08-02-2013
06:45 AM
Here is a step by step for adding a csv file.
http://splunk-base.splunk.com/answers/29418/step-by-step-adding-a-new-csv-datasource
08-01-2013
02:08 PM
1 Karma
sourcetype="apache-access" | rex "(?i)\(.*?; (?P<fieldname>\w+)(?=/)" | search NOT fieldname="bot1" NOT fieldname="bot2" NOT fieldname="bot3" | top 100 fieldname
08-01-2013
11:45 AM
2 Karma
Sometimes DB Connect has some trouble flying straight, so to speak.
When you access database and database input configurations, it does matter how you get there. For example, if you go from the Launcher page to the Manager to the Inputs, then the changes you make do not go to the dbx local folder.
The short story is that you have two copies of the input stanza for that connection in different local folders.
Because of this, I have a strict habit of manipulating all dbx inputs from the dbx page.
08-01-2013
11:37 AM
It looks like you have a corrupt index (_internal).
You can run this command to check the index:
To check the metadata use this.
$SPLUNK/bin/splunk stop
$SPLUNK/bin/splunk cmd splunkd fsck --index _internal
To repair the metadata use this.
$SPLUNK/bin/splunk stop
$SPLUNK/bin/splunk cmd splunkd fsck --index _internal --mode metadata --repair
To rebuild the bucket use this.
$SPLUNK/bin/splunk stop
$SPLUNK/bin/splunk rebuild $SPLUNK/var/lib/splunk/_internal/pathtobadbucket
Here is a link to a page that describes how to go about repairing indexes.
http://wiki.splunk.com/Check_and_Repair_Metadata
08-01-2013
10:15 AM
I beg to differ. I just tested it.
If you comment out a common entry (line) from a lookup.csv (hence create a non-matching value), then As Is shows up in the results.
Are you sure you worded your question correctly?
You might want to verify that the value you are entering in the GUI is being sent to the right transforms.conf (perhaps you have a conflicting transforms.conf).
08-01-2013
09:41 AM
In Manager > Lookups > Lookup Definitions > your lookup
Have you tried Advanced Options with Min = 1, Max = 1, and Default (less than min) = As Is?
08-01-2013
08:14 AM
If you cannot access the server that holds the data and install/configure a forwarder on it with SSL certificates, then your best bet would be to go to the site, download the data from the site with the secure https connection and save it to a computer that does have a forwarder.
Verify the data is indexable (csv, key=value, etc...) and then monitor that directory/file.
08-01-2013
07:49 AM
1 Karma
When you run a query from the DBX console, does it timeout or show any errors?
Also, what type of database?
With a simple search, do a search for the most recent session ID or other unique field that is listed in the dbx query, and search all time.
08-01-2013
07:05 AM
1 Karma
With a simple search, do a search for the most recent session ID or other unique field that is listed in the dbx query, and search all time.
08-01-2013
06:51 AM
1 Karma
Good (for troubleshooting that is).
When you run a query from the DBX console, does it timeout or show any errors?
Also, what type of database?
08-01-2013
06:38 AM
Is it broken right now? Or have you reinstalled everything?
08-01-2013
06:30 AM
Using tail for a one-time file index routine is not the best way to go about it.
Try it from the command line - see this post
splunk-base.splunk.com/answers/6922/how-to-ask-splunk-to-index-a-file-using-the-cli
08-01-2013
06:23 AM
How do you get it working again?
Do you get data when you do a simple search?
Are the charts and dashboards scheduled?
07-31-2013
01:58 PM
2 Karma
Have you tried creating the query at the database and naming it, and then querying the name from DB Connect?
I know it is an extra step, but that is how we worked around it.
07-31-2013
10:14 AM
I think you need to be searching for bytesRx for bytes received, bytesTx for bytes transmitted, rcvd for bytes received within a connection, and sent for bytes sent within a connection from the syslog.
07-31-2013
09:54 AM
Is it a database that can be connected to Splunk with DB Connect?
Does it generate a log that contains data you can use?
Generally speaking Splunk can analyse any data.
07-31-2013
09:49 AM
It actually works very efficiently for me because I'm using dbx to monitor database logging. We use a tailing method and therefore the dbx is checking on a schedule, and each time dbx checks the database it generates a log entry. If we lose the connection to the database then we get an alert, and when the database is connected we are guaranteed that there will be events.
07-31-2013
09:43 AM
For some reason the Cron schedule was truncated. It should read zero space star slash one space star space star space star
07-31-2013
08:37 AM
1 Karma
The "-" is inserted by the web logger as a placeholder when there is no value.
Splunk puts the "-" in the field because that is what is in the log. Splunk will have no way of differentiating between cookie=null and no cookie.
07-31-2013
08:17 AM
1 Karma
You can create a search like:
index=yourdbxindex source=yourdbxsource
Save the search.
Create an Alert for the search:
Time: -15m@m now
Schedule: Cron 0 */1 * * *
Condition: If number of events is less than 1
Send Email: Enable
Email Address: your email address
This will check once an hour for data from your dbx source. Change the cron schedule to adjust the frequency.
07-31-2013
06:35 AM
Have you tried running it "as administrator"? 2008R2 is a very untrusting OS.
07-30-2013
01:26 PM
Is this a Windows server or a Unix server?
Have you used Splunk to look at the system and performance logs on the server?
07-30-2013
08:55 AM
Yes, there is a way to change the password without using the -password parameter.
See this article from Splunk:
docs.splunk.com/Documentation/Splunk/5.0.3/Security/Deploysecurepasswordsacrossmultipleservers