About Marinus

Marinus · ‎02-13-2014

Hi terryloar, Armadillo consists of various components including a Splunk Application, which is responsible for the enrichment of events with SAP metadata. Armadillo deployments have been private and only went GA in 2013.

Marinus · ‎11-06-2013

You now have some options. You could use the App on Splunk base which runs on the ABAP stack or you can use our Aramadillo virtual appliance to remotely collect machine data from both the ABAP and J2EE stacks. Check out http://bit.ly/15r1vq5

Marinus · ‎11-06-2013

You can have a look at Armadillo if you'd like to Splunk SAP machine data http://bit.ly/15r1vq5

Marinus · ‎11-06-2013

Splunk does not have native integration into BOBJ. You would need to export the data and then feed it to Splunk.

Marinus · ‎11-06-2013

You can use Armadillo to Splunk the SAP audit log http://bit.ly/15r1vq5.

Marinus · ‎12-07-2012

I prefer to keep them in a custom app, which you can easily move around. On the source you can also use something like GIT, to manage not just searches but config files also. Marinus

Marinus · ‎10-22-2012

It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline. Reverted back to an old forwarder.

Marinus · ‎10-16-2012

Adding a action=fail into the search could result in a case where a user now passes and no longer fails being missed.

Marinus · ‎10-16-2012

The dedup strategy is a simple one. Another one is where you use stats i.e. | stats latest(action) by user. The only problem is that you don't end up with a subset and additional useful fields.

Marinus · ‎10-16-2012

Or more specifically all users who failed | where action=fail | table user action data

Marinus · ‎10-16-2012

Ideally you'd like to end up with the last events. So I'd expect to see. user=a, action='pass', data=a user=b, action='fail', data=b user=c, action='pass', data=c you can then report with for example a table | table user action data

Marinus · ‎10-16-2012

Hi All I'm looking at the possible approaches to obtain events that contain the most recent values for one or more fields. consider the following events user=a, action='pass', data=a user=b, action='fail', data=b user=c, action='pass', data=c user=c, action='fail', data=d I'd like to filter on the most recent value of let's say action. Ideally you'd like to keep the result as events so that you can report on additional fields like data.

Marinus · ‎09-05-2012

Hi Dart I did a couple of tests and it doesn't appear that HEADER_MODE config affects they way it processes events 😞

Marinus · ‎09-04-2012

Thanks for the response Dart. The indexer uses a batch input to collect data. [batch:///data] move_policy=sinkhole crcSalt= The host, source and sourcetype are set by the splunk header i.e. SPLUNK host=acme source=xyz sourcetype=abc The indexer received the events from the forwarder and has props configured to deal with the source types, which in fact rewrite the source and host keys i.e. [abc] TRANSFORMS-fix=fix_a, fix_b When I look at the events on the indexer, I can see that raw events including the SPLUNK header, with no keys set.

Marinus · ‎09-03-2012

I recently moved to the universal forwarder (4.3.3) where I collect files using the batch input. It's a long story but I have to use the batch input. I use the SPLUNK header to set the host, source and source type. The receiving indexer performs the necessary transformations. I've noticed since I've moved to the new forwarder that the header is no longer being honoured. I changed the HEADER_MODE to always in the default etc/system/local/props.conf, however events arrive without the necessary host, source and sourcetypes. It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline.

Marinus · ‎08-02-2012

Guess it will have to be a feature request then 🙂

Marinus · ‎08-02-2012

Is it possible to produce a chart like this? A possible data set could be "spending catagories" vs "months"

Marinus · ‎06-15-2012

The answer is not pretty but it works, thanks Ayn. enter code here | reverse | accum value as totalvalue | timechart last(totalvalue) span=1d

Marinus · ‎06-15-2012

Ironically it produces the opposite result. It's stepping down from the cumulative total. | accum value as totalvalue | timechart last(totalvalue) span=1d

Marinus · ‎06-15-2012

I'm calculating the sum of spending over a month period. * | timechart sum(value) span=1mon This will produce the cumalative amount, but it won't show you how you arrived at the amount in day incements. Changing the span to 1 day, doesn't produce the desired result nor does bucketing ahead of the timechart. * | timechart sum(value) span=1mon How do you achieve this without some major delta hack?

Marinus · ‎06-05-2012

You have two options as I see it. You either have to fetch the data for lookup from outside of Splunk using something like SCP + some parsting or call a python program to look the data up in real time. You need to consider the performance impact. You could always implement some kind of caching strategy with your python program if the data is rather static. Here's an example props and transform [mylookup] LOOKUP-bucket_lookup=lookup_buckets narrative account OUTPUT bucket [lookup_buckets] external_type = python external_cmd = bucket_lookup.py fields_list = narrative,account,bucket If you are planning to call a SOAP web service from Python I'd suggest you use SUDS.

Marinus · ‎05-24-2012

I ended up using eventstats rather than stats, thanks Ziegfried!

Marinus · ‎05-24-2012

I'd like to build up a list of unique user id's that call a service. If I use eval to just concatenate the next user id, I'd end up with duplicates. eval userids=userid+","+userid

Marinus · ‎05-10-2012

creative, I think I'm going to hack together a quick script.

Marinus · ‎05-08-2012

I'm currently producing a table from a search. There is some static data that needs to be added which is not in the index and needs to be added at search time. I'm toying with the idea to create a new search command to do this, is there an easier way? * | table name phone Let's assume I need to add another name? * | dummy_event name=bob, phone=555-1234 |table name phone

Posts	74
Solutions	8
Karma Given	8
Karma Received	46
Member Since	‎03-30-2010

Online Status	Offline
Date Last Visited	‎10-11-2021 08:50 AM

What are possible search strategies to find most r...

Does the Universal Forwarder support the Splunk he...

How do you produce a chart like this

How do you chart a cumulative sum?

How do you build a list of unique items in a field...

How do you add dummy events to a search result?

Debugging custom search commands

How do you perform a sub search over indexes?

Can you use the metadata command over all indexes?

Why is the batch processor not honouring the metad...

Re: Armadillo for Splunk?

Re: How to get useful reports from logs generate b...

Re: Is there a splunk app for SAP?

Re: How to use Splunk Reports in SAP Business Obje...

Re: Parsing a SAP audit log

Re: version controlling my search definitions?

Re: Does the Universal Forwarder support the Splun...

Re: What are possible search strategies to find mo...

Re: What are possible search strategies to find mo...

Re: What are possible search strategies to find mo...

Re: What are possible search strategies to find mo...

What are possible search strategies to find most r...

Re: Does the Universal Forwarder support the Splun...

Re: Does the Universal Forwarder support the Splun...

Does the Universal Forwarder support the Splunk he...

Re: How do you produce a chart like this

How do you produce a chart like this

Re: How do you chart a cumulative sum?

Re: How do you chart a cumulative sum?

How do you chart a cumulative sum?

Re: Generate lookup files via webservices

Re: How do you build a list of unique items in a f...

How do you build a list of unique items in a field...

Re: How do you add dummy events to a search result...

How do you add dummy events to a search result?