Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About kristian_kolb
kristian_kolb
Ultra Champion
Member since:
05-10-2011
08-20-2025
Community Statistics
| Posts | 2153 |
| Solutions | 395 |
| Karma Given | 1033 |
| Karma Received | 1584 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: Double scrollbars in search results. 08-20-2025 09:12 AM
- Karma Re: List deployment client showing "no clients contacted the server" for isoutamo. 03-03-2025 12:28 AM
- Got Karma for Re: What are the difference between regexp command and interactive field extractor regular expression pattern?. 02-27-2025 07:36 AM
- Posted Re: List deployment client showing "no clients contacted the server" on Deployment Architecture. 02-13-2025 05:18 AM
- Got Karma for Re: how to exclude indexing files starts with dot (.) and ending with .swp?. 05-28-2024 04:54 AM
- Got Karma for Re: How to implement "NOT IN" in Splunk. 05-15-2024 02:55 PM
- Got Karma for Re: eval and range. 08-24-2023 05:23 PM
- Got Karma for Re: Compare day to same day for N weeks. 08-10-2023 07:55 AM
- Got Karma for Re: find the difference between two date/time values. 07-02-2023 07:22 AM
- Got Karma for Re: Forwarder capacity?. 05-10-2023 12:51 AM
- Got Karma for Re: What are the difference between regexp command and interactive field extractor regular expression pattern?. 01-10-2023 01:51 AM
- Got Karma for Re: Where can I find my sourcetype definitions?. 12-07-2022 11:12 PM
- Got Karma for Re: Searches to detect buckets going to frozen. 12-06-2022 09:42 AM
- Got Karma for Re: Amazon Web Services Add-on: s3 generic error - TypeError: 'int' object is not iterable. 11-29-2022 07:56 AM
- Got Karma for Re: Active Directory LastLogonTimestamp EVAL/WHERE Date Math. 09-22-2022 03:56 PM
- Got Karma for Re: Assigning a max value from one field as a new field. 09-07-2022 05:54 AM
- Got Karma for Re: How to view data retention settings in Splunk. 07-10-2022 04:28 PM
- Got Karma for Re: convert time format. 05-03-2022 08:06 AM
- Got Karma for Re: sum values if<. 04-29-2022 12:34 PM
- Got Karma for Re: Take the first value of each multivalue field. 04-21-2022 02:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 7 | |||
| 0 | |||
| 2 | |||
| 16 | |||
| 4 | |||
| 6 |
02-14-2014
12:14 AM
1 Karma
Try this,
your_base_search
| eval epoch_st = strptime(start_time, "%Y-%m-%dT%H:%M:%S%z")
| eval epoch_et = strptime(end_time, "%Y-%m-%dT%H:%M:%S%z")
| eval epoch_diff = epoch_et - epoch_st
| eval dur=tostring(epoch_diff, "duration")
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
/K
... View more
02-13-2014
11:52 PM
1 Karma
Ooh, no... I think that you're not getting correct results.
The point of my earlier suggestion was to do the grouping first (i.e. the transaction), and then remove all transactions where either of the events have a FAILED status.
By removing the FAILED events before creating the transaction, you'll get the wrong results.
Also, the point of the mvfind() is that it the transaction creates a multi-valued field of status_type . Filtering regular fields can be done directly with status_type != FAILED (though this is not what you want in this case).
Please post som sample events.
... View more
02-13-2014
07:29 AM
Please refrain from posting the same question several times.
... View more
02-12-2014
12:51 PM
Eeh, no. It is not Extorsion - it's called Marketing.
Extorsion would be to remove the authentication feature from existing enterprise licensed installations, and only turn it back on if the customer pays (again).
You may see this function as a good thing - i.e. try-before-you-buy, OR you see this as a dealer handing out heroin to schoolchildren; "The first fix is free!".
You don't have to use Splunk.
Your choice.
... View more
02-12-2014
12:44 PM
1 Karma
Maybe I'm misunderstanding this, but is the Report in each of the events. If so, did you try :
... | transaction Report | eval is_failed = mvfind(Status_type, "FAILED") | where isnull(is_failed)
... View more
02-12-2014
11:43 AM
1 Karma
Did you check what the forwarder is really doing at the time of the 'outage'?
https://your_forwarder:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Read more here;
http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
/K
... View more
02-11-2014
07:33 AM
1 Karma
Aah, it does not really work that way. The asterisk in the [monitor] does not behave like normal regex. It actually translates to [^/\\]* , i.e. match any number of characters as long as they are not slash or backslash.
This also means that your host_regex will fail, since there, the asterisk takes its normal meaning, i.e. match the preceding character zero or more times.
Also, you do not have a correctly defined capturing group in the regex.
Try this instead (includes the "nx" part):
host_regex = \/system-(.+)\.log$
/k
... View more
02-11-2014
07:16 AM
Oops, my bad. you need to make sure that the total_sum survives through the stats operation;
host=bob | eventstats sum(field_A) as total_sum | search field_B=X | stats sum(field_A) as X_sum first(total_sum) as total_sum | table X_sum total_sum
NB. Since the eventstats only calculates one value, it does not matter much which stats function (first, last, max etc) you use to preserve it.
... View more
02-11-2014
04:38 AM
Maybe I don't fully understand your question, but if you want make like this (in a pseudo-search-query);
find all relevant events
| sum(field_1) as total_sum
| filter to only keep events where user=bob
| sum(field_1) as bob_sum
Then you can use eventstats , which puts the statistic in all events, without altering them/removing information;
host=A | eventstats sum(field) as total_sum | search field1=X | stats sum(field) as X_sum
/K
... View more
02-11-2014
12:43 AM
Oops, you're faster (again), but I'll leave my answer as it describes a different solution.
/k
... View more
02-11-2014
12:41 AM
1 Karma
If the field name is the same you can do it like so (Different sourcetypes rather than hosts in the example below);
index=_internal sourcetype=splunkd_access OR sourcetype=splunkd | stats sum(timeendpos) as summy by sourcetype | stats values(summy) as summy2| eval foo=mvindex(summy2,0) | eval bar=mvindex(summy2,1) | eval result=foo/bar
If the field names are different, it's even easier ( bytes in splunkd_access and workers in splunkd);
index=_internal sourcetype=splunkd_access OR sourcetype=splunkd | stats sum(bytes) as sumb sum(workers) as sumw | eval result = sumb/sumw
/k
... View more
02-10-2014
12:05 PM
No, well, I meant that it could be that someone/something kills your forwarder process.
What type of file is it, what OS? Log rotation scheme?
... View more
02-10-2014
11:16 AM
that is a message that shows up when the splunk instance starts up - the forwarder in your case. Is the machine being rebooted? or the forwarder service shutdown/restarted?
... View more
02-09-2014
11:36 PM
The point I was making is that your requirements don't add up - how do you know that you need 30 days of cold data, if you don't know how much data you have in hot/warm? If you're indexing 10 MB/day, the hot+warm storage would last for almost 10 years - then what's the point of another 30 days of cold (300 MB)?
If you index 150GB/day, the hot+warm lasts 2 days, and the cold storage would be almost 5 TB. These two extremes will change the storage needs quite a lot.
Normally, you'll have a retention time requirement for data that is online ( hot+warm+cold ) and offline ( frozen ).
... View more
02-07-2014
08:59 AM
lukejadamec, well, regex transforms take place after linebreaking, timestamping etc, so if there is really a lot of crap coming from the evil forwarder, it could affect the event processing... I guess.
... View more
02-07-2014
08:57 AM
2 Karma
Then I would really suggest fw rule, preferably on the network, but local will also work. Perhaps you should also look at the
acceptFrom = <network_acl>
setting in inputs.conf where you define the forwarder connections (splunktcp:9997, or whatever port you're already listening to). From the docs on inputs.conf:
Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.
... View more
02-07-2014
04:16 AM
1 Karma
It's hard to make this kind of combination without knowing how much data you are actually indexing on a daily basis. There are simply no configuration parameters that fully implement such a retention policy. Also, it's a bit hard to understand the underlying requirements for such a policy.
Normally you would have a retention time requirement, say one year or 3 months, and possibly some constraint on the size or cost for fast/slow storage, which would force you to play around with when to move from warm to cold.
Given the docs for indexes.conf, I would suggest;
[your_index]
maxDataSize = 500
maxHotSpanSecs = 86400
homePath.maxDataSizeMB = 11000
maxTotalDataSizeMB = large number here, possibly larger than the default 500000
frozenTimePeriodInSecs = your actual retention time for all data
/k
... View more
02-07-2014
02:26 AM
1 Karma
Instead of writing a rather complex regex, it would probably be easier to write a different one for each pattern, e.g.
props.conf
EXTRACT-foo = \[audit\s(?<src_user>\S+)\sas\s(?<dst_user>\S+)\son
EXTRACT-bill = \son\s(?<console>pts[^\]]+)\]
EXTRACT-bob = \son\s(?<src_ip>[\d.]+):(?<src_port>\d+)-\>(?<dst_ip>[\d.]+):(?<dst_port>\d+)\]
EXTRACT-jim = \]\s(?<path>/\S+)\s(?<command>.*)
EXTRACT-joe = \]:\s\#===\ssession\s(?<session_status>\w+)
EXTRACT-hoss = \s\on\s(?<origin>\S+)\]
EXTRACT-hank = \s\S+\][^:]*:\s(?<action>.*)
This means that not all fields will be present in all events, e.g. src_port etc, and that some extractions will overlap.
The extraction named foo will handle the things that are common to all events, whereas bill and bob will deal with the alternate versions of pts * and ip/port pairs.
jim and joe deal with the different actions (sessions and commands executed). Finally hank & hoss extracts jim/joe and bill/bob information, regardless of format for easier reporting.
Consider this as examples of an approach, rather than The One Way To Do It.
/K
... View more
02-07-2014
12:44 AM
transaction does not work quite that way. The point of specifying more than one field to base the transaction on, is to allow it to span across different types of log, e.g.
logs from system_1 contains fieldA=xxx fieldB=yyy
logs from system_2 contains fieldB=yyy fieldC=zzz
logs from system_3 contains fieldC=zzz fieldD=qqq
Then you can link it together with transaction fieldB fieldC .
In your case you only have a single source of events, but the values on which you want to build your transaction moves between fields. It would be infinitely easier to use a session-id or similar.
/K
... View more
02-06-2014
10:43 PM
Is this one, or four events? If it's supposed to be four events, then your line-breaking isn't working either.
For the REGEX extraction of SerialNumber, just be a bit more specific - instead of .+ try \S+ (i.e. anything but newline, tab, space) or even [A-Z0-9]+ depending on what characters you can expect to find.
/K
... View more
02-06-2014
04:38 PM
2 Karma
One thing that you can do immediately is to set up a regex transform on your indexer to remove the unwanted data. The example below will re-route all data from that host to the trash can.
props.conf
[host::your_host]
TRANSFORMS-remove_stuff = setnull
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
NB: you can make a more selective filtering by writing a more specific regex, so that you actually get to keep those events that you like.
Read more here;
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles
/k
... View more
02-06-2014
03:48 AM
You can try it out in a search with rex like so;
... | rex "^(?<log_level>[A-Z]+)" | rex "\|(?<domain>\S+)" | rex ":(?<filename>\S+)$"
If this works out well, you can make them more permanent adding the configurations to props.conf;
[your_sourcetype]
EXTRACT-log_level = ^(?<log_level>[A-Z]+)
EXTRACT-domain = \|(?<domain>\S+)
EXTRACT-file = :(?<filename>\S+)$
/k
... View more
02-05-2014
01:55 PM
1 Karma
through rex ;
... | rex "\((?<your_field>\w{4})[^@]+@\w+\.\w+\)" | the rest of your search
/k
... View more
02-05-2014
01:10 PM
2 Karma
The easiest way to try this out is to do it via rex , which extracts these field for the duration of the search. I.e. the configuration is not stored in any config file:
your search for events | rex "Number\sof\records\s+:\s+(?<rec_num>\d+)\s+Total Size of records\s+:\s+(?<rec_size>\d+) | timechart span=1d avg(rec_num) avg(rec_size)
/K
... View more
