Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About royimad
royimad
Builder
Member since:
07-11-2012
06-05-2020
Community Statistics
| Posts | 208 |
| Solutions | 11 |
| Karma Given | 67 |
| Karma Received | 46 |
| Member Since | 07-11-2012 |
Activity Feed
- Karma Re: How to extract all fields between a word and two specific characters in a string? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to count the number of occurrences of a word in an event? for MuS. 06-05-2020 12:47 AM
- Karma Re: How to write regex to extract all values for a field at search time? for MuS. 06-05-2020 12:47 AM
- Karma Re: Sideview Utils Multiplexer: How to use icons instead of colors for rangemap? for sideview. 06-05-2020 12:47 AM
- Karma Re: Sideview multiplexer - rangemap for sideview. 06-05-2020 12:47 AM
- Got Karma for How to count the number of occurrences of a word in an event?. 06-05-2020 12:47 AM
- Got Karma for How to write regex to extract all values for a field at search time?. 06-05-2020 12:47 AM
- Got Karma for Sideview Utils Multiplexer: How to use icons instead of colors for rangemap?. 06-05-2020 12:47 AM
- Got Karma for Please advise on proposed process to upgrade Splunk 6.1 to a new Linux server.. 06-05-2020 12:47 AM
- Karma Re: How do we extract from a character "-" till the end of the line? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Splunk Split automatically 2 events when it detect two different dates in a log for sowings. 06-05-2020 12:46 AM
- Karma Re: Field extractor is unusually slow (max single event time=, probes=warning max=) for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Can i show and hide columns on a table based on values? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: How to extract date YYYYMMDD from _time? for Damien_Dallimor. 06-05-2020 12:46 AM
- Karma Re: Can i write a conditional regular expression? for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: Can i set default behavior on a static checkboxes list to be pre-selected? for sideview. 06-05-2020 12:46 AM
- Karma Re: Can TimeRangePicker be on the Top of a HiddenSavedSearch? for sideview. 06-05-2020 12:46 AM
- Karma Re: Can regular expression extract only 2 lines after a pattern? for lain179. 06-05-2020 12:46 AM
- Karma Re: Unable to monitor and index a log file for jbsplunk. 06-05-2020 12:46 AM
- Karma Re: Unable to monitor and index a log file for Ayn. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
03-19-2013
07:22 AM
a)is not an option for me at the moment - otherwise i need to proof of security concept ( encryption , ssl , etc.)
b) Rotate every X minutes this could be part of the first solution. How about monitoring the delta changes from splunk directly? do you think this could be done?
... View more
03-19-2013
05:07 AM
Hello Splunk Expert,
The situation:
I have a logs file around 10 MB generated from web application errors. this log file contain the sequence of errors that appeared on online system,each time an errors appeared on the systems a number of lines is added to the end of the file, the structure of each event is as following followed by < Severity > followed by a java stack trace.
The structure of the file at time c:
line 1:event a x ---
line 4:event b y ---
last line:event c z ---
The structure of the file at time d could be:
line 4:event b y ---
line 5:event c z ---
last line: event d d ---
the event a will be rotated to another file only if it reach 10 MB
or the log file could be simply
line 1:event a x ---
line 4:event b y ---
line 5:event c z ---
last line: event d d ---
The requirement is to automate the monitoring of this file into splunk.
The two solution i'm intended to implement are:
1-First Solution is to send the delta changes only to splunk server by writing some shell script do get the delta changes each 5 minutes ( the modification that happened to the files in the last 5 minutes )
2-Second Solution is to send via ftp the entire file to splunk instance and let splunk monitor the changes.
Note that: using universal forwarder is not an option - i have no permission to open a port 9997 or any other port for the forwarder on the production environment but i have the possibility of ftp this file from production server to splunk instance
The problem:
My preferred solution is the second but i don't know how to monitor only the delta changes in that file, how splunk will indexes only the new events and detect those lines without having any duplication?
All idea are welcome and appreciated.
Thanks,
Roy
... View more
03-18-2013
08:02 AM
1 Karma
You can use sideview and get $click.fields.someFieldName$ $click.fields.someOtherFieldName$, etc... for all the cells in the row, and you also get $click.cell0.value$, $click.cell7.value$, in case that's ever useful... then parse those values to the search
... View more
03-18-2013
07:55 AM
Yes, it's possible from splunk view.
... View more
03-18-2013
07:43 AM
1 Karma
You can call loadjob command , the artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.
| loadjob savedsearch="username:application:MyMasterSavedSearch" | search business=businessX
... View more
03-18-2013
05:28 AM
Just to confirm more your answer - Can i use an existing port used and opened?
... View more
03-18-2013
02:37 AM
What is the port that splunk universal forwareder use to sent data to the indexer on a splunk instance, what protocol need to exist between universal forwarder and the splunk instance?
... View more
- Tags:
- universal-forwarder
03-18-2013
02:30 AM
My situation is this,on an online production Machine A servers their is errors logs that exist. I need to be able to monitor those logs using the universal forwarder but one of my requirement rules is do not open another port on the server for the splunk forwarder and i need to know if i can use existing opened port. The opened port is for Machine B so i need to know if i can use 2 steps forwards.
... View more
03-18-2013
01:36 AM
Thanks, for your answer. should i install a splunk instance on where universal forwarder exist? could i use an open ports for that reason?- Can i perform 2 step forwards ?
Machine A with universal forwarder --> Machine B with universal forwarder --> Machine C with Splunk Instance.
... View more
03-18-2013
01:35 AM
Thanks, for your answer. should i install a splunk instance on where universal forwarder exist? could i use an open ports for that reason?- Can i perform 2 step forwards ?
Machine A with universal forwarder --> Machine B with universal forwarder --> Machine C with Splunk Instance.
... View more
03-18-2013
01:30 AM
Can splunk monitor a log errors.log that exist on another machine without sending the files via ftp/sftp to splunk server and use monitor option in inputs? Is their a simplest way to monitor a distant log file? Can splunk universal forwarder perform this step and do i need to open new ports for that reason ?
... View more
03-18-2013
01:18 AM
My Use case:
1- I have a log file X ( a log generated from a web applications - errors.log ) that exist on a server A
2- Splunk is installed on server B
In order to monitor this logs, one solution 1 is to send the file X to splunk server B and then used the monitor options in inputs.conf file.
I was wondering if an alternative solution 2 could work in order to monitor this log. I need to know if i can use splunk universal forwarder to monitor the log on another machine but i don't know the step yet.
Another solution 3 i'm thinking of is to sent the logs to splunk server by email but i don't actually know if that could work.
Please i need to know if someone have faced this situation before? and what solution is preferable and what are the steps?
... View more
03-18-2013
01:07 AM
Hello Splunkies,
I was wondering if splunk could monitor a logs sent by email to splunk server. if yes how this could be done?
... View more
03-04-2013
09:56 AM
Thanks a lot dude. It's working great
... View more
03-04-2013
09:34 AM
While migrating my dashboards to sideview utils , i have faced this error during saving my dashboard.
Here is the code:
| metadata type=hosts | sort host | where like(host,"%wavemark%")
host
online.wavemark.net
<module name="Pulldown">
<param name="name">host</param>
<param name="label">Select Environment:</param>
<param name="valueField">$name$</param>
<module name="Switcher" group=" " layoutPanel="panel_row4_col1">
<param name="selectedGroup">$host$</param>
...
<module name="SavedSearch" layoutPanel="panel_row4_col1" group="stagedb.wavemark.net">
<param name="savedSearch">Long Running Reports Trend (2+ Seconds) - Daily Count</param>
<module name="ViewstateAdapter">
<param name="savedSearch">Long Running Reports Trend (2+ Seconds) - Daily Count</param>
<module name="JobProgressIndicator" />
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
</module>
<module name="HiddenChartFormatter">
<module name="FlashChart">
<param name="width">100%</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
... View more
03-04-2013
09:18 AM
I'm receiving the following error
Misconfigured view 'dashboard_side' - Unknown parameter 'savedSearch' is defined for module SavedSearch. Make sure the parameter is specified in SavedSearch.conf. - Should i create a SavedSearch.conf file???
... View more
03-04-2013
02:02 AM
1 Karma
An exception is throw on the dashboard after calling HiddenSavedSearch module inside a Switcher module saying that HiddenSavedSearch does not yet support layering additional intentions on the top of saved search. ( I actually doesn't now what that mean ? would it be supported in the future?! ).
<?xml version="1.0"?>
<view autoCancelInterval="90" isVisible="true" isSticky="False" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1"
template="dashboard.html">
<!-- autoCancelInterval is set here to 100 -->
<label>Reports Performance By Environments</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="Message" layoutPanel="messaging">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<!--
<module name="HTML" layoutPanel="viewHeader">
<param name="html">
<![CDATA[ <h1>Switcher</h1> ]]>
</param>
</module> -->
<!-- ============================================================================== -->
<!-- Setup HostName Selection -->
<!-- ============================================================================== -->
<module name="SearchSelectLister" layoutPanel="panel_row1_col1_grp1" autoRun="True">
<param name="searchWhenChanged">True</param>
<param name="search">| metadata type=hosts | sort host | where like(host,"%wavemark%")</param>
<param name="label">Select Environment:</param>
<param name="settingToCreate">hostname_setting</param>
<param name="selected">online.wavemark.net</param>
<!--
<param name="staticFieldsToDisplay">
<list>
<param name="value"></param>
<param name="label">None</param>
</list>
</param>
-->
<param name="searchFieldsToDisplay">
<list>
<param name="value">host</param>
<param name="label">host</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">hostname_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="hostToken">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="Switcher" group=" " layoutPanel="panel_row4_col1">
<param name="selectedGroup">$hostname_setting$</param>
...
<module name="HiddenSavedSearch" layoutPanel="panel_row4_col1" group="stagedb.wavemark.net" autoRun="True">
<param name="savedSearch">Long Running Reports Trend (2+ Seconds) - Daily Count</param>
<param name="groupLabel">Daily Long Running Report Trend</param>
<module name="ViewstateAdapter">
<param name="savedSearch">Long Running Reports Trend (2+ Seconds) - Daily Count</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="HiddenChartFormatter">
<module name="FlashChart">
<param name="width">100%</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module> <!-- ** End of ConvertToIntention ** -->
</module> <!-- ** End of Host SearchSelectLister ** -->
</view>
... View more
03-04-2013
01:46 AM
Thanks, this is working now.
... View more
03-04-2013
01:45 AM
Thanks, I'm still getting this error. I was wondering if their are a step by step procedure to configure an Oracle database connection, and what happen if i'm using Splunk free license , how gona calculate 500 MB per day from a database.
... View more
02-26-2013
08:06 AM
Is their any example of using the option 2) using sideview, i actually have the same issue where i need to run 2 different search on the same panel based on the host selected from a drop down list, the reason why i need this conditional switching is that one of my search is saved search and i need to set it up as default when the page load. How can i do that technically?
... View more
02-25-2013
06:30 AM
Thanks, can i call macro from loadjob?
| loadjob savesearch="admin:search: my_macro($token$) "
... View more
02-25-2013
05:58 AM
Their are no action called "clone" to move extracted field objects from one apps to another, any idea? >> Manager » Fields » Field extractions. Some of my field have no "move" neither "clone" option as action. Does that mean i need to re-create them manually?
Thanks,
... View more
02-25-2013
05:37 AM
I have similar issue in here but i need to pass one parameter wich is host, please tell me how to call this using loadjob
| loadjob savesearch="admin:search:My Saved Search $host$"
Should i save my search with host string in the name or what?
... View more
02-25-2013
05:36 AM
I have similar issue in here but i need to pass one parameter wich is host, please tell me how to call this using loadjob
| loadjob savesearch="admin:search:My Saved Search $host$"
Should i save my search with host string in the name or what?
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
