Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About asarolkar
asarolkar
Builder
Member since:
11-08-2011
06-05-2020
Community Statistics
| Posts | 174 |
| Solutions | 3 |
| Karma Given | 59 |
| Karma Received | 32 |
| Member Since | 11-08-2011 |
Activity Feed
- Got Karma for renaming fields in search. 09-23-2021 06:17 AM
- Karma Re: Benefits to an upgrade from 4.3.2 to 4.3.3 for Drainy. 06-05-2020 12:46 AM
- Karma Re: OS Browser Stats onto a custom dashboard for sideview. 06-05-2020 12:46 AM
- Karma Re: Substracting chart contents over a range for jonuwz. 06-05-2020 12:46 AM
- Karma Re: REGEX for nullQueue in transforms.conf for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Multiple filters in multiple sourcetypes to be pushed to nullqueue for sdaniels. 06-05-2020 12:46 AM
- Karma Re: Multiple filters in multiple sourcetypes to be pushed to nullqueue for sdaniels. 06-05-2020 12:46 AM
- Karma Re: Multiple filters in multiple sourcetypes to be pushed to nullqueue for jbsplunk. 06-05-2020 12:46 AM
- Karma Re: Change sourcetype/index after data is indexed from forwarder for yannK. 06-05-2020 12:46 AM
- Karma Re: Sample search to look over data using stats, dedup and bucketing for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: Google Maps does not work on my splunk indexer for ak. 06-05-2020 12:46 AM
- Karma Re: Google Maps does not work on my splunk indexer for ak. 06-05-2020 12:46 AM
- Karma Re: Google Maps does not work on my splunk indexer for ak. 06-05-2020 12:46 AM
- Karma Re: Timechart or stats or lastTime for Ayn. 06-05-2020 12:46 AM
- Karma Re: Timechart or stats or lastTime for Ayn. 06-05-2020 12:46 AM
- Karma Re: Benefits to an upgrade from 4.3.2 to 4.3.3 for kallu. 06-05-2020 12:46 AM
- Karma Re: Question about constant and eval and stats for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Sideview App for CDR : open questions for sideview. 06-05-2020 12:46 AM
- Karma Re: Sideview App for CDR : open questions for sideview. 06-05-2020 12:46 AM
- Karma Re: Sideview App for CDR : open questions for sideview. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 2 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 7 | |||
| 0 | |||
| 0 |
09-12-2012
03:02 PM
sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes | transpose | rename "row 1" as count ???
... View more
09-12-2012
01:27 PM
So, how would you recommend I frame my search.
A timechart is not desired here but just a chart.
... View more
09-12-2012
12:54 PM
I have a query like this - which charts the number of grapes and pears in a fruit cart
sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes
The InStock amount is the total number of fruits that is UNRELATED to the number of Pears and Grapes.
When I put this up on a dashboard, NO bar appears for the InStock Value of 10. I see numPears and I see numGrapes.
Any ideas so as to why this CONSTANT value would not display on a chart ? It might sound stupid to even have it there, but I need for it to show for comparison.
... View more
09-10-2012
12:44 AM
I think you may have misunderstood my question (although I do see your point generally).
The search that you framed in the first part of your response works. It gives me all accounts that match the filter - I can VISUALLY substract these from the total 10 and voila ! the balance are accounts that FAILED.
However, my problem is that the total number of accounts is actually 500.
I dont want to do a visual inspection (there's 250 successful accounts in the ACTUAL search) but rather find a way to NOT that regex.
Make sense ?
... View more
09-10-2012
12:23 AM
I have a search that filters out the value of account number from a log entry USING A REGEX extraction -->
sourcetype="SysLog" | rex field=_raw "To BOA-(?<accountno>\d{1,11})" | dedup accountno
This works as expected which is great. Anywhere where this REGEX is met, this works like a charm and churns out the account no
Now, I have been asked to ONLY APPLY this search to a set of 10 account numbers.
So I change the search to this:
sourcetype="SysLog" | rex field=_raw "To BOA-(?<accountno>\d{1,11})" | search 1 OR 2 OR 3 OR 4 OR 5 OR 6 OR 7 OR 8 OR 9 OR 10 | dedup accountno
Which works as expected as well.
Assuming that CURRENTLY this search only gives me accountno = 4,5,6,7 [ We are assuming that ONLY for those 4 accounts, did the REGEX churn out an account no] ---->
----> How do I then get any account number THAT WAS NOT FILTERED by that regex ?
Meaning, i want to modify the SECOND search above so that it gives me failed accounts -> 1,2,3,8,9,10
How do I apply a filter using a regex - and then NOT on that operation ?
... View more
08-15-2012
02:38 PM
1 Karma
I have a date timestamp coming in as a string in this format
2012-08-08 11:29:03.727000000
This is extracted as a field called createDtTimeStamp
I want to simply extract JUST the date part from this field and use the following query:
... | eval createDt = strftime( strptime( createDtTimeStamp, "%b %d %H:%M:%S" ), "%m/%d/%Y %p")
This does not seem to work. Any ideas why ?
... View more
08-06-2012
01:31 PM
I have a log file entry that looks like this (this is the VERBATIM entry from the access log):
2012-08-06 13:25:02,159 INFO [Listener-5] Listener - DeviceData processed: execution-time=[540ms], message=[< ?xml version="1.0" encoding="UTF-8" standalone="yes" ? > < ns2:DeviceData xmlns:ns2="http://www.abc.com/DeviceData/" > < TransactionId>1234<\/TransactionId> ..... (the rest of the xml content followed by other typical access log data)
I dont know if this necessarily counts as a "XML LOG FILE" per se.
But if i want to extract the transactionId (highlighted in bold), I attempt to use xmlkv and it just fails:
sourcetype="access_c*" | xmlkv | table TransactionId
Is this the wrong way about this ? Should I just use regexes ? Any other Splunk commands that I ought to be using ASSUMING that this file does NOT qualify as a XML Log file ?
... View more
07-30-2012
02:09 PM
I have a search like this:
sourcetype="access_combined" /organizations/*/profitPercentage/profitValue POST 200
I am trying to get a cumulative sum of orgs ( in the log entry * replaces the organization Name)
I would like to exclude from this search (which is looking at access logs essentially) certain IP ranges. Its easy to simply append | where clientip NOT XXX.XX.XX.XX if it was just ONE IP.
In my case there's ranges, 6 of them actually. How would I go about that ?
For example, i need to exclude everything between 134.26.88.20 to 134.26.88.68 (and then similarly for 5 other such ranges). How would I go about that ?
... View more
07-30-2012
10:53 AM
Hi all:
It is possible to pipe the results of a temp csv file created in search (using outputcsv) > into a python script located at $SPLUNK_HOME/etc/apps/search/bin > and then pipe it back into Splunk ?
Note that the CSV file itself is an argument to the python script.
with open('data.csv', 'rb') as f:
reader = csv.reader(f)
So basically:
i) I want to take a search like this : sourcetype="access_combined" host="us-1" | outputcscv data.csv
ii) Then take the data.csv and pass it to a python script (not sure how to go about it)
iii) Then take the output of the python script (which looks like this) - and put it back in Splunk
ORG PROFIT%
1 10
2 5
5 7
Any suggestions would be appreciated
... View more
07-29-2012
04:54 PM
Are you referring to field extractions ?
I am not sure I follow what an "eventtype" is.
... View more
07-29-2012
02:36 PM
Hi. Did you ever get around to getting Splunk to run this python script ?
... View more
07-29-2012
02:18 PM
1 Karma
I have a savedSearch like this which I want to put up on a dashboard in the form of a pie chart.
sourcetype="access_combined" host="us1-p01" | transaction clientip useragent | stats count as browserHits by useragent
We do not wish to use the web intelligence App !
My problem is that the aforementioned search gives me the results with a (barebones) useragent count only:
"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040416 ipMonitor/10.6"
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html"
I want to be able to display all statistics gathered (see below) in the form of a pie chart:
RECOGNISED BROWSERS
IE 7: 84 (19%)
Chrome: 49 (11%)
Safari: 8 (2%)
Firefox 5: 1 (0%)
Firefox 6: 0 (0%)
Firefox 7: 0 (0%)
Firefox 8: 0 (0%)
Unknown Android Browser: 3 (1%)
I know you can use python scripts , but I guess I am not entirely sure of the specifics of how to go about it ?
As I understand it, its a three step process
i) Write the results of the aforementioned search into a log file
ii) Write a python program ( https://github.com/tobie/ua-parser/blob/master/py/ua_parser/user_agent_parser.py ) to convert user-agents into browsers names that contain the VERSION+OS.
iii) Pipe these stats back to Splunk and put them results on a dashboard.
As it turns out this is much harder than it sounds.
... View more
07-25-2012
05:59 PM
I am trying to set an alert that notifies the admin of a situation when we dont get any data from syslog (no messages on udp:514) :
Alerts based on the following searches seem to be failing:
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput series=syslog | eval flag= if(isnull(kb) OR len(kb)<=1,"Y","N") | table flag | search flag="Y"
sourcetype=syslog | timechart count span=1d | search count=0
Neither seems to be working out (there is no data written to that sourcetype which clearly one of the two ought to capture)
Any other/ideas suggestions ? I do not want to use deployment monitor (unless IN deployment monitor, there happens to be a way to configure an alert when it sees a missing sourcetype/no data from sourcetype ) ?
... View more
07-24-2012
03:32 PM
1 Karma
I need to create a dashboard which involves capturing Performance Data for Linux instances.
A UF (Universal Forwarder) with the *nix app configured is installed on the Linux instances which pushes data into a central Windows Indexer.
For one of those linux host instances, AMERICA-3, I took the standard query under Splunk>*nix>CPU>CPU By Host > Load Factor and modified it to the following:
index=os sourcetype=vmstat host=* | multikv fields loadAvg1mi | search host="AMERICA-3" | timechart span=5m avg(loadAvg1mi) by host | sort _time
However, this gives me certain values for the loadAverage PER minute that are in excess of 1.000 and 2.000 (loadAvg1mi is usually between 0.000 and 1.0000). I am not sure what loadAvg1mi measures in the context of multiple CPUs and I need to understand that better.
What I am trying to do is the LINUX equivalent of the following CPU Load related metrics for WINDOWS machines (provided also out-of-the-box by Splunk):
sourcetype="Perfmon:CPU Load" | timechart avg(Value) by host | summaryindex spool=t uselb=t addtime=t index="summary" file="winCPULoad_556591856.stash_new" name="winCPULoad" marker=""
Based on my research, there are these other two queries that I could also try:
index=os sourcetype=vmstat host=* | multikv fields memUsedPct | search host="AMERICA-3" | timechart span=5m max(memUsedPct) by host | sort _time
index=os sourcetype=top host=* | multikv fields pctCPU COMMAND | search host="AMERICA-3" COMMAND="java" | timechart span=5m max(pctCPU) by host | sort _time (I only care for the java process)
Not sure if either query gives us the accurate figure.
... View more
07-24-2012
11:57 AM
Hi there:
Thanks a bunch for your response !
Sorry for the delay in getting back to you. We have been busy in some non-Splunk-related work and I did not have an opportunity to get back to you.
I can independently capture JVM metric data using other tools or perhaps a standalone client that captures and pushes this data via UF. That attribute can be extracted in several ways and the fact that it is not provided by default within sideview is not a dealbreaker.
Switching gears to the advice that you provided about staying away from Universal Forwarder (UF) based indexing of CDR and CMR data, I would like to research this a bit further before I get back to you.
I need to fully understand how the 'external billing server' mechanism works. Based on what I know about our architecture, the Windows CISCO instance where the logs(by logs I mean CDR and CMR data) get generated will be different and separate from our Windows Splunk indexer instance that captures data all data sent to it from every instance on which a LF is installed.
Without a UF on the CISCO box, how would these metrics be relayed from the CISCO instance to the Splunk instance ?
Can you perhaps provide some insight into this ?
Also and this is a separate THIRD THREAD, if you could speak to how the license purchase system works -- in terms of buying licenses for sideview apps a-la-carte (say one were to purchase a license for Splunk for Cisco CDR and Splunk for WinSSHD ONLY). How does that compare in terms of price points, to buying a license for just SideView Utils which can do the work of all the other apps combined ? What are the price points and what is the benefit to going one way or another ?
Thanks.
... View more
07-23-2012
10:49 AM
The web intelligence app comes with two kinds of statistics for capturing the # of browser profiles that are accessing the Deployed Application :
i) RealtimeBus - Browser Stats
ii) ReportBus - Browser Stats
I was trying to look through the documentation here:
http://docs.splunk.com/Documentation/WebIntel/1.0Beta/User/RTdashboard
And as I understand it, the FORMER runs against real-time data over a one minute sliding window whereas the LATTER runs against summarized data.
Can someone explain to me what those phrases mean ? If you are setting the time interval explicitly in the drop down menu, does it matter which one is selected ?
... View more
07-20-2012
11:15 PM
I want to create a user with more privileges (Capabilities) than a power role but less than an admin role.
If you go to Manager > Access roles > Roles, you can create a new role and configure it as you wish.
There are several ways to go about it from a sysadmin point of view.
You first define a new role under Selected roles and call it admin_lite.
Im unsure of the approach to take to configure this new role :
The first approach says I do not need the new role to inherit admin, power or user.
The second approach says I inherit power and NOT add any capabilities on top of that.
Is it necessary for us to define an inheritance when creating a new role ? Inheritance merely gives you a set of capabilities and you cannot add new capabilities outside of what is CUSTOM to the "power" or the "user" inheritance.
Q. What are the advantages to picking an inheritance / or just not picking one ? How would you set "inheritance" and "capabilities" ?
This is a best practices question. Because of the nature of this hybrid role, which we want to custom-define, we need to understand how inheritance/capabilities work.
... View more
07-19-2012
09:34 PM
Its like catalina.out from tomcat
MINUS the timestamps, which presents a challenge in its own
... View more
07-19-2012
09:22 PM
I have a .out DUMP file generated by Bamboo Logs -- that I want to monitor in Splunk.
I need to filter out certain content and then push over the rest to Standard Out via the universal forwarder onto the indexer.
What is the best way to go about this ?
A few options :
i) Convert the .out file to a .log file and filter out content using some process (not sure how) I could use a nullQueue setup on the indexer that will filter out whatever should not be indexed in splunk
ii) Point the configuration on the universal forwarder DIRECTLY to the .out file
[monitor://C:\Location]
disabled=1
followTail=0
sourcetype=dumpFile
whitelist= \.out$ | \.out[0-9]*$
I have been trying to get alternative (ii) to work -- but the dry run was largely unsuccesfull
iii) Somehow write the content of the .out file to sysout
Suggestions are appreciated : ) thanks !
... View more
07-18-2012
09:27 AM
Forgive me for asking but I am not entirely sure where to set that on the forwarder config.
I am guessing its in one of the conf under /etc/system/local.
... View more
07-17-2012
04:51 PM
Hi there:
We are assessing the efficacy of a third-way solution.
This involves putting a network firewall between the forwarder and the indexer. Data will keep getting pushed to the indexer on 9997 but will never make it all the way to the indexer.
This way that data is not "lost" and will be re-indexed when this temporary firewall is lifted AND we are not blocking 9997 for all the other forwarders that want to push data.
What say you ?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
