Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vrmandadi
vrmandadi
Builder
Member since:
08-14-2015
06-18-2020
Community Statistics
| Posts | 530 |
| Solutions | 5 |
| Karma Given | 49 |
| Karma Received | 21 |
| Member Since | 08-14-2015 |
Activity Feed
- Karma Re: Will I get duplicate events if I have Multiple Heavy Forwarders (HF) having same inputs set up? for nickhillscpl. 06-05-2020 12:51 AM
- Karma Re: Can we add new indexer through UI and what happens to the data when indexers are removed for nickhillscpl. 06-05-2020 12:51 AM
- Got Karma for Re: Help in creating alert for sourcetype not receivng data. 06-05-2020 12:51 AM
- Got Karma for Re: Help in creating alert for sourcetype not receivng data. 06-05-2020 12:51 AM
- Karma Re: Can you help props.conf to break the event and mask the data? for somesoni2. 06-05-2020 12:50 AM
- Karma Re: Windows Monitoring Stanza help for richgalloway. 06-05-2020 12:50 AM
- Karma Re: Help with data masking for mayurr98. 06-05-2020 12:50 AM
- Karma Re: How to include "-" in between a field value? for gcusello. 06-05-2020 12:50 AM
- Karma Re: How to disable a index temporarily for Vijeta. 06-05-2020 12:50 AM
- Karma Re: How to get a trendline or show change when a value of a field is changed? for solarboyz1. 06-05-2020 12:50 AM
- Karma Re: How to convert hexadecimal IP to decimal for poete. 06-05-2020 12:50 AM
- Got Karma for How to disable an index temporarily?. 06-05-2020 12:50 AM
- Got Karma for HIGH CPU USAGE ON HEAVY FORWARDER WHERE AWS ADD ON IS INSTALLED. 06-05-2020 12:50 AM
- Got Karma for getting error for regex "exceeded configured match_limit, consider raising the value in limits.conf". 06-05-2020 12:50 AM
- Got Karma for help with regex. 06-05-2020 12:50 AM
- Karma Re: How to calculate the average of a field value for n number of days? for c_boggs. 06-05-2020 12:49 AM
- Karma Re: How to calculate the average of a field value for n number of days? for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How to calculate the average of a field value for n number of days? for somesoni2. 06-05-2020 12:49 AM
- Karma Re: Help with multivalue field count for micahkemp. 06-05-2020 12:49 AM
- Karma Re: Can we categorize the into fields based on the value of the field? for somesoni2. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-12-2020
01:19 PM
I have *nix add-on installed on all our linux machines and we get all the default data from the add-on , which source or sourcetype gives the user login details with root access.
I am trying get a list of all the users on hosts logged in as root.
Thanks in Advance!
... View more
03-27-2020
02:05 PM
Yes I checked everthing .
This worked for me.
[sourcetype]
SHOULD_LINEMERGE= false
LINE_BREAKER= ()(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3})
NO_BINARY_CHECK= true
MAX_DAYS_AGO= 2
... View more
03-27-2020
12:29 PM
Hello @richgalloway I tried this but it did not work . I am looking to break the events like below from the sample event
2020-03-27 00:00:00.003 [quartzJobExecutor-1] INFO c.c.c.r.c.s.r.i.BusinessAssetsForDataSetRecommenderDelegate - (dataset, asset): Starting model computation
2020-03-27 00:00:00.033 [quartzJobExecutor-1] INFO c.c.c.r.c.s.r.i.BusinessAssetsForDataSetRecommenderDelegate - (dataset, asset): # data set ids: 9 / # events: 0
2020-03-27 00:00:00.050 [quartzJobExecutor-1] INFO c.c.d.c.s.StatisticSchedulerJob - StatisticScheduler saving statistics for statistic
2020-03-27 00:00:00.050 [pool-9-thread-1] INFO c.c.d.core.statistic.StatisticBuffer - Persisting statistics
... View more
03-27-2020
10:52 AM
I have the following raw data and I am trying to break the individual events starting with timestamp and before another timestamp starts .
2020-03-27 00:00:00.003 [quartzJobExecutor-1] INFO c.c.c.r.c.s.r.i.BusinessAssetsForDataSetRecommenderDelegate - (dataset, asset): Starting model computation2020-03-27 00:00:00.033 [quartzJobExecutor-1] INFO c.c.c.r.c.s.r.i.BusinessAssetsForDataSetRecommenderDelegate - (dataset, asset): # data set ids: 9 / # events: 02020-03-27 00:00:00.050 [quartzJobExecutor-1] INFO c.c.d.c.s.StatisticSchedulerJob - StatisticScheduler saving <21> statistics for statistic 2020-03-27 00:00:00.050 [pool-9-thread-1] INFO c.c.d.core.statistic.StatisticBuffer - Persisting <21> statistics
Thanks in Advance
... View more
03-26-2020
06:50 PM
I have events with GMT time .I want to convert to EST.
Wed, 25 Mar 2020 21:43:31 GMT title="Webex Meetings: Users connecting to Webex Meetings may experience latency or failures joining computer audio"
Thanks in Advance
... View more
03-26-2020
03:06 PM
Hello ,
I have installed the syndication input app from splunk base https://splunkbase.splunk.com/app/2646/ .I gave the URL https://status.webex.com/history.rss and gave custom sourcetype and created new index=webex .But I see data going to index main and having source=/opt/splunk/var/spool/splunk/syndication___RSS_WEBEX_1585256859.14_12157.stash_syndication_input sourcetype=stash_syndication_input-too_small and does not recognize timestamp .I want to use the custom sourcetype and index so that the event breaks correctly and it recognizes the timestamp.How to create an input and which file to edit.
Thanks in Advance
... View more
03-26-2020
01:43 PM
Thanks.it went to index=main , I actually created a new index webex , but somehow it is overriding the sourcetype and index .Do you know how to change that
... View more
03-26-2020
01:22 PM
Thank you @richgalloway .What time format do I need to set for events which have Mar 25, 21:43 UTC as timestamp
... View more
03-26-2020
10:01 AM
Ya.I see that .I tried using the same one but did not get data into Splunk .Should I create a new input or disable and enable the existing ? .What settings you have made in the input like time interval ,Include only new or changed entries,Convert HTML to Text
... View more
03-26-2020
09:50 AM
What is the URL that you have used? .I used this URL https://status.webex.com/service/status?lang=en_US . If you see the URL that I sent ,you can see something like webex meeting , webex and it shows status operational .I am trying to get that data .Is that same as the URL you sent me or is it something different
... View more
03-26-2020
09:26 AM
I have a file that I am monitoring has time in epoch format milliseconds .What setting should be placed in the props.conf to convert it to human readable
... View more
03-26-2020
09:14 AM
I installed the add-on and gave the URL https://status.webex.com/service/status?lang=en_US but I dont see any data.I have attached a screenshot of the input created in the question
... View more
03-26-2020
08:42 AM
Is there an add-onn or way to get the RSS data for webex into splunk to know its health status? .I used https://splunkbase.splunk.com/app/2646/
Thanks in Advance
... View more
03-25-2020
02:32 PM
This worked.
[ alt ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=JSON
KV_MODE=JSON
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=60
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TRUNCATE=10000
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX=(Date()\d+)\\/\"}]
... View more
03-25-2020
02:10 PM
Thank You @darrenfuller for your reply . I tried the props you told me but that did not work .
[alt ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=JSON
KV_MODE=JSON
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=25
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TRUNCATE=10000
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIME_PREFIX=(dateAdded:\s\/Date()\d+)\/}]
TIME_FORMAT=%s%3N
I am pasting the raw format of data how it looks like.the one in bold before collection id is what I am looking at
"dateAdded":"\/Date(1576263356219)\/"},{"addedById":"5d013cd01758d3c468","appId":"5d013d418c2cf","dateAdded":"\/Date(1576263482497)\/"},{"addedById":"5d013cd013c468","appId":"5d35d43d17588644c6c25","dateAdded":"\/Date(1576263489027)\/"},{"addedById":"5d013cd084d3c468","appId":"5e5dc7827acaa","dateAdded":"\/Date(1583177463548)\/"},{"addedById":"5d013cd01d3c468","appId":"5e5d5c7827af0c","dateAdded":"\/Date(1583177467959)\/"}],"collectionId"
... View more
03-25-2020
12:48 PM
Hello All ,
I have a json data format , which I am trying to import into splunk .I want to extract the timestamp from the last field value a multivalue field .For instance there is a field called appid which is a multivalue field with values 1573503539877 , 1573503539875,1573503539878,1573503539873 .I want to make the last value as the timestamp .
The last timestamp for the multivalue field appid has the following format with closed flower brackets and a square bracket but the others have just a flower bracket
MULTIVALUE FIELD "APPID" -first event
apps: [ [-]
{ [-]
addedById: 5d013c468
appId: 5d0d1fc13d418bdf5
dateAdded: /Date(1573503009489)/
MULTIVALUE FIELD APPID-last value which needs to be extracted
addedById: 398
appId:ccaaadb
dateAdded: /Date(1584128055615)/
}
]
... View more
03-23-2020
05:15 PM
I have done something like this and schedule to run every 15 minutes
| stats latest(component) AS v1 earliest(component) AS v2 latest(_time) as time latest(name) as name by fileName
| eval Match = if(v1=v2, "Match", "No Match")
| search Match="No Match"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-18-2020
10:50 AM
|
Karma from
Karma given to
