Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About yoho
yoho
Contributor
Member since:
08-19-2011
08-22-2024
Community Statistics
| Posts | 130 |
| Solutions | 5 |
| Karma Given | 84 |
| Karma Received | 46 |
| Member Since | 08-19-2011 |
Activity Feed
- Tagged Rebalancing script on Deployment Architecture. 04-16-2024 12:24 AM
- Tagged Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:22 AM
- Tagged Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:22 AM
- Tagged Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:21 AM
- Posted Re: App label configured in app.conf not displayed in nav bar next to app logo on Dashboards & Visualizations. 04-16-2024 12:20 AM
- Karma App label configured in app.conf not displayed in nav bar next to app logo for mr103. 04-16-2024 12:20 AM
- Got Karma for Re: Appending to srchIndexesDefault / srchIndexesAllowed. 10-27-2023 05:27 AM
- Got Karma for Rebalancing script. 10-15-2023 09:25 PM
- Got Karma for Rebalancing script. 10-14-2023 04:53 PM
- Posted Rebalancing script on Deployment Architecture. 10-14-2023 06:48 AM
- Karma Re: Splunk forwarder file monitor is not detecting new files and getting error "Bug during applyPendingMetadata, header processor does not own the indexed extractions confs"? for jamesar. 05-15-2023 06:13 AM
- Karma Re: Explanation of various HTTP(s) timeouts for hrawat_splunk. 05-10-2023 04:20 AM
- Karma Re: Invalid Key Stanza alert_actions.conf for yeahnah. 02-02-2023 01:05 AM
- Posted Re: close option for panel that opens after clicking on a table value (drilldown) on Dashboards & Visualizations. 04-29-2022 07:37 AM
- Posted Re: close option for panel that opens after clicking on a table value (drilldown) on Dashboards & Visualizations. 04-28-2022 03:21 PM
- Karma Re: How to force DBconnect to send fields with NULL values to the index? for Richfez. 02-14-2022 02:51 AM
- Posted Splunk Dashboard Examples - Table with Data Bars on All Apps and Add-ons. 02-03-2022 10:04 AM
- Karma Re: Health warning - The percentage of small of buckets created (40) over the last hour is very high ... for simonq. 11-04-2021 04:54 AM
- Karma How to import non native python libraries like pyMC in Splunk? for MousumiChowdhur. 10-19-2021 02:44 AM
- Karma Re: How to import non native python libraries like pyMC in Splunk? for badarsebard. 10-19-2021 02:43 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 |
04-16-2020
02:49 AM
By default, UFs are sending chunks of 64kB data and spread these over multiple indexers. But indexers are supposed to reassemble these chunks so that they can break lines, delimit events and extract timestamps. I don't see clearly in the documentation how this process is working.
Suppose we have 3 events. End of event1 + beginning of event2 are sent in a first chunk (chunk1); end of event2 and beginning of event3 are sent in a second chunk (chunk2). When indexers apply linebreaking rules, each of them ends up with a part of event2. They know about it because they have a leftover (partially delimited event) but what happens next ?
Also how is LINE_BREAKER_LOOKBEHIND in props.conf working exactly ? Why do you need to go back on the previous chunk of data for a certain number of bytes ?
... View more
04-07-2020
09:20 AM
In addition, I'm wondering how this all works with an indexer cluster where chunks are spreaded over multiple indexers (if you have UFs connecting to indexers in a round robin).
... View more
04-07-2020
09:09 AM
I was wondering the same and came up more or less with the same conclusion as Masa BUT I have more questions. Let's take a concrete example:
chunk1 : [data1]\n 2017-01-03 12:00:00 [data2]\n 2017-01-03 12:0
chunk2 : 0:01 [data3]\n ...
So when splunk processes chunk1, the regex will match only once: after [data1]. So data1 will be correctly identified as being part of an event (but not yet data2 and the preceding timestamp).
When processing chunk2, splunk will prefix the chunk with LOOK_BEHIND bytes of chunk1. The regex will then match if LOOK_BEHIND is greater or equal than length(data2) + 2*length(timestamp).
However, I find it all quite clumsy. First, splunk should know that ALL the leftover of chunk1 should be processed (why limit it to LOOK_BEHIND ?). Then, the default of 100 bytes appear quite small: it will only work for events whose total length + timestamp length is below 100 bytes.
Am I missing something ?
... View more
02-13-2020
02:29 AM
@mmodestino_splunk, I've compared your search with the one in the DMC for the total license. This one seems to take into account you can have multiple license masters (splunk_server in the search). It also uses a join which is a bit more explicit than a "|search []" in my opinion. So I've rewritten partly your search and the result is below.
However, in both cases, you consider a license group can only contain 1 single stack (by renaming stack_ids to stack_id), is it really the case ?
Here's my search :
| rest splunk_server=local /services/licenser/pools
| rename title AS pool
| join type=outer splunk_server stack_id
[ rest splunk_server=local /services/licenser/groups
| eval stack_id=stack_ids
| fields stack_id splunk_server is_active]
| search is_active=1
| eval quota=if(isnull(effective_quota),quota,effective_quota)
| eval "% used"=round(used_bytes/quota*100,2)
| fields pool "% used"
| where '% used' >= 0
... View more
02-06-2020
01:00 AM
Ok, I think logging each successful connection with 2 lines is a bit useless but well... thank you
... View more
02-04-2020
08:53 AM
1 Karma
I have a search head cluster (3 search heads) and an indexer cluster (3 indexers). More than 10% of splunkd.log (on my search heads) are produced by "TcpOutputProc". Is it an unusual amount ?
$ grep TcpOutputProc splunk/splunkd.log | wc -l
6780
$ wc -l splunk/splunkd.log
59586 splunk/splunkd.log
$ grep TcpOutputProc splunk/splunkd.log | head -5
02-04-2020 10:36:49.831 +0100 INFO TcpOutputProc - Closing stream for idx=xxx.142:9997
02-04-2020 10:36:49.832 +0100 INFO TcpOutputProc - Connected to idx=xxx.143:9997, pset=0, reuse=0. using ACK.
02-04-2020 10:37:08.569 +0100 INFO TcpOutputProc - Closing stream for idx=xxx.143:9997
02-04-2020 10:37:08.570 +0100 INFO TcpOutputProc - Connected to idx=xxx.141:9997, pset=0, reuse=0. using ACK.
02-04-2020 10:37:08.574 +0100 INFO TcpOutputProc - Closing stream for idx=xxx.141:9997
... View more
10-22-2019
05:26 AM
Please define "soon"... Still the same issue today 🙂
... View more
07-12-2019
02:19 AM
I downvoted this post because i upvoted it but it's actually a bad answer
... View more
06-21-2019
05:40 AM
Hello,
This addon does not take into account availability messages from HAProxy such as these ones:
Server frontend/backend is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 23ms. 1 active and 4 backup servers left. 3 sessions active, 2 requeued, 24 remaining in queue.
There is no eventttype nor field extraction. However, it could be quite useful to determine availability of your server infrastructure (the DOWN/UP messages could be grouped into transactions).
Maybe an idea for future versions of this addon ?
Regards,
... View more
03-16-2018
03:36 AM
I think he's talking about encryption and compression on disk as he is mentioning Pure Flash Array. By default, data is compressed but not encrypted. There used to be a parameter to disable encryption but it's now obsolete (see indexes.conf documentation )
compressRawdata = true|false
* This parameter is ignored. The splunkd process always compresses raw data.
... View more
07-02-2017
05:39 AM
The youtube channel is empty, otherwise there would have been a workaround as you can subscribe to YouTube channels via rss... I won't have a look at splunk blogs any longer until this is fixed, sorry for you.
... View more
06-13-2017
08:31 AM
I think custom viz apps are inherating certain properties from more general vizualisation elements such as . I'm not an expert but anyway, the following worked for me to disable the "timeline" default drilldown :
Under the element of your source XML, just add a dummy drilldown which sets a token, for instance:
<viz type=...>
...
<drilldown>
<set token="sourcetype">1</set>
</drilldown>
</viz>
... View more
01-30-2017
12:31 AM
Hello, I have not yet found time to create this chart (low priority here) but I found this viz app which could reveal quite useful to create such a dashboard: https://splunkbase.splunk.com/app/1741/
... View more
12-15-2016
07:24 AM
For info, it that could help, here's my snmp configuration with net-snmp. Note that when you restart snmptrapd, the (input) file is wiped but splunk appears to manage it correctly. Also note there is no cleanup of that file.
==> /etc/snmp/snmp.conf <==
mibdirs +/my/directory/containing/mibs/
mibs +ALL
==> /etc/snmp/snmptrapd.conf <==
# uncomment the line below and comment the disableAuthotization directive
# to enable "shared secret authentication" via community string
# authCommunity log my_sharedsecret_community_string
disableAuthorization yes
# log traps to a file
logOption f /my/path/to/the/logfile.log
# recommended to have correct key/value pair extraction
outputOption Q
... View more
02-27-2015
01:18 AM
Does it mean that if you send all your indexed data to the _internal index, you will never get any license infringement ?
... View more
09-15-2014
12:19 AM
Yes this is clearly a level above what I'm able to produce. Congrats !
... View more
06-17-2014
02:54 PM
Did you enable compression ? I'm pretty sure "tcpout_connections" log lines are showing up figures before compression. And I don't know if maxKBps is limiting the forwarder thruput before or after compression. Did you also try to measure the thruput using other independatn tools like iptables or netstat ?
... View more
06-17-2014
02:43 PM
1 Karma
If you turn on compression, will this limit apply to the thruput before or after compression ?
... View more
05-23-2014
08:27 AM
Nice tip !
... View more
05-22-2014
04:56 AM
2 Karma
I accept the answer 🙂
Maybe I should have created a fake question like "How can make vim highlight the syntax in splunk config files ?"
I've also made an attempt to highlight mako template files but it's quite difficult because mako instructions are mixed with HTML language. Maybe I'll post the files also when I find them mature enough.
... View more
05-22-2014
02:46 AM
13 Karma
Just wanted to share with the community the plugin and syntax highlighter I've made for VIM.
To enable syntax highlighting just drop the first file "splunk.vim (syntax)" in ~/.vim/syntax/ folder (create it if non-existing). To enable auto-detection of splunk configuration files drop the second file "splunk.vim (ftdetect)" in ~/.vim/ftdetect/ folder (and again, create it if non-existing).
splunk.vim (syntax)
" For version 5.x: Clear all syntax items
" For version 6.x: Quit when a syntax file was already loaded
if version < 600
syntax clear
elseif exists("b:current_syntax")
finish
endif
" shut case off
syn case ignore
" Everything before an equal sign
syn match splunkLabel "^.\{-}="
" Exception to the previous splunkLabel for search statements
syn match splunkSearchLabel "^\s*search.\{-}=" skipwhite nextgroup=splunkSearchStatement
syn match splunkSearchStatement ".*$" contains=splunkSearchLabel,splunkPipe contained
syn match splunkPipe "|" contained nextgroup=@splunkKeywords skipwhite
" cluster of all search keywords
syn cluster splunkKeywords contains=splunkCorrelation,splunkViewData,splunkManageData,splunkManagesummaryindexes,splunkAddfields,splunkExtractfields,splunkModifyfieldsandfieldvalues,splunkFindanomalies,splunkGeoipandlocation,splunkPredictionandtrending,splunkReports,splunkAlerting,splunkAppend,splunkFilter,splunkFormat,splunkGenerate,splunkGroup,splunkReorder,splunkRead,splunkWrite,splunkSearch,splunkSubsearch
" search keywords by category, taken from the online doc
syn keyword splunkCorrelation append appendcols appendpipe arules associate contingency correlate diff join lookup selfjoin set stats transaction contained
syn keyword splunkViewData audit datamodel dbinspect eventcount metadata typeahead contained
syn keyword splunkManageData crawl delete input contained
syn keyword splunkManagesummaryindexes collect stash overlap sichart sirare Summary sistats sitimechart sitop Summary contained
syn keyword splunkAddfields accum addinfo addtotals delta eval iplocation lookup multikv rangemap relevancy strcat contained
syn keyword splunkExtractfields erex extract kv kvform rex spath xmlkv contained
syn keyword splunkModifyfieldsandfieldvalues convert filldown fillnull makemv nomv reltime rename replace contained
syn keyword splunkFindanomalies analyzefields af anomalies anomalousvalue cluster kmeans outlier rare contained
syn keyword splunkGeoipandlocation iplocation geostats contained
syn keyword splunkPredictionandtrending predict trendline x11 contained
syn keyword splunkReports addtotals bucket bin discretize chart contingency counttable ctable correlate eventcount eventstats gauge makecontinuous outlier rare stats streamstats timechart top trendline untable xyserie contained
syn keyword splunkAlerting sendemail contained
syn keyword splunkAppend append appendcols join selfjoin contained
syn keyword splunkFilter dedup fields mvcombine regex searchtxn table uniq where contained
syn keyword splunkFormat untable xyseries contained
syn keyword splunkGenerate gentimes loadjob mvexpand savedsearch search contained
syn keyword splunkGroup cluster kmeans mvexpand transaction typelearner typer contained
syn keyword splunkReorder head reverse sort tail contained
syn keyword splunkRead inputcsv inputlookup loadjob contained
syn keyword splunkWrite outputcsv outputlookup outputtext sendemail contained
syn keyword splunkSearchStatement map search sendemail localop contained
syn keyword splunkSubsearch append appendcols appendpipe format join return set syn keyword splunkTime gentimes localize reltime contained
syn region splunkHeader start="^\[" end="\]"
syn match splunkComment "^#.*$"
" Define the default highlighting.
" For version 5.7 and earlier: only when not done already
" For version 5.8 and later: only when an item doesn't have highlighting yet
if version >= 508 || !exists("did_splunk_syntax_inits")
if version < 508
let did_splunk_syntax_inits = 1
command -nargs=+ HiLink hi link <args>
else
command -nargs=+ HiLink hi def link <args>
endif
HiLink splunkHeader Special
HiLink splunkComment Comment
HiLink splunkLabel Type
HiLink splunkSearchLabel Type
HiLink splunkPipe Special
HiLink splunkCorrelation Statement
HiLink splunkViewData Statement
HiLink splunkManageData Statement
HiLink splunkManagesummaryindexes Statement
HiLink splunkAddfields Statement
HiLink splunkExtractfields Statement
HiLink splunkModifyfieldsandfieldvalues Statement
HiLink splunkFindanomalies Statement
HiLink splunkGeoipandlocation Statement
HiLink splunkPredictionandtrending Statement
HiLink splunkReports Statement
HiLink splunkAlerting Statement
HiLink splunkAppend Statement
HiLink splunkFilter Statement
HiLink splunkFormat Statement
HiLink splunkGenerate Statement
HiLink splunkGroup Statement
HiLink splunkReorder Statement
HiLink splunkRead Statement
HiLink splunkWrite Statement
HiLink splunkSearch Statement
HiLink splunkSubsearch Statement
delcommand HiLink
endif
let b:current_syntax = "splunk"
" vim:ts=8
splunk.vim (ftdetect)
au BufRead,BufNewFile admon.conf,alert_actions.conf,app.conf,
\audit.conf,authentication.conf,authorize.conf,commands.conf,crawl.conf,
\default.meta.conf,default-mode.conf,deployment.conf,deploymentclient.conf,
\distsearch.conf,eventdiscoverer.conf,eventgen.conf,
\event_renderers.conf,eventtypes.conf,
\fields.conf,indexes.conf,inputs.conf,instance.cfg.conf,limits.conf,
\literals.conf,macros.conf,multikv.conf,outputs.conf,pdf_server.conf,
\procmon-filters.conf,props.conf,pubsub.conf,regmon-filters.conf,restmap.conf,
\savedsearches.conf,searchbnf.conf,
\segmenters.conf,server.conf,serverclass.conf,serverclass.seed.xml.conf,
\setup.xml.conf,source-classifier.conf,sourcetypes.conf,
\splunk-launch.conf,tags.conf,tenants.conf,times.conf,transactiontypes.conf
\transforms.conf,user-seed.conf,viewstates.conf,web.conf,
\wmi.conf,workflow_actions.conf
\ setfiletype splunk
... View more
05-15-2014
05:07 AM
Indeed, that was the point. You also risk some troubles if, in the future versions, splunk implements a way to forbid this (there are multiple ways to do this rather easily).
... View more
05-14-2014
08:23 AM
Actually got again the problem with another platform. My problem was not playing with permissions, it was more subtle than that. I had a custom app with a "bin/unix" directory (copy from a previous unix app), it was sufficient for python to look for several libraries under this path which it did not find. Error message in the web_service.log led me to the way to solve it (the message was saying it was unable to load a library)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-22-2024
03:29 AM
|
