Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About iKate
iKate
Builder
Member since:
03-01-2012
12-09-2020
Community Statistics
| Posts | 153 |
| Solutions | 7 |
| Karma Given | 58 |
| Karma Received | 56 |
| Member Since | 03-01-2012 |
Activity Feed
- Got Karma for Silent hit of limit. 03-22-2021 01:04 PM
- Got Karma for Why kv store lookup is much slower than csv lookup?. 03-15-2021 10:59 PM
- Karma Re: How to match an IP address from a lookup table of cidr ranges? for lguinn2. 12-09-2020 12:21 PM
- Got Karma for Silent hit of limit. 11-19-2020 12:48 PM
- Got Karma for Re: Align all values of a table to the left (for PDF export). 10-29-2020 10:55 AM
- Got Karma for Re: Is there a way to hide column in a table but still use it for drilldown in HTML Dashboards in Splunk 6. 06-16-2020 01:57 PM
- Got Karma for How to setup scheduled search to run after fulfillment of another?. 06-05-2020 12:51 AM
- Karma Re: Align all values of a table to the left (for PDF export) for arayapati83. 06-05-2020 12:49 AM
- Karma Re: What *exactly* are the rules/requirements for using "|tstats append=t"? for Kenshiro70. 06-05-2020 12:49 AM
- Got Karma for Unable to make several independent tab areas in a dashboard. 06-05-2020 12:49 AM
- Karma Re: How to make panel appear from a conditional token chosen on time picker? for niketn. 06-05-2020 12:48 AM
- Karma How to deal with datamodel retention period as summary range is not working for thambisetty_bal. 06-05-2020 12:48 AM
- Karma Pdf Reports Won't Open on iPhone for ErikaE. 06-05-2020 12:48 AM
- Karma Re: How to monitor Splunk 6.4 performance? for bchung_splunk. 06-05-2020 12:48 AM
- Karma Re: Problem with "Custom time" in Advanced XML dashboards after upgrading to 6.5.0 for pmerlin1. 06-05-2020 12:48 AM
- Karma How can I set the size of a Single Value Indicator? for dcrooks_us. 06-05-2020 12:48 AM
- Karma Where can I download DbConnect v1 (dbx)? for fredmeews. 06-05-2020 12:48 AM
- Karma Re: How to hide all form input filters in a dashboard by default? for lakromani. 06-05-2020 12:48 AM
- Karma Re: Silent hit of limit for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: Make map command process values in series for DalJeanis. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 3 |
12-20-2013
12:23 AM
It turned out that this was a known issue and was fixed in 6.0.1
"Upgrading causes crash in "Crashing Thread: archivereader" (SPL-74873)"
... View more
11-27-2013
06:58 AM
here's what helped in my case: http://answers.splunk.com/answers/111222/splunk-crashes-repeatedly-cannot-open-manifest-file
... View more
11-21-2013
01:13 AM
@lukejadamec thank you for the answer! We've tried your radical surgery treatment with elimination of ill buckets and it works. At least there were no more crushes.
Nevertheless are you aware of the way to restore journal.gz? We've found no missing journals and all in all there were 42 corrupted buckets.
... View more
11-15-2013
03:06 AM
1 Karma
Splunk started crushing with crash logs enries like this:
[build 182037] 2013-11-14 11:02:27
Received fatal signal 6 (Aborted).
Cause:
Signal sent by PID 4283 running under UID 0.
Crashing thread: archivereader
Registers:
RIP: [0x00007F4DC9918B25] gsignal + 53 (/lib/libc.so.6)
RDI: [0x00000000000010BB]
RSI: [0x00000000000010F1]
RBP: [0x00007F4DC9A2E74C]
RSP: [0x00007F4DB7BEE068]
RAX: [0x0000000000000000]
RBX: [0x00007FFF8B497801]
RCX: [0xFFFFFFFFFFFFFFFF]
RDX: [0x0000000000000006]
R8: [0x00007F4DB7BFF700]
R9: [0x00007F4DC9A306B4]
R10: [0x0000000000000008]
R11: [0x0000000000000206]
R12: [0x00000000012747F9]
R13: [0x00000000013871A0]
R14: [0x00007F4DC9A2E74C]
R15: [0x00000000000006DC]
EFL: [0x0000000000000206]
TRAPNO: [0x0000000000000000]
ERR: [0x0000000000000000]
CSGSFS: [0x0000000000000033]
OLDMASK: [0x0000000000000000]
OS: Linux
Arch: x86-64
Backtrace:
[0x00007F4DC9918B25] gsignal + 53 (/lib/libc.so.6)
[0x00007F4DC991C670] abort + 384 (/lib/libc.so.6)
[0x00007F4DC99119F1] __assert_fail + 241 (/lib/libc.so.6)
[0x0000000000D025F3] _ZN14PolledReadPipeD2Ev + 147 (splunkd)
[0x0000000000D4D261] _ZN12PipeToLoggerD2Ev + 97 (splunkd)
[0x0000000000AA0880] _ZN14ArchiveContext7processERK8PathnameP13ISourceWriter + 1216 (splunkd)
[0x0000000000AA0E95] _ZN14ArchiveContext9readFullyEP13ISourceWriterRb + 1221 (splunkd)
[0x000000000083CFA2] _ZN16ArchiveProcessor20haveReadAsNonArchiveE14FileDescriptorlPK3Str + 578 (splunkd)
[0x000000000083EE53] _ZN16ArchiveProcessor4mainEv + 2755 (splunkd)
[0x0000000000D81A2D] _ZN6Thread8callMainEPv + 61 (splunkd)
[0x00007F4DC9C719CA] ? (/lib/libpthread.so.0)
[0x00007F4DC99CE21D] clone + 109 (/lib/libc.so.6)
Linux / css-prod-back.scartel.dc / 2.6.32-45-server / #99-Ubuntu SMP Tue Oct 16 16:41:38 UTC 2012 / x86_64
Last few lines of stderr (may contain info on assertion failure, but also could be old):
2013-11-14 11:00:55.156 +0400 splunkd started (build 182037)
Cannot open manifest file inside "/opt/splunk/var/lib/splunk/audit/db/db_1384412390_1384412390_623/rawdata": No such file or directory
splunkd: /opt/splunk/p4/splunk/branches/6.0.0/src/util/EventLoop.cpp:1756: virtual PolledReadPipe::~PolledReadPipe(): Assertion `!isActive()' failed.
2013-11-14 11:02:25.275 +0400 splunkd started (build 182037)
Cannot open manifest file inside "/opt/splunk/var/lib/splunk/audit/db/db_1384412455_1384412455_624/rawdata": No such file or directory
splunkd: /opt/splunk/p4/splunk/branches/6.0.0/src/util/EventLoop.cpp:1756: virtual PolledReadPipe::~PolledReadPipe(): Assertion `!isActive()' failed.
/etc/debian_version: squeeze/sid
glibc version: 2.11.1
glibc release: stable
Last errno: 11
Threads running: 40
argv: [splunkd -p 8089 start]
Thread: "archivereader", did_join=0, ready_to_run=Y, main_thread=N
First 8 bytes of Thread token @0x7f4db7c2b330:
00000000 00 f7 bf b7 4d 7f 00 00 |....M...|
00000008
x86 CPUID registers:
0: 0000000A 756E6547 6C65746E 49656E69
1: 00010676 04040800 000CE3BD BFEBFBFF
2: 05B0B101 005657F0 00000000 2CB4304E
3: 00000000 00000000 00000000 00000000
4: 00000000 00000000 00000000 00000000
5: 00000040 00000040 00000003 00002220
6: 00000001 00000002 00000001 00000000
7: 00000000 00000000 00000000 00000000
8: 00000400 00000000 00000000 00000000
9: 00000000 00000000 00000000 00000000
A: 07280202 00000000 00000000 00000503
80000000: 80000008 00000000 00000000 00000000
80000001: 00000000 00000000 00000001 20000800
80000002: 65746E49 2952286C 6F655820 2952286E
80000003: 55504320 20202020 20202020 45202020
80000004: 30353435 20402020 30302E33 007A4847
80000005: 00000000 00000000 00000000 00000000
80000006: 00000000 00000000 18008040 00000000
80000007: 00000000 00000000 00000000 00000000
80000008: 00003026 00000000 00000000 00000000
terminating...
We've already tried repair with splunk-fsck but no result and in fact there were no corrupted indexes.
The directory that is stated in the crash-message exists, but not sure about manifest file.
Here's what in stated directory:
root@css-prod-back:/opt/splunk/bin# ls /opt/splunk/var/lib/splunk/audit/db/db_1384412390_1384412390_623/rawdata/
0 slicesv2.dat
And here's another directory that splunk doesn't complain at:
root@css-prod-back:/opt/splunk/bin# ls /opt/splunk/var/lib/splunk/audit/db/db_1351635002_1351550304_461/rawdata/
journal.gz slicemin.dat slices.dat slicesv2.dat
Seems it's the same problem like here: http://answers.splunk.com/answers/108806/splunkd-keeps-on-crashing-crashing-thread-archivereader?page=1&focusedAnswerId=111215#111215
And unfourtunately it's not square bracket case like here: http://answers.splunk.com/answers/110135/splunk-crashing
So how to rebuid this "missing" manifest file (if the reason in it really)?
What is its exact name?
Why could this happen?
Thanks in advance for help, it is vital for us.
... View more
11-15-2013
02:31 AM
The same thing. Did you manage to solve the problem?
... View more
11-13-2013
08:05 AM
and if our database hasn't been noticed in purging rows then it's a bug?
... View more
11-13-2013
05:54 AM
@sowings btw) Maybe this question can be as easy for you as one above:) It will help us greatly
http://answers.splunk.com/answers/110399/db-connect-app-execution-of-input-successfalse-continuemonitoringfalse
... View more
11-13-2013
05:50 AM
@sowings cool, thank you!
I complemented my date string like this and it worked finally:
...
| eval date=date.".".01
| convert timeformat="%Y.%m.%d" mktime(date) as date
...
You're right it's weird thing, I expected splunk could cope with time strings of any completion..
... View more
11-13-2013
05:40 AM
Hi @MuS, the issue isn't in final charting. Before chart/timechart command results go with wrong time: 1/1/70 3:33:33.110 AM
instead of November 2013
... View more
11-13-2013
05:33 AM
I've already tried it) no result
... View more
11-13-2013
04:57 AM
Hi!
I have a lookup table with time srings like this: 2013.11 and I want splunk to understand it is a time and make it use it in timechart but can't make it work properly.
Here's a piece of csv file:
"uid",date,"type"
1010174,"2013.11",MIX
1014625,"2013.11",MIX
Here's how I try to do it:
| inputlookup file.csv
| eval date=strptime(date, "%Y.%m")
| eval _time=date
| timechart count
and got nothing
OR
| inputlookup file.csv
| convert timeformat="%Y.%m" mktime(date)
| eval _time=date
| timechart count
Treats all entries like they were in 1970th, so it couldn't parse it and assigned epochtime 0.
Where is the mistake?
Thanks in advance
... View more
11-11-2013
05:20 AM
1 Karma
Hi all,
One of our external db inputs stopped receiving data. We use dbconnect app, that's what is written about problem input in /opt/splunk/var/log/splunk/dbx.log:
monsch1:INFO:Scheduler - Execution of input=[dbmon-tail://database/dbtable] finished in duration=188 ms with resultCount=0 success=false continueMonitoring=false
Seems this could start after our splunk was shutted down for several hours.
So now we need to fill index with missing data. How can we do this without rebuiding index?
Connection to database is valid and I can view db results using dbquery command.
inputs.conf:
[dbmon-tail://database/dbtable]
host = xxxxxxx
index = prepayment
interval = 40 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = create_ts
output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSSZ
table = "public".dbtable
tail.rising.column = create_ts
Other inputs that continue working have similar entries in inputs.conf.
Thanks in advance
... View more
10-26-2013
02:50 PM
@sowings thank you! I'll surely install and check it!
... View more
10-26-2013
01:26 PM
It's an honour for me to be answered by @sideview:)
To be honest I haven't noticed module ValueSetter yet, maybe because we updated SideviewUtils to 2.7 just several days ago)
Seems the second variant you suggested can work well for me. Thank you!
... View more
10-23-2013
01:33 AM
Thanks for try but it's quite not what is needed, as in license_info timerangepickers simply belong to different Hiddensearch modules. And I'm interested in case when they can be used in one search module.
... View more
10-17-2013
10:22 AM
1 Karma
Hi! How can one add two timerangepickers to one search in advanced xml?
I've used simple xml form with its tokens for time inputs and it worked well, but simple xml still has constraints like I cannot select several options in a drilldown and it's crucial in my case. So I need to rebuild form into advanced xml (using SideView features) and don't see how to cope with my time ranges.
The suggestion from this answer cannot be applied as both of timeranges should be custom
http://answers.splunk.com/answers/77362/timerangepicker-as-intention
Thanks
UPDATE:
This is how the result looks in simple xml, and needed the same but in advanced to have possibility to select several options in pulldowns. OR alternative question: how to select several options in pulldowns in simple xml?:)
... View more
10-17-2013
05:14 AM
4 Karma
You do not necessarily have to use Advanced XML for this at least in Splunk v6.0. Here's my example of how device_type selected with radio button is passed to the search populating dropdown. In two words: just add in the beginning of populating search your previous value like device_type=$device_type$
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="cohort"> <default>Last 30 days</default> </input>
<input type="time" searchWhenChanged="true" token="search"> <default>Last 30 days</default> </input>
<!-- Specify search when changed for the inputs -->
<input type="radio" token="device_type" searchWhenChanged="true">
<label>Select a device type:</label>
<default>All</default>
<!-- Define the choices in code -->
<choice value="*">All</choice>
<choice value="TV">TV</choice>
<choice value="BDP">BDP</choice>
<choice value="WEB">WEB</choice>
<choice value="TBL">TBL</choice>
<choice value="MOB">MOB</choice>
</input>
<input type="dropdown" token="device_manufacturer" searchWhenChanged="true">
<label>Select a device manfacturer:</label>
<prefix>device_manufacturer="</prefix>
<suffix>"</suffix>
<default>*</default>
<!-- Define the default value -->
<choice value="*">All</choice>
<!-- Define the choices with a populating search -->
<populatingSearch fieldForValue="device_manufacturer" fieldForLabel="device_manufacturer" earliest="-48h" latest="now">
<![CDATA[source=sc_context_creation device_type="$device_type$" | eval device_manufacturer=lower(device_manufacturer)
| stats count by device_manufacturer | sort 0 - count]]>
</populatingSearch>
</input>
... View more
10-16-2013
12:11 PM
@ChrisG guys you are great! I really love Splunk and its documentation!:)
... View more
10-15-2013
03:46 AM
1 Karma
thanks! I was misled with description of iplocation command in documentation where were no mention of latitude or longitude:
"The IP address field, specified in ip-address-fieldname, is looked up in a database and location fields information is added to the event. The fields are country, city, metroCode, areaCode, region, postalCode."
... View more
10-14-2013
10:01 AM
5 Karma
Seems that better decision for this now is old good Google Maps app http://apps.splunk.com/app/368/#versionBox
Also what dissapointed me with new inbuilt maps that latitude and longitude are not defined from ipaddress field and that visualization is supported just in simple xml (or it's not covered in docs).
... View more
06-24-2013
02:08 AM
1 Karma
I faced the same issue. As far as I understood exceeding of default volume of lookup table doesn't impact on the data itself as it just starts to be indexed. So it's enough just to hide this message from a dashboard. To do so add the level field to your Message module:
< module name="Message" layoutPanel="messaging" >
...
< param name="level">error< /param >
< /module >
And it will only emit messages equal to or higher than the specified level.
Splunk's internal logging levels are DEBUG INFO WARN ERROR FATAL (from most to least verbose).
... View more
05-29-2013
08:51 AM
thanks for the answer Gilberto. Nevertheless I hope some day there will be such plugin.
... View more
05-29-2013
06:33 AM
1 Karma
How can one get Google Analytics data in Splunk? I'm interested more in business data of an Internet service rather than system administrator's params that can be collected by Sideview Web Analytics addon.
At the moment we use script that extracts necessary params out of GA into csv file that is then indexed in Splunk. But it's not convenient way of getting data in, comparing with some BI products that can do this (e.g. Datameer). Why not to enrich splunk with this functionality that can be used widely?
... View more
- Tags:
- app_request
- ga
04-02-2013
01:29 PM
@benjaminwyatt thanks for the suggestion! It lead me to search reference for specifying the command you mentioned 'output' and to my shame only then I found out there's more than one command that can do output. 'outputlookup' can solve my case within the search exactly as you say. But current way of solving this case using configs seems lacks of the option I've asked at first.
... View more
04-02-2013
09:40 AM
Hello,
can one set up the way how data populates lookup table with results from a saved search: by appending new results or by adding new to the end of file?
It seems that at the moment it overrides all the data in the file each time the search runs by a schedule.
I used thisinstruction
Hope there is a way to add data. Command outputcsv has such option but it writes to a weird destination that can't be changed(?) and the result of outputcsv normally needed in /lookups folder.
... View more
