Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Elsurion
Elsurion
Communicator
Member since:
02-17-2012
09-20-2021
Community Statistics
| Posts | 67 |
| Solutions | 7 |
| Karma Given | 1 |
| Karma Received | 8 |
| Member Since | 02-17-2012 |
Activity Feed
- Got Karma for Re: How do i check how much i am exceeding my license limit by?. 02-06-2025 10:12 PM
- Got Karma for Custom Script and python 3.7 gives strange Loglevel Error. 02-24-2021 05:13 AM
- Posted Re: Custom Script and python 3.7 gives strange Loglevel Error on Splunk Dev. 07-17-2020 06:25 AM
- Posted Custom Script and python 3.7 gives strange Loglevel Error on Splunk Dev. 07-17-2020 02:10 AM
- Got Karma for Re: How can I take Backup of My Saved Searches,Macros and Index Data ?. 06-05-2020 12:49 AM
- Got Karma for Re: HTTP event collector client AJAX error "readyState 0, status 0, statusText error". 06-05-2020 12:49 AM
- Got Karma for Re: Splunk Forwarding doesn't forward data. 06-05-2020 12:49 AM
- Got Karma for Re: extract part of a string from the fields. 06-05-2020 12:49 AM
- Got Karma for Re: 【emergency】I can not migrate indexed data. 06-05-2020 12:49 AM
- Got Karma for Re: How to add scripts as data input?. 06-05-2020 12:49 AM
- Karma Re: alert on license usage for dantimola. 06-05-2020 12:46 AM
- Posted Re: How to enable the proxy configuration for this add-on on All Apps and Add-ons. 06-04-2019 05:44 AM
- Posted How to enable the proxy configuration for this add-on on All Apps and Add-ons. 06-03-2019 11:34 PM
- Tagged How to enable the proxy configuration for this add-on on All Apps and Add-ons. 06-03-2019 11:34 PM
- Tagged How to enable the proxy configuration for this add-on on All Apps and Add-ons. 06-03-2019 11:34 PM
- Posted Re: Using DB CONNECT to query data but the value of "where condition" is variable on Splunk Search. 04-04-2018 03:19 AM
- Posted Re: Using DB CONNECT to query data but the value of "where condition" is variable on Splunk Search. 04-04-2018 01:20 AM
- Posted Re: How do i check how much i am exceeding my license limit by? on Installation. 03-27-2018 11:54 PM
- Posted Re: How to get at two fields from a subsearch to the main search results on Splunk Search. 03-23-2018 04:37 AM
- Posted Re: HTTP event collector client AJAX error "readyState 0, status 0, statusText error" on Getting Data In. 03-23-2018 04:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
02-02-2018
12:56 AM
I don't have this app, but you could try, before you run setup.sh, that you are logged in into splunk.
You could do that this way
# splunk login -auth ${logname}:${mypwd}
On a Test system you could take the admin account, on a productive system you better take a low priv user before using an admin user.
To logout on the shell use this
# splunk logout
... View more
01-25-2018
11:42 PM
For the Number you can use this Regex, assuming that the message itself can alter
|rex field=_raw "TEST_LOG.+\((?<position_number>\d+)\)"
For the Logfile you can use this regex
| rex field=_raw "(\S+\\){0,}(?<error_file>\S+)$"
Can you check if the last Regex is working for you? It should not take in account in how many subfolders the file is stored.
... View more
01-25-2018
07:06 AM
I've tried a few settings.
What can be, that the source_a.csv has a path in the field, like in the metrics.log example (source = /opt/splunk/var/log/splunk/metrics.log) , if so then you could use this if pattern.
index=_internal
| eval a=if(source like "%metrics.log","1","0")
If the field source is only "source_a.csv", then you can use the noted if pattern.
index=_internal
| eval a=if(source="metrics.log","1","0")
... View more
01-24-2018
05:30 AM
This kind of solution I like the most 😉
... View more
01-23-2018
03:48 AM
Hello
I've done it that way.
The checkbox has a searchfragment in it, where i select only Errors in my case
<input type="checkbox" token="only_errors" searchWhenChanged="true">
<label>Zeige</label>
<default></default>
<choice value="OSCOMPSTAT != 0">Nur Errors</choice>
</input>
In the Tablequery i'm using then the fragment like this:
<query>index=controlm sourcetype=controlm-ajf JOBNAME="$jobname$" $only_errors$ host=$ctmsrv$
| eval STARTRUN=strptime(STARTRUN,"%Y%m%d%H%M%S")
| eval ENDRUN=strptime(ENDRUN,"%Y%m%d%H%M%S")
| eval start=strftime(STARTRUN,"%F %T")
| eval end=strftime(ENDRUN,"%F %T")
| eval duration=round(ELAPTIME/100,2)
| ctmbase36
| rename NODEID as exechost, OSCOMPSTAT as exitcode
| table start, end, orderid, exechost duration, exitcode</query>
This will expand the search with "OSCOMPSTAT != 0 when ticked and with "" when not ticked.
... View more
01-23-2018
03:02 AM
I don't think so. Unless you have just one disc which is used for others as well and not a whole cabinet.
But you could run bonnie++ to check your filesystem for benchmark issues.
... View more
01-23-2018
02:08 AM
Your whole index is 10TB and a the day to freeze is how many GB?
My system here is freezing about 10GB/day, but only because the events should be frozen. The Index is about 1TB.
Also the discs are not highspeed just a bunch of normal discs.
... View more
01-23-2018
01:36 AM
According to the Doku, you can define there a global/indexbased value for your home and cold path.
I assume now (according this case), that both values have to be not null to work.
Since i'm normally not using it i cannot prove here, i took a note to test it on my own environment when i find the time ;).
https://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Configureindexstoragesize
... View more
01-23-2018
12:59 AM
Ok, try this setup. I've browsed trough the definitions and crosschecked with my normal setup script.
maxHotBuckets = 3
maxWarmDBCount = 5
maxHotSpanSecs = 180
frozenTimePeriodInSecs = 2592000
maxWarmDBCount = 5
maxDataSize = auto
maxTotalDataSizeMB = 20
homePath.maxDataSizeMB = 0
coldPath.maxDataSizeMB = 0
I nulled the max home/cold IDX size, just to be sure we don't run there in a problem.
... View more
01-22-2018
11:17 PM
You have entries like this on your System?
Picture:
./etc/apps/search/appserver/static/logincustombg/monsterine.png
And system/local/web.conf entrys?
[settings]
loginBackgroundImageOption = custom
loginCustomBackgroundImage = search:logincustombg/monsterine.png
And you've checked the logs for any error during startup?
And maybe the importantst part, have you cleared your WebChache?
... View more
01-22-2018
11:07 PM
That can have now four reasons
You haven't restarted Splunk>
The size of the Data is more then 20MB
The Event itself is older then the 30days
The Timestamp of the event is wrongly interpreted as too old
To the 2 is said, if your Index is more the 20MB in the Warm Buckets the cold will not be considered. And the Events will be frozen when reaching the 20MB Limit.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/HowSplunkstoresindexes
... View more
01-22-2018
07:01 AM
Depends on the input, my weather station has now 750MB with 14,8Mevt, but i'm collecting now sind 1 1/2 years.
But one part is the 3hrs delay for the freezing.
... View more
01-22-2018
05:11 AM
Hello,
The parameter frozenTimePeriodInSecs is the "bad" value for you problem, raise it from 3hrs to let's say 30days, then the data should be searchable in you cold folder and not already frozen.
frozenTimePeriodInSecs = 2592000
I have here even for large input of about 500Mio Events/day the online time set to 90days.
... View more
01-22-2018
01:46 AM
Hi there
Your approach is not too bad, but you have to take the token for the seachh. I assume that you set that in your first dropdown, since it's not visible here
An example, how i have to this multiple times. One with four dropdowns but showing only the first two.
<input type="dropdown" token="myindex" searchWhenChanged="true">
<label>Application Log</label>
<fieldForLabel>index</fieldForLabel>
<fieldForValue>index</fieldForValue>
<search>
<query>| eventcount summarize=false index=log_*
| dedup index
| fields index</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<change>
<unset token="cust"></unset>
<unset token="mysourcetype"></unset>
<unset token="mysource"></unset>
<unset token="myhost"></unset>
<unset token="form.cust"></unset>
<unset token="form.mysource"></unset>
<unset token="form.mysourcetype"></unset>
<unset token="form.myhost"></unset>
</change>
</input>
<input type="dropdown" token="mysourcetype" searchWhenChanged="true">
<label>Sourcetype</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<search>
<query>index=$myindex$
| fields sourcetype
| dedup sourcetype
| table sourcetype</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<change>
<unset token="cust"></unset>
<unset token="mysource"></unset>
<unset token="myhost"></unset>
<unset token="form.cust"></unset>
<unset token="form.mysource"></unset>
<unset token="form.myhost"></unset>
</change>
</input>
... View more
01-19-2018
02:08 AM
one other thing i have done on an installation is a symbolic link from the var/lib/splunk to the index folder. Might help.
link between ~/var/lib/splunk and /data/Indexes
... View more
01-19-2018
01:08 AM
Hi Yutaka
Have you modified your SPUNK_DB Variable in the ~/etc/splunk-launch.conf Conffile?
Normaly it is not set, so the default path is taken.
# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#
# SPLUNK_DB=/home/build/build-home/ember/var/lib/splunk
SPLUNK_DB=/some/path
... View more
01-18-2018
12:33 AM
The indexes are stored (normaly) under
/opt/splunk/var/lib/splunk/<your_index>
When you want to move this data as well just follow this short howto.
stop the splunk indexer on the destination
Check that you don't getting new data in on the old location, otherwise you will have some holes in the data.
delete any existing data of the index you want to copy on the destination system
copy the index folder from the old location to the new location, keep the paths the same.
copy the .dat file from /opt/splunk/var/lib/splunk/ to the new location, overwrite it when existing.
start splunk indexer on the destination.
Check the startup messages if any error occured.
Check the data within splunk
Do not move the Data from A to B, since it could be that you make a mistake and in that case you would loos all data.
... View more
01-18-2018
12:25 AM
When the saved searches are stored in the app context yes, if not move them in the correct app context. either by move it from the wrong app to the correct or with the permissions from private to app.
When you save a search you can set the permissions, where you have three options.
Owner (Private)
App (App Context)
App apps (App Context)
When you copy the app to the new location and restart splunk, splunk will read the added configuration and add it to the available stuff.
The point about the indexed data will be answered in the other answer related to the question.
... View more
01-17-2018
11:20 PM
1 Karma
It depends if the saved searches etc is your private or in an app.
if private then you could move just your own folder under
/opt/splunk/etc/users/<your_user>
to the new Server.
If it is an app then you should move the whole app you want to move to the new server
/opt/splunk/etc/apps/<your_app>
... View more
01-09-2018
07:00 AM
When no Forwarder is connecting to the old DS and your old DS ist no License Master then just shut it down.
If you're not sure if all are gone from this DS, then you could check on the DS under DISTRIBUTED ENVIRONMENT --> Forwarder Management if there's any Forwarder still phoning home. If there's one then fix his deplyomentsclient.conf for the new DS.
Also you could check, if you see the old DS in the Monitoring Console and remove it there.
... View more
01-09-2018
06:34 AM
You have to to edit cluster configuration.
At the moment i haven't here a replication environment, but in my notes i have a note that you can just edit the cluster config to replace the old with the new ones.
But I suggest you give the old one a new site id and using for the new ones the old site id.
the parameter -site_replication_factor does the the magic with the replication.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor
... View more
01-09-2018
06:00 AM
This is quite simple.
You only have to replace the 4 old with your 4 new Indexer in the outputs.conf of your forwarders, and then they will send the data to the new ones.
On the Master you have to add the 4 new Indexers as Searchpeers
... View more
01-09-2018
03:31 AM
Since you can add a search restriction on a role base (i don't use it) it is whiser to add for every needed department (or groups of departments) it's own index. You'll generate a few more indexes, but on the indexer it won't eat much power.
Since a summary index is like a normal index, but w/o an own secstofrozen value.
And it don't count to your license.
A tutorial is here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configuresummaryindexes
But in short, you have a search which will select your needed data and will write it to a summary 😉
E.g. a collection of license data for longtime evaluation.
index=_internal source=*license* type="Usage"
| fields st, idx, h, b, i, _time
| bucket _time span=1m
| stats sum(b) as bytes by h st idx i _time
| lookup sysmgmt_hosts guid as i OUTPUT name as srv
| eval output=split(h,".")
| eval anz=mvcount(output)
| eval h=if(anz > 1,mvindex(output,0),h)
| eval output=split(srv,".")
| eval anz=mvcount(output)
| eval srv=if(anz > 1,mvindex(output,0),srv)
| eval indexer=if(isnull(srv),i,srv)
| eval type="license"
| fields - output, anz, srv, i
| collect index=sysmgmt_summary
... View more
01-09-2018
01:55 AM
A short win is when you add
| fields hostname, sourceIp
to your search, on my system it gave me about a win of 50% searchtime from 22sec to 11sec over a period of 60mins
Other question is, what are you expecting from your search here? Just a list when a certain host has sent last it's data?
... View more
01-09-2018
01:46 AM
The full regex for this string would be this one:
\S+\s\S+\|(?<Status>\w+)\|\w+=(?<ServiceName>\w+)\|\w+=(?<DropId>(\w+-){4}\w+)\|\w+=\(?<JobNumber>(\w+)\)\|\w+=\(?<DropNumber>(\w+)\)|\|\w+=(?<StampCycle>\w+)\|\w+=(?<TotalFiles>\w+)\|\w+=(?<FileId>(\w+-){4}\w+)\|\w+:\s(?<QueueName>\w+),\s\w+:\s(?<GUID>(\w+-){4}\w+)
It does not include now special characters like äöü.
You could also expand the placeholder \w+ to it's real name like ServiceName, etc. But this is only a solution when you getting faults with the extraction.
When you encounter some mismatch, you can test the regex also here:
https://regexr.com/
but you have to remove the fielddefintions, since this page does not recognize it.
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-20-2021
09:51 AM
|
