Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About lpolo
lpolo
Motivator
Member since:
05-10-2011
08-03-2021
Community Statistics
| Posts | 376 |
| Solutions | 17 |
| Karma Given | 73 |
| Karma Received | 134 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Part 1: How to extract a json portion of an event then use spath to extract key=value pairs. 07-25-2023 01:43 AM
- Got Karma for How to merge two fields into one field?. 03-14-2023 09:50 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 01-16-2023 05:13 PM
- Got Karma for Re: Filter values after timechart. 06-10-2022 08:59 AM
- Got Karma for How to merge two fields into one field?. 01-10-2022 05:59 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 09-23-2021 06:18 AM
- Posted How to implement this Prometheus Query using Splunk Query Language on Splunk Enterprise. 08-03-2021 11:37 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 08-02-2021 08:59 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 07-26-2021 05:15 AM
- Posted Source log events not forwarded after log rotation on Splunk Enterprise. 07-23-2021 01:25 PM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 02-08-2021 08:28 AM
- Posted Re: top 1000 by appiD on Splunk Enterprise. 07-15-2020 03:24 PM
- Posted top 1000 by appiD on Splunk Enterprise. 07-15-2020 12:41 PM
- Posted Re: Top n plus others on Splunk Enterprise. 07-06-2020 01:04 PM
- Posted Top n plus others on Splunk Enterprise. 07-06-2020 11:54 AM
- Karma Re: Regex that covers both cases for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Regex that covers both cases for javiergn. 06-05-2020 12:48 AM
- Karma Re: How do you manage the content of users' Splunk apps in a Search Head Cluster? for koshyk. 06-05-2020 12:48 AM
- Karma Re: How to extract multivalue field values without using the mvexpand command? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: TCP:514 Input -> Multiple Indexex and Source Type for jconger. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-22-2015
10:08 AM
This issue was related firewall issue. Once the appropriate hadoop ports were opened hadoop connect worked as intended.
Lp
... View more
07-15-2015
11:39 AM
I am not able to connect to one hadoop cluster. I am getting this error:
Encountered the following error while trying to save: In handler 'hdfs': Unable to validate resource: {"cluster": "69.252.246.137:54310", "message": "Could not find cluster configuration", "id": "HCERR0007"}
Any idea how to solve this issue? We have multiple connections that are working find, but for this particular cluster, I am getting this error.
Thanks,
LP
... View more
03-03-2015
07:21 AM
Work around that solves the issue:
1) add the configuration stanza "appServerPorts = 0" in /opt/splunk/etc/system/local/web.conf
2) Restart splunk services /opt/splunk/bin/splunk restart
Role of the configuration change in appServerPorts:
appServerPorts =
* Port number(s) for the python-based application server to listen on.
This port is bound only on the loopback interface -- it is not
exposed to the network at large.
* If set to "0", this will prevent the application server from
being run from splunkd. Instead, splunkweb will be started as
a separate python-based service which directly listens to the
'httpport'. This is how Splunk 6.1.X and earlier behaved.
* Generally, you should only set one port number here. For most
deployments a single application server won't be a performance
bottleneck. However you can provide a comma-separated list of
port numbers here and splunkd will start a load-balanced
application server on each one.
* It is recommended that this be set to a non-zero value. Setting
this to "0" should only be done if you experience a compatibility
problem. The new separate application server configuration is faster
and supports more configuration options. Also, setting this to
"0" may cause problems when using the Search Head Clustering feature
(see the [shclustering] stanza in server.conf)
* Defaults to 8065.
... View more
03-02-2015
10:31 AM
The only way I am able to get the latest file is by doing:
http://splunkserver.com/debug/refresh
... View more
03-02-2015
10:19 AM
We use the static splunk web service to access static files. Example:
http://splunkserver.com/en-US/static/app/appname/file.json
It has been working fine until the server was upgraded to version 6.2.2.
This was our previous config in server.conf. It did not have any issues.
[httpServer]
max-age = 3600
* Set the maximum time (in seconds) to cache a static asset served off of the '/static' directory.
* This value is passed along in the 'Cache-Control' HTTP header.
* Defaults to 3600.
I reduced the value to max-age=5. Problem continues.
... View more
01-23-2015
08:58 AM
Has anyone calculated the Percentile Distribution using Splunk?
Thanks,
Lp
... View more
- Tags:
- percentile
12-02-2014
09:59 AM
1 Karma
I took the following approach:
1) Monitor using splunk only the error log file.
2) Created a custom splunk search command to obtain couchbase cluster and node information. The custom search command is scheduled to obtain the state of the cluster every 5 min. Depending on the state of the cluster, we trigger notification alerts.
Lp
... View more
10-27-2014
05:27 AM
Use the delete command If the bucket you want to delete has a period from 2014/09/01 to 2014/03/30, but, you only want to delete events from 2014/09/10 to 2014/09/20.
... View more
10-24-2014
06:28 AM
Try this:
(index="AAA" sourcetype="XXXX" ) OR (index=BBB sourcetype=YYY service=ABC country=QQQQ ) | rex "sss][(?.?)]" | rex "](?.?) ::" | rex "(?.*?)]" | bucket span=1d _time | stats dc(AAAAAA) as something, list(BBBBBBB), list(ASDSA) by CD,_time | where something>1 | stats count as "Total Count" by _time|fillnull value=0 'Total Count'
... View more
10-24-2014
06:20 AM
You need to know what you are doing before deleting any bucket. If you proceed do it at your own risk.
The general steps are the following:
1) To be safe stop splunkd.
2) Select the splunk indexer and index you want to delete a bucket from.
3) From the selected indexer: a) Run the following splunk query with the period of time you may want to delete events from.
|dbinspect index=your_index_name |
4) If you are running 6.x, the returned fields will be these:
bucketId endEpoch eventCount guId hostCount id index modTime path rawSize sizeOnDiskMB sourceCount sourceTypeCount splunk_server startEpoch state
5) endEpoch and startEpoch show the earliest and latest events contained in the bucket. The bucket file system path is found in field "path".
6) Delete the bucket that you need to. For unix run " rm -rf path"
As I said, You need to know what you are doing before deleting any bucket from the file system.
I hope these steps will help.
... View more
10-23-2014
09:43 AM
Has anyone monitored couchbase logs using Splunk?
http://docs.couchbase.com/couchbase-manual-2.2/#logs-and-logging
Could you share your experience?
Thanks,
Lp
... View more
10-01-2014
10:40 AM
Issue address in release 6.1.4.
vulnerability is :CVE-2014-1912
... View more
09-26-2014
06:20 AM
Our problem is that splunkd stop responding due to a deadlock bug. Therefore, we are forced to restart the splunk service.
... View more
09-26-2014
06:18 AM
We are still being affected by this issue. We have captured pstacks. Splunk tech support identified a dead lock bug in openssl. However, the issue is not fixed in Splunk 6.1.2. Are you still being affected by this issue?
... View more
06-25-2014
05:20 AM
I am not sure what you need to but try this query. It might help you to get what you need:
index=ngcc*|fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host|streamstats count
... View more
06-17-2014
04:32 AM
However, After reading the answer presented bellow I made a little change for the eval expression to work, < > needs to be surrounded by single quotes.
... View more
06-17-2014
04:29 AM
Thanks. I made a little change for the eval expression to work, < > needs to be surrounded by single quotes. I updated the original question.
|Splunk search to get result set 1|eval Over=0 | foreach Over_* [eval Over=Over+'< >']|table method success failures Over
... View more
06-16-2014
11:49 AM
The result of a splunk query is the following:
Result set 1:
method success failures Over_method1 Over_method2 Over_method3
method1 0 73 3 0 0
method2 196 0 0 2 0
I need to reduce this result set as follow:
method success failures Over
method1 0 73 3
method2 196 0 2
I tried using the search command foreach but no success.
Splunk search to get result set 1|
foreach Over_* [eval Over=Over+<<FIELD>>]|
table method success failures Over
OR
Splunk to get result set 1|
foreach Over_* [eval Over=Over+'<<FIELD>>']|
table method success failures Over
This could be done with the following query:
Splunk search to get result set 1|
=if(Over_method1>0,Over_method1,if(Over_method2>0,Over_method2,0))|
table method success failures Over
However, A simpler way is to use the foreach function. To make it work the mapping variable needs to be initialized as presented in below answer. If not the result set will not be reduced correctly. So the final query is:
Splunk to get result set 1|eval Over=0|
foreach Over_* [eval Over=Over+'<<FIELD>>']|
table method success failures Over
Thanks,
Lp
... View more
- Tags:
- foreach
06-02-2014
06:11 AM
Each indexer and search head has its own license configuration. If you are using a license server all the indexers and search heads has to point to the same license server. If you have 2 license servers, you could have a set of indexers and search heads pointing to one license server and the other set pointing to the other license server.
More information about license server:
http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/HowSplunklicensingworks
... View more
06-02-2014
05:16 AM
1 Karma
Yes. It is possible to define the specific search peers you need in each search head.
More information:
http://docs.splunk.com/Documentation/Splunk/6.1.1/DistSearch/Configuredistributedsearch
Thanks,
Lp
... View more
05-16-2014
06:30 AM
Try this:
your query |rex "FieldA\=(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"|table FieldA FieldB FieldC FieldD
Lp
... View more
04-28-2014
10:40 AM
11 Karma
Include this row in your dashboard. Then, test the link. It should give a starting point.
<row>
<html>
<a href="http://www.google.com">Google</a>
</html>
</row>
Lp
... View more
04-28-2014
10:35 AM
In python under splunklib.client you have the service class as well. From here you can use restart method to restart your splunkd instance.
... View more
03-28-2014
04:26 AM
Using the Splunk query language how would be a splunk query that returns the Top 1 from a set of Top N?
Data set sample:
time Term count
2014-03-28 10:00 hello 10
2014-03-28 10:00 ciao 9
2014-03-28 10:00 nice 7
2014-03-28 11:00 nice 11
2014-03-28 11:00 great 8
2014-03-28 11:00 precise 6
2014-03-28 12:00 yougotit 6
2014-03-28 12:00 ok 4
2014-03-28 12:00 thanks 3
The splunk query should return the top 1 of each Top N set. Example:
time Term count
2014-03-28 10:00 hello 10
2014-03-28 11:00 nice 11
2014-03-28 12:00 yougotit 6
Thanks,
Lp
My solution:
After reading the suggestions provided in below answers,I took the following approach:
1) Create a summary index.
2) Create an hourly schedule search to get the Top N and store the results in the summary index. Splunk query:
index="my_raw_index" |eval time=strftime(_time, "%m/%d/%Y:%H:%M") |
top limit=0 term by time|streamstats count as rank|table time term count
Result set:
time rank Term count
2014-03-28 10:00 1 hello 10
2014-03-28 10:00 2 nice 11
2014-03-28 10:00 3 yougotit 6
3) Then, by using the rank field, it is quite simple to get the Top 1 from the set of Top N result set from the summary index. Query example:
index=my_summary_index rank=1|table time Term count.
I think this approach would scale quite well.
Thanks,
Lp
... View more
- Tags:
- top
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-03-2021
02:58 PM
|
Karma from
Karma given to
