Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About AKG1_old1
AKG1_old1
Builder
Member since:
09-02-2016
09-04-2022
Community Statistics
| Posts | 287 |
| Solutions | 10 |
| Karma Given | 101 |
| Karma Received | 55 |
| Member Since | 09-02-2016 |
Activity Feed
- Posted How to Configure Netapp Ontap Add-on for data collection on All Apps and Add-ons. 07-18-2022 05:44 AM
- Got Karma for Re: where does splunk store the logs which specify starting/stoping the splunk ?. 03-29-2022 07:48 PM
- Posted Executing python script as an alert action on windows on Getting Data In. 11-11-2021 03:32 AM
- Tagged Executing python script as an alert action on windows on Getting Data In. 11-11-2021 03:32 AM
- Posted Re: Updated: Help in event break for json file on Getting Data In. 10-06-2021 08:40 AM
- Posted Re: Help in event break for json file on Getting Data In. 10-06-2021 01:29 AM
- Posted Updated: Help in event break for json file on Getting Data In. 10-05-2021 04:49 AM
- Posted Getting data in Splunk through REST API in case of two step connection on Splunk Enterprise. 09-27-2021 08:43 AM
- Tagged Getting data in Splunk through REST API in case of two step connection on Splunk Enterprise. 09-27-2021 08:43 AM
- Tagged Getting data in Splunk through REST API in case of two step connection on Splunk Enterprise. 09-27-2021 08:43 AM
- Posted Re: How to configure request payload in a POST HTTP Method with REST API Modular Input? on All Apps and Add-ons. 09-24-2021 12:11 PM
- Posted Re: REST API Modular Input Help on Splunk Enterprise. 09-24-2021 06:05 AM
- Posted REST API Modular Input Help on Splunk Enterprise. 09-24-2021 03:15 AM
- Got Karma for Re: where does splunk store the logs which specify starting/stoping the splunk ?. 08-25-2021 10:05 PM
- Posted Re: Admin account to view all the Dashboard created by individual users on Security. 06-10-2021 12:57 PM
- Karma Re: Admin account to view all the Dashboard created by individual users for rupkumar4sec. 06-10-2021 12:57 PM
- Karma Re: Admin account to view all the Dashboard created by individual users for isoutamo. 06-10-2021 12:57 PM
- Posted Re: Admin account to view all the Dashboard created by individual users on Security. 06-10-2021 12:35 PM
- Posted Re: Admin account to view all the Dashboard created by individual users on Security. 06-10-2021 10:16 AM
- Karma Re: Admin account to view all the Dashboard created by individual users for isoutamo. 06-10-2021 10:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-16-2020
09:18 AM
added sample data
... View more
09-16-2020
08:35 AM
Hello, In particular sourcetype we are getting huge numbers of events but only some data events are relevant. I am try to take only events with matching string and exclude everything else. Matching strings : Session initialization | Session initialized (There are few more as well) I have tried this by refereing this post Link When I am using this its excluding everyting and when i tried only with setparsing its injesting all data. Not sure what I am missing here. props.conf [mx_java_event] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom pulldown_type = true EXTRACT-JavaClass = ,\d+\s\[(?<JavaClass>[^:]*): EXTRACT-Session = session:(?<Session>\d+) TRANSFORMS-set = setnull, setparsing transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = Session initialization | Session initialized DEST_KEY = queue FORMAT = indexQueue FYI : In case REGEX is incorrect, I tried with "REGEX = Session" its not working either. Sample data: (Only 1st and 3rd line are matching) 2020-08-12 14:08:11,775 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Session initialization - SGITOPS/SG_LAW_MRC 2020-08-12 14:08:12,775 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Excluded - SGITOPS/SG_LAW_MRC 2020-08-12 14:08:11,912 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Session initialized 2020-08-12 14:08:12,912 [Thread-233 - Worker-54] murex.processing.stp.osp.server.service.OspServer : DEBUG - [session:1758555252] Session Excluded2 2020-08-12 14:08:12,912 JUST FOR Testing
... View more
Labels
- Labels:
-
using Splunk Enterprise
06-17-2020
03:38 AM
@LukeMurphey Hi Luke, Will yo be able to guide me on this issues.
... View more
06-12-2020
06:12 AM
Hello, We have upgraded Lookup editor app to latest version but looks like there is a bug when editing the lookup. When I am changing some thing in lookup and try to save lookup those changes are not applied. (when changing one cell value at a time then its working chaning multiple cell having problem) Recently new version released (3.4.2) with fix of this issue but its not working either. I have tried to install older version (3.3.3 , 3.4.0, and 3.4.1) and having the same issue. Just wanted to check if this bug is still there in these version or I am missing some thing. Splunk Enterprise Version : 8.0.3 Update : Looks like this issue is only with Enterprise 8.0.3 version. I just tested it with 8.0.1 and it was working fine. when upgraded again on 8.0.3 its not working . Thanks
... View more
Labels
- Labels:
-
using Splunk Enterprise
06-11-2020
06:26 AM
Hi, I am looking to build a dashboard where I can track all the email sent on configured alerts. I have used Alert manager App where I can get these details except couple of details. I am also looking to get the details of recepient list and subject(optional), which I guess not avaiable. I am aware of internal logs (sourcetype=splunk_python) where we get details of all email sent by splunk. but I couldn't find a way to map those details with details in alert manager. splunk_python log 2020-06-10 17:15:14,882 +0200 INFO sendemail:139 - Sending email. subject="[PS_PI45_KERNEL_ELEMENTS] Splunk CPU Alert", results_link="http://splunk:8000/apps/xxxxx/@go?sid=scheduler__admin__xxxxx__RMD56802a2f6671046cd_at_1591802100_15918", recipients="[u'xyz@xxxxx.com', u'abc@xxxxx.com']", server="smtp.murex.com" Alert Manager Thanks
... View more
Labels
- Labels:
-
administration
04-22-2020
10:18 AM
@PavelP : Some time we use to have Splunk install and forwarder on same box so we might have changed management port to 9089 for forwarder to avoid conflict. Forwarder is original Universal forwarder. I tried changing port back to 8089 but still not working 😞
... View more
04-22-2020
06:48 AM
I tried your command on Forwarder but its not working. eventhough splunkd is up its saying its down. Am I missing something here ?
bash$ bin/splunk status
splunkd is running (PID: 18089).
splunk helpers are running (PIDs: 18090).
mx25089vm autoengine /data/apps/splunkforwarder_MIC_v44_ORCH1/
bash$ bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
QUERYING: 'https://127.0.0.1:9089/services/admin/inputstatus/TailingProcessor:FileStatus'
This command [GET /services/admin/inputstatus/TailingProcessor:FileStatus] needs splunkd to be up, and splunkd is down.
... View more
04-22-2020
06:22 AM
@skalliger : thanks for reply.
Props.conf
First data is injested to GC_11_RAW and only relevant events trasffered to GC11 sourcetype
[GC11]
disabled = false
SHOULD_LINEMERGE = false
TIME_PREFIX = ^\[
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 100
EXTRACT-PAUSE_FULL = (\[(?P\d*-\d*-\d\dT\d\d:\d\d:\d\d.\d*\+\d*)\])?(\[(?P\d+.\d+)s])?.*GC\((?P\d*)\) (?PPause Full)(.*) (?P[0-9]*)M->(?P[0-9]*)M\((?P[0-9]*)M\) (?P[0-9]*.[0-9]*)ms
[GC11_RAW]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
category = Custom
TRANSFORMS-sourcetye_routing = JAVA_GC11_sourcetye_routing
transforms.conf
[JAVA_GC11_sourcetye_routing]
DEST_KEY = MetaData:Sourcetype
REGEX = GC\(\d*\)|Using G1
FORMAT = sourcetype::GC11
There is no heavy forwarder in between. even no unusal activity on monitoing console. data volume is same what we ususally gets. _time is correct because its been extracted from logs. Just indexing is lagging.
... View more
04-22-2020
04:53 AM
Hi,
we are monitorning recursively on directory and some time indexing the data in splunk is delayed a lot ( 12+ hrs).
Universal Forwarder
[monitor:///net/hp707srv/hp707srv1/apps/QCST_MIC_v3.1.44_MASTER/logs.../.log]
disabled = false
host = MIC_v44
index = mlc_live
sourcetype = GC11_RAW
crcSalt =
whitelist = .*gc.log$|.*gc. .log$
blacklist=logs_|fixing_|tps-archives
In below example log printed every hour but it was not indexed straigh away. More than 12hrs of data indexed at same time 12:01
throughput is set to unlimited as this forwarder is monitoring many other files.
limits.conf
[thruput]
maxKBps = 0
... View more
04-06-2020
07:17 AM
Hello,
Currently, we are using multiple datamodels for same data (post filters are different). Now we are trying to merge them in single datamodel using child dataset to decrease disk space but appently there is massive performance impact on tstats search queries using child dataset.
In below example, while using child dataset Its almost 300+% increase in search time.
This might be expected as scaning full set of logs. Checking if there is any other way of using tstat query on child dataset to improve performace ?
Datamodel structure
... View more
02-13-2020
02:38 PM
thanks but it doesn't seem to be working. Even though I have given full permission to this app and my app which has dashboard to export, it always display page not found (404 error).
... View more
02-13-2020
09:52 AM
For the same reason this app is desinged for.
Default pdf export misses many GUI functionality.
for example: Table colors are removed, not all charts been exported ( Timeline chart etc...)
Smart pdf export exact snapshot of dashboard.
... View more
02-13-2020
06:36 AM
Hi,
I am using one table in my dashboard. if possible I wanted to display one column values as tooltip to another column.
basically in below table Threshold value need to be displayed as tooltip when mouse rollover on Alert_Destription or Issues_Count.
... View more
02-13-2020
04:14 AM
Hello,
I am using smart pdf export app (https://splunkbase.splunk.com/app/4030/) .
when I am trying to export my dashboard, it stuck and won't generate pdf. My dashboard has 3-4 tables and couple of charts.
I have also increased row count in limits.conf.
limits.conf
[pdf]
max_rows_per_table = 50000
Tried with different browser as well but no luck. Is there anything we can do here ?
... View more
Labels
- Labels:
-
troubleshooting
Actually it worked with result.host_token but its not solving my problem. Second search is still running with all time. (Same results as using subsearch to override time)
... View more
Thanks @skoelpin
I have tried this approch but still I am not be able to get desired outcome.
1. Outcome of first search is not been passed to second search properly.
This is how I am using my queries.
**first search output in table**
| table host_token service_earliest_time earliest latest time_token.earliest time_token.latest
**Second search**
| savedsearch "TEST_KPI_MTE_ALERT_FUNCTION" host_token="$host_token$" service_earliest_time="$service_earliest_time$" earliest="$earliest$" latest="$latest$" time_token.earliest="$time_token.earliest$" time_token.latest="$time_token.latest$"
Inspite arguments are not passed to second search, I can see second query is running but results are stored in "main" index in json format. which will be diffcult to parse. I was hopping to get results either via email or dumping in some file. extracting from logs will be difficult.
I am not sure if second search will use earliest and latest time from output of first search.
This is results what I am getting in logs (tokens not having values from first search)
{"messages": [{"type": "INFO", "text": "[subsearch]: Successfully read lookup file '/hp737srv2/apps/splunk/etc/apps/Murex/lookups/KPI_MASTER_LIST.csv'."}, {"type": "WARN", "text": "Unable to run query '| savedsearch KPI_MTE_NO_OF_CRITICAL_INFRA host_token= SERVICE_EARLIEST_TIME= time_token.earliest= time_token.latest= | appendcols [ | makeresults | eval Order=7 | fillnull count ] | table ALERT count Order '."}], "earliest": "1970-01-01T01:00:00.000+01:00", "description": "Splunk Adaptive Response Search", "latest": "2020-01-29T13:27:05.%L", "search": "| savedsearch \"TEST_KPI_MTE_ALERT_FUNCTION\" host_token=\"\" service_earliest_time=\"\" earliest=\"\" latest=\"\" time_token.earliest=\"\" time_token.latest=\"\"", "results": [{"TYPE": "MTE_GENERIC", "Category": "INFRA", "ALERT": "KPI_MTE_NO_OF_CRITICAL_INFRA", "Alert_Description": "Total No of Critical Alerts (INFRA)", "Dashboard": "MTE_ALERTS_CRITICAL_INFRA", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "INFRA", "ALERT": "KPI_EnvStatus_INFRA", "Alert_Description": "EnvStatus INFRA", "Dashboard": "MTE_envStatus_INFRA", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_RUNTIME_BA", "Alert_Description": "Business Activities Failed", "Dashboard": "MTE_RUNTIME_BA", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_RUNTIME_BA_EOD", "Alert_Description": "BA_EOD Failed Scripts", "Dashboard": "MTE_RUNTIME_BA_EOD", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_RUNTIME_TOOLING", "Alert_Description": "MTE RUNTIME TOOLING (Not Executed)", "Dashboard": "MTE_RUNTIME_TOOLING", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MX", "ALERT": "KPI_MTE_NO_OF_CRITICAL_MX", "Alert_Description": "Total No of Critical Alerts (MX)", "Dashboard": "MTE_ALERTS_CRITICAL_MX", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_NO_OF_CORES", "Alert_Description": "Total No of Cores", "Dashboard": "MTE_ALERTS_CORES", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_ALERT_RECIPIENT_COUNT", "Alert_Description": "MTE Alerts > 20 Per User", "Dashboard": "MTE_ALERT", "Threshold": "25"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_MXTECH", "Alert_Description": "EnvStatus MXTECH", "Dashboard": "MTE_envStatus_MXTECH", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_LOAD", "Alert_Description": "EnvStatus LOAD (Value<=3)", "Dashboard": "MTE_envStatus_LOAD", "Threshold": "3"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_BAU", "Alert_Description": "EnvStatus BAU (Value<=3)", "Dashboard": "MTE_envStatus_BAU", "Threshold": "3"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_BP", "Alert_Description": "EnvStatus BP", "Dashboard": "MTE_envStatus_BP", "Threshold": "0"}]}
... View more
Thanks, I tried this approach but it doen't work. eventhought earliest/ latest time is overriden by subsearch but still savedsearch use all time.
... View more
Hello,
I have to execute one saved search which required some arguments. These arguments are generated dymanically in one file. So I am looking to read that file and pass those argument to saved search.
search to get argument
index=mlc_live sourcetype=csv
| table host_name earliest latest
Output
host_name earliest latest
RSAT43 1578927600 1579016736
I am looking to execute saved search for time from above search. (earliest and latest time)
My query:
index=mlc_live sourcetype=csv
| table host_name earliest latest
| map maxsearches=1 search="| savedsearch "TEST_KPI_MTE_ALERT_FUNCTION" host_token=$host_name$ earliest=$earliest$ latest=$latest$"
But in above query, saved search is producing results for all time.
Is there a way to execute saved search for specific duration taken from another file/search query ?
FYI : my saved search is a complex function which calling another multiple saved search searches so I can't replace this saved search with normal query.
... View more
01-23-2020
05:08 AM
Hi,
I am looking for changing earliest/latest time during search for saved searches. It's working for normal search query but not for savedsearch. Is this expected ?
Is there a way to override time for savedsearch ? For my searchquery I am getting earliest/latest time from another file generated dynamically. so can't use timepicker.
Case 1: Override of earliest/latest time doen't work for saved search.
Case 2 : Override of earliest/latest time works for normal search query.
... View more
Labels
- Labels:
-
saved search
01-22-2020
03:33 AM
| streamstats max(NPID) as NPID_P current=false
| streamstats max(Machine_Name) as Machine_Name_P current=false
| streamstats max(NICKNAME) as NICKNAME_P current=false reset_before=("$NPID$!=$NPID_P$") reset_after=("$Machine_Name$!=$Machine_Name_P$") reset_on_change=true
| eval NICKNAME = if(isnull(NICKNAME) AND NPID=NPID_P AND Machine_Name=Machine_Name_P,NICKNAME_P,NICKNAME)
... View more
01-20-2020
01:25 PM
thanks but as I mentioned before, NPID, NICKNAME, Machine_Name are not same. there could be hundreds of different value.
And 1st solution will fill wrong values without checking the condition of matching NPID and Machine_Name
... View more
01-20-2020
10:22 AM
just using filldown won't work for me. NICKNAME, NPID, Machine_Name are not always having same value.
NPID and Machine name should match before updating the empty NICKNAME.
Attached another example in question.
... View more
01-20-2020
02:11 AM
Hello,
In search query results some cells populate empty results for specific field. I am looking to update those empty cells based on another row which share same results for another field.
In below table, NICKNAME for some rows are empty. These should be updated same as first 3 rows as they share same NPID and Machine_Name.
NICKNAME = MX (where NPID=43417)
NICKNAME = EPAD_DUPAL_PARALLEL (where NPID=364564)
Thanks
... View more
01-08-2020
08:56 AM
I am able to start webUI after upgrade. Problem was there are mutiple apps having python script which is not compitible in Splunk 8.x. So I have removed those apps to make it working.
Apps I have to remove
Splunk_TA_jmx
splunk_app_for_nix
DBdata
sideview_utils
dbx
sos
... View more
01-08-2020
06:50 AM
@BainM : thanks for response. I have reverted server.conf. I have attached screenshot of relevant errors I am getting in Splunkd.log
There errors related to python and getting this error for multiple apps.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-04-2022
05:07 PM
|
Karma given to
