Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About TStrauch
TStrauch
Communicator
Member since:
03-16-2016
06-05-2020
Community Statistics
| Posts | 71 |
| Solutions | 18 |
| Karma Given | 15 |
| Karma Received | 56 |
| Member Since | 03-16-2016 |
Activity Feed
- Got Karma for Re: How can I send logs from one universal forwarder to two different indexers depending on the logs type?. 12-24-2024 04:09 PM
- Got Karma for Re: why splunk doesn't resolve stats count on postprocess ?. 10-16-2023 05:07 AM
- Got Karma for Re: How can I send logs from one universal forwarder to two different indexers depending on the logs type?. 06-27-2022 01:10 AM
- Got Karma for Re: How do I monitor Forwarded Events logs on Windows?. 02-24-2021 08:33 AM
- Got Karma for Re: I can't get the App for VMWare to install,Can,t get App for vmware installed. 06-24-2020 10:10 AM
- Karma Re: How do I prevent my license master / Deploy Server / Management Console system from having the Indexer and Search Head roles for DMohn. 06-05-2020 12:48 AM
- Karma Re: How to edit my time_prefix and time format in props.conf? for DMohn. 06-05-2020 12:48 AM
- Karma Re: How to expand macros in a Splunk search? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: How to expand macros in a Splunk search? for inventsekar. 06-05-2020 12:48 AM
- Karma Re: How do I get splunk to use the timestamp of my data for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to connect a standalone search head to an indexer cluster? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Why am I unable to search my JSON log file without using spath, even after configuring my props.conf? for DMohn. 06-05-2020 12:48 AM
- Karma Re: How can I send logs from one universal forwarder to two different indexers depending on the logs type? for raindrop18. 06-05-2020 12:48 AM
- Karma Re: How to filter out local firewall events I don’t want Splunk to index? for gcusello. 06-05-2020 12:48 AM
- Karma Re: Moved to search head cluster but I receive error: "Please make sure that the pass4SymmKey setting in server.conf, under [general], is the same for the License Master and all its slaves" for lukejadamec. 06-05-2020 12:48 AM
- Karma Re: Can move_policy actually move things? for skoelpin. 06-05-2020 12:48 AM
- Karma Re: How to extract a field that is changing position in the logs? for gokadroid. 06-05-2020 12:48 AM
- Karma Re: How to enable the Search Assistant in 6.5.0? for inventsekar. 06-05-2020 12:48 AM
- Karma Re: Search heads re-indexing files continously for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: Which properties are available for a Universal Forwarder in Props/Transforms ? for martin_mueller. 06-05-2020 12:48 AM
Topics I've Started
No posts to display.
10-24-2016
11:58 PM
Hi,
verify that the splunk run user have the permission to read wmi data. If the splunk run user is not a domain admin you must verify that it has the permission to gather wmi information.
for additional information read the docs.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowseventlogdata
kind regards
... View more
10-24-2016
11:19 PM
try sk314´s way. this is explained in props.conf documentation.
... View more
10-24-2016
09:57 AM
1 Karma
Add this to the sourcetype stanza in props.conf
EXTRACT-bpc = \<BusinessPartnerCode\>(?<BusinessPartnerCode>\d{6})\<\/BusinessPartnerCode\>
Or you take the way above for extraction during the search.
... View more
10-24-2016
08:26 AM
3 Karma
Ok thats the reason why.
you defined the parameter sourcetype with values that are not known by the splunk app for *nix.
The searches are based on sourcetypes.
Take the inputs.conf provided with the Splunk_TA_nix and configure it on your ufs.
After this you have the correct sourcetypes defined the Splunk App for *nix will show results.
kind regards
... View more
10-24-2016
08:02 AM
1 Karma
Hi jeremeek,
just check out this.
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Createandmanagedatabaseinputs#Advanced
regards
... View more
10-24-2016
07:51 AM
1 Karma
Correct. Splunk has no mechanism to move files around in the filesystem.
... View more
10-24-2016
07:43 AM
please give me an example of the input.conf stanza for your inputs on the uf´s
... View more
10-24-2016
07:41 AM
Hi, yes its a little much to explain everything here 😉 But simply have a look at the documentation. Its pretty straight forward.
http://docs.splunk.com/Documentation/AddOns/released/NetFlow/Configureinputs
There you will find everything you need to know to configure the add-on.
kind regards
... View more
10-24-2016
07:31 AM
On which way the other nix logs get into your splunk environment?
... View more
10-24-2016
07:21 AM
1 Karma
Hi,
how does your input.conf stanzas look like?
Have you defined the sourcetype in the input stanza?
... View more
10-24-2016
06:12 AM
Nice then just add the pass4SymmKey attribute to your [shclustering] stanza and/or to your [clustering] stanza and it should be fine.
... View more
10-24-2016
05:14 AM
Your query i fine. The problem is that there are no events before today.
You specified index=<> host=<>. Probably the host was added to your splunk environment today? Or you create the index today?
The only thing i can tell you is... You have no data in your Splunk environment matchting the SPL-query.
index=<> host=<>
until today. 🙂
... View more
10-24-2016
04:56 AM
Hi,
try to put in the pass4SymmKey in cleartext to all Splunk instances again. (SH,CM,IDX,LicenseMaster) and restart splunkd. There must be a discrepancy.
What Versions are your Splunk Instances running?
kind regards
... View more
10-24-2016
04:39 AM
Hey Binay,
are you sure that you have events in the specified timerange? By setting Last 7, Last 30, Last 4 hours etc.. you automatically get events from today.
It looks like there are simply no events.
Whats the first event displayed by setting last 7 days with the following search string?
index=<> host=<> | sort _time
... View more
Hi Giuseppe,
i found this in the Splunk Wiki. Hope this helps.
http://wiki.splunk.com/Community:Splunk_Alert_MIB
kind regards
... View more
10-20-2016
11:22 PM
1 Karma
Hi,
im imported your test data with your given sourcetype. Works quite fine. All fields are extracted and there are no problems with searching.
Do you have a distributed environment? Make sure your Forwarders Input Stanzas are configured with the above sourcetype. Make sure the props.conf is available on your indexers.
kind regards
... View more
10-20-2016
12:45 PM
7 Karma
Hi,
yes you can do this.
You need to create two output.conf stanzas
[tcpout:south]
server=server_south:9997
[tcpout:east]
server=server_east:9997
Then you need to do a TCP_routing in inputs.conf
[monitor://path/myapp1.log]
_TCP_ROUTING = south
[monitor://path/myapp3.log]
_TCP_ROUTING = east
Hope this helps. You have to create a input stanza for each log in this example. But can also do the matching via Regex to reduce the amount of input stanzas.
kind regards
... View more
10-20-2016
12:09 PM
1 Karma
Hi,
the splunkd.log on your indexers should be indexed automatically. You can find them by searching index=_internal. There you will find all internal splunk logdata.
For getting the internal logs of your searchhead to the indexer tier look at this. This works similar for your master node.
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata
kind regards
... View more
10-20-2016
11:51 AM
Hi,
look at that probably it can help.
https://answers.splunk.com/answers/6714/extracting-field-from-source-for-indexing.html
regards
... View more
10-20-2016
11:33 AM
1 Karma
Hey, i tested the download. Just works fine. Do you have some restrictions on your network?
... View more
10-20-2016
11:24 AM
Oh sorry, i did not know that you have to purchase it. But i looked at the site of unityjdbc. Theres seems to be a free trial version of the driver.
http://www.unityjdbc.com/download.php?type=mongodb
Hope this will help you.
... View more
10-20-2016
09:24 AM
Hi,
the Add-on you searching for is Splunk DBConnect v2. It gives you the possibility to import/export database information. By default there is no support for MongoDB.
But there seems to be a solution.
Follow this link.
https://answers.splunk.com/answers/418125/splunk-db-connect-2-what-is-the-serviceclass-for-m.html
also take a look at that
http://www.unityjdbc.com/mongojdbc/setup/mongodb_jdbc_splunk_dbconnect_v2.pdf
kind regards
... View more
10-17-2016
11:31 AM
Ok i found a way you can do it.
Define your Tranforms.
Go to Data --> Sourcetypes --> Select the sourcetype on which you want to add the Transfomrations --> Click edit --> click advanced --> click "new setting"
Fill the first Field with "REPORT-yourreportname" and the second with "yourtransformationname"
this works. i tested it.
... View more
10-17-2016
04:18 AM
Hi,
try this. You cannot use the "Field Extractor" for this. Need to Settings --> Fields --> Field extractions --> New
"myregex" in source
looks something like this then.
(?<newfield>.*) in source
regards
... View more
10-17-2016
03:33 AM
Hi,
try this.
Settings --> Fields --> Field extractions --> New --> Type (Dropdown) Select "Uses Transform".
You can use multiple Transforms separating them by comma.
regards
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
