About muebel

muebel · ‎06-20-2016

Hi gary.richardson2, you can get access to the search results as described here : http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Configuringscriptedalerts Essentially, "SPLUNK_ARG_8" contains the filename of the search results, which you could manipulate to extract the fields you are interested in. Please let me know if this helps!

muebel · ‎06-17-2016

yup set that on the HF. you'll probably want to set the same settings on the indexer as well if you have the slack hardware.

muebel · ‎06-17-2016

Hi daniel333, a few things could be going on here, but if you are on Splunk 6.3 or better, you can make use of the multiple processing pipelines capabilities in order to increase throughput, taking advantage of the extra hardware available. More here : http://docs.splunk.com/Documentation/Splunk/6.3.4/Capacity/Parallelization Essentially set parallelIngestionPipelines in server.conf. Alternatively, there could be an issue with the upstream indexer. How do your indexer queues look like? There could also be some network bottleneck preventing the HF from writing to the network in a timely manner. Please let me know if this answers your question!

muebel · ‎06-17-2016

Hi jaxjohnny, I believe the PREAMBLE_REGEX props config is what you want here, i.e. PREAMBLE_REGEX = Table: Computers

muebel · ‎06-16-2016

Hi Madhan45, If you can run the same search from the one search head and its fine, but then not fine when running it in the cluster, it seems there is something going on with the cluster. I would take a look at it from a hardware perspective. Are the search-heads pegged out from a cpu/memory perspective? Do you have the Distributed Management Console setup? This can be a great help for getting insight into what the cluster is actually doing. You mention that this issue seemed to have started the same day that 24GB was indexed. Was this surge of data all in one index? Does the SHC perform ok when searching anything but the index that had the huge amount of data? I guess my point here is that it might not be the case that the extra data has any impact on the SHC issue. If you can't get any visibility into the cluster through the DMC, or through OS level performance instrumentation (sar, top etc), I'd throw a hail mary and issue a rolling restart to the SHC (i.e. turn it off and then on again). A reinitialization of the cluster might serve as a solution to whatever is going on with it. If that fails, you'd need to open a Splunk support ticket, generate diags and all that fun stuff. Please let me know if this helps!

muebel · ‎06-16-2016

Hi icegras, one possible answer might be to eval source to some common value for all events in question, i.e. sourcetype=MySourceType host = node1 | eval source="mycommonsource" | dump basefilename=MySourceType-node1-2016Jan01ToMay31 Please let me know if this works out for you! 😄

muebel · ‎06-16-2016

Hi adacpt, I believe this doc will be helpful http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Troubleshooting Essentially, reference the log to get a better idea exactly what is going on when the input script runs. If Splunk is indexing general inputs fine (the normal _internal stuff a the very least), then you should be able to figure this out through the dbx log. Turn up the logging level if necessary. Also, do you have permissions to view the index in question? Can you find any other sort of events in that index? I'm assuming you are admin on the search head in question, but missing events could indicate an authorization issue. (probably unlikely)

muebel · ‎06-16-2016

Hi pprakash2, there is a good set of troubleshooting documentation here : http://docs.splunk.com/Documentation/DBX/2.2.0/DeployDBX/Troubleshooting There's nothing there that directly mentions the JRE config specifically, but it is something good to keep handy, and otherewise review to see if anything stands out as an issue. Concerning the matter at hand, review the prereq doc here : http://docs.splunk.com/Documentation/DBX/2.1.0/DeployDBX/Prerequisites Essentially, do you meet these requirements? Before deploying Splunk DB Connect, install the Java Platform, Standard Edition Development Kit (JDK) 8 from Oracle Java SE Downloads. Installing just the Java Platform, Standard Edition Runtime Environment (JRE) is not sufficient. JDK 8 (with Update 31 or later) is required. Only use a supported JVM in server mode, not in client mode. Only the Oracle JDK is certified and supported for use with Splunk DB Connect. Please let me know if this helps!

muebel · ‎06-16-2016

Hi voshka, This looks similar to another question here, the answer of which I believe you could adapt towards your needs : https://answers.splunk.com/answers/406376/how-do-i-edit-my-datetimexml-file-for-my-custom-da.html Please let me know if this works out for you!

muebel · ‎04-26-2016

Hi monteirolopes, The tab layout is defined by the "default.xml" file included in the app. More info here : http://docs.splunk.com/Documentation/Splunk/6.4.0/AdvancedDev/BuildNavigation You can streamline the as desired with something like: <nav search_view="search" color="#65A637"> <view name="search" default='true' /> <view name="yourdashboardname" /> </nav> Please let me know if this answers your question!

muebel · ‎04-26-2016

Hi jenswals, yup, a different password is needed. The default user/pass for a local install of Splunk is admin/changeme Please let me know if that answers your question!

muebel · ‎04-26-2016

Hi Menaham, I believe this issue will be resolved by creating a props.conf with a [csv] stanza (this input's sourcetype, can be anything you want), and then setting the "INDEXED_EXTRACTIONS = CSV" config at that stanza. More info can be found in the Structured Data section here : http://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf Please let me know if this answers your question!

muebel · ‎04-26-2016

Hi AlexeyNL, this looks like a java related error message. Could you add the [mi_lookup://first_lookup] stanza for the splunk_app_db_connect local inputs.conf? My first guess is that there is something related to the query that is throwing off the jdbc.

muebel · ‎04-22-2016

I'm finding the otherwise unimpactful messages : ERROR TcpOutputProc - Illegal format for config item 'uri' showing up in splunkd.log. I'm guessing this has something to do with a configuration stanza name problem, but it is a pretty vague message, and I'm hoping somebody could offer advice concerning the origin and purpose of this event. Thanks!

muebel · ‎04-21-2016

One of the new features in Splunk 6.0+ is the capability of a forwarder assigning a timezone to an event in the situation where the timestamp can't be parsed from the raw event, and there isn't any props configuration assigning a timezone. This assignment is described as being based on the OS of the forwarder, and ultimately the Indexer itself. Events like this show up as "date_zone = local" I hoping that somebody has some experience with this interaction, and can explain what happens when you have one or more Intermediate forwarders (source Universal Forwarder sends to Intermediate "Heavy Forwarder" which sends to an Indexer, or even another Heavy Forwarder). Assuming the whole chain is 6.0+, should we expect the timezone assigned at the Universal Forwarder and stay that way? Or does the assignment happen when the data is "cooked" at the Heavy Forwarder? Or does it happen whenever the event passes through a pipeline at all? Thanks for any help!

muebel · ‎04-19-2016

sure, it serves as an indicator of a missing host. The main search does a count of events for the hosts, but will only do so for hosts that have events. Setting this lookup ensures that if the host is missing from the results, it will be there with a count of 0, which indicates that it hasn't been sending anything in.

muebel · ‎04-19-2016

Hi bworrellZP, You can accomplish this by creating a search that utilizes a lookup table to define the list of expected hosts, and then search recent data to determine which hosts have actually been reporting in. First, create a lookup like: host,count device1,0 device2,0 ... device50,0 Call it something like cisco_switches_list. Then create the saved search that will actually alert (assuming cisco:ios sourcetype will catch all switches: | tstats count WHERE sourcetype=cisco:ios BY host | inputlookup append=true cisco_switches_list | stats sum(count) as count by host | search count=0 Obviously you'll have to modify the initial tstats search to be limited to the expected hosts, but then you can see that the lookup is appended, if any hosts didn't show up in the initial search they end up have a count of 0, which then gets caught at the final search. You then create an alert for whenever this search returns any results, indicating a missing host Please let me know if this answers your question!

muebel · ‎04-19-2016

Hi janiceb, This search will give you all related events for src_ip values that appear in both sourcetypes given a particular search time range: src_ip=* sourcetype=bro_http OR sourcetype=McAfee | eventstats dc(sourcetype) AS sourcetype_count by src_ip | where sourcetype_count > 1 Please let me know if this answers your question!

muebel · ‎04-19-2016

could you attach a screenshot of what you are seeing?

muebel · ‎04-19-2016

Hi bkumarm, at a certain scale (daily TB) it probably makes more sense to setup offsite replication via a multi-site index cluster. Otherwise you simply copy the indexes off to some other storage system, and then copy it back as the recovery process. Concerning the "all indexers stopped" idea, this is important for version upgrades, as there might be fundamental changes to the way intra-splunk communication works, and so the components need to be on the same version to avoid issues. Depending on the length of the downtime, and each individual forwarder thruput rate, you may or may not experience any issues with queue buildup from the forwarders. The tcpoutput queue is configurable, and you can even setup space on disk to keep events should the in-memory queue fill up. This is known as a "persistent queue," more info can be found here http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Usepersistentqueues Please let me know if this answers your question!

muebel · ‎04-15-2016

you using db connect v1 or v2?

muebel · ‎04-15-2016

Hi wrangler2x, Yup, thats correct. If you have a heavy-forwarder in between your universal-forwarders and indexers, the HF will "cook" those events, and then indexer just writes them to disk. Please let me know if this answers your question!

muebel · ‎04-15-2016

Hi renanprado96, I believe this is the ideal use for eventstats : http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/eventstats something like: | eventstats avg(consumption) as totalAvgConsumption This will give you the avg consumption for the whole data set, with totalAvgConsumption as a new field containing that value for each event. Please let me know if this answers your question!

muebel · ‎04-15-2016

Hi hagjos43, With a 2 member cluster set with 2 for search and replication factor, this means that each member will have a full set of searchable buckets. In this way, the cluster can suffer the loss of one member and still have all data searchable. If you want to replace one of the indexers, you'll want to make sure to follow the documentation outlined for this process : http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Takeapeeroffline In particular, running the offline command with --enforce-counts flagged splunk offline --enforce-counts Once the old peer is shutdown, when you add the new member the cluster master will seek to satisfy the search and replication factor requirements, and so the remaining indexer will start streaming copies of all the buckets over to the new member. This will take some time. Please let me know if this answers your question!

muebel · ‎04-15-2016

glad to help! 😄

Posts	517
Solutions	80
Karma Given	220
Karma Received	353
Member Since	‎04-14-2010

Online Status	Offline
Date Last Visited	‎08-05-2025 07:44 AM

What governs the limits around the Splunk Web expo...

What kind of things do you view as "bad config"?

Is there any script to lint and validate splunk co...

How do you maintain your splunk config?

Splunk Community Office Hours - March 4th 2022 11:...

What type of restart happens during a normal index...

Swap field and values

How does a Search Head Cluster determine if a rest...

Audit Default Admin Creds?

What is the difference between the metasearch and ...

Re: Is it possible to pass values from a notable e...

Re: How can I have full queues and plenty of syste...

Re: How can I have full queues and plenty of syste...

Re: How do I edit my configuration to ignore index...

Re: How to increase the performance of my search h...

Re: Dump command splits results in many files. How...

Re: Why isn't Splunk DB Connect 2 generating any e...

Re: Splunk DB Connect 2: How to troubleshoot why t...

Re: How to configure Splunk to recognize the times...

Re: How to create an app with only a "Search" tab ...

Re: I am able to log in to splunk.com, but why am ...

Re: Splunk Add-on for Amazon Web Services: Exporti...

Re: Splunk DB Connect 2.1.3: Why am I unable to pr...

ERROR TcpOutputProc - Illegal format for config it...

How does timezone assignment work for timezoneless...

Re: How to alert if a Cisco device has not sent an...

Re: How to alert if a Cisco device has not sent an...

Re: How to search for the same IP in multiple sour...

Re: Why am I getting "Source not available..." whe...

Re: How to back up and restore indexed data when u...

Re: If we have database connectors set up in Splun...

Re: Where is the proper place to use INDEXED_EXTRA...

Re: How to overlay a line of the overall average o...

Re: Replacing a search peer in an indexer cluster,...

Re: How to troubleshoot why I'm not getting any da...

Join the Conversation