11-28-2017 01:51 PM (1 Karma)
Hello,
Trying to create a specific forwarder group in the Stream app. Using Stream 7.1.1 on a 6.6.1 Search Head Cluster.
In Distributed Forwarder Management, the group is created and the preview matches the nodes:
However, the change never takes effect and the hosts remain in the defaultgroup.
Any clues what is going on?
02-18-2016 06:55 AM
In what specific Splunk Enterprise version is this supposed to be fixed? I just tried with 6.3.3 and got the same escaped quotes issue, and I am trying to avoid using any workarounds.
01-08-2016 09:27 AM
This works, but I just needed to round the value when the if for count > 1 is true.
Nice hack, transformed it into a string with the % sign 🙂
Thank you
12-29-2015 06:12 AM
SLA numbers are usually up to 4 (or more) decimal places, and that's what the visualizations are for. I guess v1.1 in Splunk 6.2 used to leave integers as they were and round floats up to 4 decimal places as I didn't do any special treatment on rounding or whatnot.
It works the way it is, but it was nicer before.
12-29-2015 05:30 AM
It seems the SingleView visualization in Web Framework v1.2 in Splunk 6.3 introduced a bunch of properties, one of them being called numberPrecision. The default is 0, with the available options adding up to 4 zeroes (like 0.0000).
I have a custom dashboard which displays percentages in single visualizations, and I want to use the decimal places but only when they are available. If the value is an integer (100%), I don't want to have extra zeroes added to it:
I don't see a way to do it with the current controls, something like "only round if not integer". Does anyone have any ideas?
Thank you
08-03-2015 02:44 PM (1 Karma)
What version are you using? 6.2.4 included a fix for summary searches (SPL-99279 - http://docs.splunk.com/Documentation/Splunk/6.2.4/ReleaseNotes/6.2.4) which might be related.
06-26-2015 01:33 PM (1 Karma)
Well I am out of ideas, but thanks for your help anyway.
In the end I was able to improve performance overall by reducing swappiness on the hosts to 10; the search heads seem way more responsive now.
If someone has any additional ideas on troubleshooting startup.handoff it would be great to hear.
06-25-2015 02:36 PM (1 Karma)
Thanks for your reply. I don't get anything over 1 second; the closest is stuff like:
06-25-2015 21:23:56.002 INFO DispatchThread - Generating results preview took 2 ms
06-25-2015 21:23:56.844 INFO NewTransam - Finalizing. Committing all open txns withheld
06-25-2015 21:30:12.649 INFO DispatchThread - Generating results preview took 5 ms
06-25-2015 21:30:13.527 INFO NewTransam - Finalizing. Committing all open txns withheld
Remaining events are very close, the max gap I can find is 0.2/0.3 seconds for a handful, most are milliseconds apart.
I don't get why search total times are lower than the time in startup.handoff, like:
This search has completed and has returned 49 results by scanning 24,453 events in 4.975 seconds.
8.03 startup.handoff
Thank you
06-22-2015 04:23 AM (2 Karma)
Hi everyone,
I am running Splunk 6.2.2 on a distributed setup with 3 search heads in a search head cluster and 4 non-clustered indexers. Splunk seems sluggish and I am trying to figure out why startup.handoff always seems to take a long time. For example:
This search has completed and has returned 595 results by scanning 806 events in 6.179 seconds.
| Duration (seconds) | Component | Invocations | Input count | Output count |
|---|---|---|---|---|
| 0.01 | command.fields | 14 | 595 | 595 |
| 0.02 | command.remotetl | 14 | 595 | - |
| 0.26 | command.search | 14 | - | 595 |
| 0.02 | command.search.fieldalias | 8 | 806 | 806 |
| 0.02 | command.search.calcfields | 8 | 806 | 806 |
| 0.01 | command.search.index | 14 | - | - |
| 0.01 | command.search.filter | 8 | - | - |
| 0.00 | command.search.index.usec_1_8 | 1,431 | - | - |
| 0.00 | command.search.index.usec_8_64 | 25 | - | - |
| 0.08 | command.search.rawdata | 8 | - | - |
| 0.07 | command.search.kv | 8 | - | - |
| 0.05 | command.search.typer | 8 | 595 | 595 |
| 0.03 | command.search.lookups | 8 | 806 | 806 |
| 0.01 | command.search.tags | 8 | 595 | 595 |
| 0.00 | command.search.summary | 14 | - | - |
| 0.00 | dispatch.check_disk_usage | 1 | - | - |
| 0.12 | dispatch.createdSearchResultInfrastructure | 1 | - | - |
| 1.00 | dispatch.evaluate | 1 | - | - |
| 1.00 | dispatch.evaluate.search | 1 | - | - |
| 0.28 | dispatch.fetch | 15 | - | - |
| 1.04 | dispatch.finalizeRemoteTimeline | 1 | - | - |
| 0.00 | dispatch.localSearch | 1 | - | - |
| 0.01 | dispatch.parserThread | 13 | - | - |
| 0.02 | dispatch.process_remote_timeline | 2 | 109,035 | - |
| 0.17 | dispatch.readEventsInResults | 1 | - | - |
| 0.04 | dispatch.remote_timeline_fullevents | 7 | 673,420 | 363 |
| 0.00 | dispatch.stream.local | 1 | - | - |
| 0.28 | dispatch.stream.remote | 13 | - | 869,624 |
| 0.08 | dispatch.stream.remote.SPLUNKIDX06 | 3 | - | 259,267 |
| 0.07 | dispatch.stream.remote.SPLUNKIDX05 | 3 | - | 263,521 |
| 0.07 | dispatch.stream.remote.SPLUNKIDX04 | 3 | - | 190,198 |
| 0.06 | dispatch.stream.remote.SPLUNKIDX03 | 3 | - | 152,511 |
| 0.06 | dispatch.timeline | 15 | - | - |
| 0.03 | dispatch.writeStatus | 8 | - | - |
| 0.17 | startup.configuration | 6 | - | - |
| 6.40 | startup.handoff | 6 | - | - |
Any good tips where to look for the problem?
Thank you
06-09-2015 02:22 AM
Answering myself:
{% searchmanager
id="search1"
search="| inputlookup apps | search app="|add:appname
cache=True
%}
06-09-2015 01:44 AM
Hi all,
Using Splunk 6.2.2.
I want to use a single Django template for several different sources that follow the same format. I was able to set the rules in urls.py and send the expected variables to the template through views.py, as I can successfully use the variables in the content area of the template. Like:
<p class="description">Overview of the operational status for {{ pagetitle }}</p>
Now I need to use variables in search managers, for example:
{% searchmanager
id="search1"
search="| inputlookup apps | search app={{ appname }}"
cache=True
%}
And this doesn't work.
I've seen a solution in http://answers.splunk.com/answers/181510/how-to-use-django-template-tags-inside-a-search-ma.html but I am trying to avoid doing stuff directly in JS and I'd rather have a clean Django solution.
Does anyone have any idea?
Thank you
03-03-2015 06:28 AM (2 Karma)
Managed to get it working; the problem was that the objects were not available to the search app. Basically I needed to add this to the app:
metadata/default.meta
[]
export = system
App is distributed to the search head tier only, so the information on the wiki page is validated.
03-03-2015 02:17 AM
Hey all,
Using Splunk 6.0.2 across the board, I'm trying to extract key="value" pairs from WinEventLog entries present in the Message field using REPORT because there will be multiple pairs. I'm using the following:
props.conf
[source::WinEventLog...]
REPORT-MESSAGE1-extrafields = wel-extrafields-kv
transforms.conf
[wel-extrafields-kv]
SOURCE_KEY = Message
REGEX = ([\w-]+)="*([\w-]+)"*
FORMAT = $1::$2
MV_ADD = true
This works well on a single server acting as the indexer/search head, however I can't make it work in a distributed environment (events come from a UF, are indexed at the indexer tier and searched at the search head tier, using search head pooling). According to http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F I should add those files to the search head tier only. I already tried adding them to the indexing tier as well, to no avail.
What am I missing?
Thank you
Some debug data:
# /opt/splunk/bin/splunk btool props list "source::WinEventLog" --debug
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/props.conf [source::WinEventLog...]
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf KV_MODE = none
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-nix/default/props.conf LOOKUP-action-for_fs_notification = nix_endpoint_change_action_lookup vendor_action OUTPUT action
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-nix/default/props.conf LOOKUP-dropdowns = dropdownsLookup host OUTPUT unix_category unix_group
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-nix/default/props.conf LOOKUP-object_category-for_fs_notification = nix_endpoint_change_fs_notification_object_category_lookup vendor_object_category OUTPUTNEW object_category
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 30
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/props.conf REPORT-MESSAGE1-extrafields = wel-extrafields-kv
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/system/default/props.conf TRANSFORMS-FIELDS = strip-winevt-linebreaker
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk_shared_storage/sh_pool/etc/apps/splunk_app_windows_infrastructure/default/props.conf [source::WinEventLog:System]
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-nix/default/props.conf LOOKUP-action-for_fs_notification = nix_endpoint_change_action_lookup vendor_action OUTPUT action
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-nix/default/props.conf LOOKUP-dropdowns = dropdownsLookup host OUTPUT unix_category unix_group
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-nix/default/props.conf LOOKUP-object_category-for_fs_notification = nix_endpoint_change_fs_notification_object_category_lookup vendor_object_category OUTPUTNEW object_category
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk_shared_storage/sh_pool/etc/apps/splunk_app_windows_infrastructure/default/props.conf TRANSFORMS-force_sourcetype_system_ias_for_wineventlog = force_sourcetype_system_ias_for_wineventlog
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
# /opt/splunk/bin/splunk btool transforms list wel-extrafields-kv --debug
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/transforms.conf [wel-extrafields-kv]
/opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =
/opt/splunk/etc/system/default/transforms.conf DEST_KEY =
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/transforms.conf FORMAT = $1::$2
/opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/transforms.conf MV_ADD = true
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/transforms.conf REGEX = ([\w-]+)="*([\w-]+)"*
/opt/splunk_shared_storage/sh_pool/etc/apps/SA-extrafields/default/transforms.conf SOURCE_KEY = Message
/opt/splunk/etc/system/default/transforms.conf WRITE_META = False
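As an added illustration (not code from the post, and not Splunk's own implementation), the following Python script emulates what the posted transforms.conf stanza does to a constructed WinEventLog Message: every regex match becomes one key::value pair, MV_ADD decides whether a repeated key becomes a multivalue field or keeps only its first value, and a quoted-aware regex variant (my addition, not in the post) shows how the posted pattern truncates quoted values that contain spaces.

```python
import re
from typing import Dict, List

# REGEX from the posted transforms.conf stanza; FORMAT = $1::$2 maps
# group 1 to the field name and group 2 to its value.
PAGE_REGEX = re.compile(r'([\w-]+)="*([\w-]+)"*')

# Variant added here (not from the post): a quoted value may contain spaces,
# an unquoted value is still limited to word characters and hyphens.
QUOTED_AWARE_REGEX = re.compile(r'([\w-]+)="([^"]*)"|([\w-]+)=([\w-]+)')


def extract_kv(message: str, regex: re.Pattern, mv_add: bool = True) -> Dict[str, List[str]]:
    """Emulate a REPORT transform with FORMAT = $1::$2.

    Each regex match contributes one key/value pair. With MV_ADD = true a
    repeated key becomes a multivalue field; with MV_ADD = false (Splunk's
    default) only the first value seen for a key is kept.
    """
    fields: Dict[str, List[str]] = {}
    for match in regex.finditer(message):
        # The alternation in QUOTED_AWARE_REGEX leaves two groups as None;
        # the two that matched are always (key, value) in that order.
        key, value = [g for g in match.groups() if g is not None]
        if key in fields and not mv_add:
            continue
        fields.setdefault(key, []).append(value)
    return fields


# Constructed sample Message field, not a real event: a repeated key, a
# quoted value with a space, and an unquoted value.
SAMPLE_MESSAGE = (
    'User="jsmith" Domain="CORP" Status="Access Denied" '
    'User="admin" Reason=locked-out'
)

if __name__ == "__main__":
    print("page regex, MV_ADD=true :", extract_kv(SAMPLE_MESSAGE, PAGE_REGEX))
    print("page regex, MV_ADD=false:", extract_kv(SAMPLE_MESSAGE, PAGE_REGEX, mv_add=False))
    print("quoted-aware regex      :", extract_kv(SAMPLE_MESSAGE, QUOTED_AWARE_REGEX))
```

With the posted regex the Status field comes out as "Access" only, because `[\w-]+` stops at the first space inside the quotes; the quoted-aware variant keeps "Access Denied".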
05-05-2014 12:33 PM
Thanks for your answer.
I was looking for a solution without having to rely on regexes... I'm sorry, I should have mentioned it in the original post, but it won't let me edit as the captcha always fails.
05-05-2014 11:36 AM
Thanks for your answer.
I was looking for a solution without having to rely on regexes... I'm sorry, I should have mentioned it in the original post.
05-05-2014 08:25 AM (2 Karma)
Hello,
I have the following XML (the dots are removed parts):
<Exception timestamp="05/05/2014 14:25:53" ...>
<StackTrace>
<Frame exceptionType=...>
<Context>
<Data name="Request_ApplicationPath">the_path</Data>
<Data name="Request_Url_AbsoluteUri">the_url</Data>
<Data name="ApplicationName">the_appname</Data>
</Context>
</Frame>
</StackTrace>
How can I get key/value fields as:
Request_ApplicationPath = the_path
Request_Url_AbsoluteUri = the_url
ApplicationName = the_appname
I'm trying to use spath but all I can get is either the key or the value, not the combination of them as fields.
Thank you,
Edit: I was looking for a solution without having to rely on regexes... I'm sorry, I should have mentioned it in the original post.
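Added example, not from the post and not an spath implementation: the key/value pairing the post asks for, done by walking the XML tree so that each Data element's name attribute stays attached to its own text. The sample event is constructed (the post's "..." placeholders filled with dummy attributes, plus a second Frame and a nameless Data element), and separate_lists shows why two independently extracted lists cannot safely be zipped by position.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed, well-formed sample in the shape of the posted event; not a real event.
SAMPLE_EVENT = """<Exception timestamp="05/05/2014 14:25:53" type="HttpException">
  <StackTrace>
    <Frame exceptionType="System.Web.HttpException">
      <Context>
        <Data name="Request_ApplicationPath">the_path</Data>
        <Data name="Request_Url_AbsoluteUri">the_url</Data>
        <Data name="ApplicationName">the_appname</Data>
      </Context>
    </Frame>
    <Frame exceptionType="System.IO.IOException">
      <Context>
        <Data name="ApplicationName">inner_appname</Data>
        <Data>no-name-attribute</Data>
      </Context>
    </Frame>
  </StackTrace>
</Exception>"""


def data_fields(event_xml: str) -> Dict[str, List[str]]:
    """Turn every <Data name="k">v</Data> into a k -> [v, ...] mapping.

    Walking the tree keeps each name paired with its own text. A name that
    repeats across Frames becomes a multivalue field, and a <Data> element
    without a name attribute is skipped instead of being mis-keyed.
    """
    root = ET.fromstring(event_xml)
    fields: Dict[str, List[str]] = {}
    for data in root.iter("Data"):
        name = data.get("name")
        if not name:
            continue
        fields.setdefault(name, []).append((data.text or "").strip())
    return fields


def separate_lists(event_xml: str) -> Tuple[List[str], List[str]]:
    """Names and values extracted as two independent lists: they line up only
    by position, so one nameless <Data> shifts every value after it."""
    root = ET.fromstring(event_xml)
    names = [d.get("name") for d in root.iter("Data") if d.get("name")]
    values = [(d.text or "").strip() for d in root.iter("Data")]
    return names, values


if __name__ == "__main__":
    for key, vals in data_fields(SAMPLE_EVENT).items():
        print(f"{key} = {', '.join(vals)}")
    print(separate_lists(SAMPLE_EVENT))
```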
04-10-2014 11:30 AM
I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.
All set now.
04-10-2014 10:53 AM
Hey all,
I'm able to successfully monitor a log file on a Windows server (2008 R2) using the Universal Forwarder while on version 4.3.1. The entry in inputs.conf is a simple [monitor://<path to file>], no additional options are used.
I performed an in place upgrade to UF 6.0.2 and I don't get anything from that file indexed anymore. I still get event log entries, it's just that specific file that is not being indexed.
splunkd.log on the host shows the file is being monitored as I see the TailingProcessor entries mentioning the stanza. splunk list monitor shows the file is being monitored.
Any ideas on how to debug this?
Thank you,