cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
johntobin
Explorer
Member since: ‎02-25-2014
‎06-05-2020
Community Statistics
Posts 8
Solutions 2
Karma Given 12
Karma Received 2
Member Since ‎02-25-2014
Activity Feed
View All

Re: How do I 'chain' events together where the com...

by in Splunk Search
‎04-17-2015 08:48 AM
‎04-17-2015 08:48 AM
We resolved the issue using a result on this answer. Essentially we joined the two linking fields together into a new temporary field using eval, with a delimiter between the two, and then used makemv to put those two fields back into a single multi value field (splitting over the delimiter we picked). This meant we had all the 'joining' or 'chaining' fields in a single field value, so we could simply run the transaction command over that field. There may be other or better ways to do this. I was wondering about a new command, like transaction, but which takes multiple fields. This made me read the doc for the transaction command again and it looks like it does take multiple fields. In fact, in reading the answer that I link to, I see there's an update that specifies just this. Probably a change to the transaction command in the past fixed this. Perhaps this wasn't an issue after all, and this 'solution' is overkill. ... View more

How do I 'chain' events together where the common ...

by in Splunk Search
‎03-05-2015 10:03 AM
‎03-05-2015 10:03 AM
Trying to solve a problem about ‘chaining’ events together. Here’s a set of typical log lines - (in real life, A1, B2, C2, etc, etc, are all really long, random, unique token strings, not values that are actually related): request token: proof_token=A1 new_token=A2 request token: proof_token=B1 new_token=B2 request token: proof_token=A2 new_token=A3 request token: proof_token=C1 new_token=C2 request token: proof_token=A3 new_token=A4 request token: proof_token=C2 new_token=C3 If I group them, I get three groups, in that these groups of events all 'chain' together (not because they share the same A, B, and C values in their tokens): request token: proof_token=A1 new_token=A2 request token: proof_token=A2 new_token=A3 request token: proof_token=A3 new_token=A4 request token: proof_token=B1 new_token=B2 request token: proof_token=C1 new_token=C2 request token: proof_token=C2 new_token=C3 I want to be able to create and report on these groupings of events, ‘chaining’ them together, in Splunk. The first group count of events is 3, the second one is 1, the third one is 2. I would like to add those up, divide by 3, and get an average of the number of times someone is using their first token and keeping the ‘chain’ of token requests going (in this case, the average is 2). Is there a way to do this? Even the transaction command doesn’t seem to do the trick here? Is there a stats or streamstats trick I can use? Any help appreciated. Thanks. ... View more

Re: Why are scheduled Splunk dashboard emails not ...

by in Dashboards & Visualizations
‎10-09-2014 06:20 AM
1 Karma
‎10-09-2014 06:20 AM
1 Karma
A lot of times, group email aliases require authentication in the email server. For example, in the company I'm working for as a consultant I can't email group aliases (they're running exchange) from my outside email address, I have to use my internal email address to access those group aliases. I imagine something similar is occurring here - perhaps check with your email admins? ... View more

Re: splunk enable boot-start -user in Splunk 6.1.1

by in Installation
‎10-09-2014 06:07 AM
‎10-09-2014 06:07 AM
We've seen the same problem: indexes and config files owned by root. Probably going to have to switch back to the old style startup script to be sure - but this seems like a bug, currently. ... View more

Re: Master clustering dashboard - how to get statu...

by in Getting Data In
‎07-16-2014 10:48 AM
‎07-16-2014 10:48 AM
Thanks for this. The rest call works for the indexers. Does anyone know the rest call to get the Search Head server statuses (the master server knows about the other instances statuses)? ... View more

Master clustering dashboard - how to get status?

by in Getting Data In
‎07-09-2014 09:32 AM
‎07-09-2014 09:32 AM
On a master node, the clustering dashboard has a column called 'status' for indexers and search heads. They're either 'up', or several other statuses. I would like to write a search that replicates that output, that I can execute every minute or two, so that I can provide an alert if one of the components in my clustered infrastructure fails, so my operations team can remedy the situation. There's even a 'last heartbeat' for index nodes which is at most 5 seconds old - this value would be great too! I want to do the same for the forwarder manager forwarder phone home status too. Does anyone know which of the million entries in _internal or _audit might help with providing this status? Or is it somewhere else? Any pointers appreciated, I've been looking at the _internal logs and am going blind. Thanks. ... View more

Re: Extracting multiple fields

by in Splunk Search
‎04-03-2014 07:19 AM
1 Karma
‎04-03-2014 07:19 AM
1 Karma
Thank you so much for your quick reply! This worked perfectly. I also created the following in 'props.conf' to leverage the stanza, as per the documentation (not sure if I had to do this, but it's working). I thought I'd mention this for anyone else who is trying to get this to work: [mysourcetype] REPORT-myattributes = yourstanza Relevant documentation for the version I'm using: http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles Thanks again! ... View more

Extracting multiple fields

by in Splunk Search
‎04-02-2014 11:29 AM
‎04-02-2014 11:29 AM
Hi all, My logs have strings like the following: Mon Mar 31 2014 10:41:48 [info] wsgw(parlayx-all-interfaces): tid(2658703090)[response][96.1.1.1]: attachment-size:{0} Mon Mar 31 2014 10:41:48 [info] wsgw(parlayx-all-interfaces): tid(2658703090)[response][96.1.1.1]: applicationid:{} Mon Mar 31 2014 10:41:48 [info] wsgw(parlayx-all-interfaces): tid(2658703090)[response][96.1.1.1]: operation:{getWirelessNetworkSubscriberProfileResponse} BillingType:{postpaid} EquipmentId:{} nil:{true} SimId:{} nil:{true} Imsi:{302220007118231} IpAddress:{} GatewayId:{MMS-22990121_wap2.company.com} SubscriberId:{22167135} TechnologyType:{HSPA} uri:{14185648339} PreferredLanguage:{fr-ca} ServiceProviderId:{COMPANY} UserStatus:{active} Mon Mar 31 2014 10:41:48 [info] wsgw(parlayx-all-interfaces): tid(3159363380)[response][96.1.1.1]: attachment-size:{0} I would like to extract all the fields such as "operation:{getWirelessNetworkSubscriberProfileResponse}" and "TechnologyType:{HSPA}", each as a field, with the value inside the {}'s. This command works well: source=sdf | extract extract kvdelim=":" pairdelim=" " ...except that the curly brackets are left behind in the field value. Is there a way to tell extract that the value in the key/value pair has quotes (a delimiter) around it? Should I execute an additional transform? I'd love to have all these fields automatically extracted whenever I search this source, but I can't see how to do this easily. I'm sure it's possible, but I have no idea how to do that. Hope you can help, thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to