Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nibinabr
nibinabr
Communicator
Member since:
11-18-2014
06-05-2020
Community Statistics
| Posts | 56 |
| Solutions | 0 |
| Karma Given | 18 |
| Karma Received | 10 |
| Member Since | 11-18-2014 |
Activity Feed
- Karma Re: Why are my searches becoming unscheduled but still have a schedule configured? for David_C. 06-05-2020 12:49 AM
- Karma Why are my searches becoming unscheduled but still have a schedule configured? for David_C. 06-05-2020 12:49 AM
- Karma Re: Are Cisco, eBay, and Wells Fargo using Splunk? for acharlieh. 06-05-2020 12:48 AM
- Got Karma for Re: How do you automate the "Apply Change" to register new servers on the Distributed Management Console?. 06-05-2020 12:48 AM
- Got Karma for Why am I unable to migrate custom settings in the default Search app from a standalone search head to members of a search head cluster?. 06-05-2020 12:48 AM
- Karma Re: How does dedup work in splunk ? for musskopf. 06-05-2020 12:47 AM
- Karma Re: Why am I unable to connect my forwarder to an indexer cluster with error "failed to extract FwdTarget from json node..."? for MuS. 06-05-2020 12:47 AM
- Karma Re: Why is a .gz file created by log rotation indexed again by Splunk ? for dwaddle. 06-05-2020 12:47 AM
- Karma File monitor behavior when thruput maxKBps is exceeded for bbrownz. 06-05-2020 12:47 AM
- Karma Re: Can searches with joins be accelerated ? for acharlieh. 06-05-2020 12:47 AM
- Karma Re: Can searches with joins be accelerated ? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Time Chart to display active events by comparing start and stop time. for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Time Chart to display active events by comparing start and stop time. for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Time Chart to display active events by comparing start and stop time. for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Why does Splunk DB Connect cause duplicate events after a Splunk restart? for jcoates_splunk. 06-05-2020 12:47 AM
- Karma Re: How to extract a key value pair, convert it to a JSON format and assign it to a variable using eval? for _d_. 06-05-2020 12:47 AM
- Got Karma for How to include an app name as a part of the search query?. 06-05-2020 12:47 AM
- Got Karma for How to include an app name as a part of the search query?. 06-05-2020 12:47 AM
- Got Karma for Re: How to dynamically set the subject field in sendresults command app ?. 06-05-2020 12:47 AM
- Got Karma for Throwing errors in splunk dashboards. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
08-30-2018
04:02 PM
I was able to get it to work after renaming the xml and then restarting splunk.
... View more
03-29-2018
11:38 AM
I updated my comment above with a gist of everything that I had to do to get this working. Try giving it a shot.
... View more
02-08-2018
05:10 PM
1 Karma
I ended up tracking the HTTP requests and automated Apply Changes hitting the following endpoints.
/servicesNS/nobody/splunk_monitoring_console/configs/conf-splunk_monitoring_console_assets/settings -d configuredPeers=<comma separated lists of peers> -d output_mode=json -d disabled=0 -d eai:appName=splunk_monitoring_console -d eai:userName=nobody
/servicesNS/nobody/splunk_monitoring_console/saved/searches/DMC+Asset+-+Build+Full/dispatch -d output_mode=json -d trigger_actions=true -d dispatch.auto_cancel=30 -d dispatch.buckets=300 -d dispatch.enablePreview=true
/servicesNS/nobody/system/apps/local/splunk_monitoring_console -d output_mode=json -d author=Splunk -d check_for_updates=1 -d configured=1 -d description=The+Splunk+Monitoring+Console+application+gives+you+insight+into+your+Splunk+deployment. -d label=Monitoring+Console -d version=7.0.1 -d visible=1
First endpoint will update the splunk_monitoring_console_assets.conf. Second endpoint will run the DMC Asset search which is what I believe is building the assets and the last one to update the app.conf.
UPDATE: There were few more updates that I had to make to get this fully automated. I put this gist together.
https://gist.github.com/nmattam/bcfbc8a4ebd9a520c2ac50ab0137e58f
... View more
11-14-2017
07:12 AM
Maybe my question wasn't clear enough. My use case is that I want one forwarder to talk to two different multisite clusters and I want to configure site awareness for these two multisite clusters.
... View more
11-10-2017
08:12 AM
I have been reading this doc on how to configure forwarders to use indexer discovery in a multisite cluster. http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/indexerdiscovery#Use_indexer_discovery_in_a_multisite_cluster
The doc talks about setting the following in server.conf for site awareness.
[general]
site = site-id
How do I configure site awareness if I want my forwarder to talk to site1 in multisite-cluster1 and to site2 in multisite-cluster2?
Thanks in advance.
... View more
10-28-2016
02:20 PM
The reason why I want to override the name is because I would like to keep the underscores in the stanza name (my OCD) in the savedsearches.conf but don't want that to be shown in the display name in the UI.
... View more
10-28-2016
12:24 PM
I have a savedsearch defined in my savedsearches.conf like the following
[my_saved_search]
search = "index=........"
earliest = "-30d@d"
.......
Hence the savedsearch view and the mysplunk.com/myapp/reports/ shows this saved search as "my_saved_search".
Is there an attribute that I can set to override the name of the saved search (because I don't want the display to have underscore). As mentioned in the savedsearches.conf I tried setting
displayview = My Saved Search
but doesn't seem to work.
Any help is appreciated.
... View more
05-03-2016
06:34 AM
In my $SPLUNK_HOME/var/run/splunk/deploy, I see the search_migration_app with an empty default folder. The apps also has a metadata folder with default.meta containing configs to export the settings globally.
May be a workaround is to copy the local directory from the search app (in the standalone SH) and place it in the local directory for the search app in cluster members. However I don't want to do it this way because 1) Not the splunk recommended way of doing it. 2) I want to assign the responsibility of managing these configs to the deployer.
... View more
05-02-2016
04:04 PM
1 Karma
I'm trying to migrate the custom settings in the default search app in a standalone SH to the cluster members in a Search Head Custer and I'm following this documentation.
http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Migratefromstandalonesearchheads
I created an app called search_migration_app and copied the contents of the local directory (from the search app) to the this app. I also created the local.meta file under the metadata directory in search_migration_app and added the configs to export the settings globally.
Once I push this app from the deployer, the search heads contains the search_migration_app directory with only an app.conf file under the default folder and a default.meta inside the metadata folder. I can't find any objects that I'm trying to migrate.
Any idea what is happening here? May be I'm missing something simple here.
Any help is appreciated.
... View more
06-02-2015
02:25 PM
That is an option and I'm trying it out now. However I was expecting that there would be a way to accelerate searches with JOINS.
... View more
05-12-2015
09:19 AM
I did a quick test by slightly modifying my subsearch so that it doesn't use the summary (if it is using) anymore.
Comparing the runduration field in the job inspector the modified search (which doesn't use the summary for the subsearch) took almost the same time as the search that used the summary for subsearch. So the subsearch was not using the summaries for acceleration.
... View more
05-12-2015
08:35 AM
I was only looking at the job inspector. Since there is a section in the debug output that starts with "[subsearch]" which didn't show anything like "using summaries for search", my assumption is that the subsearch is not using summaries for search.
The search is certainly faster than the normal search as the first search uses summaries for searching. I can do a quick test to see if the subsearch is really using the summaries by removing the summaries for the subsearch and check if search becomes slower.
... View more
05-07-2015
07:17 AM
>In order to let your subsearch be accelerated as well you would need to save the subsearch as a report and accelerate that.
I think I wasn't clear. I also tried accelerating each search separately(main search and subsearch). However when I try to run the whole search only the main search is accelerated (uses the summary created by the accelerated main search) and not the sub search (doesn't use the summary created by the accelerated subsearch).
When both the searches are executed individually, it uses the summaries for the search.
... View more
05-06-2015
02:14 PM
1 Karma
I was trying to accelerate a search with join command(trying to accelerate two searches). When I look at the job inspector, it says the search is using summaries for the search. But I think only the first search is accelerated and the second search is executes normally because the job inspector doesn't show the subsearch using any summaries.
I also tried accelerating the searches separately, with the expectation that each search in the combined search (search with JOIN) would match with the individual accelerated search and use the summary for searching. However the combined search only uses the summary created by the first search.
Lets say if this is the structure of the search
index=myindex sourcetype=sourcetype1 | eval something =1| stats count(something) as count by somethingelse |JOIN somethingelse [search index=myindex sourcetype=sourcetype2|stats max(splunk_is_awesome) as max by somethingelse] | table somethingelse max count
In the above search
index=myindex sourcetype=sourcetype1 | eval something =1| stats count(something) as count by somethingelse
gets accelerated but the subsearch doesn't get accelerated
index=myindex sourcetype=sourcetype2|stats max(splunk_is_awesome) as max by somethingelse
Any thoughts ??
... View more
- Tags:
- accelerated-report
04-27-2015
06:39 AM
I think my question wasn't clear enough. Which index and sourcetype are you referring to here ? My logs doesn't contain this info. Are there any logs internal to splunk that keeps track of this information ? I'm trying to find the last time an app was installed (or a newer version of the app is installed).
... View more
04-26-2015
07:46 PM
Is there a splunk search that I can use to find the latest timestamp when an app was installed? Is there an internal index that contains this information?
... View more
04-15-2015
08:33 AM
1 Karma
Good to know. Even though I didn't do a deep dive into the code, this comment[1] actually made me think that if there is a field called subject in the events returned, it will be set as the subject of the email.
[1] https://github.com/DiscoveredIntelligence/sendresults/blob/master/bin/sendresults.py#l73
... View more
04-13-2015
09:00 PM
Thanks jcoates_splunk.
... View more
04-13-2015
08:51 PM
Sure sendemail is an option. I was under the assumption that sendemail cannot take variables as their email subject etc and that was the reason I was trying out sendresults. How do I acheive this using sendemail ?
... View more
04-13-2015
01:14 PM
Is there a way to set the subject field in the sendresults command app dynamically ?
I'm looking for something like the following:
index=myindex | eval email_to="abc@splunk.com" |eval new_subject="Index is ".index | sendresults showemail=f subject=new_subject body="Body of the email" showemail=f
What happens in the above scenario is that the subject of the email will be the string "new_subject" instead of its value. I need the subject to be "index is myindex".
Any thoughts ??
... View more
04-07-2015
04:22 PM
I started noticing some duplicate events in my logs recently. As I was curious to know what was happening, I searched in the dbx logs to see if something went wrong around the time I could see the duplicates. I saw the message "WARN:Shutdown - Performing Java Bridge Server shutdown... " in the logs close to the time when the duplicates occurred and I guess this message was logged due to splunk restart.
After taking a closer look at the logs, my understanding is that whenever splunk is restarted, the last rising column value recorded before the Java Bridge Server shutdown is somehow lost, and when splunk is up and running again, it doesn't see the actual latest rising column value. Instead, it sees the value before that. Hence, if there are new events between the two rising column time period, they will get indexed again. The duplicates that I see in the logs supports this assumption.
Example is:
3/25/15 3:31:00.019 PM Applying latest tail.rising.column value=2015-03-25 15:27:49.0
3/25/15 3:29:00.019 PM Applying latest tail.rising.column value=2015-03-25 15:25:22.0
3/25/15 3:25:00.019 PM WARN:Shutdown - Performing Java Bridge Server shutdown...
3/25/15 3:24:00.018 PM Applying latest tail.rising.column value=2015-03-25 15:21:53.0
3/25/15 3:22:00.020 PM Applying latest tail.rising.column value=2015-03-25 15:19:55.0
In the above scenario, when splunk restarts, all the events with last_modified_time > 2015-03-25 15:19:55.0 will be indexed which causes duplicates if there are new events between 2015-03-25 15:21:53.0 and 2015-03-25 15:19:55.0.
Anyone came across such an issue ??
... View more
03-24-2015
06:20 AM
I was planning to increase the log file size if I cannot find an solution to this problem even though it is not a preferred solution. As mentioned in a previous comment I don't have a continuous flow of data into the log file. Logging happens only once in 5 minutes. So I decided to have a time_before_close attribute in the inputs.conf so that the file handler doesn't close and I end up missing logs. But then I came across this problem
http://answers.splunk.com/answers/224653/why-is-time-before-close-attribute-causing-a-delay.html
... View more
03-24-2015
06:05 AM
I had set the value of time_before_close attribute to 300 (5 mins) in one of my monitor stanzas. What I observed is that splunk indexes the logs for the first few seconds and then stops indexing for the next 5 mins. After 5 mins next set of logs are indexed by splunk and then continues to wait for 5 mins.
I was expecting that time_before_close attribute would just keep the file handler open for the specified seconds after the last line was written in to the file but with continues indexing.
Any thoughts on why I see this behavior ? Or can someone direct me to somewhere I can find the answer ?
... View more
03-20-2015
06:41 AM
That was interesting. I looked into the way my log rotation works.
1) test_log.log is created when logging starts.
2) Once it hits the max size, it is rotated to test_log.log.1.
3) test_log.log.1 is now compressed to test_log.log.1.gz.
4) test_log.log.1.gz that was already existing is renamed to test_log.log.2.gz
I see the possibility of the .gz file being looked at by splunk while it is being created and hence getting re-indexed and as far as I understand it should only be a problem with the test_log.log and test_log.log.1.gz as that is the only place where compression happens. For other files just renaming happens.
To test this out I blacklisted 1.gz file. This time I see, test_log.log and test_log.log.2.gz files indexed causing duplicates. Also test_log.log.3.gz and test_log.log.4.gz are not indexed.
... View more
03-19-2015
01:45 PM
Thanks for the response. I have explained the reason why I'm indexing the gz logs here http://answers.splunk.com/comments/223267/view.html.
Based on my understanding (Please correct me if I'm wrong), before indexing it looks at the first 256 bytes to see if it is already indexed. According to my usecase, most of the time It wont have to index the gz files as they will already be indexed. I'm doing this just to make sure that I don't loose any logs.
... View more
