Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About royimad
royimad
Builder
Member since:
07-11-2012
06-05-2020
Community Statistics
| Posts | 208 |
| Solutions | 11 |
| Karma Given | 67 |
| Karma Received | 46 |
| Member Since | 07-11-2012 |
Activity Feed
- Karma Re: How to extract all fields between a word and two specific characters in a string? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to count the number of occurrences of a word in an event? for MuS. 06-05-2020 12:47 AM
- Karma Re: How to write regex to extract all values for a field at search time? for MuS. 06-05-2020 12:47 AM
- Karma Re: Sideview Utils Multiplexer: How to use icons instead of colors for rangemap? for sideview. 06-05-2020 12:47 AM
- Karma Re: Sideview multiplexer - rangemap for sideview. 06-05-2020 12:47 AM
- Got Karma for How to count the number of occurrences of a word in an event?. 06-05-2020 12:47 AM
- Got Karma for How to write regex to extract all values for a field at search time?. 06-05-2020 12:47 AM
- Got Karma for Sideview Utils Multiplexer: How to use icons instead of colors for rangemap?. 06-05-2020 12:47 AM
- Got Karma for Please advise on proposed process to upgrade Splunk 6.1 to a new Linux server.. 06-05-2020 12:47 AM
- Karma Re: How do we extract from a character "-" till the end of the line? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Splunk Split automatically 2 events when it detect two different dates in a log for sowings. 06-05-2020 12:46 AM
- Karma Re: Field extractor is unusually slow (max single event time=, probes=warning max=) for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Can i show and hide columns on a table based on values? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: How to extract date YYYYMMDD from _time? for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: Can i write a conditional regular expression? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Can i set default behavior on a static checkboxes list to be pre-selected? for sideview. 06-05-2020 12:46 AM
- Karma Re: Can TimeRangePicker be on the Top of a HiddenSavedSearch? for sideview. 06-05-2020 12:46 AM
- Karma Re: Can regular expression extract only 2 lines after a pattern? for lain179. 06-05-2020 12:46 AM
- Karma Re: Unable to monitor and index a log file for jbsplunk. 06-05-2020 12:46 AM
- Karma Re: Unable to monitor and index a log file for Ayn. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
04-03-2013
05:16 AM
Look what i got in output.txt
ignored file (crc conflict, needs crcSalt)/s:key
/s:dict
/s:key
What does it mean ? Ignored file ( crc conflict, needs crcSalt )
... View more
04-03-2013
04:23 AM
1 Karma
Splunk is unable to monitor a local file - and a search query is not returning any values - No events is indexed, How to troubleshoot this?
Search: sourcetype="online_error_test1" >>> No results for any time.
inputs.conf
[monitor:///home/splunk/error_delta.log]
disabled = false
followTail = 0
sourcetype = online_error_test1
props.conf
[online_error_test1]
TIME_FORMAT = %a %b %e %Y %k:%M:%S,%3 %Z
... View more
04-02-2013
12:08 AM
do you think i need a LINE_BREAKER in my case?
\w{3}\s\w{3}\s\d{2}\s\d{4}\s\d{2}:\d{2}:\d{2}
... View more
03-27-2013
09:54 AM
How to add the rest of the date the millisecond and the timezone ?
... View more
03-27-2013
09:49 AM
1 Karma
I have a view composed from a time range picker and a table.
I need to drilldown from one view to a target view but need to preserve the parameter selected from a time range picker , the target view will be displayed when clicking on a cell knowing that cells of the tables could be passed to the second view using the $click.value$ and i'm fine with that. How to preserve the value that is selected by the time range picker as earliest time?
( Last 30 Days --> -30d@d )
( Last 7 Days --> -7d@d )
etc...
Any idea?
... View more
03-27-2013
09:28 AM
Log content (log4j) begin with a date that i will use it as TIME_FORMAT in my props.conf file.
Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred
wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in deleg
The TIME_FORMAT should be equal to %a %b %e %Y %k:%M:%S,%3 %Z
I need to convert this to the regular expression to put it on LINE_BREAKER.
So what are the equivalent of my strftime in regular expression? is their a tool to convert this or i just need it to write it from scratch.
Many Thanks,
Roy
... View more
03-27-2013
08:49 AM
In the props.conf ?
... View more
03-27-2013
08:40 AM
Thanks for the Hint, but where should i edit this parameters? Can you give me an example?
... View more
03-27-2013
08:31 AM
1 Karma
You can use scripted inputs to do all kinds of weird things to get data into Splunk. The better choice is to use universal forwarder to forward your data or you can transfer the logs to local splunk instance or put it on a network sharing drive via samba/nfs etc.
So in order to analyze the logs you need first to index them into splunk, the next steps is to used saved search and alert with an notification email. An alert could be triggered when a criteria is met.
You can configure savedsearch.conf easily or just use the management interface.
An example of editing the savedsearch.conf file to sent an email notification:
[Database Response Time Average]
action.email = 1
action.email.format = csv
action.email.sendresults = 1
action.email.subject = Splunk DB response time on online is very high > 200 sec.: $name$
action.email.to = royimad@royimad.net
action.script = 1
action.script.filename = actions.sh
alert.digest_mode = True
alert.expires = 12h
alert.severity = 5
alert.suppress = 1
alert.suppress.fields = average
alert.suppress.period = 1d
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */55 * * * *
enableSched = 1
quantity = 0
relation = greater than
search = host="online.wavemark.net" (LOGTYPE="DB") | stats avg(LOGDURATION) AS average | where average > 2000
... View more
03-27-2013
07:45 AM
1 Karma
I have a log generated from log4j:
an event of this log could be described by the following:
Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred
wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]
at wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)
...multipleline
RepName, LastCabinetID, ExpectedDeliveryDate From MFR_MissingItem_RP, DB, N/A, dany.ostamdtru, null, 2013-03-06 10:58:30.974, 170, MEDTRONIC]
Query: InsertObjectQuery(wavemark.core.entities.PerformanceTiming@1d46a898)
at org.eclipse.persistence.internal.jpa.EntityManagerImpl.flush(EntityManagerImpl.java:699)
The above event contain 2 date one in the header top of the event and one on a line ( the second dates could exist or not ) depending on the stacktrace.
The Question why Splunk index this a 2 separated event and how to prevent from this to happen. I only need Splunk to consider what begin with a date as a single event.
... View more
03-27-2013
01:39 AM
Thanks martin, Do you know any editor where i could build and test my regular expression of splunk? or i good reference to build regular expression with some example cause i have a lot of complicated patterns to look for.
... View more
03-27-2013
01:37 AM
Thanks, this is working. Do you know any tool that could help me build my regular expression for props.conf easily? some sort of an editor where i could test my regular expression for splunk ?
... View more
03-27-2013
01:35 AM
sourcetype="online_error_log" | regex _raw = "ERROR(\s+[^\s]+){5}" this will return some field.
But editing regular expression pattern in IFX return syntax error
Invalid regex: no named extraction at position 5 (i.e., "R(\s+[^\s]..."). Expected "(?P pattern)"
"ERROR(\s+[^\s]+){5}"
... View more
03-27-2013
01:06 AM
What is the differences in syntax between calling a regular expression using regexp command or using a regular expression pattern in IFX?
For example:
I have a regexp that is working well when calling:
sourcetype="mysource" | regexp _raw = "RegEx1"
But when using the IFX with the same "RegEx1" i'm getting a syntax error.
... View more
03-27-2013
12:59 AM
I need to know if i could extract the fields of the entire log using regular expression, I don't know how to use it? could it be extracted during the indexing of the log?.
My log line look like:
Fri Jan 04 2013 13:05:34,114 EST ERROR wavemark.webapp.interceptors.WmExceptionInterceptor - WaveMarkException occurred wavemark.common.exceptions.WaveMarkException: Error while calling method [getReportData] in delegate [ReportSessionDelegate]
at wavemark.webapp.delegates.ReportSessionDelegate.getReportData(ReportSessionDelegate.java:52)
...
The regular expression that i'm intended to use is:
/(?<TIMESTAMP>\d{6}\s\d{6}\.\d{3})\s (?<LEVEL>^[E|W|D|I])\s (?<THREAD>.*?)\/ (?<CLASS>.*?)\s-\s (?<MESSAGE>.*?[\r|\n](?=^[[E|W|D|I]\s\d{6}\s\d{6}\.\d{3}]?))/gxsm
... View more
- Tags:
- regex
03-22-2013
03:30 AM
Hello Splunkers,
I have a log file as follow:
Time1 WARN a.b.c
Time2 ERROR 1.2.3
Time3 FATAL a.b.c
Time2 WARN a.b.c
Time4 WARN a.b.c
If i want to select all the fields after WARN , i can write a regular expression as:
(?i) WARN (?P [^ ]+)
This will select all the fields after WARN.
What do i need to change if i want to select with the same regular expression the fields after ERROR with the fields after WARN?
Thanks,
... View more
- Tags:
- regex
03-22-2013
12:51 AM
Thanks, So sending the delta is the default behavior?
... View more
03-21-2013
06:46 AM
Thanks kris! this was very helpful
... View more
03-21-2013
06:17 AM
I need to know if a universal forwarder could send only the delta changes in a log or need to forward the hole log to the splunk instance.
... View more
03-20-2013
09:08 AM
Is that possible from a free license to send email alert to users on my company based on saved search results ?
Thanks,
Roy
... View more
03-20-2013
08:22 AM
i need to know is if i'm sending 10 MB file to splunk instance free license from a universal forwarder and splunk only index the changes in that logs ( the delta changes ) would it count the total size of the logs as computed or just the changes in that logs?
... View more
03-20-2013
08:17 AM
Thanks, this is an answer that i'm looking at, However what i need to know is if i'm sending 10 MB file to splunk instance free license from the forwarder and splunk only index the changes in that logs ( the delta changes ) would it count the total size of the logs as computed or just the changes in that logs?
... View more
03-20-2013
02:19 AM
1 Karma
Hello Splunkies,
I need to know what are the security measures that is should take if i want to introduce universal forwarder on a production environment to forward data to splunk instance on another machine.
Thanks,
Roy
... View more
- Tags:
- universal-forwarder
03-20-2013
02:05 AM
You can combine several line with "," and count for a specific values
| stats count(eval(Domain="y")) , count(eval(Domain="x")) by Short_Host
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
