Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rogue_carrot
rogue_carrot
Communicator
Member since:
05-08-2018
06-05-2020
Community Statistics
| Posts | 46 |
| Solutions | 3 |
| Karma Given | 8 |
| Karma Received | 2 |
| Member Since | 05-08-2018 |
Activity Feed
- Got Karma for Can someone provide the most simple example possible of using the chart command?. 02-17-2022 04:22 PM
- Karma Re: Can someone provide the most simple example possible of using the chart command? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Trouble Installing Splunk-6.0 on Windows-7 64-bit for adonio. 06-05-2020 12:49 AM
- Karma Re: Splunk Add Monitor Command Error: Why is "Parameter name: Path is not readable"? for amiftah. 06-05-2020 12:49 AM
- Karma Re: Why am I receiving a Warning/Error Message - Unsupported JRE detected on Splunk DB Connect after upgrading to 7.1? for solarboyz1. 06-05-2020 12:49 AM
- Karma Re: Cannot Connect to Database - Splunk DB Connect for richgalloway. 06-05-2020 12:49 AM
- Karma Re: Question - What is a "single-instance Splunk environment"? for renjith_nair. 06-05-2020 12:49 AM
- Got Karma for Re: Can someone provide the most simple example possible of using the chart command?. 06-05-2020 12:49 AM
- Karma Re: Can't login when setting up a universal forwarder for mslvrstn. 06-05-2020 12:46 AM
- Karma Files & Directories: Path does not exist for kmattern. 06-05-2020 12:45 AM
- Posted Re: Can someone provide the most simple example possible of using the chart command? on Dashboards & Visualizations. 08-14-2018 03:22 PM
- Posted Re: Can someone provide the most simple example possible of using the chart command? on Dashboards & Visualizations. 08-14-2018 03:18 PM
- Posted Re: How to Interpret License Usage Page - Splunk Enterprise on All Apps and Add-ons. 08-13-2018 06:23 PM
- Posted How to Interpret License Usage Page - Splunk Enterprise on All Apps and Add-ons. 08-13-2018 05:26 PM
- Tagged How to Interpret License Usage Page - Splunk Enterprise on All Apps and Add-ons. 08-13-2018 05:26 PM
- Tagged How to Interpret License Usage Page - Splunk Enterprise on All Apps and Add-ons. 08-13-2018 05:26 PM
- Tagged How to Interpret License Usage Page - Splunk Enterprise on All Apps and Add-ons. 08-13-2018 05:26 PM
- Posted Re: splunk db connect index1 out of range error on All Apps and Add-ons. 08-02-2018 05:13 PM
- Posted Re: Splunk DB Connect: How to resolve "Can not communicate with task server, check your settings" error message? on All Apps and Add-ons. 08-02-2018 01:07 PM
- Posted Can someone provide the most simple example possible of using the chart command? on Dashboards & Visualizations. 08-01-2018 02:59 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-14-2018
03:22 PM
Thank-you for providing an example. I copy and pasted your SPL into my Splunk instance and was surprised that some results were returned. Your SPL is way over my head... Something simpler would be very appreciated.
... View more
08-14-2018
03:18 PM
1 Karma
Thank-you for providing the in-depth answer. I went through it and learned some stuff. I was hoping for even simpler ways to use the chart command but I think you have some useful examples.
... View more
08-13-2018
06:23 PM
Interesting. Thank-you for the reply. I turned off all data coming into the Splunk server so as to not obtain any more license warnings. I think I have three more weeks before I can search again. I will research how to configure the indexer with enough space. If you look the first warnings say the pool size is 500MB. I wonder how the value changed from 500MB to 0MB?
How do I "Make sure your indexers all have sufficiently large license pools"?
Thank-you again for the helpful reply.
... View more
08-13-2018
05:26 PM
Hello Team Splunk!
I am having some trouble interpreting the license usage page in Splunk Enterprise. Figures 1 and 2 below show the parts I am confused about. Figure 1 shows that there was some type of license violation on July 25, 2018 while Figure 2 shows this date without any skyrocketing bar indicating that index went over its allowance of data, 500MB per day.
Also, does anyone know what "stack size" means in Figure 2?
Also, in Figure 1, how can a warning be generated if the poolsize is equal to zero? Seems like a warning would be generated if the poolsize is over 524288000 Bytes. I looked this up and found that 500 MB = 524288000 Bytes (in binary). Of course 500MB is the limit on the amount of data that the indexer can consume with the free license.
Figure 1: July 25, Poolsize = 0 bytes
Figure 2: Daily License Usage
... View more
08-02-2018
05:13 PM
Question mark did not work for me. 0_o
... View more
08-02-2018
01:07 PM
Yes, If I change the port number and restart splunk it seems to work! Thank-you for the helpful answer.
./splunk restart
... View more
08-01-2018
02:59 PM
1 Karma
Hello!
I am reading the documentation here: http://docs.splunk[dot]com/Documentation/Splunk/7.1.2/SearchReference/CommonStatsFunctions
I was hoping that after reading through this I would be able to use some of these functions/commands. I tried to Google to find simpler examples but did not come up with anything. Can someone please provide the most simple example possible of using the chart command?
For instance I am trying to find the number of errors for each month. I have the following search:
host="localhost" sourcetype=alert_DBMS | chart values(date_month)
This does not show anything useful though. Any tips splunk land?
I also have this search which does show a chart but the chart is useless. The chart is shown below in Figure 1.
host="localhost" sourcetype=alert_DBMS | chart count by date_hour, date_wday
Figure 1: Useless chart created with very limited SPL skills
Finally, does anyone have a link to more readable documentation? I think the documentation is info overload with links to more links to more links... a confusing frustrating experience. A Head First type of documentation website would be ideal.
Regards,
rogue_carrot
... View more
07-30-2018
10:53 AM
I installed splunk in a new directory of Linux and then copied the /etc file over and then re-started splunk from the new directory. I thought I was using the new version of splunk in the new directory. But I looked in the settings and saw that the previous version of splunk was running from the previous directory. 😕 I am not sure this answer really answers everything on moving one splunk instance to a new one while keeping settings in place. 😕
... View more
07-05-2018
10:55 AM
Maybe having a remote forwarder does make the topography a distributed configuration. I just read this, "You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers." This quote seems to say that forwarders entail a distributed architecture. I read this sentence at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/Data/Distributesourcetypeconfigurations
... View more
07-05-2018
10:53 AM
external?
... View more
07-05-2018
09:56 AM
I think there could be remote forwarders and this could still be a single instance. Is this incorrect? Thank-you for the help with this.
... View more
07-05-2018
09:55 AM
I thought maybe having remote forwarders would make my architecture not a single-instance but apparently this is not the case. The hyperlink in your answer points out that having forwarders still makes the architecture a single instance, when the amount of forwarders is below 100 or something. 0_o
... View more
07-03-2018
04:13 PM
Hello Team,
I am trying to figure out if I have a "single-instance splunk environment" or something else. I read this phrase a few times in the manuals and am unclear as to what this means exactly. Figure 1 shows this phrase in an Enterprise installation. Does this mean that my Splunk architecture does not include a cluster or does this mean something else?
I think I am in a "single-instance Splunk environment" as I have one indexer and a few forwarders sending data to the indexer from remote computers. Is this correct? Or is this not a "single-instance Splunk environment" because I am using forwarders in addition to the Splunk Enterprise installation that is indexing the events from the forwarders?
Figure 1: Settings -> Add Data -> Forwarder
Thanks for reading this question.
Regards,
Your Rogue Carrot
... View more
06-28-2018
10:21 AM
I was not able to use the find command to find the log file which gave me a clue to the problem.
... View more
06-28-2018
10:20 AM
The solution was to recursively change all the permissions for the group to read write execute. The command was something like chmod -R 775 /app
After this command was issued I was able to add the file to the monitor and forward the log to the remote indexer with the ./splunk add monitor <path to file> command. 🙂
... View more
06-28-2018
09:15 AM
Hello renjith.nair and MuS I am able to ls the directory with the log file I want to forward and I am able to use the tail command on the log file. I checked the permissions and I think the splunk user can both read and execute the directory where the log file is. Any other ideas?
Mus, you were saying the entire path needs to have the correct permissions? I have not checked every directory but I can cd (change directories) to the log file that I am trying to forward.
... View more
06-27-2018
03:58 PM
Hello Team,
I am trying to do a simple thing. I am trying to forward a log file to my remote Splunk indexer. I am using the command : ./splunk add monitor /path/to/log/file/appname.log . I am able to tab complete all the way to the log file so I know the file is there on the disk. However Splunk still throws the "Parameter name: Path does not exist." error.
This command has worked in the past. However I have been receiving the below error, Figure 1, for the last four hours and counting.
Figure 1: Add Monitor Error
I saw someone had a similar question but I did not see any helpful answers. I think this must be a permissions issue. Splunk does not have the same privileges as the normal user of the operating system. Can anyone point me in right direction? Also, I noticed something else.
Figure 2 shows a screenshot of the different partitions of the operating system (OS). I am trying to forward the log file under the /app directory which is on /dev/mapper/VolGroup00-app_lv from where splunk is installed on the /opt directory which is on /dev/mapper/VolGroup00-root_lv. Do you all think the fact that these two folders are on different partitions has anything to do with the problem?
Figure 2: Different partitions of same drive
This error seems similar to this question: https://answers.splunk[dot]com/answers/29019/the-system-cannot-find-the-path-specified.html
Thank-you for reading this.
Regards,
rogue_carrot
... View more
- Tags:
- splunk-enterprise
06-27-2018
02:27 PM
I just gave read and write privileges to the file i want splunk to monitor to the splunk user and now I receive the errror, "bash: ./splunk: Permission denied". 😕 Things changed when I changed the privileges but still I have an error.
... View more
06-27-2018
02:09 PM
I found out the problem. The splunk user did not have read access to the file. I gave the file read/write access with the linux setfacl program. Then my remote indexer picked up the forwarded log file events. I followed this simple tutorial: https://www.webhostinghero.com/how-to-give-file-permissions-to-a-specific-user-in-linux/
... View more
06-27-2018
02:08 PM
I have a directory and files that I can tab complete on the command line in linux but I receive this error. If I can tab complete the path to the file I want to monitor then I know for sure the file is there otherwise I would not be able to tab complete to the file.
I am completely confused. I think this must be a permissions issue as the splunk user may not have the same permissions as the normal user on this operating system (OS) that created these files. I did add the splunk user to the main group that the main user is in though so they appear to have the same permissions from my perspective. Thanks for asking this question. Frustrating/confusing situation.
... View more
06-25-2018
04:38 PM
I found out the problem. The splunk user did not have read access to the file. I gave the file read/write access with the linux setfacl program. Then my remote indexer picked up the forwarded log file events. I followed this simple tutorial: https://www.webhostinghero.com/how-to-give-file-permissions-to-a-specific-user-in-linux/
... View more
06-25-2018
03:29 PM
Thank-you for the reply. 🙂 I stopped the running splunk process that was executing as root and restarted the splunk process as the splunk user.
... View more
06-25-2018
03:02 PM
Hello Team Splunk,
I am trying to add a monitor to a log file. When I do this as either the 'splunk' user or the 'root' user I receive the following error: "Parameter name: Path is not readable." I noticed that as the 'splunk' user I cannot read the file with the vi program. However I can read the file as the root user. So why would I receive this error if the 'root' user can read the file and I am running the ./splunk program as 'root'. I also noticed that the log files I am trying to forward are on a network file system that is mounted on the operating system (OS). I am not sure if this mount makes a difference or not.
Also, I noticed I can add the entire directory but not the specific file I want to forward to the indexer. Also, when I monitor the entire directory the indexer only monitors some other out of date log file and not the log file I am after. 0_o I noticed that the files in this directory are executable except for the specific log file I am trying to monitor.
Regards,
rogue_carrot
... View more
06-24-2018
06:55 PM
I figured out my problem. 🙂 Feels great...
In the time selector the search was looking for the Last 24 hours. I changed this to search All time and behold my data was there! Or my events were there, or whatever that stuff is that should be there but was not earlier that necessitated this question. 🙂
Please see the screenshot that follows. Pay attention to the "All time" in the drop down to the left of the magnifine glass symbol. I think someone should update the tutorial for the Splunk noob trying to find their way through the stress of trying to scale a learning curve.
... View more
06-24-2018
06:37 PM
I tried specifying an index with the wildcard, index=*, but this did not change anything. Still there are no results in the search. 😕 Please see the following screenshot.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
