Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gcusello
gcusello
Esteemed Legend
Member since:
02-01-2019
yesterday
Community Statistics
| Posts | 10089 |
| Solutions | 1637 |
| Karma Given | 177 |
| Karma Received | 2820 |
| Member Since | 01-02-2019 |
Activity Feed
- Posted Re: How to extract JSON arrays in Splunk on Splunk Search. 16 hours ago
- Posted Re: Configuring License Master on New SH Cluster, Deployment Server? on Installation. 16 hours ago
- Posted Re: search subfield from field on Alerting. 18 hours ago
- Got Karma for Re: Lookup or inputlookup. 20 hours ago
- Posted Re: Lookup or inputlookup on Splunk Search. 20 hours ago
- Posted Re: Lookup or inputlookup on Splunk Search. 20 hours ago
- Posted Re: search subfield from field on Alerting. 22 hours ago
- Got Karma for Re: Connecting to indexer without public ip. 23 hours ago
- Posted Re: Connecting to indexer without public ip on Deployment Architecture. 23 hours ago
- Got Karma for Re: Connecting to indexer without public ip. yesterday
- Posted Re: Dropdown in Table column on Dashboards & Visualizations. yesterday
- Posted Re: Help with monitor input blacklist on Getting Data In. yesterday
- Posted Re: Dropdown in Table column on Dashboards & Visualizations. yesterday
- Posted Re: Can Splunk observability be used on non cloud application? on Installation. yesterday
- Posted Re: Connecting to indexer without public ip on Deployment Architecture. yesterday
- Posted Re: How to backup splunk-var data? on Splunk Search. yesterday
- Posted Re: How would you update customized app in clustered environment? on All Apps and Add-ons. yesterday
- Posted Re: How would you update customized app in clustered environment? on All Apps and Add-ons. yesterday
- Posted Re: How would you update customized app in clustered environment? on All Apps and Add-ons. yesterday
- Posted Re: having questions related to upload data on Splunk Cloud Platform. yesterday
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-02-2016
05:28 AM
sorry but there was a mistake copying the regex:
\n*(?<myfield>.*Failed\))\n*
Bye.
Giuseppe
... View more
09-02-2016
04:14 AM
as already asked renjith.nair, Splunk always gives a timestamp to every log, you cannot have logs without timestamp.
I assume that you are using Splunk to create reports on non-event data probably from a DB (we sometimes used Splunk to do this).
In this case you have to know the period in which you ingested the data and use this time in the timerange to use in the the search.
After this you have to create a normal search like
index=my_index | top 10 host
Bye.
Giuseppe
... View more
09-02-2016
04:06 AM
To integrate the other indexer in the search head you have only to insert it in the search peers list of each search head.
if you want to insert it also in the indexer cluster you have to follow the related procedure you already used for the other indexers.
remember that the old logs cannot be replicated.
bye.
Giuseppe
... View more
09-02-2016
03:53 AM
try this
\n*(?.Failed))\n
you can test it on https://regex101.com/
Bye.
Giuseppe
... View more
08-17-2016
09:04 AM
Set your tags starting from eventtypes creation, assigning a tag to an eventtype as you want complex, don't start from creating a new tags, you'll reach your target.
Bye.
Giuseppe
... View more
08-17-2016
08:41 AM
Your regex seems to be correct (backslashes before underscore aren't needed).
verify sourcetype.
bye.
Giuseppe
... View more
08-17-2016
08:35 AM
Without a log example I can only suppose that you did some of my same old errors:
wrong sourcetype
wrong regex
Had you verified your regex in Splunk or regex101.com?
can share an example?
bye.
Giuseppe
... View more
08-17-2016
03:14 AM
You can do it also using web interface:
Settings -- Forwarder and Receiving -- Configure Forward
Bye.
Giuseppe
... View more
08-12-2016
08:57 AM
it's the same thing :
Client Computer : (? .)\n
Object DN : (? .)\n
Object Class : (? .)\n
Object GUID : (? .)\n
Action : (? .)\n
Old Value : (? .)\n
New Value : (? .)\n
Request ID : (? .)
You have to extract every field inserting \n at the end
Bye.
Giuseppe
... View more
08-12-2016
08:51 AM
Insert in your html tags the following line
<ul>
<a target="_blank" href="/app/atm">ATM Monitoring</a>
</ul>
where atm is the main directory of the app.
Bye.
Giuseppe
... View more
08-12-2016
08:44 AM
If you want to extract only the string after message= but not the other lines, you have to insert \n at the end of your regex, see below:
Message=(?.*)\n
if you want to try this regex use https://regex101.com/
Bye.
Giuseppe
... View more
08-12-2016
03:39 AM
What is your problem? Can you explain it?
Splunk usually manage upgrade of a single file with insert of new lines, without particular configurations.
Are you using a Forwarder or is a local file?
Bye.
Giuseppe
... View more
08-11-2016
11:48 PM
You can also modify it in your searches at search_time:
| eval yourfield=if(yourfield="WARNING","WARN",yourfield)
in this way tou maintain logs as originals and show them as you want
Bye.
Giuseppe
... View more
08-11-2016
01:33 AM
Sure, because Splunk Universal forwarder optimize and compress data before send them to the Indexer.
In addition, you can configure a network bandwidth value so you don't fill your network.
see:
- http://blogs.splunk.com/2011/10/24/choosing-a-forwarder-or-not/
- http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/useforwarders
Bye.
Giuseppe
... View more
08-11-2016
12:29 AM
I had a similar problem and I solved it loading data in a separate index instead a lookup table.
Bye.
Giuseppe
... View more
08-11-2016
12:27 AM
insert your request in the Partner Portal as an enhancement.
Bye.
Giuseppe
... View more
08-10-2016
07:15 AM
I used tscollect.
your_search | table fields... | tscollect namespace=blueacoat_stats
and in searches I used
| tstats count FROM blueacoat_stats | ...
Bye.
Giuseppe
... View more
08-10-2016
07:09 AM
Using Summary indexing I found a large benefit in terms of performances (also ten times quicker!), for example with BlueCoat logs that have billions of events every day!
Problems are that it's impossible to delete a part of summarized logs, but only the full tsixd file (I asked to Splunk to take in consideration the opportunity to insert the delete functionality), this means that you cannot do errors in summarizing, because you cannot delete them.
In addition using Summary indexing there is a delay in data access because logs are indexed two times and you have to wait that logs are indexed before to summarize them.
In my case I have a larger delay because I have to be sure that logs are really all arrived before summarizing.
There aren't many checks on the summary indexing operation, so there is the risk to index twice a log or lost it.
At the end there is a greater disk space occupation, but in my case is less of the problem.
In conclusion: use it because is really useful but attention!
Bye.
Giuseppe
... View more
08-10-2016
12:09 AM
try something like this
index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Calling translate" | eval nsearch="search1" | append [ search index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Message translation is successful" | eval nsearch="search2" ] | append [ search index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation | eval nsearch="search3" ] | stats count by nsearch
Bye.
Giuseppe
... View more
08-09-2016
11:42 PM
And in addition, if you modify or add a .conf file, you have to restart Splunk!.
Bye.
Giuseppe
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Karma from
Karma given to
