
$SPLUNK_HOME/share/splunk/search_mrsparkle/modules/nav/AccountBar.html
so, it seems possiable to do your search with the username, at least in python.
... View more
08-05-2011
12:17 PM
1 Karma
Interesting, it can be done, but there is a bit of work.
First, you will need to Splunk to use the mailbox as a source of logs (input.config). Then you will heve to teach Splunk to parse an mbox file so that each message is a single record (props.config and transform.config), LINEBREAKER I think it is called may be of value.
Is it sensable, that is up to you, it realy is not that hard, just getting splunk to understand mbox format, which is well defiend.
... View more
08-05-2011
10:39 AM
search | transaction maxspan=5m field.
I suppose you knew that already, what you need is to have a common field between the logs. You will need to the rex command to help you along here. Usually there is some identifier, like ID or client ip.
... View more
08-05-2011
04:31 AM
I would be using a distributed search.
I am not sure what the difference between your two questions.
... View more
08-04-2011
07:35 AM
We are looking at merging Splunk instances between different data centers and having a single Search head cluster.
I am concerned that having the Search and Indexer so far, 20-40 ms ping times, will cause an issue.
So how far apart can the systems be? We are looking at having our indexers in a few different locataions.
-- Frank
... View more
- Tags:
- indexer
- search-head
08-03-2011
07:36 AM
It seems to me that you can set up a new app and display a message and link to the new server. (I guess you can auto refrish the new server if you like.) Then change your selected users to use this new app as default. This will do the trick if they just log in, but if they have a link to a specific view, it wont.
... View more
08-01-2011
08:42 AM
I am reviewing the scheduled jobs on our Splunk system and I noticed that several people are running the same query many times and extracting something slightly different each time.
With each query taking 5-10 minutes each in the off hours, I can save a lot of time by running the search only once. I can do this in a view, but don't know how to do it in a search.
Any suggestions?
... View more
