Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About JdeFalconr
JdeFalconr
Explorer
Member since:
03-13-2014
09-28-2023
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 03-13-2014 |
Activity Feed
- Got Karma for Re: How to create a search to predict license violations?. 12-06-2023 12:59 AM
- Posted Re: v9.1 upgrade issues - Why does Top tool bar shows Loading? on Splunk Enterprise. 09-28-2023 12:15 PM
- Got Karma for How to create a search to predict license violations?. 06-05-2020 12:47 AM
- Got Karma for How to create a search to predict license violations?. 06-05-2020 12:47 AM
- Posted Re: Forwarder reconfiguration when migrating Indexer? on Installation. 07-25-2019 11:34 AM
- Posted Re: Forwarder reconfiguration when migrating Indexer? on Installation. 07-25-2019 11:29 AM
- Posted Forwarder reconfiguration when migrating Indexer? on Installation. 07-25-2019 07:49 AM
- Tagged Forwarder reconfiguration when migrating Indexer? on Installation. 07-25-2019 07:49 AM
- Tagged Forwarder reconfiguration when migrating Indexer? on Installation. 07-25-2019 07:49 AM
- Posted Return raw results for a search filtered by event counts on All Apps and Add-ons. 11-14-2018 03:07 PM
- Tagged Return raw results for a search filtered by event counts on All Apps and Add-ons. 11-14-2018 03:07 PM
- Posted If an identical input is specified in inputs.conf for multiple apps on a universal forwarder, will this result in duplicate data? on Getting Data In. 02-24-2016 02:28 PM
- Tagged If an identical input is specified in inputs.conf for multiple apps on a universal forwarder, will this result in duplicate data? on Getting Data In. 02-24-2016 02:28 PM
- Tagged If an identical input is specified in inputs.conf for multiple apps on a universal forwarder, will this result in duplicate data? on Getting Data In. 02-24-2016 02:28 PM
- Posted Re: Why am I getting an unresponsive setup screen trying to install Cisco Security Suite on Splunk 6.3? on All Apps and Add-ons. 01-13-2016 08:57 AM
- Posted Re: Why am I getting an unresponsive setup screen trying to install Cisco Security Suite on Splunk 6.3? on All Apps and Add-ons. 01-12-2016 10:00 AM
- Posted Re: How to define an index per Source for a shared UDP 514 input? on Getting Data In. 12-15-2015 01:05 PM
- Posted How to define an index per Source for a shared UDP 514 input? on Getting Data In. 12-15-2015 10:56 AM
- Tagged How to define an index per Source for a shared UDP 514 input? on Getting Data In. 12-15-2015 10:56 AM
- Tagged How to define an index per Source for a shared UDP 514 input? on Getting Data In. 12-15-2015 10:56 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 |
09-28-2023
12:15 PM
Just came here to say this worked for me, thanks for posting it.
... View more
07-25-2019
11:34 AM
Thank you! My forwarders should already be pointed at a hostname and not an IP. I think what I'll do is be slightly messy and once the old Indexer is gone I'll recycle its A record and turn it into a CNAME that I'll point at the new server. I can also re-IP the new server for good measure.
Thanks too for updating the documentation, that will be most helpful.
... View more
07-25-2019
07:49 AM
I'm working to migrate our existing Indexer to a new machine. The instructions at https://docs.splunk.com/Documentation/Splunk/6.3.3/Installation/MigrateaSplunkinstance unfortunately are completely silent on the topic of what to do with forwarders.
If the new machine has a different IP than the existing indexer, do you have to manually go to every forwarder and re-point it? That seems thoroughly ridiculous. Alternatively, I see that for distributed environments you're supposed to remove the host to be upgraded from the distributed environment before migration. Would it be an option for my Indexer to remove it from the environment, swap IP addresses for the new and old machine (thus putting the new machine in the same IP as the old), reinstall, update DNS and be off to the races? That would seem to resolve quite a few potential issues.
... View more
11-14-2018
03:07 PM
I am searching Cisco calling records via the Splunk Cisco CDR app, examining the calling and called party numbers and their counts. I need to create a search that returns raw results only where a given calling party number shows up X or more times; I want to eliminate any results where its calling party number does not show up above that threshold. I unfortunately have had great difficulty in generating such a search and being able to export the raw events to CSV. In order to generate a table of counts by calling party number (only part of what I need) I use this:
`cdr_events`
earliest=-4h latest=now | stats min(_time) as _time values(callId) as callId values(callingPartyNumber) as callingPartyNumber by globalCallID_callId globalCallID_callManagerId globalCallId_ClusterID
| search | stats dc(callId) as CallCount by callingPartyNumber | where CallCount > 500
Unfortunately I do not have confidence that search's raw results (the "Events" tab on the search screen) only correspond to the events identified by the "where" clause. Moreover if I try to export results to CSV only the table of stats is returned.
The search is already scheduled to email out the table of stats. In a perfect world, though, I would have that table of stats emailed and the raw results - filtered in the manner I described above - included in the email as an attachment. At this point, however, I would gladly take just the raw log lines for all instances where the count of callingPartyNumber exceeds value X that I designate.
... View more
02-24-2016
02:28 PM
If an input is specified identically in the inputs.conf file of multiple apps running on a Universal forwarder, will the same data be gathered multiple times (and thus generate extra license usage) or just once?
I'm looking at indexed data volume in our Splunk environment for a particular sourcetype within the Splunk App for Microsoft Exchange (winhostmon). In looking at .conf files on one of our Exchange servers' Universal Forwarder, I see that the inputs.conf file within the "TA-Exchange-2010-CAS" app, the "TA-Exchange-2010-HUB" app, and the TA-Windows-2008R2-Exchange-IIS" app all have inputs for "winhostmon" defined precisely the same. None are disabled. Does that mean this data is being gathered and indexed once per application specifying this input? Or is the forwarder smart enough to only gather it once?
... View more
01-13-2016
08:57 AM
Thanks for the suggestion. I'd read similarly elsewhere and it looks like I have that set to 1200 on my Search Head. I'm thinking bumping it to 1400 probably won't have too much of an effect if it's already choking.
... View more
01-12-2016
10:00 AM
I'm getting the same thing on Splunk 6.2.6. When opening the app after installation I get the screen:
The "Cisco Security Suite" app has not been fully configured yet.
This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required.
When I click on the "Continue to app setup page" button the browser window sits there for an indefinite period of time and the app never completes setup.
... View more
12-15-2015
01:05 PM
Thank you, that's extremely helpful. That article was spot-on what I needed.
I do have to say I'm completely mystified that doing what I'm asking is so incredibly difficult to configure on the Indexer. It really seems like this was an intentional decision to leave this feature out. Obviously Splunk is able to examine what network port data comes in on and make a decision purely based on that as to which index data goes into. Furthermore it can include or exclude data based on what host the data is sourced from on that port. Yet for some reason while it can differentiate between multiple hosts on a single port for data inclusion/exclusion it is unable to perform the same differentiation in terms of what the destination index should be! Ridiculous! Even worse, you're saying it can be done based on regex inspection of the content of the data, yet as I've previously illustrated you can do what I'm asking without looking at any of the contents of the incoming data at all!
... View more
12-15-2015
10:56 AM
I'm trying to figure out how to have data from a particular host (i.e. Source) sent to a specific index. To get more specific for my example, I am trying to send Syslog data in on UDP 514. I would like to make it such that multiple devices can all send data to my Indexer on UDP 514, but send data to different indexes based on which host it comes from. I am using only the syslog functionality within the hosts I'm sending data from, not a forwarder installed on those hosts.
With a shared input and no control on the sending end, how do I configure things on my indexer to move data from specific hosts into a separate index? I know I can define individual inputs and define a destination index per input, but that seems like a terrible waste to use a separate port for each input (i.e. this batch of servers comes in on UDP 514 and data goes to index A, this other batch uses UDP 515 and goes to index B, and so on) not to mention the many different firewall ports I might have to open up.
Is it possible to define multiple inputs for the same port and differentiate them between their sending host? That would allow me to use the same port but move data to separate indexes. For instance, say I configure two inputs for UDP 514. One specifies a particular set of hosts and an index for their data while the other one does not specify a host (meaning any other data coming in on UDP 514 goes to that index).
Thanks for the help.
... View more
12-03-2015
09:55 AM
So I'm a bit confused now. My goal is to avoid saved searches executing on both my indexer as well as my search head. But are you saying that they are not ever going to execute from my indexer and thus my concern is unfounded?
We do have universal forwarders active in our environment but they're all pointed to the Search Head. otherwise I'm not too concerned about local or remote data inputs being duplicated.
... View more
12-03-2015
09:46 AM
Thanks, that's extremely helpful. So what's a good way to tell if an app has inputs? Simply whether there's an inputs.conf present? Also should I assume that I should go through and remove any SavedSearch.conf files present for apps on my Indexer?
... View more
12-03-2015
09:06 AM
We have a distributed environment of one search head, one indexer and one deployment server + license master. I'm working on resolving CPU utilization issues right now related to too many scheduled searches running during the day and towards that end, I'm trying to prune extraneous applications. I've noticed that I have a number of applications installed on my Indexer as well as my Search Head and I'm concerned that they are causing scheduled searches to be executed extraneously. On which of those servers do I need to install each application? Both Search Head and Indexer or only the Search Head?
... View more
Labels
- Labels:
-
app
-
indexer
-
search head
11-05-2015
09:18 AM
I think so, yes, that's closest to what I was originally after. I'd mark it as an answer but it looks like it's placed as a comment instead.
In any case, thank you!
... View more
11-02-2015
02:58 PM
Thanks for the idea, I appreciate it. However a dashboard is far more effort than I wanted to put into creating this search. Isn't there an easy way to simply split the results by host and visualize?
... View more
11-02-2015
01:51 PM
I'm trying to analyze the makeup of different event types coming from a series of different hosts. To do that, I would like to create a search that will create one pie chart per host. Each pie chart will show the percentages of Sourcetypes coming from that host. This would seem to be a very simple operation conceptually, but as is typical of Splunk, the execution is quite difficult. It's a no-brainer to produce the raw stats with this search:
index=myindex | stats count by host,sourcetype
I can even produce a pie chart where it mashes all of the results into a single pie chart, showing each host's event count in terms of the whole. That's by replacing the "Stats" command with "Chart." But splitting those charts out per host is what's escaping me.
Thanks for the help.
... View more
11-20-2014
09:19 AM
1 Karma
Wow that's fantastic! Much more than I had anticipated getting. That search worked great too. The one challenge I have in it is I can't seem to get any results for "volume_so_far" relative start/end times with Earliest and Latest to "@d" and "@h," respectively; I'm guessing that's conflicting with the "where" statements. But that's not a big deal, I've been able to surmount that with the scheduled search settings which don't seem to offend the results much.
Thanks again for the great help and for the complete response.
In case others see this and want the results in GB as opposed to raw bytes I modified the search ever so slightly to give results in terms of GB:
index=_internal source=*license_usage.log* type=Usage
| eval GB=((b/1024)/1024)/1024
| timechart span=1h sum(GB) AS volume_b | predict volume_b as prediction future_timespan=24
| addinfo | where _time>=relative_time(info_max_time, "@d") AND _time<relative_time(info_max_time, "+d@d") | fields - info*
| eval merged = coalesce(volume_b, prediction) | stats sum(merged) as predicted_volume sum(volume_b) as volume_so_far
... View more
11-13-2014
04:44 PM
2 Karma
I'm trying to use commands like predict and trendline to write a search that will alert on a predicted license violation for the day. While http://answers.splunk.com/answers/39980/license-violation-prediction.html has some good information as noted in its comments the search does not return accurate results in terms of data volume.
In writing this search I've realized that what I need to predict is the ever-growing sum of license volume during the day. In other words, say X is my total license volume for the day. Each data point in my search is going to be an ever-increasing value for X as more and more data is indexed (example of data points: 1GB at 1AM, 2GB at 2AM, 3GB at 3AM, 4GB at 4AM, etc). My goal, of course, is to predict what X will be at midnight.
While the search commands I know of (such as those in http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume) will provide a total indexed volume for a time span I know of none that will plot a series of data points which represent a sum of a value at different points in the day, as with index volume. In other words, right now I can run a search that spans from midnight today until the current time and sums up the total volume of indexed data. However the search I would need to execute in order to make a prediction would have to give me the sum volume of indexed data from midnight until 1am as well as from midnight until 2am, from midnight until 3am, and so on up to the current time.
How would I go about creating such a search that gives me the data points I need to make a prediction?
... View more
03-13-2014
04:11 PM
I've successfully installed the Splunk App for F5 Networks and Splunk App for F5 Access apps into our Splunk 5.0.5 installation. I configured a non-default index for logs to go into named "f5" and configured the input set up for the app to direct data into that new index. That input is configured for source type of "syslog". At this time we only have data coming in from AFM as we haven't completed configuring other modules. I've confirmed logs are appearing in that index and they're of the proper source type ("F5:AFM:Syslog"). However the app refuses to return any results for any of its dashboards regardless of search settings.
I believe the issue is that we're using a different index for the data. When inspecting all of the app's queries I see that they're all prepended with the text "search" which I think is directing Splunk to look in the wrong index. Here's an example of one:
search sourcetype="F5:AFM:Syslog" | stats count by action src_ip dest_ip dest_port bigip_mgmt_ip hostname src_port _time
If I remove the text "search" from the above query and insert "index=f5" at the beginning the search returns results without issue. Oddly leaving the "search" text while also specifying the index does not produce results.
I've tried the following to correct this:
A custom eventtypes.conf with stanzas for each F5 sourcetype and a "search = index=f5" line under each
a custom indexes.conf with the line "defaultdatabase=f5"
a custom inputs.conf with the line "index = f5"
editing savedsearches.conf to add "index=f5" to all the "search" items under each search entry that don't already define an index
Evidence seems to indicate that the problem is that the app is searching the wrong index. How in the world do I go about directing it to search the "f5" index I've created?
... View more
