About jgauthier

jgauthier · ‎01-20-2012

Your indexer is getting bogged down. I'm not sure I can personally help much at this point. However, Splunk on Splunk was helpful in identifying the indexer load.

jgauthier · ‎01-20-2012

Have you checked your splunkd.log? Specifically for something like this: 12-02-2011 08:14:06.429 -0500 INFO TcpInputProc - Stopping port : 9997 12-02-2011 08:14:06.429 -0500 INFO TcpInputProc - Stopping port : 9998 12-02-2011 08:14:06.429 -0500 WARN TcpInputProc - Stopping all listening ports. Queues blocked for more than 300 seconds

jgauthier · ‎01-10-2012

That works, but it potentially gives anyone else in that group access as well. That is not preferred.

jgauthier · ‎01-10-2012

This is great. Thanks for the information. It's almost exactly what I am looking for, and I am going to figure out how to adapt it.

jgauthier · ‎01-10-2012

Greetings, I've set up LDAP authentication for my splunk installation. I would like to be able to add users specifically, but it appears when I do role mapping, I can only do groups. How can I specify a user to a role?

jgauthier · ‎01-09-2012

I wanted to follow up one this question. I did open a ticket and have beenw roking with splunk since November on it. The listener stopped because the indexer was clogged. Getting to figure out why the indexer was clogged took some time. Ultimately, we discovered the fishbucket was huge. Almost 3GB. Because of it's size, splunk was spending most of it's time searching the fishbucket. We cleaned the fishbucket and splunk started behaving normally. Now, the reason the fishbucket got so large was because I was putting a large number of files into a sinkhole. I just wanted splunk to scoop them up and index them. As it turns out, even though the sinkhole deletes the files, splunk still recorded the data so they would not be re-indexed. After so long, and so many files the fishbucket got so large. Splunk support has my data and is reproducing this so a bug can be logged. I have also put in an enhancement request that will allow the ability to bypass the fishbucket.

jgauthier · ‎01-09-2012

I'm not sure if what I would like to do is possible. Interaction: Execute a command from the command line. Result: Be emailed a link that point to a graph of the results. I can do this in the GUI. Run a command, "Show Report", customize the report, and then get an URL for the report. I'd like to automate the whole thing... from a command executed on the command line. Can I? Thanks!

jgauthier · ‎11-28-2011

I have opened a ticket on this issue.

jgauthier · ‎10-28-2011

Situation: I log into to splunk and find that data is not present when it should be. I log into the client machine with the issue and find it's no longer connected: tcp 0 0 192.168.74.5:40358 192.168.74.45:9997 TIME_WAIT I restart the client, and it doesn't change. It will not connect. I restart the server, and voila: tcp 0 0 192.168.74.5:39908 192.168.74.45:9997 ESTABLISHED This has been happening to me repeatedly for a few revisions of 4.2 (I've tried multiple subversions) currently I am running: Splunk 4.2.2 (build 101277) Is this a known issue? Can I provide more information? I don't want to have to babysit my data 😞 I have about 10-15 forwarders, and I never know which one it's going to be until I am missing data.

jgauthier · ‎08-22-2011

Ultimately, I want to use the username in dashboards. It doesn't have to be javascript, but I can't figure out any other way to obtain that from a dashboard.

jgauthier · ‎08-22-2011

This is not a full fledged answer, but it will be too long for a comment. I was able to get the username, when I thought about my original question. I can do this like this: $.ajax({ url: '/en-US/app/launcher/home', type: 'GET', success: function(msg){ var messenger = Splunk.Messenger.System.getInstance(); var start=msg.indexOf(" ", logged+12)+1; var end=msg.indexOf(String.fromCharCode(13), start); var username=msg.substring(start,end); // I have the username.. now what? } }); This is exciting. But now what? How can I expose this in a dashboard? Can the XML call a js function? Or otherwise make a variable accessible? Thanks!

jgauthier · ‎08-20-2011

I think I am very close to solving my ultimate objective. Which is obtaining the user name of the user logged in so I can customize dashboards based on the user logged in. http://splunk-base.splunk.com/answers/28869/my-username-in-the-dashboard Thanks for all the help so far.

jgauthier · ‎08-20-2011

This is great! But I can't get it to work. I can review the results of a search using this method: http://host:8000/en-US/splunkd/search/jobs/1313884823.2/results_preview Anything else gives me an error: Error loading stylesheet: A network error occured loading an XSLT stylesheet: http://host:8000/static/atom.xsl REST endpoints through 8089 for searching begins with /services. When using /splunkd it does not? I get that error using either: http://host:8000/en-US/splunkd/services/authentication/current-context/context OR http://host:8000/en-US/splunkd/authentication/current-context/context

jgauthier · ‎08-20-2011

That's great! Thanks! I will try that for searches. The pain behind this is that I am trying to access REST endpoints 😞 Unless there is a javascript module, I will have to do it this way somehow.

jgauthier · ‎08-19-2011

Greetings, I am working with the REST API, and have had some success from the command line. For instance: curl -u user:password -k https://s-splunk:8089/services/search/jobs -d"search=savedsearch%20Blocked_Sites" Works. I can see the job running in the jobs. I can pull the stats, and results as well. However, when I take this same thing and apply it in application.js, the search does not run. if (Splunk.util.getCurrentView()=="request_search") { $.ajax({ url: 'https://s-splunk:8089/services/search/jobs', type: 'POST', data: 'search=savedsearch%20Blocked_Sites', success: function(){ var messenger = Splunk.Messenger.System.getInstance(); messenger.send('info', 'splunk', "Job is running...."); } }); } It is returning 'success', as the info bar in splunk says, 'Job is running....'. Am I missing something?

jgauthier · ‎08-11-2011

At the top of splunk, I log in and see "Logged in as jgauthier". Is there anyway to expose that username in a dashboard? Very specifically, I would like to look at data specifically for the person that is logged in. So, I can expose a dashboard (for all users) but the queries that run return results only for the user that is logged in. Thanks!

jgauthier · ‎08-10-2011

Yup. My splunk server is Windows. (latest version of both)

jgauthier · ‎08-10-2011

This morning I opened a dashboard and was greeted with "results not found." I thought this was peculiar, so I started doing some digging and found that the server I was forwarding from had this in its log file: 08-10-2011 09:10:49.476 -0400 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying... 08-10-2011 09:10:53.799 -0400 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying... So, I began poking around, and could not figure out what was happening. Finally, I started to think it was the receiver on the indexer, so I tried to hit the listening port: jgauthier$ telnet 192.168.74.45 9997 Trying 192.168.74.45... Nothing. I tried from another system.. nothing. Not a "Connection refused", just totally not accepting. I restarted splunkd, and everything started working. I could not find any log files on the splunk indexer to help, because it started a few days ago and has since been scrolled from the log. Any suggestions?

jgauthier · ‎08-08-2011

How would I expose python code to the search bar?

jgauthier · ‎08-08-2011

Yes. The user logged into the web interface, potentially running reports.

jgauthier · ‎08-05-2011

Is is possible to pull the current user name for use in a search? For instance, a search that would do something like 'sourcetype="blah" user=$user | stats galore' My long term goal is to populate list =ers based on user, and their employees. That data would come from AD. I have authentication with LDAP already, so this should match up pretty easily. Thanks!

jgauthier · ‎08-05-2011

Is it possible to build a dashboard that will take user input, runs serveral searches, and displays multiple graph outputs? ... Without using post processing? the 10,000 post processing limitation is a deal breaker.

jgauthier · ‎06-14-2011

Hey all, How do I turn off the local windows splunk server from logging: S-SPLUNK.domain.com WMI:WinEventLog:Security 40653200 This is a copy of the index size it's used in 24 hours, which is 40M. -- significant. I want to disable it. Nothing seems to. I've removed the local monitoring, remote monitoring, etc. Something else is keeping this active that I cannot see in the GUI, I believe.

jgauthier · ‎06-14-2011

I'm not sure I understand "split into unique searches." and how it applies to this. Could you elaborate?

jgauthier · ‎06-13-2011

I've built a very small example to reproduce a problem I am having. Using this page as an example: http://www.splunk.com/base/Documentation/4.2.1/Developer/FormSearchPostProcess I've built a dashboard that looks like this: Requests search <searchTemplate>sourcetype="Exchange2010" sender="$sender$"</searchTemplate> <fieldset> <input type="text" token="sender"> <label>Sender</label> <seed>*</seed> </input> <input type="time"> <default>Last 30 days</default> </input> </fieldset> <row> <chart> <title>Requests over time for result set</title> <searchPostProcess>timechart count as "Requests"</searchPostProcess> <option name="charting.chart">column</option> </chart> </row> <row> <chart> <title>Top users in result set</title> <searchPostProcess>top 10 recipient</searchPostProcess> <option name="charting.chart">pie</option> </chart> </row> <row> <table> <title>Requests in result set</title> <searchPostProcess>sort - _time | fields _time, sender, recipient</searchPostProcess> <fields>_time, sender, recipient</fields> <option name="showPager">true</option> <option name="count">30</option> <option name="displayRowNumbers">false</option> </table> </row> </form> Regardless of the "Time" chosen, the query seems to abort just after hitting 10,000 rows. Is this a known limitation? Is there a configuration change I can make to get more? In some instances, this is only good for a day or two of data, and after that short data. for instance, I can select 30 days, but I really only get about 6. It always seems to stop short. I'm not sure why, but I never get more than 13,000 records. Thanks!

Posts	139
Solutions	5
Karma Given	5
Karma Received	30
Member Since	‎03-12-2011

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Splunk App for Web Analytics: How to resolve missi...

sideview multiple pulldowns

dbquery and variables

Splunk SSO change - no longer works.

apache virtual hosts - custom field?

Cold bucket move error

FSChangeMonitor errors?

Apache Dashboards?

iplocation missing after upgrade

Button on dashboard?

Re: Splunk server stops taking client data

Re: Splunk server stops taking client data

Re: Add LDAP user

Re: Command line, graph, URL

Add LDAP user

Re: Splunk server stops taking client data

Command line, graph, URL

Re: Splunk server stops taking client data

Splunk server stops taking client data

Re: REST and javascript not working

Re: REST and javascript not working

Re: REST and javascript not working

Re: REST and javascript not working

Re: REST and javascript not working

REST and javascript not working

My username in the dashboard?

Re: Forwarder stop accepting connections

Forwarder stop accepting connections

Re: current user in search?

Re: current user in search?

current user in search?

Dashboard, user input, graphs

WMI:WinEventLog:Security - make it stop

Re: Query Limit on a UI view?

Query Limit on a UI view?