Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ShaneNewman
ShaneNewman
Motivator
Member since:
07-25-2012
06-05-2020
Community Statistics
| Posts | 310 |
| Solutions | 35 |
| Karma Given | 339 |
| Karma Received | 86 |
| Member Since | 07-25-2012 |
Activity Feed
- Got Karma for Re: 10-26-2013 16:39:13.343 +0100 WARN TcpOutputFd - Connect to 192.168.x.x:9997 failed. No connection could be made because the target machine actively refused it.. 04-24-2024 12:23 PM
- Got Karma for Re: How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders?. 04-01-2021 10:58 AM
- Got Karma for S3 bucket with CSV files not extracting fields at index time. 06-05-2020 12:50 AM
- Karma Re: How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders? for acharlieh. 06-05-2020 12:49 AM
- Karma Re: Help with hot buckets rolling prematurely for sowings. 06-05-2020 12:49 AM
- Karma Re: Capabilities needed for a service account to enable Maintenance Mode and issue offline command for leonphelps_s. 06-05-2020 12:49 AM
- Karma RHEL/CentOS 7 & systemD not honoring ulimits for jethompson_splu. 06-05-2020 12:49 AM
- Got Karma for How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders?. 06-05-2020 12:49 AM
- Got Karma for Re: Index cluster with multiple partitions. 06-05-2020 12:49 AM
- Karma Splunk Add-On for Google Cloud Platform: Splunk Add-on REST Handler ERROR[1021]: Fail to decrypt the encrypted credential information - Failed to get credentials for efferth. 06-05-2020 12:48 AM
- Karma How does DMC determine the status of its search peers? for lycollicott. 06-05-2020 12:48 AM
- Karma Re: Splunk not matching files with wildcard in monitor path in inputs.conf for ddrillic. 06-05-2020 12:48 AM
- Karma Mac OS X Sierra - How to get all logs from the Unified Log database? for managed_securit. 06-05-2020 12:48 AM
- Karma Re: Mac OS X Sierra - How to get all logs from the Unified Log database? for yannK. 06-05-2020 12:48 AM
- Karma Re: Color map not working on New Relic Splunk App for gpareesi11. 06-05-2020 12:48 AM
- Got Karma for Re: How to add a new Active Directory group to an existing LDAP strategy?. 06-05-2020 12:48 AM
- Karma Re: DB Connect: Why am I getting "Error connecting to /servicesNS/admin/dbx/dbx/dbmon: The read operation timed out" setting up Oracle DB input? for pmdba. 06-05-2020 12:47 AM
- Karma Re: How to configure inputs.conf and outputs.conf on the Heavy Forwarder to route data received from universal forwarders to the indexers? for rmorlen. 06-05-2020 12:47 AM
- Karma Re: Setting up Deployment Server to manage multiple instances on a single server for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Setting up Deployment Server to manage multiple instances on a single server for jrodman. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
10-22-2013
07:47 AM
Copy and paste these into the identified conf files. Then restart each instance they are deployed to. Be sure to change your time format in the props.conf.
inputs.conf
[monitor://C:\tpg\leamcsv\dualgamma_logs\...\]
sourcetype = DGC_TIME
index=main
host_segment = 4
crcSalt = <SOURCE>
transforms.conf
[extract_pulse_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX = pulse_.*\.csv
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::DGC_PULSE
[extract_flow_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX = flow_.*\.csv
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::DGC_FLOW
props.conf
[DGC_TIME]
TRANSFORMS-transform_1 = extract_pulse_sourcetype
TRANSFORMS-transform_2 = extract_flow_sourcetype
TIME_FORMAT = timeformat
SHOULD_LINEMERGE = false|true
... View more
10-22-2013
07:43 AM
I will post a new answer in the answer field so I can get the code bit to work.
... View more
10-22-2013
06:17 AM
Why not create a table below to summarize this information? Just use the base search in a search module, then use PostProcess/HiddenPostProcess for the chart and table.
... View more
10-22-2013
06:12 AM
If you are ok with using advanced XML, download the deployment monitor app. The license_info.xml is a great example of how to do what you want.
... View more
10-22-2013
05:57 AM
Why don't you just download the deployment monitor app? It has all of that pre-built.
http://apps.splunk.com/app/1294/
... View more
10-21-2013
09:05 PM
Ah, also the last bit goes in the props.conf.
What we are doing is saying by default, all data from the inputs path are to be known as source type DGC_TIME. Then in the props.conf (by way of the transforms.conf) we say that if the source matches pulse_.csv that it's source type should be DGC_PULSE, if it matches flow_.csv then it should be source type DGC_FLOW
And I just noticed I did not escape the . So, replace _.csv in regex with _..csv
... View more
10-21-2013
08:56 PM
Btw, you can replace transform_name 1,2 with anything you want, I was just using it as a filler name. Just make sure the names get put into the props.conf
... View more
10-21-2013
07:52 PM
After you do this, you will need to either go to yoursplunkrul:8000/info and click reload EAI Objects where ever these configs are deployed to: UF (will need instance restart), Indexer, ect.
You may even want to restart the instance just for good measure.
... View more
10-21-2013
07:46 PM
How about...
[monitor://C:\tpg\leamcsv\dualgamma_logs\...\pulse_*]
sourcetype = DGC_PULSE
index=main
host_segment = 4
crcSalt = <SOURCE>
that would work regardless if they are .zip or .csv
Are they being bundled inside of a single .zip?
If so:
inputs.conf
[monitor://C:\tpg\leamcsv\dualgamma_logs\...\]
sourcetype = DGC_TIME
index=main
host_segment = 4
crcSalt = <SOURCE>
transforms.conf
[transform_name1]
SOURCE_KEY = MetaData:Source
REGEX = pulse_*\.csv
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::DGC_PULSE
[transform_name2]
SOURCE_KEY = MetaData:Source
REGEX = flow_*\.csv
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::DGC_FLOW
props.conf
[DGC_TIME]
TRANSFORMS-transform_name = transform_name1, transform_name2
TIME_FORMAT = timeformat
SHOULD_LINEMERGE = false|true
... View more
10-21-2013
07:19 PM
I assume you are getting date in epoch time...
Try putting this in your search command at the end...
eval Date=strftime(Date, "%m/%d/%Y %H:%M:%S")
This will make the epoch time stamp look like 10/21/2013 21:19:00
... View more
10-21-2013
07:14 PM
Well. I am a but confused by the query aspect of this... Typically if you use a "Tail" command there is no reason to do a query, other then to limit the fields you wish to index. Looks like it needs to be set up as a dump like this one:
[dbmon-dump://xxx/yyy]
disabled = 0
host = somehost
index = someindex
interval = 5 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = timestampcolumn
query = SELECT T2.LoadingStateDate, T1.ArchTime, T1.MessageID, T1.MessageSourceSystem, T1.MessageType, T1.MessageCreationTime\r\nFROM [ArchMessage] AS T1 (nolock), [ArchMessageState] AS T2 (nolock)\r\nWHERE T2.LoadingStateDate >= DATEADD(hh,DATEPART(hh,GETDATE())-1,DATEADD(dd,0, DATEDIFF(dd,0,GETDATE())))\r\nAND T2.LoadingStateDate <= DATEADD(ss,-1,DATEADD(hh,DATEPART(hh,GETDATE()),DATEADD(dd,0, DATEDIFF (dd,0,GETDATE()))))\r\nAND T2.LoadingState='9'\r\nAND T2.ErrorID Is NULL\r\nAND T2.BTSInterchangeID=T1.BTSInterchangeID
sourcetype = somesourcetype
table = sometable
output.timestamp.format = "YYYY-MM-dd HH:mm:ss.SSS"
... View more
10-21-2013
07:04 PM
1 Karma
Try This:
Windows Firewall Log
[Transform_Windows_FW]
DELIMS = "\s"
FIELDS = date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
In the search bar, after you have saved this in the transforms.conf, put:
some search | extract Transform_Windows_FW
If that works then you can set it up to be automatic in the props.conf
... View more
10-21-2013
06:03 PM
Looks like this is not doable...
... View more
08-15-2013
07:54 PM
I want to take the same data that produces 2 lines on a graph and calculate the second Y axis to be a fraction of the first. (More complected than I originally thought)
This is a timechart so Splunk is grouping by _time, which is summarized in the index by minute. I have used delta to find the grouping time:
delta _time AS delta_time p=1 | eval inbound_mps=(inbound_messages/delta_time) | eval processed_mps=(processed_messages/delta_time)
as delta_time is the total seconds in the grouping… mps=Messages Per Second
Truthfully, there is no reason to have a second chart on the dashboard overlaid, just an axis scaled to the fraction of the Volumes by delta_time for the initial data. Right now it is overlaid and it looks like trash (IMO).
Initially I thought I could use
<param name="charting.data1">hide</param>
to just ghost the data and scale the axis, however that did not work (It just set the axis to 0-100)
XML:
<module name="HiddenChartFormatter">
<param name="charting.chart">line</param>
<param name="charting.data1">view</param>
<param name="charting.data1.columns">[0,4,5]</param>
<param name="charting.chart.data">@data1</param>
<param name="charting.data1.table">@data</param>
<param name="charting.axisTitleY.text">Messages Per Second (MPS)</param>
<param name="charting.chart.nullValueMode">connect</param>
<param name="charting.chart.axisY">@axisY</param>
<param name="charting.axisTitleY.placement">left</param>
<param name="charting.axisLabelsY.placement">left</param>
<param name="charting.chart2">line</param>
<param name="charting.data2">view</param>
<param name="charting.data2.columns">[0,1,2]</param>
<param name="charting.chart2.data">@data2</param>
<param name="charting.data2.table">@data</param>
<param name="charting.axisTitleY2.text">Message Volume</param>
<param name="charting.chart2.nullValueMode">connect</param>
<param name="charting.axisTitleY2">#axisTitleY</param>
<param name="charting.chart2.axisY">@axisY2</param>
<param name="charting.axisTitleY2.placement">right</param>
<param name="charting.axisLabelsY2.placement">right</param>
<param name="charting.axisLabelsY2">#axisLabelsY</param>
<param name="charting.axisLabelsY2.axis">@axisY2</param>
<param name="charting.layout.axisLabels">[@axisLabelsX,@axisLabelsY2,@axisLabelsY]</param>
<param name="charting.layout.axisTitles">[@axisTitleX,@axisTitleY,@axisTitleY2]</param>
<param name="charting.layout.charts">[@chart2,@chart]</param>
<param name="charting.legend.placement">top</param>
<param name="charting.axisTitleX.text">Time</param>
<module name="JobProgressIndicator"/>
<module name="FlashChart">
<param name="width">100%</param>
<module name="Gimp"/>
</module>
</module>
... View more
06-18-2013
07:05 PM
Turned out that our service account did not have the proper permissions to the Splunk directory.
The bad news is that this Windows issue required us to completely refresh the OS because the connection to AD had become corrupted and the server itself was isolated off of the domain.
If only there wasn't a 6 month delay for Linux builds...
... View more
06-11-2013
09:19 PM
I am getting a access is denied error, everything was working fine until yesterday. No changes were made in the environment that I am aware of, other than updating the dbx app to the new version. Any insight on how to correct this would be greatly appreciated!
2013-06-11 23:04:14.380 dbx4876:ERROR:TailDatabaseMonitor - Error while executing database monitor: com.splunk.env.SplunkEnvironmentException: IO Error while handing spool directory event outupt: java.io.IOException: Access is denied
com.splunk.env.SplunkEnvironmentException: IO Error while handing spool directory event outupt: java.io.IOException: Access is denied
at com.splunk.output.impl.SpoolOutputChannel.createFile(SpoolOutputChannel.java:91)
at com.splunk.output.impl.SpoolOutputChannel.checkBufferSizeAndTime(SpoolOutputChannel.java:138)
at com.splunk.output.impl.SpoolOutputChannel.send(SpoolOutputChannel.java:159)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.sendEvent(DatabaseMonitorExecutor.java:76)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.sendEvent(DatabaseMonitorExecutor.java:72)
at com.splunk.dbx.monitor.impl.TailDatabaseMonitor.performMonitoring(TailDatabaseMonitor.java:128)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.executeMonitor(DatabaseMonitorExecutor.java:126)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.call(DatabaseMonitorExecutor.java:102)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.call(DatabaseMonitorExecutor.java:37)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: Access is denied
at java.io.WinNTFileSystem.createFileExclusively(Native Method)
at java.io.File.createTempFile(Unknown Source)
at com.splunk.output.impl.SpoolOutputChannel.createFile(SpoolOutputChannel.java:83)
... 19 more
... View more
06-10-2013
06:14 AM
We had a similar problem a few months ago. Turned out that it was not a Splunk problem, instead an AD issue. AD was not sending all of the data back that was requested.
There could be another issue though. It almost seems as if Splunk is not indexing the data coming back in a single event from what you say.
... View more
06-10-2013
06:09 AM
We use a powershell script to run on all of our Windows Splunk servers to do this, although the load balancing we leave up the the universal forwarders and heavy forwarders. The concept is simple enough, we check the status of the service to make sure it is up every 60 seconds. If we find the service is not running, the powershell script starts the service. The results of each run is written to a log we created on each individual server - monitored by UNC by a separate server. Those servers have a separate search running, looking for the absence of data for longer than 3 minutes, signifying the server may be down.
Hope that helps.
... View more
06-10-2013
06:02 AM
You will need to go into the XML file for the search app, I believe the main search you go to is dashboard_live and make your changes there.
... View more
05-14-2013
02:53 PM
Turns out that the app does not like "\" in the name of the database instance. Removing the "\" corrected the problem.
... View more
05-14-2013
08:55 AM
Using SEDCMD is at index time. That being said, you could always create a summary index of the masked data for searching.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
