Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About jrballesteros05
jrballesteros05
Communicator
Member since:
04-10-2013
10-03-2023
Community Statistics
| Posts | 56 |
| Solutions | 4 |
| Karma Given | 23 |
| Karma Received | 8 |
| Member Since | 04-10-2013 |
Activity Feed
- Karma Re: Props.conf & transforms.conf not working for apcsplunk. 06-05-2020 12:50 AM
- Karma Error migrating deprecated review status transitions for bestSplunker. 06-05-2020 12:50 AM
- Karma Re: Splunk Search content for a particular string for FrankVl. 06-05-2020 12:49 AM
- Karma Qualys Technology Add-on (TA) for Splunk: Files download, xml is in tmp, but don't show up in index for TonyLeeVT. 06-05-2020 12:49 AM
- Karma Re: evaluation with condition for 493669. 06-05-2020 12:49 AM
- Karma Re: Working with boolean operations like an arithmetic operation. for FrankVl. 06-05-2020 12:49 AM
- Karma Re: Remove "All" from Multiselect Input in Dashboard for ashleyherbert. 06-05-2020 12:49 AM
- Karma Re: A weird bug you have for burwell. 06-05-2020 12:49 AM
- Got Karma for Re: Splunk first setup failure. 06-05-2020 12:49 AM
- Got Karma for Re: How to refresh highlighted value choice in an link type input ?. 06-05-2020 12:49 AM
- Karma Re: How to generate a regex to find text and values greater than or equal to 2000001? for micahkemp. 06-05-2020 12:48 AM
- Karma Re: How to get date and time from this format? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to compare index data with a lookup? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Splunk DB Connect: How to configure the checkpoint value? for vsilchev. 06-05-2020 12:48 AM
- Karma Re: Can I have a universal forwarder listen on port UDP 514, if the indexer is already doing that? for jethompson_splu. 06-05-2020 12:48 AM
- Karma Re: How to fill a non existing field from other source for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: Regex searching using a csv list vs inline RegEx for micahkemp. 06-05-2020 12:48 AM
- Karma Re: What is the best way to monitoring too many files in Splunk? for starcher. 06-05-2020 12:48 AM
- Karma Re: How can I send logs from one universal forwarder to two different indexers depending on the logs type? for TStrauch. 06-05-2020 12:48 AM
- Karma Re: How do we analyze indexers/search head log? for TStrauch. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
08-07-2017
05:00 AM
Hello @sbbadri. Could you be a bit more specific? I did not understand what you meant. I appreciated your help.
I retake this topic because I have more time to learn more about this.
Thank you everybody 😄
... View more
07-05-2017
08:52 AM
Hi, I did everything in that post and I couldn't extend the lifetime. I just entered in the Indexer and extended the job lifetime manually in "Job settings". It is enough to me but If you know another way more automatically I would appreciate it.
... View more
06-29-2017
06:15 PM
Hello, I was trying and trying to export the data via REST API. I followed all the instructions from this thread:
https://www.splunk.com/blog/2013/09/15/exporting-large-results-sets-to-csv.html
But I see the jobs expire too soon when I export large data and I never get all the data I want because it sticks at 14% and 21%. I really don't know what to do. Is it a way to extend job expiration via curl or anything like that?
... View more
- Tags:
- splunk-enterprise
06-27-2017
01:57 PM
1 Karma
Hello, I know this thread is quite old but I have a question about the REST option. When I check the job activity I always realized the job expired. Is there a way to configure the expiration time in the REST API?
Best regards.
... View more
03-03-2017
08:50 AM
Hello, this is what I wanted!!!
I just changed this sentence:
| eventstats first(SOCIEDAD) as firstCapaSOCIEDAD
for this one:
| eventstats first(SOCIEDAD) as firstCapaSOCIEDAD by TXID
Thank you very much and also thanks to everybody who takes the time to reply my question.
... View more
03-02-2017
10:26 AM
Hello. Thanks for your reply.
I'm going to try this answer at night or tomorrow in the morning because I don't have access to the Splunk right now and I will tell you what happens.
... View more
03-02-2017
10:24 AM
Hi @woodcock.
Thank you for your reply.
I tried filldown in the @nickhillscpl's reply and I got a lot of falses positives with my search. I'm going to try the answer bellow and I hope that can help me.
Best regards.
... View more
03-02-2017
09:12 AM
The indexer must be listening in the 9997/TCP port, and the UF usually uses a random port to conect to the indexer.
You can check this in the indexer with this command (I'm assuming you are running your indexer over Linux):
ss -putan | grep 9997
You should get something like this:
root@myindexer~# ss -putan | grep 9997
tcp LISTEN 0 128 *:9997 *:* users:(("splunkd",28307,42))
tcp **ESTAB** 0 0 yourindexerip:9997 youruniversalforwarderip:**33809** users:(("splunkd",28307,185))
In my case the port "33809" is any port that UF takes to connect with the indexer. You also may have your connection right and you are not seeing the UF in the deployment server because the connection is in the 8089TCP, maybe you are receiving logs but you are not be able to control the UF remotely.
... View more
02-28-2017
02:24 PM
There can be many reasons:
Firewall: You said you opened the ports and I believe you, so I would discard this one.
Internal Firewall: You did not mention if you are running splunk over Windows or Linux but I am more experienced on Linux and I normally like configuring my own firewall in the Linux Server, especially in Centos. So, you should check if your Indexer is not running a firewall.
If your Indexer is running on Linux I recommend to check port with telnet from the Universal forwarder (You are talking about Active directory so I guest is a Windows Server) :
telnet yourindexerip 9997
You can also check connections from any Unix OS with nmap:
nmap -Pn yourindexerip -p 9997
Routing: Sometimes you cannot reach the indexer because of routing tables, in my opinion we only have to configure the default gateway but sometimes for many reasons people configure static routes in servers, so I think you should run a traceroute or tracert between the Windows Server and the Indexer.
tracert yourindexerip
If any of the reasons above cannot help you, you should be more specific and we try to help you. I'm guessing your problem is communication but can be something else.
Best regards.
... View more
02-24-2017
11:51 AM
1 Karma
Hi, sorry if I misunderstood.
Is that a multiline event? If so, you should use this one:
.*?\)\s+(?P<description>.*?)\n
... View more
02-24-2017
11:34 AM
This one seems to work for me:
.*?\)\s+(?P<description>.*)
... View more
02-24-2017
11:23 AM
Hi, I tried both and the second one is the closest to what I need. It worked well until I realised that sometimes logs from Layer 4 (Capa = 4) are indexed first than logs from other layers.
... View more
02-24-2017
08:35 AM
Hello, I will try this and I'll tell you.
Thanks for your reply.
... View more
02-24-2017
08:06 AM
Hello.
The field "SOCIEDAD" is different per country.
For example:
SOCIEDAD = CL* or SUCL for Chile. (Where * means any 2 digits number)
SOCIEDAD = PE* or SUPE for Peru.
SOCIEDAD = CO* or SUPROT for Colombia.
Sometimes I get this:
TXID Capa SOCIEDAD
0457f879-2d1a-4a00-8cc0-b0abda12a04d 1 CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 2 CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 3 SUCL CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 4 CL03
The mean reason I want to use values from Capa 1 or 2 is because those fields always give me an unique value, on the other hands Capa 3 can give 1 or more values.
... View more
02-24-2017
06:59 AM
Hello, thanks for your reply.
Sorry if I wasn't clear or if I need to be more specific.
The field "Capa" is the field I get from the Lookup and is never NULL. The field "SOCIEDAD" when the value Capa is equal to 4 is always NULL.
Basically, I want to fill SOCIEDAD from "Capa =4" with the values of SOCIEDAD from "Capa = 1" or "Capa = 2".
... View more
02-24-2017
06:39 AM
Hello everyone, I have this search
(index=trans_xxx_mycountry sourcetype=trans_xxx_mycountry) OR (index=trans_yyy_all sourcetype=trans_all) OR (index=trans_zzz_all2 sourcetype=trans_all2) TIPO_MENSAJE=* TXID="*"
| eval TXID=lower(TXID)
| lookup Id_Capas SAT_CAPA as SAT_CAPA OUTPUT Capa
| eval t=_time
| stats values(SOCIEDAD) by TXID,Capa
I get this result:
TXID Capa SOCIEDAD
0457f879-2d1a-4a00-8cc0-b0abda12a04d 1 CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 2 CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 3 SUCL
0457f879-2d1a-4a00-8cc0-b0abda12a04d 4
I want to fill the value "SOCIEDAD" from "Capa=1" or "Capa=2" into the SOCIEDAD from "Capa=4" because the value does not exist there or sometimes is NULL. How can I do that? I've been googling it but I didn't found something similar for me. The TXID is the same in all events but it comes from different sources. Basically, I want this:
TXID Capa SOCIEDAD
0457f879-2d1a-4a00-8cc0-b0abda12a04d 1 CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 2 CL03
0457f879-2d1a-4a00-8cc0-b0abda12a04d 3 SUCL
0457f879-2d1a-4a00-8cc0-b0abda12a04d 4 CL03
I have a solution with a saved search that is writing an external lookup but I want to know if I there is a better way to do that.
I would appreciate any help.
... View more
02-14-2017
01:58 PM
Hello everybody. I am glad to tell you your answer helped me a lot. I finally made my own script that uses rsync to get only the new files and mix all the files into one log in /var/log/transacciones/, then I use logrotate to rotate the files.
Thank you very much for your help.
... View more
02-14-2017
07:35 AM
Hello esix. You gave me an hint with the batch input (I didn't remember that kind of splunk input). I think the batch input can help me because the customer have already made a script that clean the SFTP everyday. If I cannot ingest the data properly I will make my own script to copy those files to a local directory and I will use batch input with "sinkhole" option.
I will try and I'll let you know. Thank you very much guys 😄
... View more
02-13-2017
02:56 PM
Hello, thank you for your reply.
I only have read access to the files in the FTP so I cannot use tools like logrotate, I recently spoke to the customer and he said he runs a script that move all the files out the path and it keeps only files from one day. For example I have around 4000 files but Splunk it's not reading those files in real time.
I'm monitoring transactions logs and I received around two files per transaction, every file have around 10 lines and I don't expect the files to update.
Of course every file has a structure like this:
BusissnessUnit_Operation_TransactionID_Date_IN
BusissnessUnit_Operation_TransactionID_Date_OUT
This is a file sample (It is in Spanish):
-rw-rw---- 1 51194 1002 312 Feb 13 17:50 acreedor_consultar_C6EC1A3C-F23E-11E6-B6B3-0A42036A0000_20170213175034_SALIDA
-rw-rw---- 1 51194 1002 301 Feb 13 17:50 acreedor_consultar_C6EC1A3C-F23E-11E6-B6B3-0A42036A0000_20170213175034_ENTRADA
I don't know if the structure can help splunk to check files by date.
... View more
02-13-2017
10:45 AM
Ok, you can use this regex.
\S+\/(?P<filename>.*?)\..*?\s+
... View more
02-13-2017
10:31 AM
Hello, if you only need the filename. I would do it in two ways.
If the filename comes with the metadata "source" you can extract in the props.conf and create a new field:
EXTRACT-filename=\S+\/(?P .*?).txt in source
If the filename does not come with the metadata "source", you can use the
index="ti_is_st" sourcetype="xfer_log" URI=* Status=* IP_Address=* File_Size=* Service_Account=| rex field=_raw "\S+\/(?P . ?).txt" |search fileName="" Service_Account=""|table _time IP_Address Service_Account fileName File_Size Status |replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in Status
In the two ways, the key is the regex you are using. I tried "\S+\/(.*?).txt" in regex101.com and it worked for me.
I hope this help you.
... View more
02-13-2017
09:07 AM
Hello, I don't understand the question very well (Maybe is my English :D) but I think you want to extract this:
/dirlevel1/dirlevel2/dirlevel3/dirlevel4/chr 2610 4109.txt
Am I right?
I think your problem is regex, if you help me with more information I might help you.
... View more
02-13-2017
08:36 AM
Hello everybody.
I have a problem with monitoring multiple files in a Heavy Forwarder. I mounted a folder with sshfs and I monitoring transactions files but the software always create a file per transaction, and I receive almost 3000 files per day. The HF does not have problem monitoring files from 1 day (3000 files) but when I start receiving files from the second day (6000 files) the HF cannot handle it, I executed a "ls" command and I never get a response from the server, when something like this happens, the customer always rename the folder and the HF start working again so I decided to split those files in different directories per day or maybe per hour but I'm not sure if the HF forwarder can handle it without problems.
Does anyone can tell me, based on their experience, what is the best way to monitoring those files?
Is it a good idea to split the data in different directories? Is Splunk not going to have any problem monitoring different directories?
I read this thread and it helped me to monitoring multiples files but I did not see something about monitoring too many files.
https://answers.splunk.com/answers/220025/what-is-recommended-to-monitor-multiple-files-in-t.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
Any help will be appreciate.
This is an example of my inputs.conf file:
## ECC Events
monitor:///home/splunk/sshfslogs/XXX.XXX.XXX.XXX/ecc/splunk]
disabled = 0
sourcetype = mysourcetype_ecc
index = my_index
host_segment = 4
## PO Events
[monitor:///home/splunk/sshfslogs/XXX.XXX.XXX.XXX/po/splunk]
disabled = 0
sourcetype = mysourcetype_po
index = my_index
host_segment = 4
... View more
01-23-2017
12:44 PM
I also voted for your answer because it helped me when I was building the dashboards. Thank you very much.
... View more
01-23-2017
12:21 PM
1 Karma
Hi, I am completely sure. I was trying with Opera browser and I had the problem I mentioned before but when I try with Firefox and Chrome it works perfectly. I read the Splunk doc and I've just realised that Opera is not listed in the supported browsers by Splunk.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Installation/Systemrequirements
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-03-2023
07:12 AM
|
Karma given to
