About MuS

MuS · ‎12-10-2015

Run both searches on your system searching your events over the same time range and check the job inspector for each search and you will get the answer which one will perform best for you in your environment.

MuS · ‎12-09-2015

Hi ltrand, this basic run everywhere search will match all fields that end with .MD5 and get the value into a new field called md5 | gentimes start=-1 | eval myRaw="root.sub1.sub2.objectname.MD5=foo root.sub2.objectname.MD5=boo root.objectname.MD5=baz" | rex max_match=0 field=myRaw "\.MD5=(?<md5>[^\s]+)" | table md5 The first and second line is only needed to create some dummy events, so you won't need it. Tweak it as needed to match your events. Hope this helps ... cheers, MuS

MuS · ‎12-09-2015

Hi athorat, yes, this can be configured in outputs.conf # Clone events to groups indexer1 and indexer2. [tcpout:indexer1] server=Y.Y.Y.Y:9997 [tcpout:indexer2] server=X.X.X.X:9997 Hope this help ... cheers, MuS

MuS · ‎12-09-2015

This is just to make sure it does match the timestamp, it will be the : between the hour and the minute. If you are 1000% sure there are no other events containing something like 1234-12-12 20 foo or 1234/12/12 20 foo you won't need it....otherwise add it.

MuS · ‎12-09-2015

HeHe, I keep messing up things here (the time range this time) 🙂 That's the transforms.conf and it looks good, don't forget the props.conf to match it to source and place it on either a heavy weight forwarder or an indexer and restart Splunk after the change.

MuS · ‎12-09-2015

Based on the examples and assuming you will have 24 hours in the logs(?) try this regex: (?:\d+\/\d+\/\d+|\d+-\d+-\d+)\s(07|08|09|10|11|12|13|14|15|16|18): The first group will match both possible date formats and the second group will macht any hour from 07 til 18 ..... Does that makes sense?

MuS · ‎12-09-2015

Hi praneethkodali, this must be set in the XML of the dashboard, take this run everywhere example: <dashboard> <label>pie percent</label> <row> <panel> <chart> <search> <query>index=_internal | stats count by sourcetype</query> <earliest>-1d@d</earliest> <latest>now</latest> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">0</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">pie</option> <option name="charting.chart.bubbleMaximumSize">50</option> <option name="charting.chart.bubbleMinimumSize">10</option> <option name="charting.chart.bubbleSizeBy">area</option> <option name="charting.chart.nullValueMode">gaps</option> <option name="charting.chart.showDataLabels">none</option> <option name="charting.chart.sliceCollapsingThreshold">0.01</option> <option name="charting.chart.stackMode">default</option> <option name="charting.chart.style">shiny</option> <option name="charting.drilldown">all</option> <option name="charting.layout.splitSeries">0</option> <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option> <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option> <option name="charting.legend.placement">right</option> <option name="charting.chart.showPercent">true</option> </chart> </panel> </row> </dashboard> As you can see I did use it as last option name= for the graph. Hope this helps ... cheers, MuS

MuS · ‎12-09-2015

Can you provide some examples of the events containing the time?

MuS · ‎12-09-2015

great idea to filter on the time! Thanks for this hint!

MuS · ‎12-09-2015

You can set the sizelimit by using the sizelimit= option: | ldap server="foo" sizelimit="100" BTW the default for sizelimit is 10 not 55

MuS · ‎12-08-2015

Hi jkponnuri, From the docs http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Delete Using the delete command marks all of the events returned by the search as deleted. Subsequent searches do not return the marked events. No user, not even a user with admin permissions, is able to view this data using Splunk Enterprise. The delete command does not reclaim disk space. There is a complete topic on this in the documentation: Remove indexes and indexed data. It explains the four main options: Delete events from subsequent searches. Remove all data from one or more indexes. Remove or disable an entire index. Delete older data, based on a retirement policy. Hope this helps ... cheers, MuS

MuS · ‎12-08-2015

Sorry to add another answer; but here is how you do it if your not on Linux or do not have OS access on the search head to run @woodcock 's command. Using the Lookup Editor App https://splunkbase.splunk.com/app/1724/ you can check the lookup files and see the error straight away! I uploaded two lookup files called missingoneheaderfield.csv which is missing one header field somewhere in the header and another lookup file called missingendheaderfield.csv which - surprise, surprise - misses one field at the end of the header. Running the app and looking at the lookup files you can spot and fix the errors very easy. missingoneheaderfield.csv missingendheaderfield.csv Hope this will help anyone out there to get rid of this annoying error cheers, MuS

MuS · ‎12-08-2015

Sorry my bad, go for the nullQueue filtering solution from the docs http://docs.splunk.com/Documentation/Splunk/6.3.1511/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Hopefully you will have some unique identifier for the un-needed events. Do this on the indexer and re-start splunk. otherwise the only solution time wise, would be an external cron job that stops the universal forwarder, checks this log 4 for the end of the batch process and echo "" > log.4 and restarts the universal forwarder again.....

MuS · ‎12-08-2015

Hi agoktas, there are multiple ways of achieve this: Blacklist the file in your inputs.conf http://docs.splunk.com/Documentation/Splunk/6.3.1511/admin/Inputsconf#inputs.conf.example see option blacklist = Filter out the un-wanted events on a heavy weight forwarder or indexer http://docs.splunk.com/Documentation/Splunk/6.3.1511/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Monitor not the directory, but each log file separate in inputs.conf Update: Following up all comments, this was the final working config: Here is the final config that looks to be working great (we forgot '00' for the midnight hour): Indexer configuration: props.conf [AppInternal] TRANSFORMS-null= Appsetnull transforms.conf #Discard all events between 6pm - 6am [Appsetnull] REGEX = (?:d+/d+/d+|d+-d+-d+)s(18|19|20|21|22|23|00|01|02|03|04|05): DEST_KEY = queue FORMAT = nullQueue Hope this helps ... cheers, MuS

MuS · ‎12-08-2015

Your inputs.conf sets the sourcetype to syslog but in your props.conf you're using [syslog_audit_log_change_index_transform] . This should be [syslog] instead and remember to restart Splunk after the change.

MuS · ‎12-08-2015

Hi SridharS, read the docs http://docs.splunk.com/Documentation/Splunk/6.3.1511/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues about Filter event data and send to queues where you can learn how this can be done. You have to do this either on the indexer or a heavy weight forwarder - don't forget to restart Splunk after the changes and it will only apply to new events. Hope this helps ... cheers, MuS

MuS · ‎12-08-2015

this little helper https://splunkbase.splunk.com/app/2613/ will do it all form the UI

MuS · ‎12-08-2015

Hi ralphw_SAIC, I found these two links: https://lists.linuxcontainers.org/pipermail/lxc-users/2014-July/007455.html https://wiki.apache.org/httpd/NonRootPortBinding The first is about setcap for Splunk, the second a generic from Apache but does also apply to Splunk. Please mark this as answered, because your initial question is answered - thanks 🙂

MuS · ‎12-08-2015

Hi jsven, I don't know why you do it this way, because your base search is searching for the multiple MsgId but further down the pipe you discard them again....could it be those are multivalve fields and/or your events are not properly line broken? Anyway, probably you have a reason to do so; so let me help you.... try this search: mysearch... (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673 OR MsgId=AUT23574 OR MsgId=AUT20915 OR MsgId=AUT22886) | dedup User | search NOT MsgId="AUT22673" OR NOT MsgId="AUT23574" OR NOT MsgId="AUT20915" OR NOT MsgId="AUT22886" | eval Cluster="C"+substr(Node,10,1) | table MsgId Keep in mind, try to avoid NOT search, instead search for what you want and need. Also keep in mind if you have multi value fields, it will still match events which for example holds a value of MsgId="AUT11111, AUT20915" . To remove those events as well use the NOT MsgId="*AUT20915*" , but this will be a bad performer on large searches. Here is a link to a .conf slide about Search Efficiency Optimisation http://conf.splunk.com/session/2015/conf2015_JHarty_DuncanTurnbull_Splunk_UsingSplunkSearchLanguage_AQuickGuideToSearch.pdf Hope this helps ... cheers, MuS

MuS · ‎12-07-2015

PS: the reason for the deployment server on a VM, is to be able to scale up later ....

MuS · ‎12-07-2015

Hi benafo, It may look like an over-head right now, but since the number of universale forwarders will grow over time consider to get a dedicated small VM to be the deployment server. You can start as well on the search head and get the dedicated VM later.... Hope this helps ... cheers, MuS

MuS · ‎12-07-2015

Hi ralph_SAIC, this is not a Splunk problem, this is based on the so called privileged ports . The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you. If you want to use the port 550 with Splunk, create a new Splunk tcp input on port 1550 and use a iptables rule to route input for port 550 to the Splunk port 1550: /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 550 -j REDIRECT --to-ports 1550 Your Sysadmin can do this for you. Hope this helps ... cheers, MuS

MuS · ‎12-06-2015

No need to install Python, since this will be provided by Splunk.... try this: /opt/splunk/bin/splunk cmd python This will start Splunk's Python which is used by sendmail.py I assume you have some limitation of either sending out emails form this server or some mismatch in the mail server setting on your Splunk. Run this search from the UI to see your current setting: | rest /services/configs/conf-alert_actions | table mailserver or the CLI: /opt/splunk/bin/splunk search "| rest /services/configs/conf-alert_actions | table mailserver" cheers, MuS

MuS · ‎12-06-2015

just search on index=_internal or any other index to try it. I don't have access to a virtual index to test it 😞

MuS · ‎12-06-2015

Hi sdaruna, I'm not sure if I understand your request completely....there is a way to show the source of search result: After you ran your search, open the dropdown event menu (find the down arrow next to the event timestamp) and click Show Source from the Event Actions drop down. Hope this helps ... cheers, MuS

Posts	4458
Solutions	814
Karma Given	2144
Karma Received	3944
Member Since	‎05-02-2011

Online Status	Offline
Date Last Visited	a week ago

Report Capture app for Splunk: Exception capturing...

How to use eval if there is no result from the bas...

How to compare fields over multiple sourcetypes wi...

Splunkbase Apps update bug?

docs.splunk.com wrong link to answers

splunkbase feature request

splunkbase colored background

Captain Picard's Star fleet messages

the pony command

max throughputs of forwarders

Re: Which is more efficient - filldown or streamst...

Re: How to search for a field name that a value ex...

Re: Can we have the same source forwarding data to...

Re: How to index certain logs only during a certai...

Re: How to index certain logs only during a certai...

Re: How to index certain logs only during a certai...

Re: How do we display percentage on a pie chart?

Re: How to index certain logs only during a certai...

Re: How to index certain logs only during a certai...

Re: Add-on for LDAP: How to search for user entrie...

Re: How to delete existing indexed events?

Re: "Corrupt csv header" : how to find the corrupt...

Re: How to index certain logs only during a certai...

Re: How to index certain logs only during a certai...

Re: How do I index with regex using props.conf/tra...

Re: How and where do I filter logs with regex befo...

Re: Is there an easy way to download an app from t...

Re: Why Splunk started as non-root cannot bind por...

Re: Why is my search with "where NOT equals this O...

Re: Do I need to set up my search head or one of m...

Re: Do I need to set up my search head or one of m...

Re: Why Splunk started as non-root cannot bind por...

Re: How to troubleshoot why I'm not getting email ...

Re: Is there a way to see the source file in Splun...

Re: Is there a way to see the source file in Splun...

Join the Conversation