Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About jagadeeshm
jagadeeshm
Contributor
Member since:
06-08-2016
09-17-2022
Community Statistics
| Posts | 127 |
| Solutions | 4 |
| Karma Given | 27 |
| Karma Received | 21 |
| Member Since | 06-08-2016 |
Activity Feed
- Posted Re: Set multiple tokens using "condition match" on Dashboards & Visualizations. 09-14-2022 07:42 PM
- Got Karma for Index Strategy - Single index with multiple sourcetypes vs Multiple indexes with dedicated sourcetype. 01-13-2021 10:44 AM
- Got Karma for Re: how to create splunk custom search command with java ?. 10-08-2020 11:25 AM
- Got Karma for Re: Is there an easy way to update a record in KV Store from the results of a Splunk search instead of bulk reloading a lookup table?. 10-05-2020 03:31 AM
- Karma Re: Eval expression with gentimes is not generating new fileds for kamlesh_vaghela. 06-05-2020 12:49 AM
- Karma Re: Is there a default sourcetype for /opt/log/www1/secure.log? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Why am I experiencing indexer congestion after 6.5.0 upgrade? for ptoro. 06-05-2020 12:48 AM
- Karma Re: What is the best practice for installing and managing apps in a distributed environment? for gcusello. 06-05-2020 12:48 AM
- Karma Re: Numerous messages WARN LineBreakingProcessor Truncating for remote_searches.log for dshpritz. 06-05-2020 12:48 AM
- Karma Re: How to use the foreach command to list a particular field that contains an email address? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Can Eventgen run on a Universal Forwarder? for wweiland. 06-05-2020 12:48 AM
- Karma Re: HTTP Event Collector: Is it possible to send multiple events in one API call? for msivill_splunk. 06-05-2020 12:48 AM
- Karma Re: Change background of single value based on its text for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Should a summary index be created on both Search Head and Indexer? for MuS. 06-05-2020 12:48 AM
- Karma Re: How do I find an orphaned search in Splunk 6.4.1? for inventsekar. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Kafka: Where do I find the pre-built dashboard panels? for rpille_splunk. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Kafka: Where do I find the pre-built dashboard panels? for ppablo. 06-05-2020 12:48 AM
- Got Karma for HTTP Event Collector returns Bad Request - what is wrong with my event?. 06-05-2020 12:48 AM
- Got Karma for Re: What is the expected response time for an HEC POST?. 06-05-2020 12:48 AM
- Got Karma for Management Console - Indexing Performance shows Queue Fill Ratio's are at 100% (almost). 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
11-10-2016
05:35 AM
You seem to be on the right track. But you still need to know couple of things -
If you are planning to use Heavy Forwarder for your input, it should already be configured to send all data to the indexers. And yes, you need to remove the indexes.conf file from the Heavy Forwarder.
If the App provides in-built dashboards/panels, you may want to install it on the Search Head to use their UI. But when you install it on Search Head, it is recommended to eliminate some of the files like - inputs.conf, indexes.conf etc. Please see here for details instructions - http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
Your are right! Index time operations are not always required to index data.
... View more
11-08-2016
09:30 AM
May I ask your source?
... View more
11-08-2016
06:58 AM
This practice was discouraged in Stackoverflow, so I added it to only comments. But, love to get few reputations on this as well. Thanks!
... View more
11-08-2016
05:17 AM
Did I read it right? 5MB data per day?
If yes, you can most certainly live with just 1 VM where you can have standalone installation of Splunk acting both as search head and indexer. But usually, standalone installations are not recommended in Production environments for several reasons. But it all depends on how much data you are planning to ingest in Production, number of users, number of dashboards/panels they may be creating etc. Because all the searches in Splunk Search Head utilizes a CPU core per search, which can tweaked.
For a standalone Splunk Installation, I recommend the following -
8 core CPU
8 GB RAM
50 GB harddisk.
But remember, with 8 core CPU, you will soon hit the limits on how may current searches you can perform.
But if you are planning for Production I would recommend following Hardware Reference doc from Splunk.
... View more
11-08-2016
05:07 AM
What you are probably looking for is an appendcol command.
You can try something like this -
your_search_query_1|appendcols [search your_search_query_2]
Reference # http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Appendcols
... View more
11-07-2016
08:32 PM
Summary Indexing by default change the sourcetype to stash. This is how splunk knows that data is already in splunk and your summary data will not be account for your additional license.
You can change the sourcetype, but remember the data will go against your license.
I guess one of the practices is to re-use the source field and set it to sourcetype for summary indexes.
For example :
index=xyz result=success | stats count .... | collect index=summary source=sourcetype
... View more
11-07-2016
08:10 PM
Read docs - http://docs.splunk.com/Documentation/Splunk/6.5.0/Installation/UpgradeyourdistributedSplunkEnterpriseenvironment
... View more
11-07-2016
08:04 PM
3 Karma
Did you already visit - https://answers.splunk.com/answers/399363/why-would-i-use-the-http-event-collector-when-i-ca.html ?
... View more
11-07-2016
07:57 PM
What is the format of the event? JSON? Posting the event might be helpful!
... View more
11-07-2016
07:48 PM
2 Karma
Someone in my team created a dashboard with 8 panels. Each panel uses individual searches, for example:
Panel -1
index=xyz sourcetype=log_mover result=logmover_success | stats .....
Panel -2
index=xyz sourcetype=log_mover result=logmover_failure | stats .....
Panel - 3
index=xyz sourcetype=log_mover result=transfer_success | stats ......
and so on...and finally, Panel - 8 does an overall chart:
index=xyz sourcetype=log_mover result=* | stats....
All the Panels are built around the "result" field which has different values. But Panel - 8 covers all the different values of result (that is why result="*" in Panel - 😎
Looking at the queries I realized, this is definitely a candidate for post-processing using a base search. I redefined the panels, by creating a base search (which is same as Panel - 😎 and then subsequently updated all the Panels to use the base search for charting.
Base Search
<search id="baseSearch">
<query>index=xyz sourcetype=log_mover result=*</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
And each of my Panels use post-processing, for example , Panel - 1
<search id="firstPostProcess" base="baseSearch">
<query>search result=logmover_success | stats .... </query>
</search>
And likewise, I have set up all other panels. But I noticed my dashboard with post processing searches are running extremely slower than individual search. What am I doing wrong?
If I were to measure the performance with a timer, they are at least 3 times slower than individual searches. Thoughts?
... View more
11-07-2016
10:36 AM
I have 6.4.3.
... View more
11-04-2016
11:35 AM
Where is this macro defined? My splunk installation can not find it.
... View more
10-26-2016
12:58 PM
I have front-end events with several dynamic uri patterns. I am trying to generate a report to summarize the average, perc95, perc80 for the response time by uri.
Some of the uri patterns include:
/market/us/asdfadf/home.do
/market/us/123123/home.do
/market/us/dfq3we/home.do
/market/us/dfq3we/home.do
/shop/us/buy.do
/shop/us/buy.do
/market/us/shop/dfq3we/home.do
/market/us/shop/dfq3we/home.do
/market/us/shop/dfq3we/home.do
I can certainly apply reg-ex pattern using sed and convert the alphanumeric characters to -- and display the counts as:
/market/us/--/home.do
/shop/us/buy.do
/market/us/shop/--/home.do
But my problem is I don't have list of all the patterns that match, so I can't write evals. I am wondering if there is a dynamic way of writing the regular expression so all patterns of these urls are identified.
Thanks!
... View more
10-25-2016
06:08 AM
Gotche. So the recommendation is to install the apps, but maintain the configuration files manually, which means by overriding the app setting before deploying into Splunk.
... View more
10-25-2016
04:27 AM
OK, so where do I install my apps in this case? Arista Networks for example?
... View more
10-24-2016
01:36 PM
For example, we manage all the indexes we create via Git. But AristaNetworks app has a file indexes.conf that is creating app specific index. Do we manually remove this conf file and manage it outside the app ? Things like are what I am worried about. Most important one is where do you define your inputs when you are using apps? Most of the apps come with wizards, which when used create inputs on the search heads? Question is how do you manage those?
... View more
10-24-2016
01:31 PM
What you mentioned is a very general practice which we adopted in our PROD cluster as well. My question is more related to the configuration that we need to manage, that are part of the apps.
... View more
10-24-2016
09:58 AM
We have Splunk installation in a distributed environment with search head clustering and indexer clustering enabled and managed via a master node.
We are currently in the process of ingesting network logs into Splunk.
During the POC (non-clustered env) we installed several networking Splunk apps/add-ons like Arista Switch Source, F5 Sources, Palo Alto Firewall, etc. We deployed them on the search head and configured them to directly read syslogs via some UDP port. [Network devices are sending logs to syslog directly without the need of UF].
Now in PROD, we are in a clustered environment and I am wondering what is the best way to manage configurations? I see at least 2 options -
1 - Install the apps on the search heads and configure the app same way we did in POC, where the search head is reading the data of the UDP port and forwarding it to Indexers
2 - Install the apps on the search heads but don't use the app to configure the inputs and source types. Manage them outside the app's installation and push them via master node to the indexers. This way, load is on the Indexers where they are reading the data off the UDP ports and are indexing.
Are there other approaches (help outline pros and cons) without using UF?
Thanks!
... View more
10-21-2016
07:31 AM
Woh, that worked. I am still trying to understand how the match returned the email address!
... View more
10-21-2016
05:41 AM
Is there a way to get fields and their respective values separately ?
... View more
10-20-2016
08:26 AM
How can we get both fields and their respective values?
... View more
10-19-2016
02:30 PM
It did not pick anything. I can see one column emfield with no values in it.
... View more
10-19-2016
02:08 PM
I have events in JSON format as follows -
Event 1:
{ QP_A:abc@gmail.com, QP_B:123, COUNTRY:USA}
Event 2:
{ QP_C:XYZ@gmail.com, QP_B:123, COUNTRY:USA}
Event 3:
{ QP_f:100, QP_Bb:123, COUNTRY:USA}
Event 4:
{ COUNTRY:USA, STATE:CT}
Event 5:
{ QP_A[0][A]:abc@gmail.com, COUNTRY:USA, STATE:CT}
Observe that QP_* fields don't appear in all events and even if they did they may not have a field that has an email address.
I am trying to search and list all QP_* fields that have email addresses in them. How can I do it?
I tried using foreach command, but no luck in the syntax -
index=abc QP_*
| foreach QP_* [eval fieldnames = if(match(<>, ".com"), "<>", "NoMatch")] | table _raw fieldnames
I see the output (may be wrong but) I see error that says something like -
[splunkindxers-001] Failed to parse templatized search for field 'QP_A[0][A]'
The output I am looking for in case of my above events is -
QP_A
QP_C
QP_A[0][A]
Thanks!
... View more
10-09-2016
07:55 AM
2 Karma
Here is what we have:
8 indexers / 4 search heads / each of them are 24 core, 256GB memory and 7.6TB disk
I am trying to understand which of the following gives a better search performance -
[access permissions and retention period are same (35 days)]
Option-1: Single index, multiple sourcetypes each having data anywhere between 75 to 150GB per day.
Option-2: Single index for each of the sourcetypes that exceed 75GB per day.
Splunk documentation never talks about how big an index can be or when is it ideal to create separate indexes (excluding access permissions and retention periods).
My second question is what is the real harm in having too many indexes? What is the maximum number of indexes you have experienced/worked on a specific splunk installation?
Thanks!
... View more
09-23-2016
09:13 AM
I am seeing the same behavior. Actual size on disk is atleast 10 times larger than the cumulative raw data size. Any further updates on this question?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-17-2022
12:34 PM
|
Karma from
Karma given to
