Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About reed_kelly
reed_kelly
Contributor
Member since:
04-15-2011
03-06-2024
Community Statistics
| Posts | 125 |
| Solutions | 14 |
| Karma Given | 67 |
| Karma Received | 83 |
| Member Since | 04-15-2011 |
Activity Feed
- Got Karma for Re: Large lookup caused the bundle replication to fail. What are my options?. 11-20-2023 12:14 PM
- Got Karma for Max Value for bucket ID. 10-23-2023 10:52 AM
- Karma Re: I wanted to do one hot encoding on categorical variables for Machine Learning . How can I do that in Splunk? for aljohnson_splun. 10-12-2022 12:27 PM
- Got Karma for Re: Compare a date field with current date. 04-05-2022 07:45 AM
- Got Karma for Re: Compare a date field with current date. 11-30-2021 01:34 AM
- Got Karma for Re: Compare a date field with current date. 09-29-2021 07:25 AM
- Got Karma for Re: Compare a date field with current date. 08-18-2021 09:44 PM
- Karma Re: Parsing very long JSON lines for capnjosh. 02-24-2021 05:03 AM
- Karma Parsing very long JSON lines for leatherface. 02-24-2021 05:03 AM
- Karma Re: How to force shcluster member to send config from local dir (e.g. savedsearches.conf) to captain from cli or via rest for gots. 02-04-2021 09:52 AM
- Karma Automatic Lookup local=true for woodams. 10-08-2020 10:39 AM
- Karma Re: Distance between two Geocoordinates for MuS. 09-29-2020 09:11 AM
- Got Karma for Re: Match using OR statement. 09-15-2020 07:01 AM
- Got Karma for Re: Compare a date field with current date. 06-30-2020 10:35 AM
- Karma Re: How do I search multiple source types based on a lookup file? for osakachan. 06-05-2020 12:50 AM
- Got Karma for Re: How do I group events based on contiguous runs of field value?. 06-05-2020 12:50 AM
- Got Karma for How do I group events based on contiguous runs of field value?. 06-05-2020 12:50 AM
- Karma Re: How to auto-refresh the dashboard using splunk application? for martin_mueller. 06-05-2020 12:49 AM
- Karma Re: Specify time zone in static earliest and latest times for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Splunk Input List of All accepted Default Time Formats for richgalloway. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
10-10-2012
12:21 PM
This may sound silly, but we don't have the ability to see how some of our Universal Forwarders (UFs) are configured. They are running on AIX and sending their logs to a heavy weight forwarder (HWF) through a firewall port.
We do have access to the HWF. We know that data is flowing from these UFs to the HWF, because the HWF metrics.log shows group=tcpin_connections messages with the right hostnames and even showing os=AIX. These same messages occasionally show a _tcp_eps value greater than 1.
We have no access to the UFs without extensive effort. If these servers are sending data, then we need it. The data is encrypted, so we can't just sniff the data stream. Is there any way to see what indexes the UFs are attempting to use?
... View more
- Tags:
- universal-forwarder
10-05-2012
09:59 AM
1 Karma
Great for running multiple copies of Splunk on a server with no access to the Web interface.
... View more
10-03-2012
06:55 AM
We are havnig the same problem - even if Admin runs the same query. In fact, it seems to depend on how many rows are returned. If we return many rows, then the export returns this error more frequently. We have found that if we wait a minute or two, then we can click on the "Try Again" link in the message and it sometimes works. Also, if we cut and paste the link to the exported data, it starts to export. The queries that tend to do this also have many columns (80?).
We are running 4.3.1, build 119532 on our local search head in a globally distributed env.
... View more
09-26-2012
01:56 PM
1 Karma
It looks like sideview already answered this question:
Joining results from saved searches
... View more
09-26-2012
01:49 PM
I didn't think you can specify retroactive cron schedules. Cron schedules dictate when jobs will run in the future.
Did you look at backfill script ($SPLUNK_HOME/bin/fill_summary_index.py)?
Manage summary index gaps and overlaps
... View more
09-19-2012
02:51 PM
1 Karma
I forgot to add [search source=...] This is the syntax for a subsearch.
... View more
09-19-2012
06:46 AM
30 Karma
To get the current date, you can just add:
|eval timenow=now()
This gets epoch time into the field timenow. If you want to format it, you can use strftime:
|eval nowstring=strftime(now(), "%Y-%m-%d")
If you want to convert your date to an epoch time:
|eval epochdate=strptime(yourdate, "%Y-%m-%d")
You can also use relative_time to find the epoch value of 30 days ago:
|eval epoch30days_ago=relative_time(now(), "-30d@d" )
This could be used to do a direct comparison with the strptime value from above.
Finally, you can do the strptime and set it to _time. This would allow you to set the time range directly:
|eval _time=strptime(yourdate, "%Y-%m-%d") |search latest=-30d
... View more
09-18-2012
02:21 PM
You can query the lookup file first and then remove ones that you are receiving data from. Suppose that you had a search that returned the list of hosts that you are receiving data from like:
source=/data/unix/syslog.log os=linux | stats count by host |rename host as lookup_host|fields +lookup_host
Then you could use something like:
| inputlookup lookupfile |search NOT [source=/data/unix/syslog.log | stats count by host |rename host as lookup_host|fields +lookup_host] |fields +lookup_host
You can then create an alert if this returns any lines.
That should return
... View more
08-08-2012
01:27 PM
In that case, you can replace the fields, dedup and table commands with:
|stats count by memberId, ApiKey
The blanks for ApiKey are strange, because you are testing for that above. You can always leave it off the stats command.
... View more
08-08-2012
12:24 PM
After "fields memberId ApiKey" just add:
|dedup memberId, ApiKey |table memberId, ApiKey
... View more
08-08-2012
08:08 AM
I didn't have a problem with it. I also changed the search to use gentimes for performance reasons (it doesn't need to hit indexes). Here is my subquery example:
index=_internal [gentimes start=1/1/00 end=1/2/00|eval user="*kelly*"|fields user]
... View more
07-12-2012
07:16 AM
I agree that this would be a nice enhancement. We have created a lot of independant scheduled searches along with emails of attached CSV reports. We could convert it all to a script, but we have tried to do everything natively.
... View more
06-12-2012
08:52 AM
2 Karma
It is becoming harder to submit cases, because our diag files have gotten very large. In the most recent case, the diag-xxxx-2012-06-12.tar.gz was about 570 MB. A lot of that is Hosts.data files extracted from the db folders. We frequently use the metadata commands for host lists per index, so we don't want to get rid of these as a rule, but having them bloat the diag file is not helpful.
I can unpack the tar.gz file and remove the Hosts.data files, but I was wondering how others have dealt with large diag files. Also, the files are still pretty large after removing Hosts.data.
... View more
- Tags:
- diag
04-25-2012
12:01 PM
Could there be a spurious NULL or ^Z at the end of the file? Did you try cutting and pasting the file into a new text file in Notepad and saving it from there?
... View more
04-25-2012
11:20 AM
Maybe there is a special character in the CSV file. If you are on a unix host, you could try the folowing:
strings orig.csv >new.csv
diff orig.csv new.csv
If the two files are the same, then they probably are plain text.
... View more
04-25-2012
11:10 AM
2 Karma
If you have a small number of groups in your AD, then you can just use something like: (objectClass=group) and restrict which groups actually have access with the role mappings. If the number is large (>1000), then you may be able to use wildcards like: (cn=group*)(cn=foo*), etc.. In fact, you could use a convention that AD groups with access to Splunk must be of the form splunk and use (cn=splunk*).
Nested groups does seems like a good approach, but I don't think that is supported.
... View more
04-24-2012
10:51 AM
I think you are referring to the Summary view in the Search app. This shows counts by sourcetype, but I want count by sourcetype,
... View more
04-24-2012
10:39 AM
I tried that, but
grep sourcetype $SPLUNK_HOME/var/log/splunk/metric*
doesn't return anything on the forwarder.
... View more
04-24-2012
08:59 AM
Thanks for your answer, but I think I wasn't clear enough. The heavy forwarder is not doing any local indexing. I want to know how much of each sourcetype it is sending on it's tcpout stream.
... View more
04-24-2012
07:25 AM
I see total volume for each forwarder, but not a breakdown of the sourcetypes coming from each forwarder.
... View more
04-24-2012
06:30 AM
We have a number of heavy forwarders sending cooked data to our indexers. We can get the total KBs sent by each forwarder by searching the metrics.log files. Is there a way to get a breakdown by sourcetype of data sent by each forwarder? Maybe this is a search that we can run from each forwarder?
... View more
04-20-2012
03:00 PM
One way to do it is to use a join on Serial and SN and then count the unique sourcetypes and look for results with 1 sourcetype of the kind you want. This may not be the most efficient way, but here goes:
sourcetype=A Serial=*|rename Serial as SN|join SN [search sourcetype=B SN=*]|stats first(_time) by SN,sourcetype|stats dc(sourcetype) as numst,min(sourcetype) as minst by SN|where numst==1 AND minst==A
... View more
11-04-2011
12:39 PM
Thanks, schoi. I was able to get firefox installed and run the search test. Unfortunately, I couldn't find the results. I'll take this offline as I don't want to use the comments to debug something that is probably specific to my configuration.
... View more
10-24-2011
06:11 AM
Is it possible to create a search Grinder test that doesn't depend on Firefox? Can the Grinder search test be based on CLI searches instead?
We have only headless Linux servers with fairly tight controls. We don't even have access to an external yum repository, so each RPM has to be loaded by hand.
... View more
- Tags:
- SplunkIt
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-06-2024
05:13 PM
|
Karma given to
