Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About brianirwin
brianirwin
Path Finder
Member since:
08-20-2010
06-05-2020
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 08-20-2010 |
Activity Feed
- Karma Re: What's the best way to track down props.conf problems? for Lowell. 06-05-2020 12:45 AM
- Karma Re: inputs.conf overlapping regex whitelist help for gkanapathy. 06-05-2020 12:45 AM
- Got Karma for Re: What's the best way to track down props.conf problems?. 06-05-2020 12:45 AM
- Got Karma for Re: Monitoring large number of files. 06-05-2020 12:45 AM
- Posted Re: inputs.conf overlapping regex whitelist help on Splunk Search. 07-06-2011 08:43 AM
- Posted inputs.conf overlapping regex whitelist help on Splunk Search. 06-03-2011 04:35 PM
- Tagged inputs.conf overlapping regex whitelist help on Splunk Search. 06-03-2011 04:35 PM
- Tagged inputs.conf overlapping regex whitelist help on Splunk Search. 06-03-2011 04:35 PM
- Tagged inputs.conf overlapping regex whitelist help on Splunk Search. 06-03-2011 04:35 PM
- Posted Re: CSV coming in report is out of order on Getting Data In. 12-19-2010 10:38 PM
- Posted CSV coming in report is out of order on Getting Data In. 12-09-2010 11:16 PM
- Tagged CSV coming in report is out of order on Getting Data In. 12-09-2010 11:16 PM
- Tagged CSV coming in report is out of order on Getting Data In. 12-09-2010 11:16 PM
- Tagged CSV coming in report is out of order on Getting Data In. 12-09-2010 11:16 PM
- Posted Re: How can I force web clients to use only SSLv3 and TLSv1? on Security. 12-09-2010 02:08 PM
- Posted Re: How can I force web clients to use only SSLv3 and TLSv1? on Security. 11-29-2010 02:38 PM
- Posted Re: Monitoring large number of files on Getting Data In. 11-24-2010 03:41 PM
- Posted Re: Change sourcetype in props.conf on Getting Data In. 11-24-2010 03:22 PM
- Posted Re: What's the best way to track down props.conf problems? on Installation. 10-20-2010 08:47 PM
- Posted Re: Log file indexes correctly on initial run but considers 8K chunks a single record on Getting Data In. 10-17-2010 04:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-06-2011
08:43 AM
The first one didn't quite work, and when I tried to debug it it was a bit too involved. The less accurate one worked nicely and I tweaked it a little with some blacklisting.
Very good catch re: _whitelist v whitelist, I should have used the current version of the manual, and missed that first time I read your suggestion.
_blacklist = (.*adm-access|.*\.gz|.*10\.05|\.\d+\.csv)
_whitelist = (.*\.csv|.*NPS-.*\.log)
[monitor:///opt/logs]
... View more
06-03-2011
04:35 PM
Hello all,
I am really sorry to be posing this question, as I see that many variants of it have already been answered, but I just can't seem to crack my version of it and its a Friday and my brain is broken. It also looks like this may be a bit easier in 4.1 but for now my LW forwarders are all 4.0.11.
Problem:
I have a lot of collisions in my name space of files I want to index, I have externalized sourcetypes etc. to props.conf so I do not need to worry about that in my inputs.
Files I want to monitor
[monitor:///opt/logs/*.prd/*-access.log]
[monitor:///opt/logs/*.prd/*/*EndAudit.csv]
[monitor:///opt/logs/*.prd/*/*NPS-*.log]
Files I do not want to monitor
i) All the other data under /opt/logs including rotated logs e.g. /opt/logs/.prd/-access.log.1
ii) Everything in the lower subdirectory where NPS is stored that is not NPS-.log e.g. /opt/logs/.prd//*foo-.log
iii) Any file with 10.05 in it, as that version had some issues that made it useless in Splunk
Two versions of my broken config
[monitor:///opt/logs/*.prd/]
whitelist = (NPS*\.log|*EndAudit\.csv)
disabled = false
crcSalt = <SOURCE>
time_before_close = 8
blacklist = \10.05$
[monitor:///opt/logs/*.prd/*/*]
whitelist = (^\/NPS-*.log$|^\/*EndAudit.csv$)
disabled = false
crcSalt = <SOURCE>
time_before_close = 8
blacklist = \10.05$
What is the problem?
You Regex gurus may have looked at this and immediately seen my mistake, but my problem is that in addition to the things I intended have indexed, everything under /opt/logs/.prd/ or /opt/logs/.prd/*/ is being indexed (I did not verify if it was everything but hundreds of other files ending in .log are being indexed)
I have read http://www.splunk.com/base/Documentation/latest/Data/Specifyinputpathswithwildcards more times than I wish to count
If I choose not to regex the directories and get explicit about what to index all works fine, but as you have likely guessed we run more than one instance of the server per host, across many dozen hosts so hard-coding all the permutations and combinations of directory paths seems tedious at best.
I know this is largely a duplicate and I apologize for that, on the upside if you answer works I will mark you as correct and lend what weak credibility I have to your name 🙂
Brian
... View more
12-09-2010
11:16 PM
I have a pretty weird question. I have a query that I have saved and is emailing out nightly. In the query I have used the 'fields' option to lay out the report in the order I want. When I get my nightly report with .csv attached the fields are not in the correct order, but if I click the link in the email (or go to the saved search in the Web UI) they are in the correct order.
My query is listed below for reference but this is happening with several queries.
Name: 'Service Calls by Time'
Query Terms: 'index=app-myapp sourcetype="AccessLog" ServiceName="*" | stats count, avg(ResponseTime) as AverageResposeTime, min(ResponseTime) as MinResponsetime, max(ResponseTime) as MaxResponsetime, stdev(ResponseTime) as STDDevResponseTime by ServiceName, AccessLogsHTTPResposeCode | eventstats sum(count) as total_hits by ServiceName| eval percent_errors=(100 - (count/total_hits)*100) | eval server_errors(500s)=(total_hits-count) | eval success=(count) | where AccessLogsHTTPResposeCode=200| fields ServiceName, success, server_errors(500s), percent_errors, total_hits, AverageResposeTime,MinResponsetime, MaxResponsetime,STDDevResponseTime | sort - total_hits'
from last nights .csv the output fields are in the following order
success, MaxResponsetime, ServiceName, server_errors(500s), percent_errors, AverageResposeTime, STDDevResponseTime, MinResponsetime, total_hits
Also in writing this question I went back and reviewwed the past 7 days worth or reports and the fields seem to be consistent in how they are wrong.
But if I run interactively they look fine.
Brian
... View more
12-09-2010
02:08 PM
Araitz,
Re-reading the question, I see that I was offbase, I ranted at a complete tangent to the actual question. Disabling v2 by saying SSLv3 only will resolve the issue I went off on.
Is it considered good Splunk etiquette to leave my tangent in place, or should I remove it?
I still think I see some value in the SSLv3 or better switch, I know TLS 1.0 and SSLv3 are very similar, but I believe some Python implementations are now starting to support TLSv1.1 and 1.2 can not be too far behind.
Per the RFC, 1.1 claims protection against some CBC attacks and several other attack vectors.
... View more
11-29-2010
02:38 PM
Aratiz,
I would very much like to see SSLv3/TLS+ only support, mainly for these two reasons.
i) SSLv2 is basically broken, its basic building blocks for Crypto has issues, so if the purpose of using SSL is to keep data safe (for example if login/password information could be pulled from logs) SSLv2 does not protect you.
Since SSL handshake will pick the best security that both sides support, it is unlikely that in normal usage a browser would end up on v2, but weird things happen.
ii) There have been a significant number of flaws found in the SSLv2 code that can be used to attack a server running in v2 mode, perhaps the Python used in the web server is not vulnerable to any known hacks, but there is always a chance of a zero day attack.
A lot of hack attempts involve performing a v2 only handshake as that gives the attacker the most leverage, for that reason on all systems that I can, I disable v2 handshakes.
Hope that helps.
Brian
... View more
11-24-2010
03:41 PM
1 Karma
Using monitor I would issue is the time_before_close, this exists to tell Splunk to not close a file until x seconds after the last write.
Default value for this is 3 seconds, and with only 86400 seconds in a day just opening and closing 100K files uses up more time than you have.
Looking at the manual it seems when you override this for monitor in inputs.conf you can only set to an integer, so even if you go to 1, you will be in trouble.
You could try setting it to time_before_close = 1, but if you have 100K files you are still going to take longer than you want.
To the earlier point you may need to tarball, or cat x number of files together and send to a separate directory where you sinkhole/batch them or do anything to reduce the number of files to be eaten.
If nothing else I think your inode tables will thank you if you can combine some of these files.
... View more
11-24-2010
03:22 PM
If you have a file/directory that is matched in multiple regex patterns it is important to help Splunk know which one you want to win. Defaul priority is 100, and it is possible that you have something like /var/log defined with another sourcetype.
I would try changing the priority in your props.conf to be > 100, and maybe just use a regex at the end. You can specify what files to eat in your inputs.conf
props.conf
[source::/var/log/httpd/access.log*]
sourcetype = apache_access
priority = 101
I hope that helps.
... View more
10-20-2010
08:47 PM
1 Karma
Lowell, this is fantastic, I had been working some issues around props.conf but it would have taken me months to resolve indexing a few records at a time. With these steps I had great success and have ironed out the majority of my issues.
Brian
... View more
10-17-2010
04:52 AM
Stephen, thank you for all the input. Now that we have updated the Splunk 4 on some of our LW Forwarders the files are working great.
It also seems like my configs that were not being pulled were due to a combination of functions not in the 3.4.10 forwarder, and also having multiple regex matching files in a single directory causing issues.
Again thank you for your help 🙂
... View more
08-24-2010
03:45 AM
Stephen,
I agree re: my props.conf must not be getting linked incorrectly, clearly the inputs.conf is parsing (files are being picked up, sourcetype correct etc.), but my link to props.conf must be wrong. I removed all references from /system config files, and moved them all to the app directory to hopefully reduce confusion.
... View more
08-23-2010
06:33 AM
Stephen,
I dropped your suggested string into my props.conf and had no success, I went back and blew away and other references to HTTPCon- in my props.confs leaving just the one in my custom app directory but the only timestamps I am seeing are NONE.
It would be much easier if I could just say (?im)^(?:[^,],){16}(?P [^,] )(?=,) but that is not to be.
For a similar file I tried utilizing 'splunk train dates ', but I had no luck with that either.
I think I need to go back to basics, I must be missing something fundamental in my configs, not even should_linemerge is working.
... View more
08-21-2010
08:17 AM
Hey Stephen,
The queries show the sourcetype=HttpCon-10.07-BackEnd. A very good catch re: configs, I had worked on the -1 that was auto generated, and did not notice that there was a "HttpCon-10.07-BackEnd" I was not updating.
As for timestamps, they are not reading correctly, they all show as NONE via SplunkWeb.
My Regex is not very strong, to hit the field prior to the comma and date I can use "(?im)^(?:[^,],){15}(?P [^,] )(?=,)", but as I read the DOC for TIME_PREFIX I need to land on that comma and that is not working. Any additional help you can offer would be appreciated.
... View more
08-20-2010
01:50 AM
Greetings
I am pretty new to Splunk and am having issues when it comes to indexing some of our files. They are written to by some Java code I do not own, and looking at the file sizes they grow in 8K chunks.
On the first pass everything works great, each line is parsed and then stored as a unique record. After Splunk becomes current however it starts compressing multiple lines from the log file it is parsing into a single Splunk event with a linecount ~ 20-30.
The log file is a .csv and is being written from a Java library I do not own, and looking at the filesystem it looks as if the file grows in perfect 8K chunks. Our best guess is that since records do not always end on the 8192 boundary that Splunk is treating all of these 8K block writes as a single event. I have dumped some of multi-line records from SplunkWeb into Microsoft Office and I get a word count right about 8K.
I don't own this system (nor have root) so can not upgrade from the Splunk 3.4.10 (build 60883).
Any suggestions you can offer would be greatly appreciated, the 8K chunks may be a red herring, but it is the best guess we have.
Brian
@gkanapathy, sample files (including CSV header below), the current setup is six indexers (in two data centers) and one search head.
Message ID,WS-Security ID,Source System ID,Source System User ID,Source Server ID,Tracking ID,Transaction Key,Market,Farm Name,Server Node Name,Managed Node Name,Service Name,Service Version,Service Operation Name,Back End Name,API Name,Start Date/Time,End Date/Time,Hour of Day,Response Time,Cache Hit,Fault,Fault Code,Fault Message,Connection Timeout,Connection Timeout Retries,Socket/Read Timeout,Socket/Read Timeout Retries,Internal Timeout,Internal Timeout Retries
a7289d9b-14f9-ce47-a263-a1b08dd37c4b,client_user,IVR-2009,IVRUser,DAS_Server,XbgCWmmc1MLvirO4,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:27,8/19/2010 14:27,14,76,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
540762e4-83a3-3bd7-f721-a699fd502a71,client_user,IVR-2009,IVRUser,DAS_Server,8mO3mD7ThheFj4os,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:27,8/19/2010 14:27,14,82,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
c7ac5267-62e7-f603-0c65-36759db1a2e9,client_user,IVR-2009,IVRUser,DAS_Server,FvgTFtQJfx1vDEqD,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:27,8/19/2010 14:27,14,76,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
c7ac5267-62e7-f603-0c65-36759db1a2e9,client_user,IVR-2009,IVRUser,DAS_Server,FvgTFtQJfx1vDEqD,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:27,8/19/2010 14:27,14,74,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
5dd84b60-eea7-7cc0-a10a-c5f8856427ee,client_user,IVR-2009,IVRUser,DAS_Server,lAoOTh4ebgqdqLK5,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:27,8/19/2010 14:27,14,72,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
5dd84b60-eea7-7cc0-a10a-c5f8856427ee,client_user,IVR-2009,IVRUser,DAS_Server,lAoOTh4ebgqdqLK5,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:27,8/19/2010 14:27,14,75,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
bd62210e-7070-7b77-7565-a8fa93497b1f,client_user,IVR-2009,IVRUser,DAS_Server,3hh5nhBe3sJ2mXzx,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:30,8/19/2010 14:30,14,62,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
2219fd91-df32-5d04-1f71-34efff65bc49,client_user,IVR-2009,IVRUser,DAS_Server,H0V6dvWpcyoDK1kB,,,F2CON,farm2host,domain1,ChannelService,10.07,queryChannelsInCustArea,Billling.System.1.Dispatch,GetHouseInfo,8/19/2010 14:30,8/19/2010 14:30,14,0,TRUE,FALSE,,,FALSE,0,FALSE,0,FALSE,0
2219fd91-df32-5d04-1f71-34efff65bc49,client_user,IVR-2009,IVRUser,DAS_Server,H0V6dvWpcyoDK1kB,,,F2CON,farm2host,domain1,ChannelService,10.07,queryChannelsInCustArea,Billling.System.1.Dispatch,GetOrderParams,8/19/2010 14:30,8/19/2010 14:30,14,122,TRUE,FALSE,,,FALSE,0,FALSE,0,FALSE,0
b38a1308-698c-c2ee-05cb-0c0c22524e57,client_user,IVR-2009,IVRUser,DAS_Server,YKcN5dGxaYQ5L05J,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:30,8/19/2010 14:30,14,59,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
b38a1308-698c-c2ee-05cb-0c0c22524e57,client_user,IVR-2009,IVRUser,DAS_Server,YKcN5dGxaYQ5L05J,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:30,8/19/2010 14:30,14,88,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
36437008-dd71-1598-70df-89e23c51eda6,client_user,IVR-2009,IVRUser,DAS_Server,88uYn1yt6ITNb3TO,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:30,8/19/2010 14:30,14,83,TRUE,FALSE,,,FALSE,0,FALSE,0,FALSE,0
b38a1308-698c-c2ee-05cb-0c0c22524e57,client_user,IVR-2009,IVRUser,DAS_Server,YKcN5dGxaYQ5L05J,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:30,8/19/2010 14:30,14,61,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
36437008-dd71-1598-70df-89e23c51eda6,client_user,IVR-2009,IVRUser,DAS_Server,88uYn1yt6ITNb3TO,,,F2CON,farm2host,domain1,TroubleManagementService,10.06,query,Billling.System.1.Dispatch,GetWipInfo,8/19/2010 14:30,8/19/2010 14:30,14,54,TRUE,TRUE,,,FALSE,0,FALSE,0,FALSE,0
Config Files in custom App Directory
ls -lart
drwxr-xr-x 4 <removed> 4096 Jul 27 15:41 ..
-rw-r--r-- 1 <removed> 596 Aug 23 22:44 transforms.conf
-rw-r--r-- 1 <removed> 556 Aug 23 22:47 inputs.conf
-r--r--r-- 1 <removed> 6390 Aug 23 23:11 datetime.xml
-rw-r--r-- 1 <removed> 297 Aug 23 23:38 props.conf
drwxr-xr-x 2 <removed> 4096 Aug 23 23:38 .
more inputs.conf
disable = false
_blacklist = \.(txt|gz|\d+)$
host = <removed>
[monitor:///opt/logs/*prd/*-access.log]
sourcetype=ESPAccessLog
[monitor:///opt/logs/*.prd/*/ProvisionMitigation-10.07-FrontEndAudit.csv]
sourcetype=ProvisionMitigation-10.07-FrontEnd
index=cust_esp_application
[monitor:///opt/logs/*.prd/*/ServicesService-10.07-FrontEndAudit.csv]
sourcetype=ServicesService-10.07-FrontEnd
index=cust_esp_application
[monitor:///opt/logs/*.prd/*/HttpConnectorService-10.07-BackEndAudit.csv]
sourcetype=HttpCon-10.07-BackEnd
index=cust_esp_application
more props.conf
[HttpCon-10.07-BackEnd]
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 1000
REPORT-AutoHeader = AutoHeader-1
TIME_PREFIX = ,(?=\d+/\d+/\d{4} \d\d:\d\d)
MAX_TIMESTAMP_LOOKAHEAD = 1000
SHOULD_LINEMERGE = False
MUST_BREAK_AFTER = <\n>
DATETIME_CONFIG = /opt/instance/splunk/etc/apps/esp/local/datetime.xml
more transforms.conf
[AutoHeader-1]
DELIMS = ","
FIELDS = "Message ID", "WS-Security ID", "Source System ID", "Source System User ID", "Source Server ID", "Tracking ID", "Transaction Key", "Market", "Farm Name", "Server Node Name", "Managed Node Name", "Service Name", "Service Version", "Service Operation Name", "Back End Name", "API Name", "Start Date/Time", "End Date/Time", "Hour of Day", "Response Time", "Cache Hit", "Fault", "Fault Code", "Fault Message", "Connection Timeout", "Connection Timeout Retries", "Socket/Read Timeout", "Socket/Read Timeout Retries", "Internal Timeout", "Internal Timeout Retries"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
