Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About cdstealer
cdstealer
Contributor
Member since:
08-28-2011
10-27-2022
Community Statistics
| Posts | 109 |
| Solutions | 10 |
| Karma Given | 17 |
| Karma Received | 27 |
| Member Since | 08-28-2011 |
Activity Feed
- Got Karma for Re: Splunk DB Connect ERROR Without Error. 11-10-2022 09:12 AM
- Posted Re: Splunk DB Connect ERROR Without Error on All Apps and Add-ons. 10-27-2022 08:13 AM
- Posted Re: Splunk DB Connect ERROR Without Error on All Apps and Add-ons. 04-18-2022 10:21 AM
- Posted Why am I getting Splunk DB Connect ERROR Without Error? on All Apps and Add-ons. 04-05-2022 10:13 AM
- Karma Re: Merge cells together when having one same Value for lslschr. 04-05-2022 05:54 AM
- Got Karma for Re: field value invalid. 01-20-2022 08:08 AM
- Got Karma for Re: Lookup csv missing in definitions. 10-11-2021 02:07 PM
- Posted Re: Splunkism Regex? on Getting Data In. 06-25-2021 06:27 AM
- Posted Re: Splunkism Regex? on Getting Data In. 06-25-2021 05:49 AM
- Posted Splunkism Regex? on Getting Data In. 06-25-2021 01:24 AM
- Tagged Splunkism Regex? on Getting Data In. 06-25-2021 01:24 AM
- Got Karma for Re: DB Connect KEY=VALUE Extraction Fail. 06-09-2021 07:06 AM
- Posted Re: DB Connect KEY=VALUE Extraction Fail on Getting Data In. 06-09-2021 06:28 AM
- Posted Re: DB Connect KEY=VALUE Extraction Fail on Getting Data In. 05-25-2021 06:33 AM
- Posted DB Connect KEY=VALUE Extraction Fail on Getting Data In. 05-25-2021 04:23 AM
- Tagged DB Connect KEY=VALUE Extraction Fail on Getting Data In. 05-25-2021 04:23 AM
- Posted Regex Truncation vs Rex on Splunk Search. 12-09-2020 03:38 AM
- Tagged Regex Truncation vs Rex on Splunk Search. 12-09-2020 03:38 AM
- Posted Re: Multiple Stats from Base Search on Splunk Search. 10-08-2020 04:03 AM
- Posted Re: Multiple Stats from Base Search on Splunk Search. 10-07-2020 10:39 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
01-24-2017
05:59 AM
Hi, no problem 🙂 So I'm trying to make this dynamic so that if the data changes, the extractions still work and also any new fields get extracted without having to manually create them. So the props/transforms I gave extract all the fields almost as I need. This also includes new fields. So what I need is a way to get splunk to enrich the fields so that we know which field belongs to which RPA.
In the example above, I have 8 "Initiator ID" values which anyone searching this data will have no idea what RPA they belong to. So I want splunk to assign the 4 under the RPA1 heading and the second 4 to belong to RPA2. So if a user searches for RPA1, they only get the fields extracted under the RPA1 heading. I hope I'm explaining this ok.
Thanks
Steve
... View more
01-24-2017
05:38 AM
Hi Giuseppe,
Thanks for the reply. Apologies, I probably should have stated how I'm extracting the fields.
transforms:
[emc_sourcetype]
DELIMS = "\"{\n}\"", ":"
FORMAT = $1::$2
MV_ADD = true
props:
[emc_sourcetype]
KV_MODE = none
KV_TRIM_SPACES = true
REPORT-extractions = emc_sourcetype
Thanks
... View more
01-24-2017
04:54 AM
Hi All, I'm struggling with a data input from the EMC Recoverpoint devices. I may be making things hard for myself, but I'm sure someone will have come across this scenario on their travels 😉
An event looks like this:
SITE_VPLEX:
RPAs:
RPA 1:
Version: 4.1.SP1.P1(h.167)
WAN IP: 000.000.000.000
RPA LAN IPv4: 000.000.000.000
RPA LAN IPv6:N/A
iSCSI interface IPs: None
Interfaces:
Type: FC
Initiator ID: 50012481006bexxx
Type: FC
Initiator ID: 50012481006bexxx
Type: FC
Initiator ID: 50012481006bexxx
Type: FC
Initiator ID: 50012481006bexxx
Hardware details:
Hardware type: Intel Corporation S2600GZ GEN5
Adapter type: 2564
Vendor: Intel Corporation
Hardware Serial ID: FC6RP133000229_00000000002_FFF
Hardware Platform: Intel Corporation S2600GZ GEN5
Amount of memory: 16269416 KB
Number of CPUs: 12
RPA 2:
Version: 4.1.SP1.P1(h.167)
WAN IP: 000.000.000.000
RPA LAN IPv4: 000.000.000.000
RPA LAN IPv6:N/A
iSCSI interface IPs: None
Interfaces:
Type: FC
Initiator ID: 50012481006bdxxx
Type: FC
Initiator ID: 50012481006bdxxx
Type: FC
Initiator ID: 50012481006bdxxx
Type: FC
Initiator ID: 50012481006bdxxx
Hardware details:
Hardware type: Intel Corporation S2600GZ GEN5
Adapter type: 2564
Vendor: Intel Corporation
Hardware Serial ID: FC6RP133000135_0000000000_FFF
Hardware Platform: Intel Corporation S2600GZ GEN5
Amount of memory: 16269416 KB
Number of CPUs: 12
I have the fields extracting without issue, but the issue I have is each field needs to belong to either RPA1 or RPA2.
Thanks in advance
Steve
... View more
11-24-2016
11:35 PM
Hi, Thanks for the reply. I've tried setting it as a token that is defined (help_target) and get the same result. This is the inputs section.
<form>
<init>
<set token="help_target_title">NetApp Volume Details</set>
<set token="help_target">NetAppVolumeDetails</set>
</init>
<label>NetApp Volume Details WIP smoyes</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="system" searchWhenChanged="true">
<label>System Name</label>
<search>
<query>sourcetype="ontap:system" | stats count by system-name</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<change>
<unset token="Detail_show"></unset>
<set token="form.aggregate">*</set>
<unset token="Chart_noshow"></unset>
</change>
<fieldForLabel>system-name</fieldForLabel>
<fieldForValue>system-name</fieldForValue>
</input>
<input type="time" token="time" depends="$details_show$">
<label>Time Period for Capacity Chart</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
... View more
11-24-2016
04:53 AM
Hi, I'm trying to add conditional form inputs, but I just get an error even though the docs say it's supported??? DOCS
This is an excerpt from the dashboard.
<fieldset>
<input type="time" token="time" depends="$details_show$" >
<label>Time Period for Capacity Chart</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
And this is the error displayed in the source editor:
Warning on line XX: Unknown attribute "depends" for node "input"
So are the docs incorrect and this isn't supported or am I doing something wrong?
I've tested this on versions 6.5.0 & 6.5.1.
Thanks in advance.
Steve
... View more
- Tags:
- splunk-enterprise
11-14-2016
11:06 PM
Case for enhancement raised.
... View more
11-14-2016
11:05 PM
1 Karma
Thanks aaraneta. I've submitted case 416266 🙂
... View more
11-14-2016
06:15 AM
Hi, We have a Splunk implementation that differs from the norm on some things. The one I would like to investigate are the license pools. The Splunk servers are managed by puppet which is why we're able to configure licensing in the way we have. We have created 2 pools which are wild carded and then we specify the pool we want the indexer to bind to with "pool_suggestion" under the license stanza within server.conf. This works, however, as this is outside of the spec for how license pools operate, it generates hundreds of thousands of the following in splunkd.log per day.
11-14-2016 13:55:26.634 +0000 ERROR LMStack - pool=name1 and pool=name2 have catch all slave *
I would like to know if it's possible to feature request the ability to have more than 1 catch all pool?
TIA Steve
... View more
Labels
- Labels:
-
license
10-20-2016
07:23 AM
Hi Sorry, Yes, we set the token before the search. This UI removed my code, I've added it back 😉
The way our code works is it defines the token before any panels as the token is used in several charts. This definition is on a search that has the maximums and this maximum is used for each chart so there is a visual representation of use.
The chart below is an example. The chart on the left would be the maximum and this maximum would also be used for the chart on the right.
!!!! I hate that you can't attach images to comments 😞 Added to the top post.
... View more
10-20-2016
06:42 AM
Hi Cmerriman,
Thanks for the reply. Everything was working and only broke with the upgrade. Anyways, here are the code snippets.
Define the token:
<input type="dropdown" token="YAxisMax" searchWhenChanged="false" depends="$hidden$">
<search>
<query>REALLY BIG SEARCH</query>
</search>
<fieldForLabel>YAxisMax</fieldForLabel>
<fieldForValue>YAxisMax</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
</input>
Chart code:
<row>
<panel>
<chart>
<title>XIV Usage For Each Site by $displayby$</title>
<search>
<query>REALLY BIG SEARCH</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.maximumNumber">$YAxisMax$</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
Hope that helps 🙂
Thanks
Steve
... View more
10-20-2016
01:41 AM
Hi,
We have a few dashboards were we set the Y axis height depending on the query results. However, it seems that this option has now been removed in 6.5.0?
The answer to this question is what we were doing and worked great. Is there any way to have this functionality again? Downgrading is not an option 😉
Cheers
Steve
... View more
10-17-2016
09:11 AM
Hi Somesoni2, Thanks for the suggestion, but this will not work in our environment. This needs to be transparent to the end user. I appreciate that we could do an automated lookup, but it will just put the search head under unnecessary load. We have quite a few users that have to run very intense queries that return several hundred thousand events. I just don't see a lookup being a viable solution due to the expense to the search head. Also, not all forwarders are under deployment control 😞
Thanks
Steve
... View more
10-17-2016
08:40 AM
Hi Giuseppe, Many thanks for the suggestion. We did look into this before I posted and it's not feasible as we will have quite a few hundred servers feeding into Splunk. The thought of a lookup being queried hundreds of times a second is frightening. There has to be a more elegant solution. We also don't want end users looking into the _internal index.
Thanks
Steve
... View more
10-17-2016
05:37 AM
Hi, I think this has been asked a couple times over the past few years, but no real answer. Obviously the forwarder sends the hostname, but it must also send the ipaddress as this exists in the _internal index under the "sourceIp" field. Is there anyway, lightweight or builtin, to have this as a field? I'm asking this as we have a lot of servers that have generic hostnames which is next to useless when we require to know the location and environment details which we can stipulate from the ipaddress of the host.
Using a static solution like a lookup table et al will not work as servers can be built and torn down at will. If there is no solution, would a feature request be an answer to get the ball rolling?
I know we can use "_meta = ::" in inputs.conf on each forwarder. But this means specifying a static value which may cause problems further down the line.
TIA
Steve
... View more
07-01-2016
06:28 AM
I think it's working now. I moved the YAxisMax inputs to the end of the fieldset and removed a couple of the unset lines from inputs that really didn't need them. So far so good and is stable 🙂 I've attached the fieldset XML for reference. Thank you very much Neil for offering your help.
fieldset_XML
... View more
06-30-2016
08:55 PM
Hi Neil, That's correct. This seemed like a solution as without it, the YAxisMax dropdown would only ever display the first result from when the dashboard was opened and you'd have to manually select the new value. So the theory was to unset the token after a change so that YAxisMax would be forced to use the new value.
... View more
06-30-2016
11:37 AM
Hi,
I've created a dashboard with 5 inputs. The first input will be hidden eventually. It's shown to allow me to diagnose the issue.
The issue I have is that it is unstable. If anything in the XML is changed, the first input "YAxisMax" breaks and becomes unset which then breaks the panels that rely on the token to set the height of the chart.
Here is the XML that I'm using for the inputs. I can't paste it as code or quote 😞
XML
I would be really grateful if anyone could help. I'm also using version 6.4.0.
Thanks In Advance.
Steve
... View more
06-15-2016
04:05 AM
Many thanks woodcock, unfortunately I cannot get this to work. I've tried this on the HF which collects the data and also on the searchhead/indexer.
I've worked around it by setting up additional field extractions rather than trying to split a field 🙂
... View more
06-14-2016
11:49 AM
Hi,
Usually lookups aren't an issue, but today seems it is. I'm hoping this is just a pebcak 😉 This is the first time I'm attempting to run a lookup on eval fields rather than search-time extractions.
Anyway, to the issue.
I have a search index=ibm_xiv sourcetype="xiv:volpool" and this is OK. I then use eval to split a field value into a couple of new fields using | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1) . All is well. The 2 new fields are populated with the correct values which are abbreviations. Now I have created 2 CSV files to translate these abbreviations, created the lookup tables and definitions.
Both files are in the same format: Both the channel and environment column contain the abbreviations.
channel.csv = "channel","friendlyName"
environment.csv = "environment","friendlyName"
No matter how I configure an automatic lookup, it makes no difference what so ever.
Executing this works:
index=ibm_xiv sourcetype="xiv:volpool" | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1) | lookup XIVChannels channel as channel OUTPUT friendlyName as channel
Having XIVChannels channel AS channel OUTPUT friendlyName AS channel as an automatic lookup does not 😞
Am I doing something wrong, or do I assume that at search-time the lookup is done after the evals (which is why it works on a manual search), but an automatic lookup is done before the evals?
TIA
Steve
... View more
04-04-2016
12:45 AM
Hi, Thanks for the replay. These are the versions in use:
Splunk Add-on for AWS - 3.0.0
Splunk App for AWS - 4.1.1
Splunk Enterprise - 6.3.0
PagerDuty Incidents - 1.0
Thanks
... View more
