Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Venkat_16
Venkat_16
Contributor
Member since:
09-16-2014
06-05-2020
Community Statistics
| Posts | 107 |
| Solutions | 4 |
| Karma Given | 34 |
| Karma Received | 21 |
| Member Since | 09-16-2014 |
Activity Feed
- Got Karma for Re: Geostats display values on map?. 09-24-2020 09:30 AM
- Karma website-monitoring 271 The read operation timed out for nautni1. 06-05-2020 12:49 AM
- Karma Re: What are the house keeping activities we can do in Splunk apart from clearing dispatch directory? for gjanders. 06-05-2020 12:49 AM
- Karma Re: What are the house keeping activities we can do in Splunk apart from clearing dispatch directory? for p_gurav. 06-05-2020 12:49 AM
- Karma Re: Trying to Anonymise data using SED command for mayurr98. 06-05-2020 12:49 AM
- Karma Re: Trying to Anonymise data using SED command for 493669. 06-05-2020 12:49 AM
- Karma Re: Trying to Anonymise data using SED command for horsefez. 06-05-2020 12:49 AM
- Karma Re: How can I search for users that haven't logged into Splunk for 90+ days? for gcusello. 06-05-2020 12:49 AM
- Karma Re: How to monitor log files from /tmp/folder_name with a Universal Forwarder? for splunker12er. 06-05-2020 12:49 AM
- Karma Re: Did they deprecate Splunk app for Ansible Tower ? for muebel. 06-05-2020 12:49 AM
- Got Karma for Splunk Transforms REGEX Wildcard Help. 06-05-2020 12:49 AM
- Karma Re: SQL database error in Splunk for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Calling Java Script from Dashboard for jeffland. 06-05-2020 12:48 AM
- Karma Re: Saving extracted field in Props.conf Vs Using regex extraction directly in search with out saving in props.conf for woodcock. 06-05-2020 12:48 AM
- Karma Re: Saving extracted field in Props.conf Vs Using regex extraction directly in search with out saving in props.conf for jmallorquin. 06-05-2020 12:48 AM
- Karma Re: Unable to index to Splunk server from MuleSoft for jplumsdaine22. 06-05-2020 12:48 AM
- Karma Re: What information do we need from respective server and application owners for installing and configuring Splunk forwarders to collect event logs? for jimodonald. 06-05-2020 12:47 AM
- Karma Re: What would be the best bucket rotation policy to enhance Splunk performance with our current index file configuration? for yannK. 06-05-2020 12:47 AM
- Karma Re: How to correct my regex to extract text from two or more lines? for MuS. 06-05-2020 12:47 AM
- Karma Re: How to stop the eventgen and how to get the number of events generated by eventgen? for lmyrefelt. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-03-2018
10:59 AM
In our environment, the application writes logs into Windows Events in JSON format under Message section.
We need to segregate these application logs and remove the default windows metadata/envelope around it.
Please see my config below:
inputs.conf
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
sourcetype = my_temp_windows_sourcetype
index=my_index
props.conf
[my_temp_windows_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
TRANSFORMS-sourcetype_raw = my_windows_event_default,my_windows_event_sourcetype,my_windows_event_raw
transforms.conf
[my_windows_event_default]
REGEX = .
FORMAT = sourcetype::WinEventLog:Application
DEST_KEY = MetaData:Sourcetype
[my_windows_event_sourcetype]
REGEX = ImportantKeyWord
FORMAT = sourcetype::my_new_sourcetype
DEST_KEY = MetaData:Sourcetype
[my_windows_event_raw]
REGEX = Message=(.*ImportantKeyWord.*)$
FORMAT = $1
DEST_KEY = _raw
This works fine when the length of the JSON Message is small (<3000 characters).
However, for bigger JSON, events are getting truncated.
We also see a pattern here, events are truncated at same length (approx 3800-3900).
I doubt if the REGEX = Message=(.*ImportantKeyWord.*)$ here might be causing the truncation?
Because, if we try with SED in props.conf, events are not getting truncated, however, that is not I want.
SEDCMD-drop = s/(?ims)[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9] [0-9][0-9]\:[0-9][0-9]\:[0-9][0-9].*[\r\n].*Message\=//g
I want only events with ImportantKeyWord in the Message to be re-written as _raw
Any suggestions welcome.
... View more
03-22-2018
04:45 AM
Been trying to create a manual for doing a daily house keeping activities on Splunk and Universal forwarder to make the product work better. Please kindly suggest the same
... View more
02-28-2018
06:04 AM
clients which show on delpyment server share below result:
tcp 0 287 X1.X1.X1.X1:47010 X2.X2.X2.X2:8089 ESTABLISHED
client which do not show share this result
tcp 0 287 X1.X1.X1.X1:47010 X2.X2.X2.X2:8089 FIN_WAIT1
... View more
02-28-2018
05:14 AM
In the other client same configuration works...thats y i was confused
... View more
02-28-2018
05:02 AM
Yes it does show the repose as :
Deployment Server URI is set to "X2.X2.X2.X2:8089".
... View more
02-28-2018
04:24 AM
The configurations are perfect and the ping and telnet are working between the deployment server and the client but am getting this log when I checked the internal logs.
INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
this is was the response of netstat:
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN
tcp 0 287 X1.X1.X1.X1:47010 X2.X2.X2.X2:8089 FIN_WAIT1
x1.x1.x1.x1 - client where agent is installed
x2.x2.x2.x2 - deployment server
Has anyone faced this issue? please, kindly advice.
... View more
02-16-2018
02:03 AM
Was trying to set up the Splunk app for Ansible tower, but was unable to find the app in Splunk base. please advice if the app was deprecated
... View more
02-13-2018
04:16 AM
i am running the query from license master only
... View more
02-13-2018
04:05 AM
am running the query in search head which is assocaite with all the indexers :
Was able to reterive only the below log
01-29-2018 10:06:30.048 +0000 INFO LicenseUsage - type=Message - License usage logging not available for slave licensing instances, please see license_usage.log on license master=https://X.X.X.X:8089 for usage breakdown
... View more
02-13-2018
03:43 AM
I was trying to find the license usage logs using the query: index=_internal source=license_usage.log but we are not getting any data. Am able to see one-day data as it runs the query using |rest... I check the list monitor command which also showed the license usage logs being monitored by Splunk.
Note: license master + cluster master + Distributed Management Console are all residing in the same instance.
Please advice
... View more
01-16-2018
06:04 AM
I guess all your answers helped me thanks alot for that...i liked this one beucase it helped us learn a new command....make results...thanks aton
... View more
01-16-2018
05:42 AM
I have been trying out to Anonymise below logs using SED function,but its not wokring, Please find the use case below:
Input:
10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do HTTP/1.1" 200 13849 "http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD5SL10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1463 2971
Output:
10.192.1.46 - - [30/Jul/2014:23:59:15] "POST /flower_store/order.do HTTP/1.1" 200 13849 "http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=#####10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1463 2971
Have deployed the below configuration in Indexer as using Sed command:
sourcetype is testing.
props.conf
[testing]
SEDCMD-testing = s/JSESSIONID=\w{2}\d\w{2}\d{2}\w{2}/JSESSIONID=#####\1/g
... View more
11-28-2017
04:24 AM
i was tyring to filter a set of data to indexer by filtering out few data and below are the sample logs and configurations:
Here trying to pass only category_id=FLOWERS to the indexer and ignore GIFTS events.
sample log:
177.23.21.50 - - [24/Jul/2014:03:42:00] "GET /flower_store/category.screen?category_id=GIFTS HTTP/1.1" 200 10591 "http://mystore.splunk.com/flower_store/main\\.screen&JSESSIONID=SD2SL2FF7ADFF5" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 2035 1226
233.77.49.46 - - [24/Jul/2014:03:41:46] "GET /flower_store/product.screen?product_id=K9-BD-01 HTTP/1.1" 200 10560 "http://mystore.splunk.com/flower_store/category.screen?category_id=GIFTS&JSESSIONID=SD2SL2FF7ADFF5" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 661 1822
177.23.21.50 - - [24/Jul/2014:03:42:00] "GET /flower_store/category.screen?category_id=FLOWERSHTTP/1.1" 200 10591 "http://mystore.splunk.com/flower_store/main\\.screen&JSESSIONID=SD2SL2FF7ADFF5" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 2035 1226
Configuration:
inputs.conf
[monitor:///opt/log/willwork.log]
sourcetype = access_common
index=heavy
outputs.conf
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=indexerip:9997
[monitor:///opt/log/willwork.log]
sourcetype = access_common
index=heavy
props.conf
[access-combine]
TRANSFORMS-routing=accessrouting
transforms.conf
[accessrouting]
REGEX=FLOWERS
DEST_KEY=_TCP_ROUTING
FORMAT=my_search_peers
data is getting indexer but GIFTS even is also getting indexed
... View more
11-28-2017
04:03 AM
Thanks alot for helping patiently but still it didnt work:
[access_common]
TRANSFORMS-anonymize = session-anonymizer
[session-anonymizer]
REGEX = (?m)^(.)JSESSIONID=.((?=\"\s\").*)$
FORMAT = $1JSESSIONID=#######$2
DEST_KEY = _raw
... View more
11-28-2017
02:35 AM
sorry it was copy paste error:
[session-anonymizer]
REGEX = (?m)^(.)JSESSIONID=.((?=\"\s\").*)$
FORMAT = $1JSESSIONID=#######$2
DEST_KEY = _raw
is the one am using
... View more
11-28-2017
02:30 AM
Thanks for your answer @harsmarvania57. But it didnt work 😞
[access_common]
TRANSFORMS-anonymize = session-anonymizer
[session-anonymizer]
REGEX = (?m)^(.)JSESSIONID=\w{2}\d\w{2}\d{2}(\w+.)
FORMAT = $1JSESSIONID=#######$2
DEST_KEY = _raw
i restarted heavy forwarder also....logs are getting indexed with out any masking
... View more
11-27-2017
11:09 PM
Been trying to mask data before indexing into indexer using heavy forwarders. below is the log sample and data am trying to mask
JSESSIONID=SD1SL10FF3ADFF3" to JSESSIONID=#######FF3ADFF3"
189.222.1.46 - - [24/Jul/2014:11:27:00] "GET /flower_store/product.screen?product_id=RP-SN-01 HTTP/1.1" 200 10897 "http://mystore.splunk.com/flower_store/category.screen?category_id=BALLOONS&JSESSIONID=SD1SL10FF3ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 527 3006
10.2.91.38 - - [24/Jul/2014:11:28:00] "POST /flower_store/j_signon_check HTTP/1.1" 302 309
"http://mystore.splunk.com/flower_store/enter_order_information.screen&JSESSIONID=SD1SL10FF3ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 3441 2576
192.0.1.38 - - [24/Jul/2014:11:28:15] "GET /flower_store/images/cat3.gif HTTP/1.1" 200 5024 "http://mystore.splunk.com/flower_store/item.screen?item_id=EST-21&JSESSIONID=SD1SL10FF3ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 4323 3071
below is my props.conf and transforms.conf:
[access_common]
TRANSFORMS-anonymize = session-anonymizer
[session-anonymizer]
REGEX = (?m)^(.)JSESSIONID=\w{2}\d\w{2}\d{2}(\w+.)
FORMAT = $1JSESSIONID=#######$2
DEST_KEY = _raw
Kindly advice....i do not see and changes in fields after applying this configuration
... View more
10-16-2017
07:55 AM
We have the similar issue on DB Connect 2.4.x as well.
Could you please share the workaround?
... View more
10-16-2017
07:34 AM
Below is my sample log format
%timestamp% com_java_package1.subpackage someMessage exceptionMessage
%timestamp% someText com_java_package2.v1.subpackage exceptionMessage
%timestamp% com_java_package3_v2.subpackage exceptionMessage
%timestamp% someText someOtherText someVeryBigText com_java_package4.subpackage someMessage exceptionMessage
Usage 1:
index=someIndex sourcetype=someSourceType (packageName=com_java_package1 OR packageName=com_java_package2)
Usage 2:
index=someIndex sourcetype=someSourceType ("com_java_package1" OR "com_java_package2")
The logs are in a very bad shape where I cannot write a generic regex to extract packageName field.
It requires lot of effort to put all combination to extract the packageName field.
Now my question is - do I really need field extraction for packageName?
Is there any potential benefits in performance of above usage over the other?
... View more
10-16-2017
06:00 AM
Any updates on the resolution please?
... View more
01-11-2017
09:06 PM
This issue occurs when you change the app folder name to something else.
Restore the original directory name, this should be fixed.
... View more
08-25-2016
12:25 AM
Thanks for the response, but it shows an error : The IP address 'xx.xx.xx.xx' is a reserved IP address (private, multicast, etc.).
... View more
08-24-2016
08:36 AM
Hi all,
IP location is not displaying any of the fields it should return when used in search app. But the iplocation command is working in built apps like splunk app for aws and box app for splunk. But when i manually try to use iplocation command it does not return any. we are using splunk 6.4.2 . Attached screenshot for reference
... View more
