Activity Feed
- Got Karma for Re: Heavy Forwarder Costs and Licenses. 06-14-2024 07:54 AM
- Karma Has anyone seen this Error message: Monotonic time source didn't increase; is it stuck? for tywhite. 06-05-2020 12:49 AM
- Karma Re: Search head cluster failure with 2 of 3 nodes - Can the user access Search head ? for tiagofbmm. 06-05-2020 12:49 AM
- Got Karma for Re: How to monitor log files from /tmp/folder_name with a Universal Forwarder?. 06-05-2020 12:49 AM
- Got Karma for Re: Nothing gets indexed for unknown reason. 06-05-2020 12:49 AM
- Got Karma for Re: Is there SPL to hard code search mode?. 06-05-2020 12:49 AM
- Got Karma for Re: Is there a way to use some sort of regular expression with field aliases?. 06-05-2020 12:49 AM
- Got Karma for Re: How to get the difference between 2 queries?. 06-05-2020 12:49 AM
- Got Karma for Re: strptime for a existing time field in lookup table and adding new time field (_time) in the same lookup table. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to change the sourcetype of an ingested log to a different sourcetype without affecting the index?. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: rex to extract field from csv. 06-05-2020 12:49 AM
- Got Karma for Re: What is this (search_startup_time) field in _audit index ?. 06-05-2020 12:49 AM
- Got Karma for Re: Advantages of rolling over warm bucket to cold bucket.. 06-05-2020 12:49 AM
- Got Karma for Re: How to setup auto search based on login name?. 06-05-2020 12:49 AM
- Got Karma for Re: Alert if Fortigate and Clearpass events match. 06-05-2020 12:49 AM
- Karma Extract a field using rex for davidda. 06-05-2020 12:48 AM
- Karma Why am I getting "bucket not serviceable" errors on an indexer cluster master and replication is failing for some buckets? for austinament. 06-05-2020 12:48 AM
09-13-2019
12:30 AM
I have no scheduled searches in my environment, only ad-hoc searches run by users (and very few of those).
I would just like to know whether Splunk clears/wipes the queue during the restart, which would mean data loss,
or how it actually improves the indexing rate after a restart.
Simply put: what happens to the queued data during the restart?
09-12-2019
02:25 AM
On my 3 indexers (which are in a cluster), sometimes the typing queue and indexing queue go almost full (>90% or 100%),
and those indexers' indexing rate goes down (e.g. 300KB/sec, where the normal case is >3MB/sec),
and after I restart all my indexers' splunk service it is back to normal (meaning the indexing rate improves, the queue gets cleared, etc.).
How does the restart of the splunk service actually restore the performance in this case?
Does the restart of the indexers actually index the data in the queue (which was full), without data loss?
Or does it clear the queue (wiped away / not indexed / removed from being indexed), which improves the indexing rate for new incoming logs, with data loss?
Is it recommended to restart the indexers (rolling restart) when the queue/pipelines are full?
Thanks.
05-07-2019
03:08 AM
The search form below prevents the user from entering "wildcard" inputs in the text field.
- If the user enters any wildcard or blank value in the text field, it shows an error message.
Now, in this form I want to allow the user to do wildcard searches only when the dropdown input value is "audit".
<form>
<label>Text Box validation</label>
<fieldset submitButton="false">
<input type="dropdown" token="dropdown_input">
<label>Type</label>
<showClearButton>false</showClearButton>
<choice value="type1">audit</choice>
<choice value="type2">splunkd</choice>
</input>
<input type="text" token="selText">
<label>Enter Log Level (like INFO, WARN, ERROR, FATAL)</label>
<change>
<eval token="tokLogLevel">case(len($value$)>0 AND NOT like($value$,"%*%"),$value$)</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<html rejects="$tokLogLevel$">
<div style="color:red;text-align:center;font-weight:bold;font-size:150%">
Log Level does not accept asterisk (*)!!!
</div>
</html>
<table depends="$tokLogLevel$">
<title>Log Level Volume</title>
<search>
<query>index="_internal" sourcetype=$dropdown_input$ log_level="$tokLogLevel$"
| stats count by log_level
| appendpipe [| makeresults
| eval log_level="$tokLogLevel$",count=0
| fields - _time]
| dedup log_level</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
- Tags:
- splunk-enterprise
- xml
10-01-2018
08:45 PM
Try this,
index=_audit action=search info=granted search=* NOT(user=splunk-system-user) NOT "search_id='scheduler" NOT "search='|history" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats values(search_id) values(search) by user _time | sort _time | convert ctime(_time)
10-01-2018
02:58 AM
3 Karma
For those who found that restricting time-picker options using a stylesheet didn't work after upgrading to version 7.x:
Here is the updated stylesheet (.css) to restrict time-picker selections. Edit as needed to hide time-picker options selectively.
Tested and working in Splunk version 7.1.2!
/* ------------------------------------------------- */
/* Hides or display specific portions of the */
/* Datetimepicker accordion */
/* ------------------------------------------------- */
/* OPTIONS
div[data-test-panel-id^='presets']
div[data-test-panel-id^='relative']
div[data-test-panel-id^='realTime']
div[data-test-panel-id^='date']
div[data-test-panel-id^='dateTime']
div[data-test-panel-id^='advanced']
*/
/*Hide advanced, realtime, real, and few presets - tested in splunk v7.1.2*/
button[data-test^='Business week to date'],
button[data-test^='Week to date'],
button[data-test^='Year to date'],
button[data-test^='Previous week'],
button[data-test^='Previous business week'],
button[data-test^='Previous month'],
button[data-test^='Previous year'],
button[data-test^='Last 15 minutes'],
button[data-test^='Last 60 minutes'],
div[data-test^='real-time-column'],
div[data-test^='past'],
div[data-test^='other-column'],
div[data-test-panel-id^='advanced'],
div[data-test-panel-id^='relative'],
div[data-test-panel-id^='real']
{
display: none !important;
}
06-20-2018
01:20 AM
I encountered this error. I noticed that I had Python installed on my machine in 32-bit and 64-bit and various versions; I uninstalled them, and after that the Splunk installation was successful.
05-31-2018
01:47 AM
1 Karma
Search query:
| rest /services/authentication/current-context | where username!="splunk-system-user" | fields username| replace * with "Welcome \"*\" !" in username
Create a dashboard panel
Set the Visualization to "single value"
Likewise, you may customize your search query and pass the username to load user-related results.
05-31-2018
01:34 AM
How to export logs from Splunk Enterprise with "host", "source" and "sourcetype" fields?
<yoursearch> | table host, source, sourcetype, _raw
Once results are displayed click export to download logs.
How to upload into another Splunk instance? (I use the CLI command)
splunk add monitor c:\xxxx.log -index yourindexname -source yoursourcename -sourcetype yoursourcetypename -hostname yourhostname
04-06-2018
02:42 AM
Make your results 🙂
index=* host=hostname source=sourcename | above query
04-06-2018
02:29 AM
How is your indexing performance? Did you take a look at your indexer's splunkd.log?
04-06-2018
02:22 AM
| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60
04-06-2018
12:43 AM
You can place your lookup file in the directory below and access it from a search query.
location:
D:\Program Files\Splunk\etc\apps\search\lookups\example.csv
search query :
|inputlookup example.csv
04-05-2018
07:45 PM
try this,
basesearch| bucket _time span=5m|stats count by host , _time| where count >3
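As an added example (not part of the original reply), the same 5-minute bucketing and per-host threshold that the SPL above expresses as `bucket _time span=5m | stats count by host, _time | where count > 3`, written out in plain Python over a constructed set of events, so the bucket alignment and the threshold check can be read and tested outside Splunk. The event list, host names and base timestamp are all constructed for this example.

```python
"""Added example: 5-minute bucketing with a per-host count threshold, the
Python equivalent of
    ... | bucket _time span=5m | stats count by host, _time | where count > 3
Not code from the original post; sample data is constructed."""
from collections import Counter
from datetime import datetime, timezone

SPAN_SECONDS = 5 * 60   # span=5m
THRESHOLD = 3           # where count > 3

# Constructed sample events (epoch seconds, host); not real data.
# BUCKET is a multiple of 300 so the events line up with 5-minute boundaries.
BUCKET = 1523000100
SAMPLE_EVENTS = [
    (BUCKET + 0,   "web01"), (BUCKET + 30,  "web01"),
    (BUCKET + 90,  "web01"), (BUCKET + 200, "web01"),   # 4 for web01 in one bucket
    (BUCKET + 10,  "web02"), (BUCKET + 400, "web02"),   # web02 spread over two buckets
    (BUCKET + 600, "web01"),                            # lone event in a later bucket
]


def bucket_start(epoch, span=SPAN_SECONDS):
    """Floor an epoch timestamp to the start of its span-second bucket.
    `bucket _time span=5m` aligns buckets to epoch boundaries the same way."""
    return epoch - (epoch % span)


def count_by_host_and_bucket(events, span=SPAN_SECONDS):
    """Equivalent of `stats count by host, _time` after bucketing:
    {(host, bucket_start): count}."""
    counts = Counter()
    for epoch, host in events:
        counts[(host, bucket_start(epoch, span))] += 1
    return counts


def hosts_over_threshold(events, threshold=THRESHOLD, span=SPAN_SECONDS):
    """Equivalent of `where count > 3`: sorted (host, bucket_start, count)
    tuples whose count exceeds the threshold."""
    counts = count_by_host_and_bucket(events, span)
    return sorted((host, start, n)
                  for (host, start), n in counts.items() if n > threshold)


if __name__ == "__main__":
    for host, start, n in hosts_over_threshold(SAMPLE_EVENTS):
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(f"{host}: {n} events in the 5m bucket starting {when}")
```

Only web01 crosses the threshold, and only in the first bucket; its seventh event falls in a later bucket and is counted separately, which is the behaviour the `by host, _time` grouping gives after `bucket`.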
04-05-2018
07:39 PM
try to see the latency,
* | eval time=_time | eval itime=_indextime | eval latency=(itime - time) | stats count, avg(latency), min(latency), max(latency) by source
Negative latencies, if observed, usually indicate a system clock difference between the source server (log source) and the Splunk server (indexer).
This figure will of course be inaccurate when Splunk indexes historic logs (just to let you know).
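As an added example (not from the original reply), the latency calculation above (`latency = _indextime - _time`, then count/avg/min/max by source) carried out in Python over constructed events, with the two cases the reply warns about handled explicitly: a negative minimum latency flagged as clock skew between log source and indexer, and a very large maximum latency flagged as a historic-log replay whose figure says nothing about live ingestion. Source paths, timestamps and the one-day plausibility cut-off are all assumptions made for this example.

```python
"""Added example: indexing latency per source, the Python equivalent of
    * | eval latency=_indextime-_time
      | stats count, avg(latency), min(latency), max(latency) by source
plus the negative-latency and historic-replay checks. Not code from the
original post; sample data is constructed."""
from collections import defaultdict

# Constructed sample events: (source, _time, _indextime) in epoch seconds.
SAMPLE_EVENTS = [
    ("/var/log/app.log",  1523000000, 1523000002),
    ("/var/log/app.log",  1523000010, 1523000014),
    ("/var/log/app.log",  1523000020, 1523000026),
    ("/var/log/auth.log", 1523000000, 1522999990),  # indexed "before" it happened
    ("/var/log/auth.log", 1523000030, 1523000021),  # same source, same skew
    ("/var/log/old.log",  1400000000, 1523000000),  # backfill of an old log
]


def latency_by_source(events):
    """Return {source: {"count", "avg", "min", "max"}} of _indextime - _time,
    mirroring the SPL stats clause."""
    per_source = defaultdict(list)
    for source, event_time, index_time in events:
        per_source[source].append(index_time - event_time)
    return {
        src: {"count": len(lat), "avg": sum(lat) / len(lat),
              "min": min(lat), "max": max(lat)}
        for src, lat in per_source.items()
    }


def sources_with_clock_skew(stats):
    """Sources whose minimum latency is negative: the event's own timestamp is
    later than the moment the indexer received it, which points to the log
    source's clock running ahead of the indexer's rather than to fast
    ingestion."""
    return sorted(src for src, s in stats.items() if s["min"] < 0)


def sources_with_historic_replay(stats, max_plausible_seconds=86400):
    """Sources whose maximum latency exceeds the cut-off (assumed: one day).
    That is almost always an old log being indexed after the fact, so the
    latency figure for that source should not be read as ingestion health."""
    return sorted(src for src, s in stats.items()
                  if s["max"] > max_plausible_seconds)


if __name__ == "__main__":
    stats = latency_by_source(SAMPLE_EVENTS)
    for src, s in sorted(stats.items()):
        print(f"{src}: count={s['count']} avg={s['avg']:.1f} "
              f"min={s['min']} max={s['max']}")
    print("clock skew suspected:", sources_with_clock_skew(stats))
    print("historic replay suspected:", sources_with_historic_replay(stats))
```

Splitting the two anomaly checks out of the stats keeps the per-source numbers comparable: a source with skew or a replay is reported on its own instead of dragging the averages of the healthy sources in either direction.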
04-05-2018
06:03 AM
Check this link:
https://answers.splunk.com/answers/399009/how-to-migrate-buckets-from-a-standalone-indexer-t.html
04-05-2018
05:52 AM
Can you post the full Windows logs, so we can figure out why you see these?
04-05-2018
05:44 AM
Are you executing your search for an exact time range, or a real-time moving window / last 5 min, 15 min, etc.?
From the time-range picker, specify a fixed time range and try...
04-05-2018
05:38 AM
<single>
<title>Total devices</title>
<search base="devicesBaseSearch">
<query>|stats count</query>
</search>
<option name="drilldown">none</option>
</single>
</panel>
Did you miss a pipe symbol in your <query>?
04-05-2018
05:23 AM
1 Karma
I saved the results here; you can verify below.
https://regex101.com/r/ZenZiK/1
04-05-2018
05:21 AM
1 Karma
Try this,
yoursearch | rex "(?P<Emp_No>\d+),(?P<Emp_Name>\S+),(?P<Title>[\w|\s]+),(?P<Region>\w+),(?P<Country>[\w|\s]+),(?P<Completed>\d+),(?P<Not_Completed>\d+)" | table *
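As an added example (not from the original reply), the same named-group regex run with Python's `re` module over constructed CSV lines, beside a proper CSV parser for comparison. It covers the question raised in the thread about whether every event has the same commas: the regex works when each field is comma-free, but a quoted field containing a comma defeats it, while `csv` handles the quoting. The employee records and field names are constructed for this example.

```python
"""Added example: the rex pattern above applied with Python's re module,
compared with csv-based parsing for lines whose fields contain commas.
Not code from the original post; sample lines are constructed."""
import csv
import re

# The named-group regex from the rex command, unchanged. Note that inside
# [...] the '|' is a literal character, not alternation, so [\w|\s]+ also
# admits a '|' in Title and Country.
EMP_RE = re.compile(
    r"(?P<Emp_No>\d+),(?P<Emp_Name>\S+),(?P<Title>[\w|\s]+),(?P<Region>\w+),"
    r"(?P<Country>[\w|\s]+),(?P<Completed>\d+),(?P<Not_Completed>\d+)"
)
FIELDS = ("Emp_No", "Emp_Name", "Title", "Region", "Country",
          "Completed", "Not_Completed")

# Constructed sample lines; the third has a quoted, comma-bearing Title.
SAMPLE_LINES = [
    "1001,jsmith,Senior Engineer,EMEA,United Kingdom,12,3",
    "1002,akhan,Analyst,APAC,India,5,0",
    '1003,mlee,"Manager, Security",NA,United States,7,2',
]


def extract_with_rex(line):
    """Apply the rex pattern; returns the named groups or None on no match.
    \\S+ for Emp_Name can swallow commas, so the match relies on
    backtracking finding a split that satisfies the later groups."""
    m = EMP_RE.search(line)
    return m.groupdict() if m else None


def extract_with_csv(line, fields=FIELDS):
    """Parse the line as CSV, honouring quotes, and map it onto the field
    names; returns None if the column count does not match."""
    row = next(csv.reader([line]))
    return dict(zip(fields, row)) if len(row) == len(fields) else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("rex:", extract_with_rex(line))
        print("csv:", extract_with_csv(line))
```

On the first two lines both approaches agree field for field; on the third the regex finds no consistent match at all, whereas the CSV parser returns `Manager, Security` as a single Title value. For comma-separated data that may carry quoted fields, Splunk's own delimiter-based extraction (or an index-time sourcetype with `INDEXED_EXTRACTIONS = csv`) is the more robust route than a hand-written rex.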
04-05-2018
04:56 AM
Does all your data have the same comma, or only this particular event?
04-05-2018
04:45 AM
1 Karma
*|rename ip_address as src_ip |transaction.....
04-05-2018
04:41 AM
Youresult | collect index=your_desired_index
04-05-2018
04:37 AM
search1 |fields host| rename host as host1 | join host1 [search index=a source=b host="host from previous search"]