Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About leantricity
leantricity
New Member
Member since:
07-11-2018
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-11-2018 |
Activity Feed
- Posted Field Extractions tutorial or recommended documentation? on Splunk Search. 07-16-2018 01:16 AM
- Tagged Field Extractions tutorial or recommended documentation? on Splunk Search. 07-16-2018 01:16 AM
- Tagged Field Extractions tutorial or recommended documentation? on Splunk Search. 07-16-2018 01:16 AM
- Posted Re: How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 11:17 PM
- Posted How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 04:29 PM
- Tagged How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 04:29 PM
- Tagged How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 04:29 PM
- Tagged How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 04:29 PM
- Tagged How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 04:29 PM
- Tagged How to add a data input in Server GUI that modifies the inputs.conf file in the Universal Forwarders? on Getting Data In. 07-12-2018 04:29 PM
- Posted Re: How to totalise events from different and similar log files? on Splunk Search. 07-11-2018 10:19 PM
- Posted Re: How to totalise events from different and similar log files? on Splunk Search. 07-11-2018 12:53 PM
- Posted Re: How to totalise events from different and similar log files? on Splunk Search. 07-11-2018 12:10 PM
- Posted How to totalise events from different and similar log files? on Splunk Search. 07-11-2018 01:59 AM
- Tagged How to totalise events from different and similar log files? on Splunk Search. 07-11-2018 01:59 AM
- Tagged How to totalise events from different and similar log files? on Splunk Search. 07-11-2018 01:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-16-2018
01:16 AM
Hi:
I want to extract 3 fields from this line
Create "/juanpablo/files/Splunk Info/universalforwarders.pdf" with fileid: 5242 by user ****, displayName , owner: juanpablo [CLIENT_IP: 10.255.0.2] [USER_AGENT: Mozilla/5.0 (Macintosh) mirall/2.4.1 (build 9367)]
The fields will be "Action" "File" and "InternalUser"
The Action is Create, Read, etc, the File field content is the path between "" and the InternalUser field content is what comes after the "by user" string.
Where can I learn how to properly extract 3 fields using the extractor and RegEx option?
The problem I find is that there can be different values after "by user" string and some of them are just IP addresses when the one that creates the file is an external (ownCloud) user.
I don't want explanations about how to do it, but some tutorials or documents about how to deal with this problem
Thanks a lot!
JP
... View more
07-12-2018
11:17 PM
Thanks! Found it inside $SPLUNK_HOME\etc\apps\SplunkUniversalForwarder\local\inputs.conf
... View more
07-12-2018
04:29 PM
Hi:
I'm using Splunk in a Mac OS X system. I've installed Universal Forwarders in several Windows Machines. I 've used the installer's GUI for the forwarders, customised the options to monitor a folder and data IS getting into Splunk Server. But when I check the Universal Forwarders etc/system/local/inputs.conf file I only see 2 lines [Default] and Host name. Nothing there about the directory I'm supposed to monitor in the server. As I've said, data IS getting into the server, but I get the "no source type for this job" error when trying to extract fields. So I was wondering if should I trust the GUI to add a Data Input for a Directory in the managed forwarders (they also show OK in the Server's console), or just tweak the inputs.conf file locally in each forwarder to add the source type field there.
If I add a data input in the server GUI, is that configuration written anywhere in the remote universal forwarder ?
Thanks!
... View more
07-11-2018
10:19 PM
Each log file has the name of the corresponding generating computer, as "ComputerA.log" so I think I can use the source field to identify each one. By the way, the SPL works perfect! Thanks a lot!
... View more
07-11-2018
12:53 PM
Forget about the hosts question, I think I can use the autogenerated source field. Do you think so?
... View more
07-11-2018
12:10 PM
Hi @renjith.nair
I understand the idea and will try it ASAP. Is there any way of assigning the host value to each log file based on the name of the file? The PC name is within the log in a scattered row, maybe I can get it and dedup or do something to grab that PC name from the events log file?
Thanks a lot!
... View more
07-11-2018
01:59 AM
sorry about this but I'm new to Splunk:
I have a folder where log files coming from several computers are stored. All of them have event data that I have to process. Each log file has the name of the host computer in its file name, and also has some event within, with that computer name like "Desktop_A". What I'm trying to summarise is the total of a given event like "Notepad.exe is open" from a log that writes the message once per minute (if the application I'm searching for is really open) in each of these log files doing a summary by the hour. If I find "Notepad.exe is open" 60 times in an hour I calculate 100% usage for that hour, etc.
My main problem is that I can do it with one log file, but gets more complicated than that because the directory receives new log files each day from hundreds of computers.
My goal is to represent application usage per hour (as percentage of time) for each one of the computers that I have log files for (and remember, the directory can have multiple log files for the same computer).
The places where I can get the computer name are the log file itself (the name has a string identifying the PC) or an event in some of the rows of the log itself.
The things I've managed to do is to monitor the directory, extract the field I look for and do some aggregation but for a single computer with a single log file in tests.
I need some general help about how to tackle de problem.
Thanks a lot and sorry. I've searched the forum but I find lots of technical SPL questions but I need something more basic...
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
