Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About phoenixdigital
phoenixdigital
Builder
Member since:
02-08-2011
04-01-2026
Community Statistics
| Posts | 280 |
| Solutions | 25 |
| Karma Given | 33 |
| Karma Received | 77 |
| Member Since | 02-08-2011 |
Activity Feed
- Got Karma for Splunk Addon Builder 4.5.1 import/export broken on Splunk 10.2.1. a week ago
- Posted Splunk Addon Builder 4.5.1 import/export broken on Splunk 10.2.1 on All Apps and Add-ons. 04-01-2026 01:53 AM
- Got Karma for Re: Terminate User Session. 08-05-2022 12:07 AM
- Got Karma for Re: Realtime clock of Splunk server time on dashboard?. 06-10-2022 05:49 AM
- Got Karma for Indexing a CSV data file with more than one set of data. 04-06-2021 04:39 PM
- Got Karma for Can you hard code a color for a value range in Calendar Heat Map?. 06-05-2020 12:49 AM
- Karma Re: unarchive_cmd for decoding binary file with python script for MuS. 06-05-2020 12:48 AM
- Karma Re: unarchive_cmd for decoding binary file with python script for micahkemp. 06-05-2020 12:48 AM
- Karma Re: Splunk App for Stream: How to configure a universal forwarder to monitor DNS and DHCP? for vshcherbakov_sp. 06-05-2020 12:48 AM
- Karma Re: Is there a logging or debug tool to identify all props and transforms that are applied to a particular sourcetype to isolate rogue field extractions? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: Is there documentation on forwarder behavior for various types of inputs when an indexer goes offline? for ryanoconnor. 06-05-2020 12:48 AM
- Karma Re: Search Head Deployer in a SH Cluster: What happens to local? for teunlaan. 06-05-2020 12:48 AM
- Karma Re: How is Server Identified After clone-prep-clear-config Script is Run? for jconger. 06-05-2020 12:48 AM
- Got Karma for Search Head Deployer in a SH Cluster: What happens to local?. 06-05-2020 12:48 AM
- Got Karma for Is there a logging or debug tool to identify all props and transforms that are applied to a particular sourcetype to isolate rogue field extractions?. 06-05-2020 12:48 AM
- Got Karma for How to update a global lookup file via REST API for a particular app in a search head cluster?. 06-05-2020 12:48 AM
- Got Karma for How to update a global lookup file via REST API for a particular app in a search head cluster?. 06-05-2020 12:48 AM
- Got Karma for setup.xml to modify/create an entry in app.conf (or anywhere else). 06-05-2020 12:48 AM
- Got Karma for Re: Chart not obeying charting.axisY.includeZero=false. 06-05-2020 12:48 AM
- Karma SA-Eventgen doesn't work? for laiyongmao. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-18-2012
03:41 PM
Unfortunately no. We have since moved on from this for now. If you do find a result please let us know here.
... View more
09-29-2011
06:32 PM
Unfortunately no after clearing monitored directory then clearing the indexes with the command
/opt/splunk/bin/splunk stop; /opt/splunk/bin/splunk clean eventdata -f -index bom; /opt/splunk/bin/splunk clean eventdata -f -index bom_summary; /opt/splunk/bin/splunk start
I retrieve the files again and Splunk shows zero events in the index.
... View more
09-28-2011
10:05 PM
I have a FTP data collector which pulls in files from an FTP server and dumps them into a directory monitored by Splunk.
The files are all of the IDA00*.dat files and are sourced from ftp://ftp2.bom.gov.au/anon/gen/fwo/
My script checks this ftp server about every 6 hours and if the modified date has changed on the files it will redownload them and replace them in /home/phoenix/data/bom/
Splunk is setup to monitor this directory with the following conf files
inputs.conf
[monitor:///home/phoenix/data/bom]
disabled = 0
followTail = 0
host = BOM
index = bom
crcSalt = <SOURCE>
props.conf
[source::...[/\\]bom[/\\]IDA00001.dat]
KV_MODE = none
SHOULD_LINEMERGE = false
sourcetype = bomIDA00001
REPORT-extractIDA00001 = IDA00001_Fields
priority = 100
priority 100 required as Splunk ignores .dat files by default. I have had to remove .dat from /opt/splunk/etc/default/props.conf as well recently as the priority stopped working for some reason and the data was being treated as binary (but thats for another topic)
transforms.conf
[IDA00001_Fields]
DELIMS = "#"
FIELDS = loc_id,location,state,forecast_date,issue_date,issue_time,min_0,max_0,min_1,max_1,min_2,max_2,min_3,max_3,min_4,max_4,min_5,max_5,min_6,max_6,min_7,max_7,forecast_0,forecast_1,forecast_2,forecast_3,forecast_4,forecast_5,forecast_6,forecast_7,dummy
Now this seemed to be working ok for a while but for some reason it has stopped indexing files even though new files are coming in with completely different data (in particular the forecast_date). I have can only see data in the index=bom from the 28th of Sept and back. It is the 29th and there should be data in Splunk for that.
Running the following returns some actions on the files in question
grep IDA00001.dat /opt/splunk/var/log/splunk/splunkd.log
09-29-2011 13:52:24.489 +1000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/home/phoenix/data/bom/IDA00001.dat'.
09-29-2011 14:48:50.167 +1000 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/home/phoenix/data/bom/IDA00001.dat'.
09-29-2011 14:48:50.167 +1000 INFO WatchedFile - Will begin reading at offset=0 for file='/home/phoenix/data/bom/IDA00001.dat'.
So it seems like Splunk is working on the files. Are they being indexed though as the data is not showing up?
Any help would be appreciated.
... View more
09-15-2011
04:37 PM
Here is a screenshot of the data if that clears things up.
http://i56.tinypic.com/xmmyh1.gif
... View more
09-14-2011
11:45 PM
1 Karma
Hi All,
I have written a python HTTP downloader which is pulling down multiple zip files and extracting the contents then feeding them to a TCP port on Splunk.
Inside each zip are a whole bunch of csv files with the format
header1, header2, header3, aTimestampIwant1
data1, data2, data3, dateData1
data1, data2, data3, dateData1
etc....
Now the python script is unzipping this file and creating a sourcetype based on the filename. It is also building a Splunk friendly format for Splunk to consume. This entire string is then sent to a TCP port that Splunk is listening on.
Splunk recieves something like this in the one connection
***SPLUNK*** host=myhost, source=theOriginalFilenameFromTheZip, sourcetype=extractedFromFilename\r\n
header1=data1, header2=data2, header3=data3, aTimestampIwant1=dateData1\r\n
header1=data1, header2=data2, header3=data3, aTimestampIwant1=dateData1\r\n
etc.....
now when I look at the data in Splunk it has the correct source and sourcetype.... but..
There are a few things that I need to resolve.
Each 'event' in Splunk is the entire message of all rows of data. They are not split by the newlines I am passing through the stream
It appears dates/times are not being translated when a column is of a common date type.
more importantly the timestamp(_time) is not being found and it is using the time the data was recieved.
Now I know that some will answer create something in props.conf for each type of file. I am trying to avoid this as there are over 30 different types of files.
If I can get this to work then it will allow this script to handle new file(source) types in the future should they start getting fed into the stream.
Any help would be greatly appreciated.
... View more
08-09-2011
12:13 AM
4 Karma
I found the issue by looking in splunkd.log
It was this line from the setup.xml
'WebSearch' should be 'Web Search'
I highly recommend someone update the public website. While its a simple mistake it is incredibly frustrating trying to use documented demos which dont work. Then trying to debug something you are learning at the same time.
... View more
08-08-2011
11:23 PM
3 Karma
I just tried to test the example provided at
http://www.splunk.com/base/Documentation/4.2.1/Developer/SetupExample1
I created the myapp/default/savedsearches.conf with the contents
then added the input to the myapp/defaut/inputs.conf. Finally created the myapp/default/setup.xml EXACTLY as mentioned.
All I got was this when prompted to view setup
404 Not Found
Splunk cannot find "apps/local/myapp/setup".
This page was linked to from http://192.168.0.200:8000/en-US/app/myapp.
You are using 192.168.0.200:8000, which is connected to splunkd @98164 at https://127.0.0.1:8089 on Tue Aug 9 16:36:04 2011.
I find it a bit odd that such a simple example provided on the splunk website would fail like this?
I am running Splunk on windows if that makes any difference.
... View more
07-12-2011
03:25 PM
Thanks for the information. Makes sense from the perspective of 'light' and 'heavy' system usage.
... View more
07-07-2011
05:03 PM
4 Karma
Just a quick question regarding the "Universal Forwarder"
I have setup my inputs.conf and outputs.conf in
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
this works perfectly
However I also wanted to perform some processing on these inputs prior to sending to the indexer.
It made sense that I would need to add props.conf and transforms.conf to this directory.
This however did not appear to work. Adding the props.conf and transforms.conf files to the indexer worked however.
Is there a way to do this on the universal forwarder or does it need to be done on the indexer?
... View more
- Tags:
- universal-forwarder
07-07-2011
04:38 PM
Hi All,
I am trying to work out if this is even possible with drilldowns and forms.
At the end of this post is a very simple form which searches an apache logfile and generates a table of all clientIP addresses. I understand the form is useless as it will cause the table to only show one result. I have just dumbed it down so I can get an answer to the question.
The form allows the user to enter an IP address to restrict by which is then passed onto the search.
Question: Is there a way to setup a drilldown on the table whereby when the user clicks on an IP address it is populated to the form field and the search is performed again?
I have looked through all the advanced XML queries and demos but I cant seem to find one that behaves in this manner. Is it even possible?
<form class="formsearch">
<label>Client Details</label>
<fieldset>
<input type="text" token="clientIP" searchWhenChanged="false">
<default>*</default>
</input>
<input type="time" searchWhenChanged="false"/>
</fieldset>
<row>
<table>
<title>Top client IP addresses</title>
<searchTemplate>index=webserver (sourcetype=access_combined OR sourcetype=vhost_access_combined) clientip="$clientIP$" | top limit=10 clientip</searchTemplate>
</table>
</row>
</form>
... View more
- Tags:
- drilldown
07-07-2011
04:36 PM
Did you ever find a solution to this?
I am trying to do something very similar but have no idea if it is even possible.
... View more
07-06-2011
07:00 PM
Ok I seemed to get it to work eventually using the following
inputs.conf
[monitor:///etc/httpd/logs/access_log*]
sourcetype = advanced_access_combined
index = webserver
disabled = false
followTail = 0
host = devserver.remora.com.au
[monitor:///etc/httpd/logs/error_log*]
index = webserver
disabled = false
followTail = 0
host = devserver.remora.com.au
props.conf
[advanced_access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = advanced-access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = [
transforms.conf
[all_lazy]
REGEX = .*?
[all]
REGEX = .*
[nspaces]
# matches one or more NON space characters
REGEX = S+
[qstring]
#matches a quoted "string" - extracts an unnamed variable - name MUST be provided as in [[qstring:name]]
# Extracts: empty-name-group (needs name)
REGEX = "(?<>[^"]*+)"
[sbstring]
#matches a string enclosed in [] - extracts an unnamed variable - name MUST be provided as in [[sbstring:name]]
# Extracts: empty-name-group (needs name)
REGEX = [(?<>[^]]*+)]
[bc_domain]
REGEX = (?<domain>w++://[^/s"]++)
[bc_uri]
# backwards compatible uri regex
# uri = path optionally followed by query [/this/path/file.js?query=part&other=var]
# path = root part followed by file [/root/part/file.part]
# Extracts: uri, uri_path, root, file, uri_query, uri_domain (optional if in proxy mode)
REGEX = (?<uri>[[bc_domain:uri_]]?+(?<uri_path>[[uri_root]]?[[uri_seg]](?<file>[^s?/]+)?)(?:?(?<uri_query>[^s]))?)
[reqstr]
REGEX = [^s"]++
[access-request]
# very relaxed regex for extracting fields from the request
REGEX = "s*+[[reqstr:method]]?(?:s++[bc_uri])?s+"
[advanced-access-extractions]
REGEX = ^[[nspaces:vhost]]s++[[nspaces:clientip]]s++[[nspaces:ident]]s++[[nspaces:user]]s++[[sbstring:req_time]]s++[[access-request]]s++[[nspaces:status]]s++[[nspaces:bytes]]s++[nspaces:req_process_time]?[[all:other]]
It seemed I needed to copy alot of extras from the /opt/splunk/etc/system/default/transforms.conf which makes sense.
Another issue I encountered was that I have a primary index server and the apache files are being forwarded using a 'Universal Forwarder'
The whole thing did not work when props.conf and tranforms.conf were on the 'Universal Forwarder'. I needed to add them to the indexing server for the logfiles to be parsed correctly.
This is potentially going to be an issue as I would like to get the virtual host in the logfile to be marked as the Splunk host. The host is currently defined on the 'Universal Forwarder' in inputs.conf however I dont extract the virtual host until it hits the transforms.conf on the indexing server. I think by that time it will be too late to set the Splunk host. Anyway I will create a new question for that as it is out of the scope of this one.
Edit: The formatting rules here are useless when pasting in conf files so they are a bit munted. If someone needs the configs message me (if thats possible with splunkbase)
... View more
07-05-2011
08:00 PM
Here is an example log line
developer.management.theclient.rdev.com 192.168.31.108 - stingray [06/Jul/2011:12:33:21 +1000] "GET /pop.php?m=testimonial/edit&id=1 HTTP/1.1" 200 166 "http://developer.management.theclient.rdev.com/?m=testimonial/details&id=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
... View more
07-05-2011
07:54 PM
Hi All,
There is a set of webservers we are trying to index which have many virtual hosts on them. This is simple enough to add in apache by changing the LogFormat from
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
to
LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
However this now breaks the magic that splunk used to do for parsing apache logfiles.
So I dug into /opt/splunk/etc/system/default/transforms.conf and found these lines
[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[nspaces:bytes]?[[all:other]]
and in /opt/splunk/etc/system/default/props.conf found this
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = [
I can see I just need to add a [[nspaces:vhost]]\s to the transforms.conf entry but obviously dont want to mess with the defaults.
I tried to replicate what I saw in props.conf and transforms.conf into my own app but it just didn't seem to work????
my inputs.conf
[monitor:///etc/httpd/logs/access_log*]
sourcetype = vhost_access_combined
disabled = false
followTail = 0
host = development.server.com
index = webserver
my props.conf
[vhost_access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = vhost-access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = [
my transforms.conf
[vhost-access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: vhost, clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
REGEX = ^[[nspaces:vhost]]\s++[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[nspaces:bytes]?[[all:other]]
Any ideas how to get this working?
I have more complex questions to follow regarding having the host in splunk set to the value of vhost in the log entry but I will do this in baby steps first.
... View more
- Tags:
- apache
- virtualhost
06-22-2011
05:54 PM
Also I have searched all other .conf files and none contain the stanza [WMI:CPUTime] however it is being indexed which is very odd.
So by copying the wmi.conf from the windows 7 machine to the xp machine and enabling each stanza got everything working.
Thankyou for pointing me in the right direction.
... View more
06-22-2011
05:53 PM
I had previously read that link but must have missed some crucial parts as I now have some rudimentary indexing occuring on the XP machine with the universal forwarder.
One thing I noticed though is that the indexer Windows 7 machine seems to be indexing WMI data locally however all the stanzas in
C:\Program Files\Splunk\etc\apps\windows\default\wmi.conf
are all disabled however WMI is still being indexed.
ie
[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 1
... View more
06-21-2011
06:09 PM
Hi All,
I have installed the windows universal forwarder onto an XP machine which is forwarding it's data across to a Windows 7 machine running Splunk with the 'Windows' app installed.
It appears that the Windows application relies on a lot of WMI data however the Universal Forwarder does not appear to pass this data through.
Does anyone know a way to achieve this?
I have looked into getting the primary Splunk instance on Windows 7 to collect WMI remotely but that will only work if I have a Windows domain setup which I dont.
Any other ideas?
I would like to investigate the possibilities of windows splunking for a client and more information would be great.
... View more
05-31-2011
01:30 AM
Thanks for the response I was worried you would say that.
I had thought of the softlink option which would work but would not be ideal
It's a shame because the scripted inputs behave in this manner. Would be nice if they were consistent 😉
... View more
05-26-2011
09:24 PM
1 Karma
Hi All,
I am trying to get alerts to call a script with some parameters. I am aware splunk adds 8 or 9 parameters but I would also like to add my own as well which I will change from alert to alert. All alerts will use a common script and it's behaviour will be slightly different depending on the parameters passed.
The script lives in $SPLUNK_HOME/bin/scripts/ looks like this
#!/opt/splunk/bin/python
webPath = "/tmp/"
fileBasename = "-signal.txt"
propsalData = "proposal=" + sys.argv[2]
outputFilename = webPath + sys.argv[1] + fileBasename
output = open(outputFilename,'wb')
output.write(propsalData)
output.close()
As you can see the first parameter is prepended to the name of the file to create. The second parameter is put inside the text file.
For the life of me I can't seem to add these parameters in both the GUI and from a conf file.
In the GUI I have tried each of these in the script textfield
create-station-signal-file.py paramTest 34
'create-station-signal-file.py paramTest 34'
"create-station-signal-file.py paramTest 34"
All give an error like below in splunkd.log
05-27-2011 14:12:24.105 +1000 ERROR script - command="runshellscript", Cannot find script at /opt/splunk/bin/scripts/create-station-signal-file.py paramTest 34
When editting in the savedsearches.conf file directly I made them look like this
action.script.filename = create-station-signal-file.py paramTest 34
action.script.filename = "create-station-signal-file.py paramTest 34"
action.script.filename = 'create-station-signal-file.py paramTest 34'
same errors as above.
Does anyone know if this is possible to pass some parameters in?
If not thats a real pain as I have to take this one simple script and replicate it 20+ times for each alert. Which is even worse if I decide to modify the script slightly in the future.
Thoughts?
Also I did test a simplified no parameters required script and it worked so incase you are thinking python scripts wont work they do 🙂
... View more
05-19-2011
11:00 PM
Thanks for the reply. I suppose the best method is to just refresh the page every few minutes. Hopefully they release an update with this soon. That would make Splunk unstoppable.
... View more
05-18-2011
10:09 PM
2 Karma
Hi All,
I understand that real time charting works on data as it arrives so you will not see anything on the chart until the data arrives.
My question is is it possible to initially populate the chart with historical data so the user can at least see something.
For example we have a chart which displays the price of a particular item. New data arrives approximately every 5 minutes. Now if the user opens up this 'real time' dashboard they may see nothing for at least 5 minutes.
The user wants to basically have this screen open all the time and have the new data come in and update the chart. However it would be nice to at least pre-populate the chart for them.
The only solution I can see for this is to just not use realtime and have the whole dashboard refresh every 1-2 minutes.
btw I have tried changing earliest to -30m but Splunk borks at it
ie.
earliest=-1h
latest=rt
Thanks
... View more
05-17-2011
06:27 PM
Ignore that it is updating live now. Thanks heaps for your suggestion.
Another small question is there any way possible to have these 'realtime' gauges start with the most recent value in splunk instead of waiting for the first data point?
Also with 'realtime' charts can you have it show live data but start with the last 30 minutes?
... View more
05-17-2011
06:10 PM
Closer....
That displays the result thanks however the gauge never changes after that even though I know the data is incrementing every second and being logged every 15 seconds.
I watched it for about 10 minutes
... View more
05-13-2011
02:40 PM
Here is an example line
May 13 12:41:25 jacona power-engine[32525]: SPLUNK:ChkInpReg, regName=GensetRPM, reg=7, val=3668
Also just to mention these gauges and single values display fine when not attempting realtime.
... View more
05-12-2011
05:49 PM
So I have created some single values and gauges which I hope to update with live data. However they dont seem to update and there is new data coming in every 15 seconds.
Single Value
<single>
<searchString>host="jacona" SPLUNK:ChkInpReg regName=GensetRPM | head 1 | rangemap field=val low=0-30000 severe=30000-100000 | fields val, range</searchString>
<title>Station State</title>
<option name="field">val</option>
<option name="classField">range</option>
<earliestTime>rt</earliestTime>
<latestTime>rt</latestTime>
</single>
The Gauge Here
<chart>
<title>Station Output</title>
<searchTemplate>host="jacona" SPLUNK:ChkInpReg regName=GensetRPM | gauge val 0 10000 25000 33000</searchTemplate>
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.rangeValues">[0,30,70,100]</option>
<option name="charting.gaugeColors">[0xBF3030,0xFFE800,0x84E900]</option>
<earliestTime>rt</earliestTime>
<latestTime>rt</latestTime>
</chart>
Anyone have any thoughts?
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-01-2026
01:40 AM
|
