Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About SierraX
SierraX
Communicator
Member since:
09-11-2013
07-02-2025
Community Statistics
| Posts | 51 |
| Solutions | 3 |
| Karma Given | 9 |
| Karma Received | 10 |
| Member Since | 09-11-2013 |
Activity Feed
- Posted Re: Can i have just 2 search heads in a cluster on Deployment Architecture. 01-19-2025 01:50 AM
- Got Karma for Re: After upgrade to 9.1.2 all users try to execute "admin_all_objects". 06-27-2024 02:18 PM
- Posted Re: Custom Regex on Knowledge Management. 04-11-2024 10:42 AM
- Posted Re: need help on regex on Splunk Enterprise. 04-09-2024 11:31 AM
- Karma Re: Convert Time with T and Z to Normal format for richgalloway. 04-09-2024 10:32 AM
- Posted Re: After upgrade to 9.1.2 all users try to execute "admin_all_objects" on Splunk Enterprise. 04-09-2024 08:10 AM
- Got Karma for Is there a Timeline when Splunk Enterprise and Universal Forwarder will ported to the new Apple Chips?. 12-13-2023 09:16 AM
- Posted Re: How to check the expiration date of a certificate? on Security. 07-11-2022 12:57 AM
- Got Karma for Is there a Timeline when Splunk Enterprise and Universal Forwarder will ported to the new Apple Chips?. 05-05-2022 02:08 AM
- Posted What is the function of this entry in the splunkd binary file? on Installation. 03-07-2022 02:45 AM
- Posted Re: How can I set up LDAP for all my Splunk servers at one time? on Security. 08-27-2021 03:17 AM
- Posted Re: How can I set up LDAP for all my Splunk servers at one time? on Security. 08-27-2021 03:15 AM
- Tagged Splunk DB Connect 3.5.1 and MariaDB 2.7.1: Catalog loads. Other queries fail. on All Apps and Add-ons. 04-25-2021 12:20 PM
- Tagged Splunk DB Connect 3.5.1 and MariaDB 2.7.1: Catalog loads. Other queries fail. on All Apps and Add-ons. 04-25-2021 12:20 PM
- Tagged Splunk DB Connect 3.5.1 and MariaDB 2.7.1: Catalog loads. Other queries fail. on All Apps and Add-ons. 04-25-2021 12:20 PM
- Posted Splunk DB Connect 3.5.1 and MariaDB 2.7.1: Catalog loads. Other queries fail. on All Apps and Add-ons. 04-25-2021 12:17 PM
- Got Karma for Is there a Timeline when Splunk Enterprise and Universal Forwarder will ported to the new Apple Chips?. 03-17-2021 06:32 AM
- Got Karma for Is there a Timeline when Splunk Enterprise and Universal Forwarder will ported to the new Apple Chips?. 03-13-2021 10:03 PM
- Posted Re: Splunk Installation in CentOS on Installation. 12-07-2020 11:52 PM
- Got Karma for Is there a Timeline when Splunk Enterprise and Universal Forwarder will ported to the new Apple Chips?. 12-07-2020 05:27 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 5 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-13-2016
10:14 PM
in my system:
ls -l /opt/splunk/current/etc/apps/Splunk_TA_nix/bin/cpu.sh
-rwxr-xr-x 1 splunk splunk 3616 12. Nov 15:28 /opt/splunk/current/etc/apps/Splunk_TA_nix/bin/cpu.sh
ls -l $(which awk)
lrwxrwxrwx 1 root root 4 8. Jan 2016 /bin/awk -> gawk
ls -l /bin/egrep
-rwxr-xr-x 1 root root 158 20. Nov 2015 /bin/egrep
ls -l $(which sar)
-rwxr-xr-x 1 root root 97440 6. Mär 2015 /bin/sar
Didn't saw another involved system programs right now...
Do you have a shell skilled Linux admin on your side?
I will also look but this could need a while
... View more
11-13-2016
01:44 PM
You wrote strptime("20130322112233Z","%s") in your answer...
%s is parsing the String as epoch time or am I wrong?
... View more
11-13-2016
01:27 PM
The custom visualization Horizon Chart looks interesting... I will checkout.
The question about "as sparkline" was about the pie examples on omnipotent
(Think this was also referred by splunk.)
I'm thankful for you suggestions.
I only expect a "yes or no" answer maybe with a "in future versions"
... View more
11-13-2016
10:59 AM
Normally it should show you an error message in $SPLUNKHOME/var/log/splunk/splunkd.log when its not reading you can force it with a .splunk restart or you try a .splunk add oneshot to see in splunkd.log what happen.
...what kind of files are in the .tar.gz may there is something inside splunk can't read.
... View more
11-13-2016
09:07 AM
Seems not what I'm looking for.
Searching for something like this:
But with a Pie Chart instead of a range map symbol.
... View more
11-13-2016
07:46 AM
Hi,
also haven't hear about this ClusterMaster (CM) error Message. Could it be a Custom one from a 3rd party App?
But for the additional 2. 😞 The Indexers in a indexing Cluster typically can only search on own data... maybe Its changeable when you connect the cluster as search peer : But I'm pretty sure you should not do this
For searching on the cluster: The Cluster Master is always a Searchhead for his own cluster too
Kind Regards
SierraX
... View more
11-13-2016
06:44 AM
wow... this would be an epoch time on createDt2:
GMT: Fri, 27 Nov 2607 20:08:32.233 GMT 😄
| eval createDt2 = strptime("20130322112233Z","%Y%m%d%H%M%SZ")
should bring the requested result
... View more
11-13-2016
05:59 AM
This is the shorter version to write the 2nd eval command... but not so easy to read or change:
| eval seven_d=if(_time<relative_time(now(),"-7d@m"),"Longer than 7 Days",NULL)
is doing the same job.
... View more
11-13-2016
05:17 AM
You try to parse a kind of epoch time.
now() and _time are both epoch time formats means this are seconds beginning from the 1970-01-01 00:00:00.
When I subtract seconds from seconds the result is also seconds.
This is also the reason why I choose 604800 this are 60*60*24*7
One solution could be:
Evaluate d in corresponding to the epoch time to days like
| eval d=strftime(seven_d,"%d Days %H Hours %M Minutes") | table host d
but this is only useful when you say "time between scans is everytime lower than 31 days". On the 32nd Day it would jump to 01 again because seven_d would be 1970-02-01 00:00:00 as formatted
Better way is to use macros to calculate the date back from seconds to days hours and minutes. But I haven't done this more than a year... need time to have a look.
... View more
11-12-2016
01:59 PM
1 Karma
Hi,
I would write an alert like this:
index=sample sourcetype=scan Scan_Action=Complete
| stats latest(Scan_Action), latest(End_Time) by host
| eval _time=strptime(End_Time,"%Y-%m-%d %H:%M:%S")
| eval seven_d=if(now()-_time>604800,"Longer than 7 Days",NULL)
| search seven_d=*
With an Alert condition of if number of events greater than 0
You do not write something about scanned hosts I guess every scanned host has an own host entry in splunk.
If not, you have to change the host in second line to the entry with the scanned hosts
Kind Regards
SierraX
... View more
11-12-2016
06:50 AM
my output looks like
[splunk@splunk ~]$ splunk cmd /opt/splunk/current/etc/apps/Splunk_TA_nix/bin/cpu.sh
CPU pctUser pctNice pctSystem pctIowait pctIdle
all 0.50 0.00 1.25 0.00 98.25
0 0.00 0.00 0.00 0.00 100.00
1 0.99 0.00 2.97 0.00 96.04
2 0.00 0.00 1.00 0.00 99.00
3 1.00 0.00 1.00 0.00 98.00
... View more
11-12-2016
06:45 AM
Hi,
the error show something ist missing:
I've looked to the script them self and the cpu.sh seems to use sar . It's part of the sysstat package most Linux distros have not in minimal or standard installations.
Make sure sar is installed and usable by user splunk.
You can also test the script is running with the command
./splunk cmd /opt/dir/splunkinstall/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh
Kind Regards
SierraX
... View more
11-11-2016
04:52 AM
Hi,
one alone with cron, seems not possible.
3 alerts are the easiest for this case
Maybe also over:
Alarm condition: if custom condition is met (for this I need a while to think about)
or
Over an external script which activate, deactivate the scheduled saved search.
Kind Regards
SierraX
... View more
11-11-2016
04:12 AM
Hi,
I would prefer the usage of 7 forwarders. Because when something happen on Splunk Server side what block incoming data for a while the for splunk forwarder hold in cache and send when the connection is unblocked.
Also with a restart of a Splunk forwarder it looks where to continue reading ... not sure every log-server do this instead of sending the whole files again and running against a possible CRC problem or produce double events.
... View more
11-11-2016
01:48 AM
Hi,
when I open a dashboard with a default timepicker on yesterday the browser line looks:
?form.field1.earliest=-1d%40d&form.field1.latest=%40d
and if I use all time (like you)
?form.field1.earliest=0&form.field1.latest=
are you sure the now is not deleted because its not necessary?
HTH
Kind Regards
SierraX
... View more
11-11-2016
12:34 AM
Hi,
a very interesting case... not sure I found the right solution:
I found in the props.conf a part called KEYS: there is a key queue with the possible Values nullQueue or indexQueue
I'm not sure, but I think it's :
[rest:solarwinds:nodes]
DEST_KEY = nullQueue
In a props.conf to solve this.
Kind Regards
SierraX
... View more
11-09-2016
01:50 PM
1 Karma
Ok its a bit older but maybe 3rd Persons has similar problems:
| stats c(_raw) as failed by Country
| sort -failed
| head 5
| eval failed = Country + " - " + failed
| geom geo_countries featureIdField=Country
gives a legend like this:
... View more
11-09-2016
06:15 AM
Hi,
I work with some searchhead/indexing clusters with some machines and some mounts, in a growing environment.
Now I try to create an overview to see how full the Splunk relevant partitions are. A nice way to have an human readable overview is a 2 field Pie Chart.
But there are 36 partitions at the moment and with every enterprise instance 1 or to partitions added.
Best way I think is to do it in a sparkline with pie format
The search I use to get the requiered data is:
index=_introspection sourcetype=splunk_disk_objects component=Partitions
| dedup host data.mount_point
| table host data.mount_point data.fs_type data.capacity data.available
| convert auto(data.capacity) auto(data.available)
| rename data.* as *
Try to create pie sparklines since hours but doesn't work.
Is it possible to create pie chart sparklines like that in splunk?
And when yes, how?
Thanks in advance
And Kind Regards
SierraX
... View more
09-30-2016
12:26 AM
1 Karma
For the LDAP Config you have to copy $SPLUNKHOME/etc/system/local/authentication.conf and change the copied bindDNpassword = to a plain text version, because splunk> cant read encrypted passwords from other splunk> instances and will encrypt the plain text one with the own key after the next splunk restart.
The same for other configs with encrypted Passwords/Keys inside like the server.conf.
Also apps can hold encrypted parts... like the Splunk_TA_aws where the credentials hold in $SPLUNKHOME/etc/apps/Splunk_TA_aws/local/passwords.conf. But not encrypted by the server (with a restart)
Apps and configs without passwords has typically no problems to copy between instances. At some places it can generate confusions when Systems has the same names (stored in inputs.conf,deploymentclient.conf and server.conf)
... View more
09-29-2016
11:41 PM
I downvoted this post because this answer may correct for clone a machine to another env... not for a copy of a splunk instance.
... View more
09-29-2016
10:55 PM
Hi,
got a similar problem at an customer and worked yesterday on a solution based on your Question and the first answer, on a testsetup.
The Splunk Server has a different system time than the sender (see in the lower half)
The JSON is send by following python line:
response = urllib2.urlopen(req, json.dumps({"sourcetype":"indoor_tph", "source":"", "host":"", "event": {"temperature": str(sense.get_temperature()-7.0), "timestamp": str(datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S.%f')), "pressure": str(sense.get_pressure()), "humidity": str(sense.get_humidity())}}))
The props.conf entry for the upper half example looks:
[indoor_tph]
INDEXED_EXTRACTIONS = JSON
TIME_PREFIX = "timestamp": "
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
TZ = UTC
Hope this will help other splunkers with the same or similar problems.
Kind Regards
SierraX
... View more
04-12-2016
11:05 PM
But looks not nice and professional anyway.
... View more
04-12-2016
01:48 AM
Hi,
Just downloaded the Status Indicator - Custom Visualization App ( https://splunkbase.splunk.com/app/3119/ ) (about small Karma splunkbase 3119)
and the panels looks ... I link a pic:
This was on a fresh Mac OS X - Splunk 6.4 installation, installed with the webUI, but it looks the same on an installation via deployment server on a 6.4.0 Centos 7.1 Search Head.
The tar command to untar the .tgz to right folder shows some strange behavior:
tar: Ignoriere unbekanntes Schlüsselwort „LIBARCHIVE.creationtime“ für erweiterten Kopfteil
tar: Ignoriere unbekanntes Schlüsselwort „SCHILY.dev“ für erweiterten Kopfteil
tar: Ignoriere unbekanntes Schlüsselwort „SCHILY.ino“ für erweiterten Kopfteil
tar: Ignoriere unbekanntes Schlüsselwort „SCHILY.nlink“ für erweiterten Kopfteil
adds the last 3 lines of the list, in front of every line to extract.
For the non-German speakers:
tar: Ignore unknown keyword "*" for enhanced header.
Is there a fix scheduled?
... View more
03-11-2014
12:27 AM
Thank you for the answer. You were right... the searches wasn't embadded...
Additional they need autoRun to do the search not as "all time" first.
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-02-2025
12:41 AM
|
Karma given to
