Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About ShaneNewman
ShaneNewman
Motivator
Member since:
07-25-2012
06-05-2020
Community Statistics
| Posts | 310 |
| Solutions | 35 |
| Karma Given | 339 |
| Karma Received | 86 |
| Member Since | 07-25-2012 |
Activity Feed
- Got Karma for Re: 10-26-2013 16:39:13.343 +0100 WARN TcpOutputFd - Connect to 192.168.x.x:9997 failed. No connection could be made because the target machine actively refused it.. 04-24-2024 12:23 PM
- Got Karma for Re: How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders?. 04-01-2021 10:58 AM
- Got Karma for S3 bucket with CSV files not extracting fields at index time. 06-05-2020 12:50 AM
- Karma Re: How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders? for acharlieh. 06-05-2020 12:49 AM
- Karma Re: Help with hot buckets rolling prematurely for sowings. 06-05-2020 12:49 AM
- Karma Re: Capabilities needed for a service account to enable Maintenance Mode and issue offline command for leonphelps_s. 06-05-2020 12:49 AM
- Karma RHEL/CentOS 7 & systemD not honoring ulimits for jethompson_splu. 06-05-2020 12:49 AM
- Got Karma for How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders?. 06-05-2020 12:49 AM
- Got Karma for Re: Index cluster with multiple partitions. 06-05-2020 12:49 AM
- Karma Splunk Add-On for Google Cloud Platform: Splunk Add-on REST Handler ERROR[1021]: Fail to decrypt the encrypted credential information - Failed to get credentials for efferth. 06-05-2020 12:48 AM
- Karma How does DMC determine the status of its search peers? for lycollicott. 06-05-2020 12:48 AM
- Karma Re: Splunk not matching files with wildcard in monitor path in inputs.conf for ddrillic. 06-05-2020 12:48 AM
- Karma Mac OS X Sierra - How to get all logs from the Unified Log database? for managed_securit. 06-05-2020 12:48 AM
- Karma Re: Mac OS X Sierra - How to get all logs from the Unified Log database? for yannK. 06-05-2020 12:48 AM
- Karma Re: Color map not working on New Relic Splunk App for gpareesi11. 06-05-2020 12:48 AM
- Got Karma for Re: How to add a new Active Directory group to an existing LDAP strategy?. 06-05-2020 12:48 AM
- Karma Re: DB Connect: Why am I getting "Error connecting to /servicesNS/admin/dbx/dbx/dbmon: The read operation timed out" setting up Oracle DB input? for pmdba. 06-05-2020 12:47 AM
- Karma Re: How to configure inputs.conf and outputs.conf on the Heavy Forwarder to route data received from universal forwarders to the indexers? for rmorlen. 06-05-2020 12:47 AM
- Karma Re: Setting up Deployment Server to manage multiple instances on a single server for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Setting up Deployment Server to manage multiple instances on a single server for jrodman. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
11-12-2013
07:12 AM
Link to the documentation:
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Backupindexeddata
... View more
11-12-2013
07:10 AM
First you will want to roll everything from Hot to warm. Then delete the hot buckets. When you restart Splunk after the rollback, it will create new hot buckets.
This is the command for it, just replace the index name with the name of your index(es) and your username/pw.
splunk _internal call /data/indexes/ /roll-hot-buckets –auth :
... View more
11-11-2013
06:42 PM
Install the Windows app for Splunk. It's free and just gets uploaded into Splunk.
It will probably not get you exactly what you want, it will get you most of the way there though. You will just have to modify the included Powershell scripts to capture exactly what you are looking for.
... View more
11-11-2013
04:19 PM
I don't know of anything to help you, other than what @gkanapathy suggested. You can always setup what he suggested in your props.conf and transforms.conf. This should automatically extract any values that are preceded by an "=" sign as a value of the field before the "=" sign for the sourcetype you specify.
... View more
11-11-2013
04:14 PM
Did that work?
... View more
11-11-2013
04:13 PM
If you browse the folder directory as the domain account on the server itself, can you see the files you want to monitor?
... View more
11-11-2013
03:54 PM
Is Splunk setup to run as a system account or a domain account? If it is setup as a domain account, it may not have the correct permissions to that directory.
... View more
11-11-2013
03:49 PM
I would, it will not hurt anything and will only cause your browser to clear any cached configurations.
... View more
11-11-2013
03:43 PM
There are several dashboard that will have to be completely redesigned to go forward using only simple xml and the rest. We have that in our scope of work for next year. I am just tying to make sure that for immediate needs I have not overlooked anything that would cripple our end users and force us to do a roll-back.
... View more
11-11-2013
03:41 PM
1 Karma
Have you tried going to: yoursplunkurl:8000/info (Development services) and clicking EAI object refresh? If not, try that. Then go back to the Development services URL and click Static resource cache control.
If that doesn't work, let me know.
... View more
11-11-2013
03:35 PM
Go to yoursplunkurl:8000/info
Click reload EAI Objects.
Did that work for you?
... View more
11-11-2013
11:56 AM
If you don't mind editing the XML for the dashboard itself, add:
<module name="JobProgressIndicator"/>
as a child of the search module.
... View more
11-11-2013
11:52 AM
That is not really app specific, it is user specific.
Settings>Access Controls>Roles>Your Role>Indexes Searched by Default - Add "All non-internal indexes
Does that help?
... View more
11-11-2013
06:35 AM
I manage a fairly large deployment of Splunk for a healthcare organization. We recently merged 3 separate deployments into a single larger deployment (nix, windows, and firewall). Both the nix and windows deployments are still on 5.0.5. The firewall team, who use ping federate, are already on 6.0. Additionally, our security group recently purchased a 2.5TB license and wants my groups assistance in managing their deployment and maintaining their infrastructure.
We currently have over 300 active business users, running between 1000-3000 searches per day. All of these searches are powering 30 dashboards in advanced XML. With the addition of the security team's needs, we estimate searches being around 5,000 per day.
I have been told that advanced XML is depreciated in 6.0. With so many business users being impacted if this is the case, I am hesitant to make the switch. I know that our current dashboards work fine in our QA environment with advanced XML. Is there something I am missing? From what I have read on the forums and the documentation I only see that advanced XML is impacted when using some of the new features in 6.0, such as the pivot table feature.
Is this truly the case or have I missed something completely?
Preferably, we would hire Splunk to come in and do an evaluation of this. There is just no funds for that sort of project until second quarter of next year at the earliest. The mandate given to me by leadership has been to upgrade by the end of November at the latest.
... View more
11-10-2013
08:51 AM
2 Karma
Apparently there is a limit to how many times someone can flag spam on the message boards, 5 based on the message I am getting. I assume there is a good reason for this or else it wouldn't be there.
Over the past few days there has been an abundance of Spam regarding NFL games for streaming. Can one of the mods take care of these?
... View more
11-10-2013
08:34 AM
Are you trying to replace it everywhere or just inside individual apps?
... View more
11-10-2013
08:31 AM
Based on the above example:
rex field=uri "L1\=(?<L1>[\w\+\:\;\%\.]+)\&L2\=(?<L2>[\w\+\:\;\%\.]+)\&Ndr\=(?<Ndr>[\w\+\:\;\%\.]+)\&operator\=(?<operator>[\w\+\:\;\%\.]+)\&originalValue\=(?<originalValue>[\w\+\:\;\%\.]+)\&sst\=?<sst>\w+)
... View more
11-09-2013
08:29 PM
That will do it! Make sure you mark this as answered. It will give you come karma points and you should get a badge.
... View more
11-09-2013
02:03 PM
This is once case where I would open a ticket with Splunk. /opt/splunk/bin>splunk diag
upload that diag after creating a ticket here:Splunk Support Portal
... View more
11-08-2013
07:03 PM
That is what I did. I did have to delete a few of the index files to keep get the indexes to come back up afterwards.
... View more
11-08-2013
08:42 AM
http://search400.techtarget.com/tip/Dynamically-transfer-files-via-FTP
This is the script we started with.
... View more
11-08-2013
08:13 AM
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX = [\r\n]+
Truthfully, these setting should work fine...
... View more
11-07-2013
07:27 PM
If all of the Queue data is in the same extracted field, i.e. Output_Response, then you will need to preform an mvexpand on that field to make it appear as though each queue is a different event. At that point, you can extract the queue number via the rex command
| rex field=Output_Response "Queue\:(?<queue>\d+)" | timechart sum(Depth) as Depth by queue
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
