About Genti

Genti · ‎01-11-2011

Tried this and it seems that the BOM flag is not set. Will work with Sorkin to find out why.

Genti · ‎01-11-2011

Yes, that configuration is possible, however it is a bit tedious work and should be setup by a splunk expert as it is prone to a lot of mistakes. The important thing here is this attribute: targetRepositoryLocation Please check this page for more info. The idea is you need to setup the 1st level deployment server to send the data to the "/deployment-apps/" directory instead of the /apps/. The answer to your second question is : YES.

Genti · ‎12-29-2010

firstTime , as the name says, is the first timestamp the indexer sees an event from a host. lastTime , is the latest timestamp the indexer has seen an event from a host. recentTime , is the most recent timestamp the indexer has seen an event from a host. Shouldnt recentTime and lastTime be the same thing then? - No, in most cases, when the data is streaming live, these are equal, however if the data is historical, then these are (could be) different. Here is an example to illustrate the differences: Assume we have host xyz which will send 3 events in the following order. The first one has a timestamp of 100, the second one a timestamp of 200, and the third one has a timestamp of 150. Here is a table showing how the specific times will appear: event | timestamp | firstTime | lastTime | recentTime ----------------------------------------- 1st | 100 | 100 | 100 | 100 2nd | 200 | 100 | 200 | 200 3rd | 150 | 100 | 200 | 150

Genti · ‎12-29-2010

I found that the docs were lacking in defining and explaining this. On a ! metadata type=hosts search, what do firstTime, lastTime, and recentTime stand for, and how are lastTime and recentTime different?

Genti · ‎12-28-2010

the way the buckets work in 4.0 and later, is that data that belongs close together and is real time is put in one bucket. If then you add a data input that is old, then this will be put in a different bucket. This is so, in order to not have huge spans for buckets, so that searching is a lot more efficient. Having maxhotbuckets =1, you basically are placing all data, historic, or real time, into one bucket, and hence could cause your splunk instance to waste time in searches. If you set it to, say, 5 then the real data will be in one bucket, and depending on time of events, historical data will be placed in different buckets. If data is all real time, and no historical data is coming in, i would assume that you will only see one hot bucket at a time. However, if for example you have an event where the time doesnt get extracted correctly, you might end up with reading a wrong/different time, and as such you could have a second bucket pop up...

Genti · ‎12-28-2010

See this previous answer: http://answers.splunk.com/questions/8326/are-lookup-tables-indexed From limits.conf: [lookup] max_memtable_bytes = <integer> * maximum size of static lookup file to use a in-memory index for * Defaults to 10000000 10MB.

Genti · ‎12-19-2010

say i am running a search like this: | metadata type=hosts | eval FirstSeen=firstTime | eval RecentSeen=recentTime | eval seconds_since=now()-recentTime | convert ctime(RecentSeen) | convert ctime(FirstSeen) | eval hours=floor(seconds_since/60/60) | eval minutes=floor((seconds_since-hours*60*60)/60) | eval seconds=seconds_since-hours*60*60-minutes*60 | fields host, source, sourcetype, FirstSeen, RecentSeen, hours, minutes, seconds It's basically grabbing the info from the metadata file (hosts.data) and telling me when was the first time and last time a host send data my way. Then i am calculating how many seconds ago this was, and calculating it in hours, minutes and seconds. Thats all dandy and works perfectly. Notice however that i would like to see the source and sourcetype for this last event that came from that host. I know that i can run | metadata type=sourcetypes/sources and get similar information, but i have a feeling that i should be able to, perhaps using a subsearch?, get the source/sourcetype info some way.. For example, i can use a search like: " _time=<somenumber scrapped from recentTime> | table source, sourcetype " but am failing in passing the necessary data from one search to the other. Also, is there a better way of getting "hours, minutes, and seconds" in my search above? TIA .gz

Genti · ‎12-10-2010

I do not think that is an issue, see updated answer above

Genti · ‎12-10-2010

well, no, you have to be careful here. This means that you are receiving internal data. What about your OTHER data. Are you receiving the logs from the files that you already included in your data inputs?

Genti · ‎12-09-2010

What exactly is the regex you are using. Is it the same as in question 8028? That regex [^\.\s]+\.[^\.\s]+$ is built so that it grabs the last two portions of a hostname. You need to make sure that your regex then doesnt just grab the last 2 portions but the last three. now, you also need to be careful, because you might have non-uk hosts, in which case the domain is only the last two portions, such as whatever.com . Perhaps then a more complex regex that grabs the following might work for you: ([^\.\s]+\.co\.[^\.\s]+$)|([^\.\s]+\.[^\.\s]+$) In my quick test for the following: boo.com foo.bar gentoo.what.bar what.are.you.talking.about gentoo.co.uk the above regex captures: boo.com foo.bar what.bar talking.about gentoo.co.uk This regex however takes in consideration only those domains that will have .co., if you have other domains that will be used you might want to change your regex to accept whatever other middle portion of the domain might be. Hope this helps.

Genti · ‎12-09-2010

So, when you go to Manager » Data inputs » Files & Directories do you see the file/directory you added as listed? And does it show a number of files next to it? Is this directory perhaps owned by a different user and the splunk service does not have appropriate permissions to monitor/read the files within? Are you searching using the "all time" time-range? Perhaps this is historic data and not showing up in the timeframe you are searching? Lastly, if you search for "index=_internal" , do you see any data show up?

Genti · ‎12-09-2010

Glad that worked! Cheers! 🙂

Genti · ‎12-08-2010

try adding the <fields>_time, host, source, sourcetype, field1, field2,etc..</fields> attribute right under the search that populates the dashboard. see if this helps

Genti · ‎12-08-2010

maybe this will do: index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name Update: I think there is either something you are missing, or perhaps you are not running any of the scheduled searches on the search head. I changed the search slightly to include the host as well as the savedsearch name and user. here is the search i used and my output: index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host > user savedsearch_name host count > 1 admin internal bigmac 2 > 2 admin testingsss lilmac 4 > 3 nobody Indexing workload bigmac 245 > 4 nobody Indexing workload lilmac 1496 > 5 nobody Top five sourcetypes bigmac 245 > 6 nobody Topfive sourcetypes lilmac 4501 note: Indexingworkload and TOP5Sourcetypes are the default scheduled savedsearches that come shipped with splunk. i just scheduled some more savedsearches, one on the indexer, one on the search head, and they both ran, and as you see, i see them both on my search results. lilmac=search head, bigmac=indexer. Disclaimer: bigmac has got nothing to do with the "burger" 😉

Genti · ‎12-08-2010

Try placing your dashboard here (or on paste-it) and lets see if we can reproduce this issue.

Genti · ‎12-07-2010

Are you using IIS W3c? if so check this: http://answers.splunk.com/questions/1425/timezones-iis-w3c-extended-logging-why-dont-they-work Otherwise check: http://www.splunk.com/base/Documentation/4.1.5/Admin/Applytimezoneoffsetstotimestamps cheers!

Genti · ‎12-07-2010

awesome awesome awesome!!!

Genti · ‎12-07-2010

| sort _time, that is, no - sign...

Genti · ‎12-07-2010

i tried that, and then i tried * | sort -_time and this seems to be faster. I am unaware of a command that is the opposite of head...

Genti · ‎12-07-2010

When you create a data input for the TCP or UDP incoming syslog events at Manager » Data inputs » UDP » Add New you can also set the host you desire the data to come in. The options are: . ip -sets the UDP input processor to rewrite the host with the ip address of the remote server . dns - sets the host to the dns entry of the remote server . Custom - Sets it to a custom value. You either need to fix the dns for the two types of data, or you can set them both to the ip, and then tag the ip with the host name you desire, or you can set up a custom name for these two hosts. Either of the three choices above should fix your issue. Make sure to restart the server after you make any changes to these configurations. Cheers

Genti · ‎12-05-2010

What fields are showing up by default and What fields are you looking for? Try adding this right underneath your searchTemplate: <fields>My-first-field, my-second-field, etc</fields> So your xml should be: <row> <table> <title>JAMBAJUICE</title> <searchTemplate>EventCode=644 OR EventCode=4740 Caller_Domain="DOMAIN" NOT (term OR Term) | stats count by user</searchTemplate> <fields>My-first-field, my-second-field, etc</fields> <option name="showPager">true</option> <option name="count">20</option> </table> </row>

Genti · ‎12-05-2010

This was brought to support's attention last week. It's an intentions issue and this behavior is already fixed on 4.2 Perhaps it will also be fixed in the next maintenance release, you could try creating a case with support so that your issue gets logged as well. Cheers

Genti · ‎12-05-2010

What OS are you on? Also, splunkd and splunkweb are not separate programs/installs, they only are separate processes. Are you saying that you do not see splunk installed (say if your on windows on your add/remove programs)? Or are you saying that you do not see the services running (again assuming you are on windows)? Did you try a clean install, ie. totally uninstalling the current splunk version that is installed on your box and cleaning up all splunk related directories (be careful if you actually care about the data indexed) and then installing splunk clean? If you offer some more details to you question you will be getting more concrete and to-the-point answers... Cheers

Genti · ‎12-03-2010

its hard to tell what went on with your configuration, however it seems that you were not correct when saying: "I started searching for other copies of the file, all were empty" Somehow you had multiple outputs.conf files, the one that you deleted and the one that was residing in the search app. Next time, you might want to run the following command and make life easier for you: ./splunk cmd btool outputs list --debug This will tell you exactly what output.conf stanzas exist and where they are residing.

Genti · ‎12-02-2010

i dont think the customer cared for those epoch timestamps, they were fine with the timestamp becoming the actual index time, but still wanted to extract the "Day" field..

Posts	377
Solutions	82
Karma Given	153
Karma Received	345
Member Since	‎05-04-2010

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Search help: remove intersection of two sets from ...

When creating a diag, splunk complains about splun...

How can i modify flashtimeline so that i can show ...

How to monitor .dat.gz files?

time format for results in en-US vs en-GB

on a '| metadata type=hosts' search, what do each ...

how to get host, sourcetype and source from a sing...

(search time) extracted field not showing up on th...

date_* fields not being extracted

Using the Rest API endpoint, how do i know if a se...

Re: Can the Export function export csv file in BIG...

Re: Tiered Deployment Servers, is it possible?

Re: on a '| metadata type=hosts' search, what do e...

on a '| metadata type=hosts' search, what do each ...

Re: Why set maxHotBuckets > 1 in indexes.conf?

Re: At what point do very large lookup files (csv)...

how to get host, sourcetype and source from a sing...

Re: one liner to get list of scheduled searches as...

Re: Installed Splunk but no Data!

Re: Revisiting REGEX to extract domain name from a...

Re: Installed Splunk but no Data!

Re: Data Table field changes for Dashboards

Re: Data Table field changes for Dashboards

Re: one liner to get list of scheduled searches as...

Re: Dashboard graph format problem

Re: IIS Log - Timezone

Re: Opposite of "head" ?

Re: Opposite of "head" ?

Re: Opposite of "head" ?

Re: Problems with syslog and splunk

Re: Can't sort table results from a form search

Re: order of sub searches changed when using saved...

Re: Re-Installation Problems.

Re: After disabling a Forwarder, it keeps talking ...

Re: date_* fields not being extracted

Join the Conversation