Activity Feed
- Got Karma for Re: Divide by quarter. 10-18-2021 08:23 AM
- Karma Re: Help on Transaction command!! for sideview. 06-05-2020 12:46 AM
- Karma Re: help with sum time between event from other sourcetypes for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Bucket rotation and warm, cold... for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Custom heatmap logic in advanced XML for sideview. 06-05-2020 12:46 AM
- Karma Custom heatmap logic in advanced XML for sideview. 06-05-2020 12:46 AM
- Karma Re: Regex not finding what I'm looking for??? for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: Reducing retention costs, archiving frozen buckets, running multiple instances for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: All DB rows get input as one event for ziegfried. 06-05-2020 12:46 AM
- Karma Re: How many field extract in splunk? for cucuro. 06-05-2020 12:46 AM
- Karma Why does custom python script execute twice? for phoenixdigital. 06-05-2020 12:46 AM
- Karma Re: Need Help With Deployment-Server and Deployment-Client configurations for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: Struggling to correlate 2 sourcetypes for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: summary indexing - search with a 2-hour transaction every 5 minutes ? for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Query to analyze if the log size has been decreased over time from hosts for lguinn2. 06-05-2020 12:46 AM
- Karma Re: splunk-sdk-python analytics sample not working for rroberts. 06-05-2020 12:46 AM
- Got Karma for Re: Regex to select string from raw data. 06-05-2020 12:46 AM
- Got Karma for Issue with deploying Splunk App for MS SQL. 06-05-2020 12:46 AM
- Got Karma for Issue with deploying Splunk App for MS SQL. 06-05-2020 12:46 AM
- Got Karma for Issue with deploying Splunk App for MS SQL. 06-05-2020 12:46 AM
04-01-2013
05:59 AM
[root@dev bin]# telnet 2xx.4x.1x.2x1 9589
Trying 2xx.4x.1x.2x1..
telnet: connect to address 2xx.4x.1x.2x1: Connection timed out
telnet: Unable to connect to remote host: Connection timed out
Thanks brother,
can you please tell me how I should solve this issue?
04-01-2013
03:55 AM
serverclass.conf on my deployment server running at dev.xxxxxxx.com:9553 with the management port 9589:
[root@dev etc]# cd system/local/
[root@dev local]# cat serverclass.conf
[global]
whitelist.0=*
restartSplunkd=true
stateOnClient = enabled
[serverClass:devtest]
[serverClass:devtest:app:testapp]
I have my testapp in deployment-apps/testapp/local.
This has an outputs.conf which will be deployed to the deployment client at dev.xxxxxx.com:9653 with the management port 9689.
On the client, the deploymentclient.conf is located in /system/local/:
[root@dev local]# cat deploymentclient.conf
[deployment-client]
disabled = false
[target-broker:deploymentServer]
targetUri = 2xx.4xx.1xx.2x1:9589
I got my testapp at the client in /etc/apps/testapp, which will forward data to the deployment server on receiving the outputs.conf from deployment-apps/testapp/local/outputs.conf:
[root@dev local]# cat outputs.conf
[tcpout]
defaultGroup = testf
disabled = false
[tcpout:testf]
indexAndForward = true
disabled = false
server = 2xx.4x.1xx.2x1:9997
forwardedindex.0.whitelist = testindex
I can't find the outputs.conf in the deployment client's testapp/local/ path.
I have restarted both Splunk instances.
I have checked the status of both deployment client and server from the CLI; both are enabled.
I checked the splunkd.log.
I can see WARN messages as follows in the deployment server:
04-01-2013 15:11:25.877 +0530 WARN DeploymentClient - Property targetUri not found. DeploymentClient is disabled.
04-01-2013 15:11:25.877 +0530 INFO LicenseMgr - Initing LicenseMgr
I can see WARN messages as follows in the deployment client:
04-01-2013 14:42:17.315 +0530 WARN DeploymentClient - Phonehome thread is now started.
04-01-2013 14:42:29.318 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
04-01-2013 14:42:41.322 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
Please let me know how to solve this issue; this is a test I am running before moving to production. I need to solve this issue as early as possible!!!
When I move to production I will not only send outputs.conf, I will be sending all the conf files in the local folder to the deployment client, which will index and forward the indexed data back to the deployment server.
happy splunking,
eashwar raghunathan
03-30-2013
12:38 PM
2 Karma
Hello brother,
use the below search command and the chart formatting options,
| chart count over ID by Action
As a result of this you will get a table view; you have to do the charting stuff manually and save it.
go to the chart formatting options,
Chart type is BAR
then you have to select stacked mode
Stack mode is 100% STACKED
happy splunking brother,
If this helped you, don't forget to vote.
yours,
eashwar raghunathan
03-30-2013
12:06 PM
1 Karma
your props.conf
REPORT-attribute = xmlkv_attribute
your transforms.conf
[xmlkv_attribute]
REGEX = (?i)>([^<]+)<\/\S+:([^>]+)>
FORMAT = $2::$1
MV_ADD = 1
CLEAN_KEYS = 1
this will set your fieldname and value as below
>YOUR_Value</ns7:YOUR_Fieldname>
Hope this helps you,
happy splunking,
eashwar raghunathan
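As an added example (not code from the post), this Python script emulates what the REPORT stanza above does with FORMAT = $2::$1 and MV_ADD = 1, running the posted regex over a constructed sample event both with newlines between elements and as a single line; it also shows how the greedy \S+ behaves when the event contains no whitespace. The TIGHT pattern is an added variant, not from the thread.

```python
import re

# Regex from the transforms.conf stanza above. Splunk uses PCRE; Python's re
# treats this pattern the same way. Group 1 is the element text, group 2 the
# local name after the namespace prefix, so FORMAT = $2::$1 means field=$2,
# value=$1 for every match.
POSTED = re.compile(r"(?i)>([^<]+)<\/\S+:([^>]+)>")

# Tightened variant (added here, not from the thread): a namespace prefix
# cannot contain ':' or '>', so the match can never run past the closing tag.
TIGHT = re.compile(r"(?i)>([^<]+)<\/[^:>]+:([^>]+)>")

# Constructed sample events (not from the thread): the same elements once
# with a newline between them and once as a single line.
PRETTY = (
    "<ns7:id>A-1001</ns7:id>\n"
    "<ns7:status>shipped</ns7:status>\n"
    "<ns7:item>widget</ns7:item>\n"
    "<ns7:item>gadget</ns7:item>"
)
ONELINE = PRETTY.replace("\n", "")


def xmlkv_attribute(raw, pattern=POSTED):
    """Emulate REPORT with FORMAT = $2::$1 and MV_ADD = 1: every match adds
    value $1 to field $2, and a repeated field name becomes a multivalue list."""
    fields = {}
    for value, name in pattern.findall(raw):
        fields.setdefault(name, []).append(value)
    return fields


if __name__ == "__main__":
    # Newline-separated XML: \S+ stops at the newline, each tag is its own field.
    print(xmlkv_attribute(PRETTY))
    # Single-line XML: greedy \S+ runs to the last closing tag, so the whole
    # event collapses into one field named after that last tag.
    print(xmlkv_attribute(ONELINE))
    # The tightened prefix class gives the per-element result on both layouts.
    print(xmlkv_attribute(ONELINE, TIGHT))
```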
03-30-2013
11:26 AM
1 Karma
if you want the field for all events which start with the word Switch
EXTRACT-field4 = (?i)Switch\s+:\s+\S+\s+(?P<field4>\S+-\S+)
03-30-2013
11:04 AM
you can use OR to do the job
source=visitor OR source=action | rex field=actionVisitorID "^(?P<visitorID>\d+)" | top visitorID
you can also use rename actionVisitorID AS visitorID instead of using rex.
finish your search by | top visitorID
or you can also do a transaction if you want to group the events by visitorID
| transaction visitorID
I hope now you can find the most active users based on the eventcount or the mvcount of the data field.
03-30-2013
10:40 AM
The transaction's last event and the outer/last event are exactly the same with different timestamps?
Please comment the two events; I will give you the solution.
03-29-2013
04:24 AM
Did you have a solution for this, brother? Please let me know.
03-29-2013
03:34 AM
I hope it is because of the TIME ZONE being configured incorrectly.
03-29-2013
03:25 AM
1 Karma
Hello brother,
First you should extract the xml from the event; add this line to the props.conf:
EXTRACT-xml=(?i)(?P<xml>\<\sevn.+)
now you should use spath and specify the input field as xml
<your search>| spath input=xml
You can find your results in the field named {@evn}.{@att}.{@it}. You can also add path={@evn}.{@att}.{@it} to the spath command.
The search command you are looking for:
use the below search if you did not add the EXTRACT to the props.conf
index=" " sourcetype=" " | rex field=_raw "(?i)(?P<xml>\<\sevn.+)" | spath input=xml | stats sum({@evn}.{@att}.{@it})
use the below search if you have added the EXTRACT to the props.conf
index=" " sourcetype=" " | spath input=xml | stats sum({@evn}.{@att}.{@it})
happy splunking,
yours,
eashwar raghunathan
consider voting if it helped you, thanks...
03-26-2013
07:15 AM
<yoursearch> | dedup userid | stats count AS "TOTAL Number of Users Logged in"
or
<yoursearch> | stats count by userid
<yoursearch> should have the field userid extracted from the event. You should comment the event so that I can help you with the extraction.
happy splunking
yours,
eashwar raghunathan
03-26-2013
05:02 AM
sure i can help you with it.
All you have to do is update your question with one sample event, followed by field=value:
what value should be assigned to what field.
Consider creating a new thread so that the Splunk guys don't get annoyed about hijacking threads.
happy splunking,
Comment the link to the new thread here.
yours,
eashwar raghunathan
03-26-2013
04:58 AM
Hey Shane, I really don't understand.
Can you update your answer with the command for implementing it?
03-26-2013
04:51 AM
hey NVM,
consider voting if it helped you.
thanks, happy splunking
03-26-2013
04:40 AM
Extractions are done at index time and search time.
I am also new to Splunk.
If you call a transforms.conf variable using REPORT from props.conf it will do the extraction at search time.
If you call a transforms.conf variable using TRANSFORMS from props.conf it will do the extraction at index time.
If you are using TRANSFORMS in your props.conf after the data is indexed, make sure you do the following to reindex all the data:
Step 1: stop Splunk: ./splunk stop
Step 2: clean the index: ./splunk clean eventdata <yourindexname>
Step 3: start Splunk: ./splunk start
If you want to clean your full Splunk instance, replace step 2 by ./splunk clean all
hope this will help you,
yours,
eashwar raghunathan
happy splunking
03-26-2013
02:46 AM
hello there,
If you can create a new thread with a sample event in it, I can help you with your extract.
You may have to use EXTRACT-xxxxx in props.conf
Or you can also use DELIMS in:
DELIMS = ","
FIELDS = "field1", "field2", "field3"
This is in transforms.conf.
consider voting for the answer above if the answer is correct and helped you.
thank you,
eashwar raghunathan
03-26-2013
02:30 AM
1 Karma
hi friend, try this in your script.
tar -xvzf /home/ec2-user/$INSTALL_FILE
I am not so sure about this; I think the problem is the location of the tar.gz file.
If the above does not work, just try to find the wget location and replace it before the install file variable.
yours,
eashwar raghunathan
03-26-2013
02:15 AM
1 Karma
Hello, I hope this will help you!!
| eval fieldname =",345,af04,,,01,78932223442,,,_,,24,_" | rex field=fieldname mode=sed "s/(,,,|,,)/,/g s/(^,)//g"
The above worked for me in my Splunk instance.
add this line to your props.conf
SEDCMD-removecommas=s/(,,,|,,)/,/g s/(^,)//g
The above regular expression says: if 3 commas or 2 commas are found together, replace them with one comma; then find the comma at the line start and remove it.
yours,
eashwar raghunathan
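Added example, not code from the post: the two sed substitutions behind SEDCMD-removecommas, emulated with Python's re on the value from the eval above and on a constructed value with a run of four commas. The `,{2,}` variant is an alternative added here, not the author's.

```python
import re

# Value from the eval in the post, kept as the sample input.
SAMPLE = ",345,af04,,,01,78932223442,,,_,,24,_"

# Constructed extra input (not from the post): a run of four commas.
LONG_RUN = "a,,,,b"


def sedcmd_removecommas(value):
    """Emulate SEDCMD-removecommas = s/(,,,|,,)/,/g s/(^,)//g in two passes:
    collapse each run of three or two commas to one, then drop a leading comma.
    Like sed, the global substitution does not rescan its own output, so a run
    of four commas becomes two commas, not one."""
    value = re.sub(r"(,,,|,,)", ",", value)
    return re.sub(r"^,", "", value)


def collapse_any_run(value):
    """Variant added here (not from the post): ,{2,} collapses a run of any
    length in one pass, so the result no longer depends on the run length."""
    value = re.sub(r",{2,}", ",", value)
    return re.sub(r"^,", "", value)


if __name__ == "__main__":
    print(sedcmd_removecommas(SAMPLE))    # 345,af04,01,78932223442,_,24,_
    print(sedcmd_removecommas(LONG_RUN))  # a,,b
    print(collapse_any_run(LONG_RUN))     # a,b
```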
03-23-2013
12:37 PM
Very nice example, I can now understand and am able to write some Python scripts using the Splunk SDK. Thanks phoenixdigital.
03-23-2013
12:12 PM
hi jtrucks
Is this what you are looking for?
http://blogs.splunk.com/2011/01/07/splunk-sysadmin-email/
03-23-2013
12:02 PM
1 Karma
Could you please verify the permissions on the /home/ec2-user/.ssh directory and files contained in it on this instance?
To verify the permissions, you can stop the instance and detach the root volume (make note of the device that it's attached to). Then attach the volume to another instance on an available device. Create a mount point, such as /fixroot, if needed and mount the device to this mount point. Once mounted, cd to /fixroot/home/ec2-user and check the directory and file permissions. The .ssh directory should allow rwx for the user (owner) and the files should be readable only by the user.
Another thing to check while you are there is that the known_hosts file doesn't have duplicate entries for the client you are attempting to connect from.
Once you have done this, you can unmount the volume and detach it from the instance. Then attach it back to the original instance to the device that you noted in the first step and start the instance.
Please let us know the results.
http://d2930476l2fsmh.cloudfront.net/LostKeypairRecoveryOfLinuxInstance.mp4
This video may help you.
Thanks to yromaneko (AWS guy).
03-22-2013
11:25 AM
Hi, I am following your post; let me know what the solution to your above-mentioned question was.
03-21-2013
04:33 AM
I hope you have to add a stanza for the related sourcetype in the props.conf in the local directory:
TZ = UTC
If Splunk does not recognize the timestamp, you have to configure it yourself.
If you don't know how to configure the timestamp, you have to add a sample event to your question so that we can help you configure it.
happy splunking!!
03-21-2013
04:16 AM
Find the sourcetype associated with the log in splunk/etc/apps/your app name(search or any custom app)/local/props.conf:
[yoursourcetype]
EXTRACT-startdatetime=(?i)Start\sdate\sand\stime\s(?P<StartDate>\d{1,2}/\d{1,2}/\d{1,4})\s+(?P<StartTime>\d{1,2}:\d{1,2}:\d{1,2}\s\S{2})
EXTRACT-enddatetime=(?i)End\sdate\sand\stime\s(?P<EndDate>\d{1,2}/\d{1,2}/\d{1,4})\s+(?P<EndTime>\d{1,2}:\d{1,2}:\d{1,2}\s\S{2})
Append the two lines (EXTRACT) under your sourcetype name; be very careful and make sure that the events' sourcetype matches the one inside the square brackets. If you can't find it, just create one with the values.
Make sure you also check the props.conf in splunk/etc/system/local/ and splunk/user/admin(or your username)/appname(search or custom app)/local/
If you still have some problem,
comment; I will help you.
happy splunking!!!
03-16-2013
12:28 PM
Hey there, I hope this will help you.
DENIED\s+src\s-\s(?<ext_ip>\d+\.\d+\.\d+\.\d+):\d{4}