About MuS

MuS · ‎05-22-2018

I just realised that I completely misunderstood your question :facepalm:

MuS · ‎05-22-2018

did you use the /opt/splunkforwarder/bin/splunk start command?

MuS · ‎05-22-2018

Update, if you want to reload just one config using the debug/refresh endpoint you can follow this instruction http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart#How_to_reload_files

MuS · ‎05-22-2018

Hi daniel333, there is the /debug/refresh endpoint to reload configs, but be aware it will reload inputs on the fly and current connection will just be dropped. The other option is to check a specific REST endpoint http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTlist if it supports the _reload option and only reload the specific endpoint. Hope this helps ... cheers, MuS

MuS · ‎05-22-2018

I'm really surprised no-one came up with yet another example for this: | tstats count WHERE index=* by index | table index Like the REST call, it is also lightning fast 😉 cheers, MuS

MuS · ‎05-22-2018

let's call it lost in translation from swiss german - german - english at the writer side and english - german on the reader side 🙂

MuS · ‎05-22-2018

HeHE, did you read my answer to the end? I already mentioned that in my answer 😉

MuS · ‎05-22-2018

Hi splunking1t, take a look at this answer https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html where I explain it in detail how this can be done. Hope this helps ... cheers, MuS

MuS · ‎05-22-2018

Hi Bellamar10, try this: | makeresults | eval foo="20182018--0505--2222 1111::3939::1818,,937937 [ [4747] ] ERRORERROR -- ErrorError MessageMessage:: OneOne oror moremore errorserrors occurredoccurred.. \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xA \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF Calling assembly Name/Source: Sms.Utilities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null/mscorlib \xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF\xAF" | rex mode=sed field=foo "s/\\\xAF//g" The first 2 lines are used to create an event and the important command is the last line which will remove the characters \xAF from your search result. But remember the characters will still be in the _raw event 😉 Hope this helps ... cheers, MuS

MuS · ‎05-22-2018

Hi there, remove the last stats and see if your event and no_event fields are available in all events, as well check all other fields you use in the by clause of the stats cheers, MuS

MuS · ‎05-22-2018

If on nix you need write (+w) permissions, and parent directory should be accessible (+x) to the user which is you want to have delete permission. If on Windows ... ¯\_(ツ)_/¯ sorry cannot help here, but I'm sure you will find something asking google. cheers, MuS

MuS · ‎05-21-2018

this line results,unused1,unused2 = splunk.Intersplunk.getOrganizedResults() is reading the previous search results, and this line splunk.Intersplunk.outputResults(results) will output the results of your script into Splunk. Maybe just start with the example, make that work and then start to change the script logic. cheers, MuS

MuS · ‎05-21-2018

There are many things that can break here, so I just add a list of possible checks: Did you add import splunk.Intersplunk to your script? What happens if you start the script manually $SPLUNK_HOME/bi/splunk cmd python yourscritpnamehere.py any errors? Did you try the example from the docs http://docs.splunk.com/Documentation/Splunk/latest/Search/Customsearchcommandshape#Add_the_Python_script does that work? cheers, MuS

MuS · ‎05-16-2018

Hi jiaqya, you are looking for the [batch://...] stanza in inputs.conf , here are the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#BATCH_.28.22Upload_a_file.22_in_Splunk_Web.29: [batch://<path>] * A one-time, destructive input of files in <path>. * For continuous, non-destructive inputs of files, use 'monitor' instead. # Additional settings: move_policy = sinkhole * IMPORTANT: This setting is required. You *must* include "move_policy = sinkhole" when you define batch inputs. * This setting causes the input to load the file destructively. Hope this helps ... cheers, MuS

MuS · ‎05-16-2018

But, looking at the screenshot this looks not too bad. What or where do you think it breaks or behaves badly?

MuS · ‎05-16-2018

If Splunk does not pick up the JSON event straight away, it is most likely not pure JSON. Put your JSON events into any JSON validator to see if it is pure JSON. cheers, MuS

MuS · ‎05-15-2018

Hi sarathipattam, this is most likely a copy/paste problem, you have “ instead of " . Try the run everywhere search below to see how it works: | makeresults | eval actualTime="1000" | eval buckt=case ( actualTime<1001, "time < 1 sec", actualTime>1000 AND actualTime<5001, "1 < time < 5", 1=1, "time > 15") Hope this helps ... cheers, MuS

MuS · ‎05-14-2018

Hi @niketnilay, your example is search time and works just fine, but the question asked is all related to parsing of the events 😉 cheers, MuS

MuS · ‎05-14-2018

Hi kahlerb, client_id suspiciously looks like an epoch timestamp and therefore Splunk thinks it is one. Configure a props.conf on the parsing Splunk instance for the sourcetype and use the TIME_PREFIX option like this : TIME_PREFIX="timestamp": " You might also need to adjust the MAX_TIMESTAMP_LOOKAHEAD to get that far into the event, and TIME_FORMAT to help Splunk to understand what format your time stamp has. See the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extraction_configuration for more detail. cheers, MuS

MuS · ‎05-14-2018

a quick and dirty google research found me this https://developer.microsoft.com/en-us/graph/docs/concepts/changelog Maybe you find some hints in the May 2018 changes 😉 cheers, MuS

MuS · ‎05-10-2018

This is feasible, but I would not do an open hearth surgery on Splunk 😉 For your data safety, do it while Splunk ist stopped. cheers, MuS

MuS · ‎05-10-2018

Did you blank the "host":"" information or is it actually missing? cheers, MuS

MuS · ‎05-09-2018

Nice hint using btool , but here is a BUT : you must be aware that btool does not necessarily shows the config Splunk is using. Here is the quote from the docs http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations Btool displays merged on-disk configurations. That is, btool shows you the merged settings in the .conf files. It does not necessarily show you what Splunk software is currently using. cheers, MuS

MuS · ‎05-03-2018

reading the docs on limits.conf http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf it looks like there is no limit by default: maxvalues = <integer> * Maximum number of values for any field to keep track of. * When set to “0”: Specifies an unlimited number of values. * Default: 0

MuS · ‎05-03-2018

My question here would be, why do you monitor the rotated directory in the first place?

Posts	4458
Solutions	814
Karma Given	2144
Karma Received	3944
Member Since	‎05-02-2011

Online Status	Offline
Date Last Visited	Wednesday

Report Capture app for Splunk: Exception capturing...

How to use eval if there is no result from the bas...

How to compare fields over multiple sourcetypes wi...

Splunkbase Apps update bug?

docs.splunk.com wrong link to answers

splunkbase feature request

splunkbase colored background

Captain Picard's Star fleet messages

the pony command

max throughputs of forwarders

Re: How can I force Splunk to reread a config file...

Re: Python Error in restarting Splunk

Re: How can I force Splunk to reread a config file...

Re: How can I force Splunk to reread a config file...

Re: Is it possibl to get a list of available indic...

Re: How to remove extra characters from an indexed...

Re: How to remove extra characters from an indexed...

Re: How to handle gracefully "No Results Found"

Re: How to remove extra characters from an indexed...

Re: need help with showing eval in stats

Re: Can you auto remove CSV files after indexing?

Re: how to feed search result into "custom search ...

Re: how to feed search result into "custom search ...

Re: Can you auto remove CSV files after indexing?

Re: how to index a json file ?

Re: how to index a json file ?

Re: Error in 'eval' command: The expression is mal...

Re: Splunk UI: Some JSON Logs Not Being Parsed Cor...

Re: Splunk UI: Some JSON Logs Not Being Parsed Cor...

Re: o365 logins

Re: How to move existing cold bucket data?

Re: Why is the data not getting displayed in Splun...

Re: Trying to Split one Event into Multiple Events

Re: How to overcome sub search limitation (only 10...

Re: Rotated log file to another directory causes d...

Join the Conversation