Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About kristian_kolb
kristian_kolb
Ultra Champion
Member since:
05-10-2011
08-20-2025
Community Statistics
| Posts | 2153 |
| Solutions | 395 |
| Karma Given | 1033 |
| Karma Received | 1584 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: Double scrollbars in search results. 08-20-2025 09:12 AM
- Karma Re: List deployment client showing "no clients contacted the server" for isoutamo. 03-03-2025 12:28 AM
- Got Karma for Re: What are the difference between regexp command and interactive field extractor regular expression pattern?. 02-27-2025 07:36 AM
- Posted Re: List deployment client showing "no clients contacted the server" on Deployment Architecture. 02-13-2025 05:18 AM
- Got Karma for Re: how to exclude indexing files starts with dot (.) and ending with .swp?. 05-28-2024 04:54 AM
- Got Karma for Re: How to implement "NOT IN" in Splunk. 05-15-2024 02:55 PM
- Got Karma for Re: eval and range. 08-24-2023 05:23 PM
- Got Karma for Re: Compare day to same day for N weeks. 08-10-2023 07:55 AM
- Got Karma for Re: find the difference between two date/time values. 07-02-2023 07:22 AM
- Got Karma for Re: Forwarder capacity?. 05-10-2023 12:51 AM
- Got Karma for Re: What are the difference between regexp command and interactive field extractor regular expression pattern?. 01-10-2023 01:51 AM
- Got Karma for Re: Where can I find my sourcetype definitions?. 12-07-2022 11:12 PM
- Got Karma for Re: Searches to detect buckets going to frozen. 12-06-2022 09:42 AM
- Got Karma for Re: Amazon Web Services Add-on: s3 generic error - TypeError: 'int' object is not iterable. 11-29-2022 07:56 AM
- Got Karma for Re: Active Directory LastLogonTimestamp EVAL/WHERE Date Math. 09-22-2022 03:56 PM
- Got Karma for Re: Assigning a max value from one field as a new field. 09-07-2022 05:54 AM
- Got Karma for Re: How to view data retention settings in Splunk. 07-10-2022 04:28 PM
- Got Karma for Re: convert time format. 05-03-2022 08:06 AM
- Got Karma for Re: sum values if<. 04-29-2022 12:34 PM
- Got Karma for Re: Take the first value of each multivalue field. 04-21-2022 02:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 7 | |||
| 0 | |||
| 2 | |||
| 16 | |||
| 4 | |||
| 6 |
02-18-2014
04:44 AM
4 Karma
This is a setting in props.conf on the indexer (or a Heavy Forwarder if you have that as a relay). By default Splunk will cut multline messages at 256 lines, and each line at 10000 bytes. This behaviour can be altered with the MAX_EVENTS and TRUNCATE parameters (respectively), e.g.
props.conf
[my_sourcetype]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
MAX_EVENTS = 1024
TRUNCATE = 400
The above configuration will allow each message to contain up to 1024 lines, and each line can up to 400 bytes long.
See the documentation for props.conf for further details and other configuration options.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
/K
... View more
02-18-2014
04:38 AM
Yes, start with these settings. You can always alter stuff like maxDataSize , maxHotIdleSecs and maxWarmDBCount later without really changing anything major.
Once in production, changing (lowering) maxTotalDataSizeMB or frozenTimePeriodInSecs by too much, may cause Splunk to start deleting data (oldest first). You must understand the implications of such changes before you perform them.
Best of luck,
K
... View more
02-18-2014
12:28 AM
Dang. You're too fast. I'm not sure that you will get a reset license for Splunk Free, though. But no harm in trying.
... View more
02-17-2014
04:20 PM
2 Karma
Your stats should work like it is - have you verified your data? Anyway, you can remove the field before the stats/chart/timechart/whatever, just to be sure ...
your search | fields - labelDataSpec | chart count by labelData | sort - count
/K
... View more
02-17-2014
02:34 PM
It seems rather inefficient, and it probably is. However, since the string can be 1, 2, 3 or n words long, it's safest to build it like this, since (AFAIK) there is no foreach() functionality that can operate on the different values of a multivalued field directly. Or on the (single valued) field with a multiword string either for that matter.
/K
... View more
02-17-2014
02:27 PM
tested and works with the following strings in fieldX;
all work and no play makes jack a dull boy
ALL WORK AND NO PLAY MAKES JACK A DULL BOY
ALL wORK anD NO pLaY MaKeS JACk a dull bOy
they all come out as
All Work And No Play Makes Jack A Dull Boy
/k
... View more
02-17-2014
02:10 PM
6 Karma
Not that I've tried it (yet), but I assume that a fieldX that holds an arbitrary string like in your examples could be formatted like so;
... | eval fieldX = lower(fieldX) | makemv delim=" " fieldX | mvexpand fieldX | eval A = substr(fieldX, 1, 1) | eval B = substr(fieldX,2) | eval A = upper(A) | eval fieldX = A.B | fields - A, B | mvcombine fieldX | eval fieldX = mvjoin(fieldX, " ")
maybe..
EDIT: Needed to remove the temp fields in order for the mvcombine to work
... View more
02-17-2014
12:52 PM
oops, typo... fixed it now.
... View more
02-17-2014
12:51 PM
1 Karma
Not knowing the rest of your config - or what your other events look like, I'd still guess that the regex is a bit too greedy. I have not experimented with the PREAMBLE_REGEX setting, but I guess that this might actually happen before linemerging(?), or is it perhaps a special purpose TRANSFORM à la nullQueue . Somebody more knowledgeable may have that answer.
If you change your regex to the following, it should at least not be too greedy.
PREAMBLE_REGEX=xml version[^>]+><event_change_list[^>]+>
/K
... View more
02-17-2014
10:46 AM
As I said before - if you have a requirement of 18 months worth of online data, set it - for the index as a whole - via the frozenTimePeriodInSecs parameter.
If the intended storage for hot/warm and cold is the same, there is no point (from a technical/functional perspective) to strive for "no warm buckets". With understanding of how hot/warm/cold/frozen buckets work, you can explain to the policy-maker why warm/cold does not matter.
If you really insist, there is an additional parameter controlling the maximum number of warm buckets in an index.
maxWarmDBCount = <positive integer>
/K
... View more
02-17-2014
10:30 AM
not so sure what you mean by 'the summary data'. BTW, does it look better today?
/K
... View more
02-17-2014
10:26 AM
oh well, if your fields are actually called start_time and end_time , the new fields should come out fine. However, they do not show in the event text ( _raw ), but you can use them in table s, chart s, stats etc.
... View more
02-17-2014
09:55 AM
1 Karma
Ok, there are several issues here:
1) don't edit files in 'default' folders, edit in 'local' instead.
2) the file is called transforms.conf not transform.conf (but maybe that's just a typo)
3) in order to activate a transform, it has to be invoked from props.conf ;
props.conf
[your host, source or sourcetype]
TRANSFORMS-blah = setArkoon
transforms.conf
[setArkoon]
your REGEX, FORMAT, and DEST_KEY here (which look ok, by the way)
Also, out of habit I always recommend that you use underscores instead of hyphens in names. Splunk is picky sometimes.
4) depending on how you get your data in, it might be possible to set the sourcetype in inputs.conf. You should look that up.
5) As you've noticed, you base your field extractions on sourcetype (which is A Good Thing), so basically, the format of the events should dictate what calls for a new sourcetype. Don't overdo it, e.g. create sourcetypes like arkoon_fw1, arkoon_fw2 etc, if the actual log format is the same.
Hope this helps,
/K
... View more
02-17-2014
06:49 AM
Well TIME_PREFIX is used to ensure that you find the start of the timestamp in the events, whereas TIME_FORMAT will allow you to specify how the timstamp is formatted.
In your case, you seem to be having three different time formats, but the first seems to be of less interest (service started?). The second two differ very little, and if you can make do without the millisecond precision, you could probably have something like this config (in props.conf);
[your_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 50
TIME_FORMAT = %Y-%m-%d %H:%M:%S
Unfortunately, TIME_FORMAT does not take a regex as parameter value, otherwise it would have been easy to handle the dot/comma difference.
UPDATE:
Perhaps you could also add the TIME_PREFIX as such;
TIME_PREFIX = (:\s|<|^)
The TIME_PREFIX will match the first instance it finds of the pattern, and will start looking for a timestamp immediately after it (which must be formatted according to the TIME_FORMAT )
Not sure it will have any success on the first message.
/K
... View more
02-17-2014
03:45 AM
1 Karma
How long is a piece of string? There are normally a few different ways of solving most problems, but here is one way;
host=hostA OR host=hostB | chart count over ID by host
and another way;
host=hostA OR host=hostB | stats count by ID, host
and yet another way;
host=hostA OR host=hostB | top 20 ID by host
Hope this helps,
K
... View more
02-17-2014
03:40 AM
1 Karma
There is normally no such thing as a dev or test license (i.e. that is cheaper). What you do is that you install Splunk on one server and install the license there. Then, when you install the second (third, fourth..) Splunk server, you configure it to point to the first server for licensing. This is done in Settings -> Licensing, click the "change to slave" button and fill in the details.
This requires that they're allowed to communicate with each other, which may not be the case in every organization.
Please mark the question as answered if your problem was solved.
Thanks,
K
... View more
02-17-2014
02:45 AM
1 Karma
There is no such thing as a single-user license, as far as I know. As of version 4.2(?), there is a mechanism within Splunk, that allows several instances to share a single license, i.e. one of the instances is designated as the 'license master', and the other Splunk servers connect to the license master to report on license usage.
Read more here;
http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/HowSplunklicensingworks
/K
... View more
02-17-2014
02:43 AM
4 Karma
Yes, %m is the numeric representation of a month, i.e. 01, 02, 03 etc. What you want is the variable for the abbreviated alphabetic version, which is %b . Also, you might want to change the %Y to %y , since you only represent the year with two digits. Then you can add the milliseconds as well.
TIME_FORMAT = %d-%b-%y %H:%M:%S.%3N
http://www.strftime.net
/K
... View more
02-17-2014
01:29 AM
You are aware that cold buckets are still online and searchable?
Does your policy say that you need to have 30 days worth of log data online, and 18 months 'readily available'?
In that case, you may be thinking of frozen rather than cold , i.e. where you set up a path for archiving the data that should be removed from the online system, but it must still be possible to re-import it if the need arises.
If your policy actually says that you need 30 days warm and 18 months cold , and you use the same underlying storage - you have a case for challenging the policy.
/K
... View more
02-16-2014
11:36 PM
1 Karma
At the moment your search does not really deal with the _time element. And it also has a join , which seems a bit unecessary.
Have you considered making a timechart without the join?
your search for events | timechart span=1h sum(field1) as sum_1 sum(field_2) as sum_2 | eval ratio = sum_1/sum_2 | fields + ratio, _time
Then select the "visualization" tab in the search results.
/K
... View more
02-14-2014
01:18 PM
1 Karma
You probably want to look at a certain SID in the events, either the first or the second, and compare that SID across events. Since the Security_ID is present more than once in these events, Splunk creates what is called a multivalued field. The individual values of the field can be accessed with various functions. You can then build so-called transactions based on this, e.g.
your search for events | eval sid2 = mvindex(Security_ID, 1) | transaction sid2 maxpause=5s
Read more here;
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Transaction
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
/K
... View more
02-14-2014
07:15 AM
You get the warning because you exceeded the volume limit. It does not matter if you remove the data - the warning still counts, as the license is based on indexing volume, not storage volume. However, there is no reason to panic. The (visible) warning will go away tomorrow, and the actual warning will age out in 30 days. You're allowed 5 warnings in a rolling 30 day window before you get locked out.
As you've probably read in the docs, the delete command does not actually remove any data, it only removes the it from the index-file (.tsidx), i.e. removes the pointers to it. Unless it was a really huge amount of data, and you have disk space concerns, it's better to leave it as it is, and let it age out along with the other data according to the retention policy you have specified. If you did not specifically set such a policy, then event data will be purged (oldest first) from the index when it reaces 500GB in size or ~6 years age (whichever condition matches first).
Don't panic!
EDIT: typos and clarity
/K
... View more
02-14-2014
06:03 AM
2 Karma
I guess that you could remove the explicit settings for maxDataSize , maxHotIdleSecs and maxWarmDBCount and just go with the default values.
There is no particular point in trying to gear your storage so that 1 bucket = 1 day. Also, if your warm and cold data resides on the same disk ( in terms of speed/cost) there is little need to configure anything specifically. Hot data will not be searched faster or treated differently than cold data by design, it's only the underlying storage speed that affects performance.
... View more
02-14-2014
01:59 AM
5 Karma
From a storage perspective, you should treat hot and warm the same. They must exist in the same path, and the only difference is that hot buckets are actively being written to. In your case, as you just have a single drive, there is no real difference between hot/warm and cold either.
The definition of the paths for hot/warm, cold and frozen for an index can be done in the GUI, or in indexes.conf.
As for the retention time, it is controlled for the index as a whole, i.e. hot+warm+cold. This can only be defined in indexes.conf.
What you probably need is to set the retention time to 18 months via the following setting, which is equivalent to just under 550 days (~18 months);
frozenTimePeriodInSecs = 47500000
Additionally, you'd like to set the total size to a higer value than the default 500GB;
maxTotalDataSizeMB = 1900000
Assuming that you index 3 GB of raw logs per day, and with an average compression ratio of 50%, your 2TB drive will last you more than 3 years.
As for backing up, you should read the following;
http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Backupindexeddata
Hope this helps,
/K
... View more
02-14-2014
12:45 AM
If you only need to find which indexes that have not been created properly, you could check for these events in the "_internal" index;
02-14-2014 09:40:57.755 +0100 WARN IndexProcessor - received event for unconfigured/disabled/deleted index='some_index_name' with source='source::c:\temp\blah.log' host='host::ServerX' sourcetype='sourcetype::bleh' (1 missing total)
/K
... View more
