Hi, How to convert this sumologic query to splunk _collector="M2" "Memory Monitor" | parse ",DB Job-Connection-Pool: */*/*/" as db_job_1,db_job_2,db_job_3 | parse "Host/Appserver/Version: */*/*" as host,appserver,version | parse "DB General-Connection-Pool: */" as db_1 | parse ",Used File Descriptors: *," as used_fd | parse "Used Client Connections: */300," as used_client_conn // this extracts the # of work item threads in use | parse ",Used Work Item Threads: */100," as used_wit | timeslice 5m // find the peak in 5 minutes | max(used_wit) as maxwit, max(used_client_conn) as max_cc, max(db_1) as max_db1 by _timeslice, appserver // add up all the WIT in use across the environment, count the number of appservers shown in the logs available | sum (maxwit) as env_wit, count_distinct (appserver) as appserver_count by _timeslice // Divide the total # of work item threads in use over the number of appservers in use, express as a percentage | env_wit / appserver_count / 100 as wit_pct | fields wit_pct,_timeslice // Show the same time frames per day on the same graph | compare with timeshift 1d 7 ... View more

Hi, need your thoughts and help, Scenario: someone rebooted several servers and updated the kernel from one version to another. Question: how can we find what kernel version that is running now and what was running before reboot I saw in the “last | grep reboot” I see that one a given date I see reboot like this For example: Server1$ last | grep reboot reboot system boot 4.9.0-3-amd64 Sat Jul 15 19:19 still running reboot system boot 3.9. 0-3-amd64 Fri Jul 14 19:19 running I want to get the two lines and display what is current kernel version and what was previous kernel version Is this possible in splunk? Thanks, Dinesh ... View more

Hi, is it possible to kill or disable long running searches automatically. For example whenever we hit performance issues we observe that people are running 30 day searches or 10 day searches like that, so we did educate the users not to run long running searches but few listen few don’t so wanted to know whether to it’s possible to kill or warn or disable long running searches? ... View more

Hi, We have three different URLs for Splunk for example, https://splunk1.com, https://splunk2.com; https://splunk3.com 2. User1, User2, User3, User4 will have access to all the splunk interface User1 willl always access https://splunk1.com User3 and User4 will always access https://splunk3.com User2 will always access https://splunk2.com Is it possible to have a single common interface like https://splunk_companyname.com so that the User1, User2, User3, User4, can go to their respective preferred interfaces? Thanks for any inputs, Dinesh ... View more

Hi, Architecture: We have syslog-ng running in our infra. This syslog resides behind a LB This alerts come to LB and from LB it gets processed at syslog-ng The syslog logs are forwarded to splunk Issue: When the syslog-ng are sent to LB alerts are getting dropped, this was confirmed by doing a netstat -us netstat -us IcmpMsg: InType3: 86 InType8: 63 InType11: 24 InType13: 6 InType17: 18 OutType0: 63 OutType3: 1719 OutType11: 3394 OutType14: 6 Udp: 3541784219 packets received 6194 packets to unknown port received. 13334858510 packet receive errors 3292282273 packets sent 13334858510 receive buffer errors 44 send buffer errors UdpLite: IpExt: InNoRoutes: 3728 InMcastPkts: 6 InOctets: 13341061420695 OutOctets: 6925411558186 InMcastOctets: 216 InNoECTPkts: 20437111460 InECT0Pkts: 48 The configuration in syslog-ng.conf is cat syslog-ng.conf | more @version: 3.5 options { threaded (yes); flush_lines (0); keep_timestamp (no); stats-freq (600); mark-freq (0); time_reopen (10); log_fifo_size (120000); create_dirs (no); keep_hostname (yes); dir_perm(0755); perm(0644); chain_hostnames(no); normalize_hostnames(yes); use_dns (yes); use_fqdn (yes); dns_cache(yes); }; source s_tcp { tcp(ip(10.xxx.xx.xx) port(6514) keep-alive(yes) tcp-keep-alive(yes) max_connections(3000)); tcp(ip(10.xxx.xx.xx) port(6514) keep-alive(yes) tcp-keep-alive(yes) max_connections(3000)); tcp(ip(10.xxx.xx.xx) port(6514) keep-alive(yes) tcp-keep-alive(yes) max_connections(3000)); tcp(ip(10.xxx.xx.xx) port(6514) keep-alive(yes) tcp-keep-alive(yes) max_connections(3000)); tcp(ip(10.xxx.xx.xx) port(6514) keep-alive(yes) tcp-keep-alive(yes) max_connections(3000)); }; source s_udp { udp(ip(10.xxx.xx.xx) port(6514) so_rcvbuf(128000000)); udp(ip(10.xxx.xx.xx) port(6514)); udp(ip(10.xxx.xx.xx) port(6514)); udp(ip(10.xxx.xx.xx) port(6514)); udp(ip(10.xxx.xx.xx) port(6514)); }; source s_internal { internal(); }; cat /etc/sysctl.conf To increase TCP max buffer size up to 128MB net.core.rmem_max = 128000000 net.core.wmem_max = 128000000 free -m total used free shared buff/cache available Mem: 64249 2914 530 4 60805 60650 Swap: 3967 1097 2870 Environment syslog-ng and snmp (looperng) RHEL 7.3 grep -c ^processor /proc/cpuinfo 16 64GB Memory 2TB disk How do we reduce the "packet receive errors". Is there any tweaking that splunk can recommend so that we don't loose syslog data? Thanks for any inputs Dinesh ... View more

Hi, I need help in extracting the hostname after equal to sign in the transform.conf file. The string pattern is like this cs1=host-name-01-02 I tried the pattern but it seems to not work. REGEX = .+cs1=(\S+) could someone help? Thanks, Dinesh ... View more

Hi, I have a following text coming in splunk abcd, 2000-01-10 10:40:43, P:welcome, welcome_to_all, 0, 2000-01-10 16:09:04 abcd, 2000-01-10 10:40:45, P:welcome, welcome_to_all, 1, 2000-01-10 16:10:04 I want to write a search which will get me only having text "welcome_to_all" and the next field should be greater than or equal to 1. I am able to write the regex but regex _raw="(welcome_to_all,\d{0})" but not sure how to get the greater than 1. The regex which I wrote is pulling all 0 but I need which are greater than 0. Thanks, ... View more

Hi, I am looking for a splunk search to find which IP's are connecting to port 9997? index=sys_*prod source=netstat | search State='ESTABLISHED' and LocalAddress=':9997' I tried but I am not getting the proper result. Any idea how I can get the result. Thanks, Dinesh ... View more