Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About lpolo
lpolo
Motivator
Member since:
05-10-2011
08-03-2021
Community Statistics
| Posts | 376 |
| Solutions | 17 |
| Karma Given | 73 |
| Karma Received | 137 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 11-03-2024 04:54 AM
- Got Karma for How to merge two fields into one field?. 10-23-2024 09:31 AM
- Got Karma for Re: How to remove data from a bucket for a specified period of time?. 09-05-2024 08:26 AM
- Got Karma for Part 1: How to extract a json portion of an event then use spath to extract key=value pairs. 07-25-2023 01:43 AM
- Got Karma for How to merge two fields into one field?. 03-14-2023 09:50 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 01-16-2023 05:13 PM
- Got Karma for Re: Filter values after timechart. 06-10-2022 08:59 AM
- Got Karma for How to merge two fields into one field?. 01-10-2022 05:59 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 09-23-2021 06:18 AM
- Posted How to implement this Prometheus Query using Splunk Query Language on Splunk Enterprise. 08-03-2021 11:37 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 08-02-2021 08:59 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 07-26-2021 05:15 AM
- Posted Source log events not forwarded after log rotation on Splunk Enterprise. 07-23-2021 01:25 PM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 02-08-2021 08:28 AM
- Posted Re: top 1000 by appiD on Splunk Enterprise. 07-15-2020 03:24 PM
- Posted top 1000 by appiD on Splunk Enterprise. 07-15-2020 12:41 PM
- Posted Re: Top n plus others on Splunk Enterprise. 07-06-2020 01:04 PM
- Posted Top n plus others on Splunk Enterprise. 07-06-2020 11:54 AM
- Karma Re: Regex that covers both cases for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Regex that covers both cases for javiergn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-01-2012
04:59 AM
Unable to switch from table to event list in Splunk 5. Query example:
sourcetype=any |stats count by x
OR
sourcetype=any |table a b c
Is this intentional in Splunk 5?
Thanks,
Lp
... View more
- Tags:
- unable
10-25-2012
05:33 AM
Of course Splunk does not use the "file" command to determine if a file to be monitored is binary. I am presenting as example the documentation of Linux "file" command. It clearly shows the steps it executes in order to determine the type of file. I am presenting my question again:
What are the steps splunk use to identify if the file is binary?
... View more
10-24-2012
04:40 AM
These are the first 2 lines of the file in question and I do not see any bad encoded ASCII character or any file magic number that may indicate the file is binary.
0000000: 3230 3132 2d31 302d 3234 2030 393a 3536 2012-10-24 09:56
0000010: 3a33 332c 3233 3320 494e 464f 2020 5b54 :33,233 INFO [T
The question remains without answer in this forum.
What are the steps splunk use to identify if the file is binary? Use as example the man pages of "file" unix command. It clearly explains what I am looking for in this question.
... View more
10-23-2012
08:18 AM
2 Karma
I have a log file that is a text file. Splunk does not monitor this file because it finds it as a binary file. The following linux command shows the contrary:
file /usr/local/rex/azkaban/logs/azkaban.log
/usr/local/rex/azkaban/logs/azkaban.log: ASCII text, with very long lines
This is the log splunkd.log is reporting:
10-22-2012 17:53:21.733 +0000 WARN FileClassifierManager - The file '/usr/local/rex/azkaban/logs/azkaban.log' is invalid. Reason: binary
10-22-2012 17:53:21.734 +0000 INFO TailingProcessor - Ignoring file '/usr/local/rex/azkaban/logs/azkaban.log' due to: binary
These are the first 2 lines of the file in question and I do not see any bad encoded ASCII character or any file magic number that may indicate the file is binary.
0000000: 3230 3132 2d31 302d 3234 2030 393a 3536 2012-10-24 09:56
0000010: 3a33 332c 3233 3320 494e 464f 2020 5b54 :33,233 INFO [T
The question remains without answer in this forum.
What are the steps splunk use to identify if the file is binary? Use as example the man pages of "file" unix command. It clearly explains what I am looking for in this question. In this way, I can solve this problem from its root.
Why does splunk report the file in question is a binary file?
How can this problem be solved?
This issue has been addressed previously. Example:
http://splunk-base.splunk.com/answers/7370/splunk-thinks-text-file-is-binary
Thanks,
Lp
... View more
- Tags:
- file-monitoring
10-19-2012
05:57 AM
The same problem at the forwarder:
file ////usr/local/rex/azkaban/logs/azkaban.log
///usr/local/rex/azkaban/logs/azkaban.log: ASCII English text
10-03-2012 17:53:21.733 +0000 WARN FileClassifierManager - The file '/usr/local/rex/azkaban/logs/azkaban.log' is invalid. Reason: binary
10-03-2012 17:53:21.734 +0000 INFO TailingProcessor - Ignoring file '/usr/local/rex/azkaban/logs/azkaban.log' due to: binary
... View more
10-18-2012
06:34 AM
Just reading it makes total sense. I did not know that mvzip was part of aval functions. I should review the eval functions one more time.
It should work.
Thanks,
Lp
... View more
10-16-2012
08:14 AM
The lookup file was initially edit with notepad.
... View more
10-15-2012
09:22 AM
2 Karma
I was able to solve the problem with the following steps:
-. open the lookup file with vi. Then, look for hidden characters ":set list". You should only see this hidden character at the end of line "$". Delete, any hidden character that is not part of your text lookup file. Then, save the file and try to use the lookup command.
-. If the previous step does not fix the problem. cat you csv file. You should only see the text content of the file.
I found this in my csv file:
cat feeds.csv
FeedType,MaxHoursOld
I delete  by deleting "FeedType" and re-writing it. I saved the file and my lookup command worked as it should.
Lp
... View more
10-15-2012
08:18 AM
I have tried and it does not work. My file csv is clean. Using vi I checked if there was any hidden character. I could not find any. I just see $ sign at the end of each line.
... View more
10-15-2012
07:04 AM
2 Karma
I created a look up table that does return all the fields if I use the search command:
|inputlookup lookuptable
But I use the lookup command I get the following error:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
This is related to this thread:
http://splunk-base.splunk.com/answers/38321/could-not-find-all-of-the-specified-lookup-fields-in-the-lookup-table
How can I solve this?
Thanks for your time.
Lp
... View more
- Tags:
- lookup
10-11-2012
10:02 AM
I modified the question to clarify the scenario. I tried the example you sent me before I could not make it work. Any idea.
Lp
... View more
10-11-2012
06:20 AM
Hi,
Any idea how to get the result set of the last sample without using head. Let's say we have a summary index with the following log set:
time_1 G=1 orig_host=a
time_1 G=1 orig_host=b
time_1 G=3 orig_host=c
time_2 G=3 orig_host=a
time_2 G=2 orig_host=b
time_2 G=3 orig_host=c
Using the search command "head" I can get my last sample if I know the number of logs per sample. For example:
sourcetype=x|head 3|table _time orig_Host G
How can I get the same result set without using the head search command?
Thanks,
Lp
... View more
10-05-2012
10:49 AM
I have some information I need to extract from the source field but I cannot do it for all cases:
Example:
I have these two sources
\/usr\/local\/dir-hello\/logs\/
\/usr\/local\/dir\/logs\/
So the REX for each will be:
rex field=source "\/usr\/local\/dir-hello\/logs\/(? .*?)\/"
rex field=source "\/usr\/local\/dir\/logs\/(? .*?)\/"
These REX works but I need:
rex field=source "\/usr\/local\/dir*\/logs\/(? .*?)\/"
It does not work. How can I fix it?
Thanks,
Lp
... View more
- Tags:
- rex
10-04-2012
12:14 PM
Hi,
I need some documentation about custom configuration files for splunk apps. I could not find one. I need a UI where the user could define some configurations parameters for the application.
For example: An app uses 10 hosts. One of the host is out of service. Therefore, the user should have the capability to remove such host using UI.
Is there a good documentation about it?
Thanks,
Lp
... View more
- Tags:
- configuration
09-27-2012
12:13 PM
I think that you are right. This regex looks that is sufficient:
LINE_BREAKER = ([n]+).*query
to detect the first line of the event:
2012-09-27 19:03:24,705
but seems that is not. Tomorrow morning I will try with this regex:
LINE_BREAKER = ([n]+)\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d,\d\d\d\s<query\sid=
then, set SHOULD_LINEMERGE to false.
Thanks Kristian
... View more
09-27-2012
11:10 AM
it did not work with
SHOULD_LINEMERGE = false. I set it back to:
[sourcetype_name]
LINE_BREAKER = ([\n]+).*query
SHOULD_LINEMERGE = true
TRUNCATE = 0
... View more
09-27-2012
10:36 AM
1) Yes I am sure. Also, I am aware of the UI settings in order to exceed the limit of lines per event in UI.
2) My regular expression should define the line breaker. LINE_BREAKER = ([\n]+).*query . Is this correct?
3) Truncate=0 should override MAX_EVENTS. Is this correct?
Any ideas?
Thanks
Lp
... View more
09-27-2012
09:40 AM
I cannot find concatenate function you mention in this url:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/CommonEvalFunctions
Therefore, I used the eval concatenation method I showed you.
What I was able to find is the command “strcat”. I can join both fields but the result is not a multivalue field. Therefore, I cannot expand using mvexpand.
This is the query:
sourcetype="test"|head 1 | spath output=id "schedule{}.id" | spath output=recurrence "schedule{}.recurrence" |fields _time host id recurrence|strcat id "--" recurrence join
The result of join is a string with the following format:
list of id fields – list of recurrence fields.
My goal is to go from this data set:
_time MV-field_1 MV-field_2
timestamp1 1 2
2 3
5 2
To this data set:
_time field_1 field_2
timestamp1 1 2
timestamp1 2 3
timestamp1 5 2
with stcat I can get:
_time join
Timestamp1 1 2 5 – 2 3 2
Is strcat the command that you recommended?
Regards,
Luciano
... View more
09-27-2012
08:36 AM
I have a sourcetype that the events are in json format. Each json event could be more the 2000 lines. I have the following configuration in props.conf:
[sourcetype_name]
LINE_BREAKER = ([\n]+).*query
SHOULD_LINEMERGE = true
TRUNCATE = 0
It works fine if the number of lines is less than 500. In events where the number of lines is more than ~500, the event is not indexed completed.
what else can i do in order to fix this?
Regards,
Lp
what can I do to tune up this up?
... View more
- Tags:
- json
- props.conf
09-25-2012
05:14 AM
Erik,
I tried your recommendation as well and it does not work. It returns zero result. I think splunk cannot do it.
sourcetype=test host="FQDN" | head 1 | spath output=id "schedule{}.id" | spath output=recurrence "schedule{}.recurrence" |fields _time host id recurrence|eval Result=id."-".recurrence|table Result
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-03-2021
02:58 PM
|
Karma given to
