Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About mikelanghorst
mikelanghorst
Motivator
Member since:
11-03-2010
08-29-2025
Community Statistics
| Posts | 286 |
| Solutions | 20 |
| Karma Given | 360 |
| Karma Received | 229 |
| Member Since | 11-03-2010 |
Activity Feed
- Got Karma for Re: What are the ports that I need to open?. 04-16-2025 05:18 AM
- Posted Re: Splunk 9.3+ Deployment on CIS Red Hat 9 level 1 image - No GUI on Deployment Architecture. 04-02-2025 03:34 PM
- Karma Re: Splunk 9.3+ Deployment on CIS Red Hat 9 level 1 image - No GUI for jwestbank. 04-02-2025 03:33 PM
- Got Karma for Re: What are the ports that I need to open?. 01-06-2025 02:51 AM
- Posted Re: Why is Powershell input not receiving data? on Getting Data In. 05-10-2022 02:21 PM
- Posted Why is Powershell input not receiving data? on Getting Data In. 05-10-2022 09:48 AM
- Got Karma for Re: What are the ports that I need to open?. 03-17-2022 07:11 AM
- Got Karma for Re: What are the ports that I need to open?. 08-18-2021 05:28 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-19-2021 09:48 AM
- Got Karma for Re: What are the ports that I need to open?. 07-28-2020 03:20 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-13-2020 10:52 PM
- Karma Re: Lookup File Editor in Search Head Cluster - "The requested lookup file does not exist" for LukeMurphey. 06-05-2020 12:49 AM
- Karma Re: New forwarder: An Admin password is required??? for xpac. 06-05-2020 12:49 AM
- Karma Re: Where to add certificate info for port 8089? for dwaddle. 06-05-2020 12:48 AM
- Karma Re: what could be the reason for some splunk sessions observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format)? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to upgrade Splunk forwarders from a deployment server installed on a separate VM? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: What are my options to specify the user to start splunk service as on linux for yannK. 06-05-2020 12:48 AM
- Karma Re: Community Supported apps - should they have an external repo for the community to assist in improving? for Damien_Dallimor. 06-05-2020 12:47 AM
- Karma Re: Filtering out 90% log events from indexing for dshpritz. 06-05-2020 12:47 AM
- Karma Re: Splunk installed failed to create splunk account on RHEL for grijhwani. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 |
06-22-2012
11:42 AM
When you're searching you're still seeing current data from the old location, or are you simply saying that you can still search for the old location?
... View more
06-22-2012
11:06 AM
you could use the command: | extract reload=T
But I've seen that will still take a bit before the new fields show up when I modify the config files directly.
... View more
06-22-2012
09:54 AM
1 Karma
The best would be to set your whitelist/blacklists to only grab .log files and ignore .log.gz, that said Splunk should open the file then determine based upon checksums that it's already been read.
... View more
06-22-2012
09:48 AM
1 Karma
Yes, the splunk license manager doesn't care whether you exceed by 10MB or 500GB, the violations count the same. As long as you don't have 3 violations in 30 days, you'll be fine. Just get all your data in within the 2 days.
... View more
06-22-2012
09:46 AM
1 Karma
The only saved searching it should be doing is in dashboard reports, or if you link to a saved result set. You could run the search directly if that's the case.
I'd start with ensuring the regex being used is actually correct. Find the regex created in the props or transforms and add it to your search using the rex command.
... View more
06-22-2012
09:36 AM
1 Karma
I'd probably use:
rex field=source "(?i)\/export\/data\/history\/(?P [^_]+)_(? \w+)"
Splitting out both host and user
... View more
06-22-2012
09:31 AM
1 Karma
There is the PDF Report Server app available from Splunkbase PDF app link unfortunately that only works for scheduled reports. That said I've been told that they do realize that PDF's are a pain point right now and they do intend to add in the near(?) future a more functional PDF capability.
... View more
06-16-2012
10:22 PM
1 Karma
I expect he's likely still under the trial, and wants to convert early or doesn't know that it will convert on it's own. Cervelli explains it well here:
link text
To paraphrase, under the license page there should be an option to convert from the trial to free.
... View more
06-16-2012
10:18 PM
interval is generally in seconds unless you specify in crontab format:
interval = [ | ]
* How often to execute the specified command (in seconds), or a valid cron schedule.
* NOTE: when a cron schedule is specified, the script is not executed on start-up.
* Defaults to 60 seconds.
I'm not sure how the passAuth actually functions, but I would expect (since I'm not seeing additional information for configuring sudo) that it can't elevate it's priviliges, but only drop from root to another user. You could wrap it in another script to use sudo.
... View more
06-13-2012
11:09 AM
6 Karma
| stats count | eval msg = if(count == 0, "No Msg!","Msgs Exist!") | table msg
Building from the mighty hexx's answer, I put in an if statement to only show "No Msg!" if there were indeed no events. eval msg="No logs!" would display the no log message even when it does return.
... View more
06-07-2012
09:09 PM
pointing out that "cmd btool" is especially helpful in that it will show you the resulting configuration when you may have multiple apps' configuration files.
... View more
06-07-2012
08:57 PM
4 Karma
Also in $splunk_home/etc/system/local/web.conf if for some reason you don't have the UI.
mgmtHostPort = IP:port
* Location of splunkd.
* Don't include http[s]:// -- just the IP address.
* Defaults to 127.0.0.1:8089.
... View more
05-22-2012
07:44 PM
The Web Intelligence app is available link text
The app isn't necessary to index Apache data, it just provides additional reports based upon the data.
... View more
05-22-2012
07:34 PM
Did you look at all the fields, not just those shown on the left? Click Edit, and in the pop-up window that field should already be extracted as "correlator".
Splunk should automatically extract a value any time it sees a key=value. How it determines what are "interesting fields" I'm not sure.
... View more
05-22-2012
07:24 PM
1 Karma
Did you specify during install to monitor anything? For the windows installer it will ask, but for the *nix installs it doesn't actually monitor anything outside of itself. I've seen that happen to quite a few new users that come into the #splunk IRC channel.
To verify what you are monitoring on the forwarder, you can run the following from a command window: splunk cmd btool inputs list --debug
This will show you every input, along with what app is implementing it.
Also, you can search the _internal index for data by adding: index=_internal to your search.
... View more
05-15-2012
08:47 AM
1 Karma
Not sure about merging the data to a new event, but "| transaction Correlation_Id" (without the quotes) will group the 2 events together allowing you to search/report on them as a single event.
... View more
05-11-2012
02:50 PM
Seems closer, but it's retaining the closing quote.
... View more
05-11-2012
01:31 PM
while regexr accepts it just fine, passing this to rex fails with:
Error in 'rex' command: Encountered the following error while compiling the regex '(?:(?:"(? [^"]+)")|(? [^\s]+))': Regex: two named subpatterns have the same name
... View more
05-11-2012
01:19 PM
1 Karma
Finally got one working as I want:
(?:\"(? [^\"]+)\"|(? [^\s]+))
Or not, RegExr and Expresso works ok with this, but Splunk Rex command fails due to multiple blocks.
... View more
05-11-2012
12:28 PM
2 Karma
For this sample data:
172.21.174.78 - "/dc=com/dc=caiso/OU=people/CN=Bob User" [11/May/2012:11:27:40 -0700] "POST /APP/ClientWebService HTTP/1.0" 200 439 "-" "Mozilla/3.0 (compatible; Indy Library)"
172.21.174.78 - mlanghor [11/May/2012:11:27:40 -0700] "POST /APP/ClientWebService HTTP/1.0" 200 439 "-" "Mozilla/3.0 (compatible; Indy Library)"
172.21.174.78 - - [11/May/2012:11:27:40 -0700] "POST /APP/ClientWebService HTTP/1.0" 200 439 "-" "Mozilla/3.0 (compatible; Indy Library)"
For some of our webserver logs, we are logging the DN from the user certificate with %{SSL_CLIENT_S_DN}x.
The default extraction for user is [[nspaces:user], so essentially (? [^\s]+).
In trying to extract the different variations for the user field I came up with:
(?<user>([^\"\s]+|\"[^\"]+\"))
But that includes the " as part of the field. I'm haven't been able to come up with a regex that"
when the first character is a " grab everything but not including the "'s, otherwise, grab everything till the next space.
... View more
- Tags:
- regex
05-09-2012
01:20 PM
If you have the host extracted as a field, it should be included in the results by default. If host isn't extracted you could either create a props entry or use |rex to extract it on the fly.
... View more
05-09-2012
01:13 PM
Seeing that many messages a day, I would be concerned that the larger queue size would just delay the issue, since it seems it isn't getting the data output to disk quickly enough.
... View more
05-09-2012
10:04 AM
1 Karma
As djalton mentions as a separate answer, using bash will allow tab-completion.
Solaris's default shell is still Bourne, which doesn't have that functionality.
... View more
05-09-2012
09:14 AM
4 Karma
http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/BindSplunktoanIP
You should be able to set SPLUNK_BINDIP=127.0.0.1 in $splunk_home/etc/splunk-launch.conf so it will only bind to localhost.
... View more
04-26-2012
02:59 PM
Thanks, hadn't thought of using transaction. A bit more filtering and this will work great. Just that one step took the results from 5k, down to 342 results.
... View more
