Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Vladimir
Vladimir
Path Finder
Member since:
06-23-2011
06-05-2020
Community Statistics
| Posts | 32 |
| Solutions | 4 |
| Karma Given | 13 |
| Karma Received | 21 |
| Member Since | 06-23-2011 |
Activity Feed
- Got Karma for Re: number max of timechart column. 02-04-2022 03:15 AM
- Karma Event Field Data Lost When Using Collect to Populate Summary Index for EStallcup. 06-05-2020 12:46 AM
- Karma Re: Event Field Data Lost When Using Collect to Populate Summary Index for EStallcup. 06-05-2020 12:46 AM
- Karma Re: monitoring files - how does splunk count the size? for Lamar. 06-05-2020 12:46 AM
- Karma Re: TCP vs Splunk cmd for ziegfried. 06-05-2020 12:46 AM
- Karma Re: 500MB/day: How is compressed data counted for Ayn. 06-05-2020 12:46 AM
- Karma PDF Server Timed out while waiting for a response for mrenfr0. 06-05-2020 12:46 AM
- Karma Re: PDF Server Timed out while waiting for a response for mrenfr0. 06-05-2020 12:46 AM
- Karma Re: Timestamp format for echalex. 06-05-2020 12:46 AM
- Karma Re: Custom Searches - 'Out of Hours' timeframe for Ayn. 06-05-2020 12:46 AM
- Got Karma for Re: number max of timechart column. 06-05-2020 12:46 AM
- Got Karma for Re: How to send events over long-lived TCP connection?. 06-05-2020 12:46 AM
- Got Karma for Timestamp format. 06-05-2020 12:46 AM
- Got Karma for Timestamp format. 06-05-2020 12:46 AM
- Got Karma for Re: number max of timechart column. 06-05-2020 12:46 AM
- Karma Re: Autostart Splunk on boot for the_wolverine. 06-05-2020 12:45 AM
- Karma Re: Splunk Heavy Forwarder for sseekamp. 06-05-2020 12:45 AM
- Karma Re: Splunk Heavy Forwarder for OL. 06-05-2020 12:45 AM
- Karma Re: SplunkUniversalForwarder & UDP transfer for jbsplunk. 06-05-2020 12:45 AM
- Got Karma for Re: New Forwarder Added. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
10-05-2012
04:24 AM
and one more thing - this issue started from October only, for last months I didn't have such problem
... View more
10-05-2012
04:21 AM
2 Karma
Hi,
I have log files which have timestamp format like
04/10/2012 07:50:09 - dd/mm/yyyy HH:MM:SS
but indexer thinks it's a mm/dd instead of dd/mm. Logs are monitored by forwarder which has a props.conf
[source::E:\Logging\]
TIME_FORMAT = %d/%m/%Y %H:%M:%S
But still nothing changed. Data with timestamp, for example 04/10/2012 I can find for April, but not for October. Any suggestions?
Splunk forwarder version - 4.3.4, splunk indexer - 4.3
... View more
- Tags:
- timestamp
03-20-2012
03:03 AM
You can try just to copy existing installation to another folder, change guid parameter in system/local/server.conf and change values in splunk-launch.conf. But I don't know how to configure a new service in this case, not so familiar with windows stuff but in linux it can be just ./splunk enable boot-start
... View more
03-20-2012
02:54 AM
Probably your host has a multicore CPU or several CPUs so in this case you have utilization for each core. Like a solution you can add core number to output and calculate utilization for each core or calculate average value of all rows or use just CPU=all
... View more
03-16-2012
04:25 AM
And another weird thing is everything works good for old search heads 4.2.x
... View more
03-16-2012
04:08 AM
It can weird but it's not working for me 🙂
I upgrade search heads to 4.3.1, remote pdf server is also on 4.3.1 but...
... View more
03-16-2012
02:06 AM
Thanks much, will try it.
... View more
03-12-2012
09:35 AM
I have the same issue, were you able to resolve it?
... View more
01-27-2012
09:07 AM
hm.. it doesn't work
I can still see in _internal index splunk is polling the data from archive. Current configuration is:
followTail = 1
recursive = false
disabled = 0
whitelist = *.log
blacklist = *.zip #tried to exclude somehow zip files 🙂
... View more
01-27-2012
08:23 AM
will recursive = false help in this case?
... View more
01-27-2012
08:16 AM
there is no any subfolders but I figured out there are several archive files (*.zip with old files) and looks like (in metrics.log) splunk unzipped it and indexed... arrrhh
... View more
01-27-2012
02:26 AM
Hi,
I've configured a directory for monitoring in inputs.conf ([monitor://path_to_dir]) and separated index for this folder several days ago. Everything is ok except one thing... the total size of files is ~500 Mb but splunk shows (in index activity->index volume) that it indexing ~800 Mb per hour ... how is it possible? There is 10 Mb of new logs/day only. Does splunk resend the whole file if it has been changed (even if added 1 row)?
The total amount of events is ~800-900 per 1 hour. My rsyslog index with ~12-15 000 events/h is increased ~100 Mb/h only.
The same situation I have for one more monitored folder.
splunk v4.3,
... View more
- Tags:
- file-monitoring
01-18-2012
02:32 AM
1 Karma
one note I forgot to say... if you have splunk user in your system it'd be better to use "sudo -u splunk ..." to run under this user
before this command probably you will need to run "sudo chown -R splunk:splunk /opt/splunk" to change the owner from root to splunk
... View more
11-07-2011
02:58 AM
1 Karma
You can add timestamp/unix time to the begging of event line. For example:
1320663001,event1
1320663002,event2
In this case splunk will divide events
unix time is a "date +%s" command in linux systems, or $sTimeStamp = get-date ((Get-Date).touniversaltime()) -uformat "%s" in PowerShell
... View more
08-25-2011
03:57 AM
I've had the similar problem there http://splunk-base.splunk.com/answers/27441/forwarder-doesnt-collect-or-pull-data-after-some-time
... View more
08-24-2011
05:05 AM
I even can't calculate any numeric values (stats sum/avg/mix/max/etc).
Splunk 4.2.2
Splunk Universal Forwarder 4.2.1 (input for tcp)
... View more
08-24-2011
02:11 AM
Hi all!
I'm a little bit upset with next problem...
If I run some script within splunk (powershell, python, etc) and put something to standard output, the event will be in splunk index and I can do normal search. For example:
Output Message: Metric=MyMetric,Value=MyValue
Search query in splunk: Metric=MyMetric
In this case I can search my event but...
if I send the same event within TCP, the search query can't find anything. It can but only if I use "Metric=MyMetric" (in quotes)
Does anybody know why? And what should I do in this case? Should I send my event in some special format?
Thanks
... View more
07-22-2011
12:26 AM
Thanks. I've checked it, there wasn't any failures in log so it wasn't a splunk problem. The problem was in firewall rules.
... View more
07-21-2011
05:29 AM
Hey!
Is it possible to configure SplunkUniversalForwarder to receive data by udp and send this data to indexer? How?
In my forwarder's inputs.conf
[udp://:9999]
index = myindex
source = mysource
sourcetype = mysource
Output is also configured, i'm pulling wmi data within it. But when I'm sending data to forwarder's udp port I cannot see it in indexer. What am I doing wrong?
Thanks
... View more
- Tags:
- forwarder
07-13-2011
03:13 AM
3 Karma
Maybe it's not a right way but I used some similar query for alarm to check if I "lost" some hosts
index=my_index host earliest=-5m latest=now | dedup host | eval StatusBefore=1 | join type=left host [search index=my_index host earliest=-65m latest=-60m | dedup host | eval StatusNow=1 ] | eval Status=if(StatusBefore=StatusNow,1,0) | table host, Status | where Status=0
This query do:
check available hosts for last 5 minutes
check available hosts for 5 minutes - 1 hour
compare two results (status = 1 - OK, status = 0 - new host)
Depending on your data polling interval you can set your own periods.
... View more
07-12-2011
03:16 AM
There is no default value and you can configure the interval of polling, check wmi.conf documentation http://www.splunk.com/base/Documentation/latest/admin/Wmiconf
interval = <integer>
* How often, in seconds, to poll for new data.
* This attribute is required, and the input will not run if the attribute is
not present.
* There is no default.
... View more
07-12-2011
01:50 AM
The "problem" was in max_retries_at_max_backoff parameter of wmi.conf
max_retries_at_max_backoff = <integer>
* Once max_backoff is reached, tells Splunk how many times to attempt to reconnect to the WMI provider.
* Splunk will try to reconnect every max_backoff seconds.
* If reconnection fails after max_retries, give up forever (until restart).
* Defaults to 2.
I've set it to 30000. Will see.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
