Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Yasaswy
Yasaswy
Contributor
Member since:
03-10-2014
04-10-2024
Community Statistics
| Posts | 108 |
| Solutions | 23 |
| Karma Given | 4 |
| Karma Received | 44 |
| Member Since | 03-10-2014 |
Activity Feed
- Got Karma for Re: Can you change the admin user password on forwarder if you dont know the current?. 07-11-2024 09:20 AM
- Got Karma for Re: RFE: Can you add support to write to influx cloud via HTTPS?. 06-05-2020 12:49 AM
- Karma Re: What to do first: Cluster Indexers, then Upgrade Linux, or upgrade Linux, then cluster indexers? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Re: How to display search results in JSON format using the Splunk SDK for Python. 06-05-2020 12:48 AM
- Got Karma for Re: Why am I unable to convert _time to epoch with my search?. 06-05-2020 12:48 AM
- Got Karma for Re: Running SearchManager in a dashboard, I get 165 results, but why does SplunkResultsModel only return the first 100 events?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does my Splunk indexer keep running out of space with my current indexes.conf?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does my Splunk indexer keep running out of space with my current indexes.conf?. 06-05-2020 12:48 AM
- Karma How to detect a deleted log for pkeller. 06-05-2020 12:47 AM
- Karma Re: How do I list all sourcetypes for each host per index, provided one sourcetype=apache? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Is it better to have Universal Forwarders on each server, or collect logs first in one place, and then forward them to the indexers? for woodcock. 06-05-2020 12:47 AM
- Got Karma for Re: Distributed Indexer Hardware. 06-05-2020 12:47 AM
- Got Karma for Re: Upgrade Splunk from 6.1.3 to the Latest version. 06-05-2020 12:47 AM
- Got Karma for Re: Why am I unable to load an image in my app's home page in Splunk 6.2.5?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a way to reload splunkd.pid and splunkweb.pid?. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a way to reload splunkd.pid and splunkweb.pid?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk Architecture with two IP addresses. 06-05-2020 12:47 AM
- Got Karma for Re: How do search and trigger an alert for elevated values over a certain time frame?. 06-05-2020 12:47 AM
- Got Karma for Re: How users without read permission on Search App can change their password?. 06-05-2020 12:47 AM
- Got Karma for Re: How users without read permission on Search App can change their password?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
02-29-2016
09:44 AM
Hi,
To get the exact time your data is spends on wire between the forwarder and indexer, you will have to check on the network front. But if you are looking to get an estimate of the difference between the time the event gets logged on your forwarder and the time it gets indexed on the indexer, you can get it by:
your search .... host=your_forwarder |eval latency=(_indextime - _time),indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")|table _time, indextime, latency
... View more
02-29-2016
07:02 AM
Hi,
session key is passed along when script gets triggered. You can capture it by doing something like:
tokn = sys.stdin.readline().strip()
token will now hold the session key. It is urlencoded so will need to decode it. Typically ... if you are on the recent versions of splunk, something like below should work for you to connect:
tokn = tokn.replace("sessionKey=", "")
tokn = urllib2.unquote(tokn).decode('utf8')
service = client.connect(token = tokn, app = yourapp)
... View more
02-26-2016
11:27 AM
Hi, If the script is being called from splunk the best way to do this is with tokens. Can you explain how you tried to use passauth? Provide some code?
... View more
02-26-2016
07:51 AM
Good to hear on a Friday morning 🙂 .... have a nice weekend.
... View more
02-26-2016
06:47 AM
hi,
you should be able to try something like:
var myResults = mainSearch.data("events", { count: n});
check out the method data( results_type, { attributes } ) ... here
... View more
02-25-2016
01:18 PM
1 Karma
Hi, you will need to pass count: 0 in your search parameters to get all results... refer here
Eg... for a One Shot search
var searchParams = {
earliest_time: "2011-06-19T12:00:00.000-07:00",
latest_time: "2012-12-02T12:00:00.000-07:00",
count : 0 <-- Add this
};
... View more
02-25-2016
11:58 AM
Hi , you can try something like
index=aap_prod sourcetype="HDP:PROD:OOZIE" (":start:] with user-retry state" OR CASE(@end***]Action updated in DB))
... View more
02-25-2016
08:40 AM
2 Karma
Hi, Some observations... you have maxWarmDBCount = 300 and also have maxDataSize = auto_high_volume. On a 64bit system it would mean each bucket might take upto 10 GB and you have set the warm count at 300 (add 10 hot buckets as well).
It looks like, depending on the activity, in the worst case scenario the homepath will be almost full 3.2 TB (300 * 10 for your warmbuckets at 10 GB + 10 hot buckets). Why don't you reduce the warm count? Eg... setting the warmcount to 250 would mean 500 GB space left on your homepath ..... as they will start rolling over.
... View more
Hi, The positional arguments for the alert are available as env var. If the JSON you are working on is in the search results you should be able to access it from the dispatch file... os.environ['SPLUNK_ARG_8']
eg:
import os
json_results = os.environ['SPLUNK_ARG_8']
Check out full details Here
However, if you are planning to email out the formatted results, I think it will have to be done from your script itself. From the alert perspective the email and the script are triggered per the same condition...
... View more
12-17-2015
07:14 AM
Hi... just curious, does it work with / did you try using "EXTRACT" option?
... View more
12-11-2015
08:41 AM
Hi,
you can try frozenTimePeriodInSecs, rotatePeriodInSecs options.
Eg:
frozenTimePeriodInSecs=3600
rotatePeriodInSecs=30
Also dpeneding on the data size you are receiving you can try other options
maxTotalDataSizeMB
homePath.maxDataSizeMB
coldPath.maxDataSizeMB
check out the spec for options..
... View more
10-29-2015
01:05 PM
Hi, This will depend on kind of searches that will run:
If most of your searches access only few weeks or few months of data, then moving "older" data/buckets to cold will result in search performance improvement as there is now less data to search through. If the searches use /need to access all the historical data, then moving data to cold will negatively impact your searches... as the searches will now have to fetch data from cold buckets.
... View more
10-22-2015
09:15 AM
Hi.. yes... Best would be to use the S.o.S Splunk app. It should provide what you need and more. You can also search internal index(depending on your environment/search head configuration). Eg: Something like
index=_internal earliest=-30m per_index_thruput will give you info on the data received from various hosts in the past 30 min from indexers responding to your search head... check out the available Fields and tweak the search per your requirement. You do this on Web or Use CLI /REST.
... View more
10-21-2015
07:20 PM
Hi,
Buckets are not just limited to replication activity, they also include data being received. Depending on your deployment and how your forwarders are configured it's possible that some of your systems are forwarding to only few of the indexers in your cluster causing them to have higher bucket counts. Eg: if you have a cluster of 8 indexers with a replication factor of 2, but some of the forwarders in your environment are only set to forward to 3 of these, you will naturally see more buckets on these irrespective of your replication activities.
Similarly it's also possible that firewalls might be blocking the forwarder access to some of your indexers (again depends on your env) causing the same issue. If you have set up custom load balancing on your forwarders, it can also cause this... there might be other similar reasons.. but you get the idea.
... View more
10-19-2015
09:29 AM
1 Karma
Hi Damien,
Splunk Licensing is restrictive from an indexer perspective rather than an "index". Simply put an indexer can index a set amount of data per the license configured on it.
So, if you are saying you want to index the data locally (say on Site 1) and forward the "same" data to a second set of indexers in Site 2 for indexing again... you will be wasting you license (doubling the license consumption to be exact).
But if you are just asking if it's possible to set a license master on a single site and point all the other indexers (slaves) to the license master ... then yes. You can do that. You can set license pools for each of your sites (with set data limits) and allocate indexers to the pools as fits your needs.
Since your current intention seems to be to index and forward... you may gain by considering other ways to achieve the same end goal by considering multisite clustering options or even having distributed searcheads (searchheads having access to all your indexers across all sites) and avoiding double indexing.
Hope this helps.
... View more
10-16-2015
07:49 AM
1 Karma
Hi,
You can use appendcols.... something like (assuming and alert name of "aname"):
|inputlookup yourlookupfile|search alertname=aname alertdate="*Sep 25*" AND alertstatus="Problem"|eval stime=strptime(alertdate, "%a %b %d %H:%M:%S %Y")|appendcols [|inputlookup yourlookupfile|search alertname=aname alertdate="*Sep 25*" AND alertstatus="OK"|eval etime=strptime(alertdate, "%a %b %d %H:%M:%S %Y")]|eval problemDuration_Min=((etime-stime)/60)|fields alertdate,alertname,host,hostname,problemDuration_Min
you can tweak your search criteria per your requirement...
Check out available time functions and Date/Time format options
... View more
10-15-2015
09:05 AM
Hi, something like
index=_internal host=yourForwarder earliest=-1d@d latest=@d per_source_thruput|stats avg(kb) by series
might help
... View more
10-14-2015
08:06 PM
1 Karma
hi,
I am not sure if the exact info is in the above indexes and if it's easy enough to extract with a single search. That being said, the REST calls that you referenced above can help with this requirement. There might be simpler ways to do this, but one way I think of would be to:
-- write the current saved search titles and searches to a look up table (schedule this per your requirement).
eg:
|rest /servicesNS/-/-/saved/searches|search splunk_server=yourSearchHead AND disabled=0|fields title,qualifiedSearch|outputlookup ssearches.csv
--schedule another search to look for searches not in this list and alert you (schedule per your requirement... time it accordingly with above search)
eg:
|rest /servicesNS/-/-/saved/searches|search splunk_server=yourSearchHead AND disabled=0|fields title|search NOT [ inputlookup ssearches.csv| fields title ]
you can use the same process to look for modification as well (...fields qualifiedSearch)
... View more
10-13-2015
07:28 PM
Hi,
Assuming your question to mean "Is it possible to have multiple instances for trail or free Splunk on a single server?" The answer would be "yes". If you have several trail licenses.. you should be able to install them wherever you please.
If you are saying that you downloaded a single trail version and want to use the "same" downloaded version again and again.. to create multiple instances..... The trail and free licenses are totally different. Trail gives you more features over the trail length where as the free license has limited features/functionality. You can also set it to use the free license (which is included in every download). So if your intention is just to use the "free" features (500MB ,standalone etc)... I think you should be able to use your free install and have multiple "free/stand alone" instances for your team. But ... you cannot use the "same" trail license for multiple instances (in the sense run multiple Enterprise Splunk instances in parallel with same trail license )
... View more
10-09-2015
08:10 AM
1 Karma
Hi deepthi,
There are multiple ways you can handle this. A few here...
If you have the option to reorganize the input, You can use a separate "unique" sourcetype and you can just search by sourcetype="XXXX" or if it makes sense in your env... even get this data in a separate index as being suggested by piUek
Or
You can maintain "tags" and just use the tag instead of source. Eg: Create a tag "myrtrs" and maintain all your sources there.
Tag Name: myrtrs -- source=abc1,source=abc2... etc
or
You can name your sources logically. Eg: If you prefeix your csv files with something unique like myrtrs_yourcurrentname you can just use a wild card
source=myrtrs_* ....
... View more
I just did a quick test and it did work on my side. Notice that when you set a default app for the role the url automatically changes for that app. Eg:
http://ursplunk/en-US/manager/**search**/authentication/changepassword/admin?action=edit
vs
http://ursplunk/en-US/manager/**launcher**/authentication/changepassword/test?action=edit
This is what I did if it can help:
Created a new role "testr"
Made this role has no read access to any apps except the "launcher"
Gave this role the exact same capabilities of the "user" role (did not inherit the role but explicitly selected the capabilities)
copied the xml file
cd $SPLUNK_HOME/etc/apps/launcher/default/data/ui/
mkdir manager
cd manager
cp -v $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/authentication_change_user_password.xml .
Added a user "test" and assigned the role "testr"
Made sure "launcher" was set as his default app.
restarted splunk $SPLUNK_HOME/bin/splunk restart
Logged in as test user and tried the "edit account" was successfully presented the option to change.
... View more
Hi,
The UIs for user password changes by default are stored within the "search" app. So when you remove the read access to this app there is no way to render the ui for that user. Try copying the xml from the default search app.... usually:
$SPLUNK_HOME/search/default/data/ui/manager/authentication_change_user_password.xml to the default app set for the specific user role. Use the same path ... create "manager" dir if necessary.
Also assuming that your user role has the change_own_password capability set... as it seems like it was working before. Hopefully this should fix the issue for you.
... View more
10-08-2015
08:19 AM
Ah... restart is optional, there should be an option to "check" restart the forwarder on the deployment server when you deploy the app. You can also use btool to see what inputs are active Eg:
./splunk cmd btool inputs list
I think your issue might mostly be the app not being deployed to all the forwarders. Good to know it's resolved.
... View more
10-08-2015
07:17 AM
Hi, it would be difficult to pin point the exact issue with just the above information.... but if you have not set any clustering and just operating on distributed architecture .. it should have nothing to do with replication. Are the forwarders sending the data from the newly defined app? On the forwarder, you can check the splunkd.log and also run ./splunk list monitor to check if it has picked up your log file "/opt/logfile.log" ... just to make sure that the app has been picked up and inputs are being monitored.
Do you see any errors in the splunkd.log on your forwarders or indexers?
... View more
10-07-2015
05:44 PM
3 Karma
1.Do I need more Splunk instances?
Ideally Yes. A search head cluster requires a minimum of 3 members. So with just two search heads you will not be able to have a search head cluster.
Also for indexers, your options depend on your need for resiliency, the cluster can tolerate a failure of (replication factor - 1) peer nodes. And there are benefits to having a separate cluster master for your indexers.
Search head cluster will need a deployer as well. You do have the option of having a server take on multiple roles... still if your preference is to have both a search head and an Indexer cluster you will need more servers for a clean deployment.
2.Do I need to send syslog to only one indexer, or the same syslog to two indexers?
To get the maximum performance benefit it's preferable to send your data to all indexers (distribute the data). So when the searches hit the indexers, each peer node can process it's set of results and render them back much faster.
3.If I send data to only one indexer, with replication, will I have the same data in two indexers?
Yes. Else when an indexer goes down, your data is lost. Clustering requires indexers maintaining replicated copies of the data (as defined by the replication factor)
4.If I send same data to two indexers, with replication, will I have data copies twice, in two indexers?
I am assuming you mean, you want to send the data to two indexers and not send the "same" data (clone) to two indexers. You can also have the option of using an intermediate forwarder which will load balance the data for you. But yes, depending on how you will be sending the data there is the possibility of having duplicates ... which will get replicated.
5.If one indexer is down, will the other one be enough for service continuity?
Yes. If you enable clustering, a replication factor of 2 will ensure availability even on failure of 1 peer node.
6.If I have a traffic balancer, only for sending syslog data, can I send data to any indexer, do I need any special consideration?
Sending data to any indexer is fine... though as explained it’s better to distribute the data.
Additionally there is excellent documentation on clustering. Check out Indexer Clustering and Search Head Clustering.
Good luck with the deployment.
... View more
