Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About jlvix1
jlvix1
Communicator
Member since:
08-09-2016
06-05-2020
Community Statistics
| Posts | 70 |
| Solutions | 6 |
| Karma Given | 7 |
| Karma Received | 5 |
| Member Since | 08-09-2016 |
Activity Feed
- Karma Re: Why is the UF version on forwarder different than what the indexer is seeing? for MrMcGeough. 06-05-2020 12:49 AM
- Got Karma for Re: Why is the UF version on forwarder different than what the indexer is seeing?. 06-05-2020 12:49 AM
- Karma Re: MATCH_LIMIT in tranforms.conf for nickhills. 06-05-2020 12:48 AM
- Got Karma for Re: How to remove CSV headers from raw data in order to extract fields and separate events?. 06-05-2020 12:48 AM
- Got Karma for Re: How to remove CSV headers from raw data in order to extract fields and separate events?. 06-05-2020 12:48 AM
- Got Karma for Re: MATCH_LIMIT in tranforms.conf. 06-05-2020 12:48 AM
- Got Karma for simple moving average and dynamic fields. 06-05-2020 12:48 AM
- Karma Re: What are the differences between append, appendpipe, and appendcols search commands? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Backfill not working for a realtime dashboard for KarunK. 06-05-2020 12:46 AM
- Karma Re: Horizontal line for smolcj. 06-05-2020 12:46 AM
- Karma Re: Appending Sparkline through a JOIN for dmr195. 06-05-2020 12:46 AM
- Karma Splunk re-indexing rolled over log file causing duplicate (two) copies of data for sfmandmdev. 06-05-2020 12:46 AM
- Posted Re: connection aborted error 104 connection reset by peer on Getting Data In. 06-11-2018 07:04 AM
- Posted Re: fill in 0 when there is no data on Splunk Search. 06-11-2018 06:51 AM
- Posted Re: fill in 0 when there is no data on Splunk Search. 06-11-2018 06:49 AM
- Posted Re: connection microsoft access with splunk enterprise on All Apps and Add-ons. 06-11-2018 06:46 AM
- Posted Re: Compare multi value fields to get Count on Splunk Search. 06-11-2018 06:44 AM
- Posted Re: Syslog Server vs Heavy Forwarder on Getting Data In. 06-11-2018 06:32 AM
- Posted Re: Forensic Investigator App Still Being Developed? on All Apps and Add-ons. 06-08-2018 03:55 AM
- Posted Re: Why i can only collect sourcetype=juniper, but no sourcetype=juniper:nsm or other sourcetype? on All Apps and Add-ons. 06-08-2018 03:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-13-2018
04:24 AM
Plenty of people struggle with this and with no definitive answer either... Unless someone cares to point something out I've missed from 2 hours of googling?
Take for example, security log Event ID 4625 from windows server 2016, via LF to splunk 7.0.3.
Regex using rex command on _raw (Works😞 Message\=(?<Message2>.+)\.
Regex using web GUI field extraction on this source type is identical but NOT working.
When checking the difference between my Message and Message2 fields - most are identical, occasionally the last line of text is missing from Message2.
this isn't working and I don't think it ever has, given the simplicity of this regex extraction... I've tried adding (\.|\r\n|\r|\n|\0) and had the same results.
Strange thing is, this works for other event ID's, like 4738 (A user account was changed). or 4724 (An attempt was made to reset an account's password).
I'm theorizing that splunk subsystem is possibly responsible by not correctly rebuilding events in memory when inflating?
... View more
03-16-2017
09:18 AM
Install the sankey diagram from the store.
You can only set the properties of the diagram, but if you click on the diagram from the front splunk page (should show on the left as a button) you get some good examples to work from. http://yoursplunkIP:8000/en-US/app/sankey_diagram_app/gallery
I've experimented with it, if you check the examples by opening in search and viewing the statistics tab, you get inputlookup examples, these essentially read from a csv file in splunk but just for demonstration purposes, you need to focus on the table/fields it produces and write your query to reflect that.
Sankey diagrams are quite complex when comparing to the others, the three examples all require 4 fields, of which 2 are numeric and 2 are text, stats queries seem to be the base.
You can only really check the examples and base from there by building your stats based query...
... View more
03-16-2017
05:08 AM
I finally figured this out with the help of somerford associates:
earliest=-10d index="cbeprodvteclogs" CFErrorCodeMessagesCode=* |
timechart limit=0 count as cnt by CFErrorCodeMessagesCode |
untable _time CFErrorCodeMessagesCode cnt |
sort 0 CFErrorCodeMessagesCode _time
| autoregress cnt P=1-4 | autoregress CFErrorCodeMessagesCode P=1-4
| eval cnt2=(round(cnt,1) + if(CFErrorCodeMessagesCode_p1==CFErrorCodeMessagesCode,cnt_p1,null()) + if(CFErrorCodeMessagesCode_p2==CFErrorCodeMessagesCode,cnt_p2,null()) +if(CFErrorCodeMessagesCode_p3==CFErrorCodeMessagesCode,cnt_p3,null()) +if(CFErrorCodeMessagesCode_p4==CFErrorCodeMessagesCode,cnt_p4,null()) ) / 5
| eval spike=if(if(cnt <= 10, 0, cnt) > cnt2 * 2 , 1, 0)
| FIELDS CFErrorCodeMessagesCode, cnt, cnt2, spike
The query is modifiable as well and can work with any field (host, sourcetype etc..), feel free to use on your own projects...
The removal of bin and use of timechart with untable fixes the issue above.
Thanks all.
... View more
03-01-2017
07:48 AM
earliest=-10d index="cbeprodswtlogs" CFErrorCodeMessagesCode=*
| bin _time span=1d
| stats count as cnt by _time CFErrorCodeMessagesCode
| sort 0 CFErrorCodeMessagesCode _time
| autoregress cnt P=1-4 | autoregress CFErrorCodeMessagesCode P=1-4
| eval cnt2=(round(cnt,1) + if(CFErrorCodeMessagesCode_p1==CFErrorCodeMessagesCode,cnt_p1,null()) + if(CFErrorCodeMessagesCode_p2==CFErrorCodeMessagesCode,cnt_p2,null()) +if(CFErrorCodeMessagesCode_p3==CFErrorCodeMessagesCode,cnt_p3,null()) +if(CFErrorCodeMessagesCode_p4==CFErrorCodeMessagesCode,cnt_p4,null()) ) / 5
| eval spike=if(if(cnt <= 10, 0, cnt) > cnt2 * 2 , 1, 0)
| FIELDS CFErrorCodeMessagesCode, cnt, cnt2, spike
... View more
03-01-2017
07:43 AM
This is almost working but there is quite a snag which I think I may be able to work around by some tweaks and maybe interpreting the results differently
There is a key problem I've tried to work around but failing on 2 different attempts due to there being zero of a specific code on certain days:
1) tried using fillnull
2) tried using stats sum(eval(if(isnull(_time),0,1))) as cnt by _time CFErrorCodeMessagesCode
The reason is because in my original query I'm forcing the code in hence splunk forcefully gives a row for each code on each day, e.g:
eval CFECM="Code (1)" | FIELDS CFECM
This results in a line being created for a particular day which is when empty is something like:
Code (1) 0 null/empty 0 2017-02-28 (for first 4) **or** Code (1) 0 0 0 2017-02-28 (for the rest)
With the new query, I'm unable to work out Code (x) because Code (x) only comes out on 21, 22, 25 & 28 of Feb, there are no zero days in between for the SMA to be viable.
If I could post a screenshot I would, it's quite obvious when looking.
For the ones where the code happens at least once on each day for 10 consecutive days, this is pefect and works brilliantly.
The autoregress function is having some issues with addition of null in a prior day where a skipped day is missing:
Code (203) 2 N 0 2017-02-20
Code (203) 22 N 0 2017-02-21
Code (203) 6 N 0 2017-02-23
Code (203) 8 N 0 2017-02-24
Code (203) 4 8.40 0 2017-02-25
Code (203) 2 8.40 0 2017-02-28 < Wrong Result due to null p1 & p2? Trying to refer to 26th and 27th and not the previous row, as seen? Bug? day bin issue?
When replacing null() with 0 I get lots of spike=1 and the first 4 cnt2 rows are calculated, I now understand the autoregress null addition is there to cause the first 4 cnt2 results to be null themselves.
One (crazy) workaround for this would be to artifically feed one of each code in to the system after midnight, lol although I'm not inclined to go so rogue and the boss would not allow it.
... View more
03-01-2017
04:32 AM
I've made a slight adjustment to the autoregress part, the splunk docs make out that we should have P=1-4 with the additions that work out cnt2, otherwise we need to add CFErrorCodeMessagesCode_p5 to it?
See example 3 here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Autoregress
... View more
03-01-2017
04:00 AM
I tried replacing null() with 0, results look wrong, lots of spike=1 and days are still missing. How can you perform addition on null()? I think there are no codes for that day so think I need to default/substitute where cnt for that day is zero.
Most languages I know of don't consider null in math ops and cause the result to be null via all math operators.
The sma5 is certainly not working because of not having 5 days worth of data, as days where cnt=0 is missing. I will continue to work on this in the meantime. 🙂
... View more
03-01-2017
03:29 AM
I'm just toying about with this now, seems that where cnt=0 it's not giving results for that day, so I will tune this a bit as it needs the first 5 days to work out the SMA.
... View more
03-01-2017
02:26 AM
I have just tried and got a good result but using this query:)))))
earliest=-10d index="cbeprodswtlogs" CFErrorCodeMessagesCode=*
| bin _time span=1d
| stats count as cnt by _time CFErrorCodeMessagesCode
| sort 0 CFErrorCodeMessagesCode _time
| autoregress cnt P=1-5 | autoregress CFErrorCodeMessagesCode P=1-5
| eval cnt2=(round(cnt,1) + if(CFErrorCodeMessagesCode_p1==CFErrorCodeMessagesCode,cnt_p1,null()) + if(CFErrorCodeMessagesCode_p2==CFErrorCodeMessagesCode,cnt_p2,null()) +if(CFErrorCodeMessagesCode_p3==CFErrorCodeMessagesCode,cnt_p3,null()) +if(CFErrorCodeMessagesCode_p4==CFErrorCodeMessagesCode,cnt_p4,null()) ) /5
| eval spike=if(if(cnt <= 50, 0, cnt) > cnt2 * 2 , 1, 0)
| FIELDS CFErrorCodeMessagesCode, cnt, cnt2, spike
Just a note on this to others, the CFErrorCodeMessagesCode field could easily be replaced with any field in splunk to act on that field, such as sourcetype to monitor for specific things lighting up or host... Try it.
The beauty of solving this problem is that the code can be re-used to work out the moving average of any field in an intelligent way with minimal overhead, potentially opening the gates for lots of people to make good use of this example for their alerting and spike monitoring. The SMA is very reliable especially with a floor value (nested if's) to suppress false positives. 🙂
Thanks.
... View more
03-01-2017
02:08 AM
There is no other way as I need to get the SMA of these values. The query doesn't halt, I think if I need to stick to the original method then Iwill cut down the codes/lines in the query.
... View more
02-28-2017
12:37 AM
Hi, the first query gives me the same results as the one I posted, it populates with 10 blank rows.
The second query works to demonstrate the method, let me have a play with this and see what I can achieve.
I will have a play, I noticed you used CFECM which is a shortened alias, will replace that with the field name...
thanks, this all looks very good!
... View more
02-27-2017
08:44 AM
I mean to say, dynamically analyzes the data - one line instead of lots of explicit lines
... View more
02-27-2017
08:41 AM
1 Karma
This will be very interesting or boring, it can only be one!
I have an extracted field: CFErrorCodeMessagesCode
This can contain one of many possible values, e.g. "Code (216)" "Code (9999)" e.g. "Code (xxxx)"
Normally, I have a spreadsheet that creates me a large query to run, for an alert on a cron schedule, that holds a row for each code. e.g with 3 codes the string it generates looks like this:
earliest=-10d index="cbeprodvteclogs" CFErrorCodeMessagesCode="Code (1)" | timechart count(CFErrorCodeMessagesCode) as cnt | trendline sma5(cnt) as cnt2 | eval spike=if(if(cnt <= 10, 0, cnt) > cnt2 * 3 , 1, 0) | eval CFECM="Code (1)" | FIELDS CFECM, cnt, cnt2, spike | append [ search
earliest=-10d index="cbeprodvteclogs" CFErrorCodeMessagesCode="Code (106)" | timechart count(CFErrorCodeMessagesCode) as cnt | trendline sma5(cnt) as cnt2 | eval spike=if(if(cnt <= 10, 0, cnt) > cnt2 * 3 , 1, 0) | eval CFECM="Code (106)" | FIELDS CFECM, cnt, cnt2, spike ] | append [ search
earliest=-10d index="cbeprodvteclogs" CFErrorCodeMessagesCode="Code (9999)" | timechart count(CFErrorCodeMessagesCode) as cnt | trendline sma5(cnt) as cnt2 | eval spike=if(if(cnt <= 10, 0, cnt) > cnt2 * 3 , 1, 0) | eval CFECM="Code (9999)" | FIELDS CFECM, cnt, cnt2, spike ] | where strftime(_time, "%Y-%m-%d") = strftime(now(), "%Y-%m-%d") and spike=1
The idea is to alert us of obscure spikes using sma5 over a 10 day data window, it's very effective and even better when sourced from a spreadsheet as I can tune every aspect of it via the columns.
Another alert I have is for codes the application pushes out that aren't in the SMA query (above).
I have 34 codes on one sheet/alert, this runs ok, on another sheet I have almost 60, and the performance has degraded since building up the list, and also since ingesting more data in to the index, but I don't see how this matters because I am explicitly specifying the code I need to pull.
I was considering putting the data to its own index, but this would complicate all sorts of stuff I've developed.
What I was wondering was: Is it possible to just have a single line that dynamically builds me a list? Something like the below query (which doesn't work, nor other variations I've tried)
earliest=-10d index="cbeprodswtlogs" CFErrorCodeMessagesCode=* | timechart count as cnt by CFErrorCodeMessagesCode | trendline sma5(cnt) as cnt2 | eval spike=if(if(cnt <= 50, 0, cnt) > cnt2 * 2 , 1, 0) | FIELDS CFErrorCodeMessagesCode, cnt, cnt2, spike
This would allow me to not have to maintain a spreadsheet and a separate alert for codes that aren't included already, it may also speed it up.
Thanks in advance.
... View more
02-24-2017
02:11 AM
Have you tried it?
Don't forget to add disabled=0 underneath it and you may need to add another / where there is only one?
Generally, I find that using UF's you are limited in choice to what is in the web interface on the HF when configuring from there, like app, sec and sys logs, no access to custom logs.
If you use a HF and get it to reach out directly via WMI or grab from local, you have more options and getting that input should be no problem.
If you're using inputs.conf then this link helps: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorWindowseventlogdata
... View more
02-23-2017
06:54 AM
1 Karma
Hi all, solved this with a major deep dive.
The RegEx provided is a great improvement, thanks for that, it still only works with the ungreedy prefix as well.
The missing point was LOOKAHEAD - default is 4KB and this is the directive to regex to not go beyond that value by default.
Now, each stanza looks like this:
[CFGPFweb]
REGEX = (?U)"messages":(.+"messages":){19}(?P\d+),"messages
LOOKAHEAD = 65535
WRITE_META = true
FORMAT = CFGPFweb::$2
And it works, I had to update every definition to 64KB, not sure how much overhead but I'm only getting 1 JSON msg per/min.
... View more
02-23-2017
03:42 AM
The first instance of a match failure is reportedly at bytes 4959-4960, this is for the CFBPFonboard field, and the rest after that fail as well.
The performance stats for regex101 say that this is 39232 steps and takes ~73 ms.
Is this operation too expensive for the regex engine?
Thanks
... View more
02-23-2017
03:30 AM
Hi, I have tried this and got exactly the same result, I believe this may have something to do with truncation of the event or some sort of limitation with the regex input buffer - although I have set truncate = 500000, this may not be respected from a regex point of view?
... View more
02-23-2017
01:26 AM
Before and up to the first occurrence:
[{"memory":21904,"reductions":413518,"reductions_details":{"rate":0.0},"messages":0,"messages_details":
... View more
02-23-2017
01:09 AM
It all works on regex101.com using PCRE, but only when I specify the ungreedy option, hence the (?U).
I will try what you have done, however when I did use the {n} regex function on regex101 is just went mad and started selecting 1, 2, 3 characters then nothing, as if it was selecting the amount in characters and not the occurrence.
I can't post the JSON here it's too much, it is very uniform and strongly formatted with no line breaks etc...
... View more
02-20-2017
08:47 AM
I have a fairly hefty chunk of JSON from RabbitMQ REST.
In my props I have:
[json_no_timestamp]
TRUNCATE = 500000
In transforms, I have:
[CFBPFCCmessages]
REGEX = (?U)()"messages":(?P<CFBPFCCmessages>\d+)
WRITE_META = true
FORMAT = CFBPFCCmessages::$2
[CFBPFfailed]
REGEX = (?U)()"messages":.+"messages":(?P<CFBPFfailed>\d+),"messages
WRITE_META = true
FORMAT = CFBPFfailed::$2
[CFBPFmobile]
REGEX = (?U)()"messages":.+"messages":.+"messages":(?P<CFBPFmobile>\d+),"messages
WRITE_META = true
FORMAT = CFBPFmobile::$2
[CFBPFonboard]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPFonboard>\d+),"messages
WRITE_META = true
FORMAT = CFBPFonboard::$2
[CFBPFticketoffice]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPFticketoffice>\d+),"messages
WRITE_META = true
FORMAT = CFBPFticketoffice::$2
[CFBPFtvm]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPFtvm>\d+),"messages
WRITE_META = true
FORMAT = CFBPFtvm::$2
[CFBPFunknown]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPFunknown>\d+),"messages
WRITE_META = true
FORMAT = CFBPFunknown::$2
[CFBPFweb]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPFweb>\d+),"messages
WRITE_META = true
FORMAT = CFBPFweb::$2
[CFBPMemail]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPMemail>\d+),"messages
WRITE_META = true
FORMAT = CFBPMemail::$2
[CFBPMfailed]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPMfailed>\d+),"messages
WRITE_META = true
FORMAT = CFBPMfailed::$2
[CFBPMsms]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPMsms>\d+),"messages
WRITE_META = true
FORMAT = CFBPMsms::$2
[CFBPMunknown]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFBPMunknown>\d+),"messages
WRITE_META = true
FORMAT = CFBPMunknown::$2
[CFGPFCCmessages]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFCCmessages>\d+)
WRITE_META = true
FORMAT = CFGPFCCmessages::$2
[CFGPFfailed]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFfailed>\d+),"messages
WRITE_META = true
FORMAT = CFGPFfailed::$2
[CFGPFmobile]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFmobile>\d+),"messages
WRITE_META = true
FORMAT = CFGPFmobile::$2
[CFGPFonboard]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFonboard>\d+),"messages
WRITE_META = true
FORMAT = CFGPFonboard::$2
[CFGPFticketoffice]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFticketoffice>\d+),"messages
WRITE_META = true
FORMAT = CFGPFticketoffice::$2
[CFGPFtvm]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFtvm>\d+),"messages
WRITE_META = true
FORMAT = CFGPFtvm::$2
[CFGPFunknown]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFunknown>\d+),"messages
WRITE_META = true
FORMAT = CFGPFunknown::$2
[CFGPFweb]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPFweb>\d+),"messages
WRITE_META = true
FORMAT = CFGPFweb::$2
[CFGPMemail]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPMemail>\d+),"messages
WRITE_META = true
FORMAT = CFGPMemail::$2
[CFGPMfailed]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPMfailed>\d+),"messages
WRITE_META = true
FORMAT = CFGPMfailed::$2
[CFGPMsms]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPMsms>\d+),"messages
WRITE_META = true
FORMAT = CFGPMsms::$2
[CFGPMunknown]
REGEX = (?U)()"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":.+"messages":(?P<CFGPMunknown>\d+),"messages
WRITE_META = true
FORMAT = CFGPMunknown::$2
When indexing, I only get the first 3 fields, the other fields beyond CFBPFmobile are not indexed.
I was considering MATCH_LIMIT, will this work?
... View more
02-16-2017
07:26 AM
This won't work, and this is the reason why ...
Splunk service runs as "SYSTEM" for example, the script is run in this context, beneath splunkd.exe...
By default, the splunkd.exe service definition does not have the desktop interaction privilege.
Even if the privilege is assigned, you would possibly get a desktop alert from windows saying that the system account has something to show you, when you switch to that desktop it is extremely simplistic, no taskbar, no desktop icons, low resolution and isolated, it's hard work getting services to interact via desktop properly anyway and messaging between applications is a favorable alternative - using the Splunk REST API is a possibility?
Say that... if you changed the Splunk service identity to be your account, it will run in a separate session and probably wont alert you like the system account does anyway.
Services are very much behind the scenes, we just use the alerting mechanism, if you use outlook then knock up some rules or a VBA form to respond to the email alerts.
... View more
02-16-2017
02:21 AM
Hi, no this was a crash of the UF implicating KERNELBASE.dll - the stack overflow caused other issues on the server, clearly there was a memory leak of some sort that affected everything else on the server.
I will have a look at that, thanks.
... View more
02-14-2017
01:26 AM
Faulting application name: splunk-winevtlog.exe, version: 1541.256.22575.14967, time stamp: 0x582f3e24
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18340, time stamp: 0x57366075
Exception code: 0xeeab5254
Fault offset: 0x0000000000008a5c
Faulting process id: 0x774
Faulting application start time: 0x01d24fc49cf57f77
Faulting application path: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 002d6d22-f244-11e6-8145-065cadcce291
Faulting package full name:
Faulting package-relative application ID:
The exception code resolves to "Stack Overflow". I have since stopped windows event log collection on all systems, as I understand this is a windows event log collector component issue.
The light forwarder version we are using is 6.5.1
... View more
- Tags:
- exception
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
