cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
slipinski
Explorer
Member since: ‎07-10-2018
Thursday
Community Statistics
Posts 56
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎07-10-2018
Activity Feed
Topics I've Started
View All

Splunk Add-on for Unix and Linux netstat.sh data t...

by in All Apps and Add-ons
Thursday
Thursday
Hi there,  I have an environment like: UF->HF->Splunk cloud. Output from netstat script is truncated to approx.. 250 from 3000 events in the GUI. When run the script on a node, the output is ok.  Have a similar another system UF->Cloud and this one displays everything correctly, so in all likelihood it's HF that cuts this data somehow.  Do you know whether there is a fixed limitation of size of this script output on HF?    regards, Sz ... View more
Labels

Re: Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-25-2023 05:55 AM
‎07-25-2023 05:55 AM
I finally managed to make it work by manually assigning TZ to sourcetype in props.conf on HF.  Thank you @isoutamo ! ... View more

Re: Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-23-2023 11:24 PM
‎07-23-2023 11:24 PM
My app always uses UTC to put a timestamp. However, I always managed to use index time to display events correctly (ignoring app timestamp), but not in this case. As I said before, the logs are being displayed correctly from my lab system (the same app, the same timestamp set).  Weird.   ... View more

Re: Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-23-2023 10:40 PM
‎07-23-2023 10:40 PM
Do you mean "search and reporting" app? The only thing I can do is the restart Splunk cloud instance. Is it right?  ... View more

Re: Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-21-2023 08:21 AM
‎07-21-2023 08:21 AM
[root@xxx ~]# clock Fri 21 Jul 2023 16:15:09 BST -0.286435 seconds [root@xxx ~]# tail -n 10 /opt/videoipath/logs/backend/main.log 2023-07-21 15:15:12,326 backend_2023.2.5: INFO content 2023-07-21 15:16:48,011 backend_2023.2.5: INFO content  And below is how logs are being visible in GUI   ... View more

Re: Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-21-2023 06:28 AM
‎07-21-2023 06:28 AM
Would this be enough?  [SSL] _rcvbuf = 1572864 allowSslRenegotiation = true certLogMaxCacheEntries = 10000 certLogRepeatFrequency = 1d cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ecdhCurves = prime256v1, secp384r1, secp521r1 host = $decideOnStartup index = default logCertificateData = true sslQuietShutdown = false sslVersions = tls1.2 [batch:///opt/splunkforwarder/var/run/splunk/search_telemetry/*search_telemetry.json] _rcvbuf = 1572864 crcSalt = <SOURCE> host = $decideOnStartup index = _introspection log_on_completion = 0 move_policy = sinkhole sourcetype = search_telemetry [batch:///opt/splunkforwarder/var/spool/splunk] _rcvbuf = 1572864 crcSalt = <SOURCE> host = $decideOnStartup index = default move_policy = sinkhole [batch:///opt/splunkforwarder/var/spool/splunk/...stash_hec] _rcvbuf = 1572864 crcSalt = <SOURCE> host = $decideOnStartup index = default move_policy = sinkhole sourcetype = stash_hec [batch:///opt/splunkforwarder/var/spool/splunk/...stash_new] _rcvbuf = 1572864 crcSalt = <SOURCE> host = $decideOnStartup index = default move_policy = sinkhole queue = stashparsing sourcetype = stash_new time_before_close = 0 [batch:///opt/splunkforwarder/var/spool/splunk/tracker.log*] _rcvbuf = 1572864 host = $decideOnStartup index = _internal move_policy = sinkhole sourcetype = splunkd_latency_tracker [blacklist:/opt/splunkforwarder/etc/auth] _rcvbuf = 1572864 host = $decideOnStartup index = default [blacklist:/opt/splunkforwarder/etc/passwd] _rcvbuf = 1572864 host = $decideOnStartup index = default [fschange:/opt/splunkforwarder/etc] _rcvbuf = 1572864 delayInMills = 100 disabled = false filesPerDelay = 10 followLinks = false fullEvent = false hashMaxSize = -1 host = $decideOnStartup index = default pollPeriod = 600 recurse = true sendEventMaxSize = -1 signedaudit = true [http] _rcvbuf = 1572864 ackIdleCleanup = true allowSslCompression = true allowSslRenegotiation = true dedicatedIoThreads = 2 disabled = 1 enableSSL = 1 host = $decideOnStartup index = default maxSockets = 0 maxThreads = 0 port = 8088 sslVersions = *,-ssl2 useDeploymentServer = 0 [monitor:///opt/splunkforwarder/etc/splunk.version] _TCP_ROUTING = * _rcvbuf = 1572864 host = $decideOnStartup index = _internal sourcetype = splunk_version [monitor:///opt/splunkforwarder/var/log/splunk] _rcvbuf = 1572864 host = $decideOnStartup index = _internal [monitor:///opt/splunkforwarder/var/log/splunk/configuration_change.log] _rcvbuf = 1572864 host = $decideOnStartup index = _configtracker [monitor:///opt/splunkforwarder/var/log/splunk/license_usage_summary.log] _rcvbuf = 1572864 host = $decideOnStartup index = _telemetry [monitor:///opt/splunkforwarder/var/log/splunk/metrics.log] _TCP_ROUTING = * _rcvbuf = 1572864 host = $decideOnStartup index = _internal [monitor:///opt/splunkforwarder/var/log/splunk/splunk_instrumentation_cloud.log*] _rcvbuf = 1572864 host = $decideOnStartup index = _telemetry sourcetype = splunk_cloud_telemetry [monitor:///opt/splunkforwarder/var/log/splunk/splunkd.log] _TCP_ROUTING = * _rcvbuf = 1572864 host = $decideOnStartup index = _internal [monitor:///opt/splunkforwarder/var/log/watchdog/watchdog.log*] _rcvbuf = 1572864 host = $decideOnStartup index = _internal [monitor:///opt/videoipath/logs/backend/main.log] _rcvbuf = 1572864 disabled = false host = $decideOnStartup index = discol2 sourcetype = main_demo [script] _rcvbuf = 1572864 host = $decideOnStartup index = default interval = 60.0 start_by_shell = true [splunktcp] _rcvbuf = 1572864 acceptFrom = * connection_host = ip host = $decideOnStartup index = default route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue [tcp] _rcvbuf = 1572864 acceptFrom = * connection_host = dns host = $decideOnStartup index = default [udp] _rcvbuf = 1572864 connection_host = ip host = $decideOnStartup index = default ... View more

Re: Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-21-2023 05:52 AM
‎07-21-2023 05:52 AM
Hi Ismo,  Below is TZ set on UF server. Interestingly I set the same time zone on my local test server and after changing timestamp settings to "current time" the logs are displaying in time. However, it's a simple UF->Cloud setup as opposed to productional one (through HF). timedatectl Local time: Fri 2023-07-21 13:27:32 BST Universal time: Fri 2023-07-21 12:27:32 UTC RTC time: Fri 2023-07-21 12:27:32 Time zone: Europe/London (BST, +0100) NTP enabled: yes NTP synchronized: yes RTC in local TZ: no DST active: yes Last DST change: DST began at Sun 2023-03-26 00:59:59 GMT Sun 2023-03-26 02:00:00 BST Next DST change: DST ends (the clock jumps one hour backwards) at Sun 2023-10-29 01:59:59 BST Sun 2023-10-29 01:00:00 GMT Not sure how to grab log event on UF (this sounds like from Windows world). regards, Sz ... View more

Splunk Cloud align index time with _time

by in Splunk Cloud Platform
‎07-20-2023 04:39 AM
‎07-20-2023 04:39 AM
Hi,  I'm having an issue with timestamping on one unstructured sourcetype (others json and access_log are fine).  My deployment looks like UF->HF->Splunk cloud.  For some reason data from the mentioned sourcetype is delayed by 1 hour. I mean, I have to increase seachrtime to >60m to see the latest data. Below is the output of a query to compare index time and _time.  I tried to change timestamp extraction is sourcetype configuration in the cloud, but it didn't help. I come up with idea to transform INGEST_EVAL expression in a transforms stanza in transforms.conf to update the _time field at ingest time after it has been parsed out from the actual event (+3600s)  #transforms.conf  [time-offset] INGEST_EAVL = _time:=_time+3600 #props.conf  [main_demo] TRANSFORMS=time-offset   I suppose there is no transforms.conf equivalent in Splunk GUI (props.conf can be configured in source type GUI section). Do I need to contact Splunk support to perform this kind of change in cloud indexer?  Or maybe there is any other way to align _time to reflect real time? All help would be appreciated, regards, Szymon       ... View more

Splunk App for Unix and Linux doesn't display resu...

by in All Apps and Add-ons
‎02-24-2023 04:22 AM
‎02-24-2023 04:22 AM
Hi Splunkers,  I'm using Splunk App for Unix and Linux for monitoring some CentOS parameters.  All scripts work fine when I run them locally on UF. However, some of them (e.g. vmstat, who) don't display results - just the headers(parameter descriptions).  This is script output from UF (who) below is the screenshot from Splunk's GUI I tried to play with soructypes' linebreaker, but it didn't help.  Have anyone encountered similar issue?  I would be grateful for your help. regards, Sz ... View more
Labels

Re: How to get sum of GC time spend in last 4 hour...

by in Splunk Search
‎02-23-2023 11:53 PM
‎02-23-2023 11:53 PM
@bowesmana You nail it! I had to play with regex a little bit, but I managed to achieve what I wanted.  Thanks a lot.  ... View more

Re: How to get sum of GC time spend in last 4 hour...

by in Splunk Search
‎02-22-2023 03:13 AM
‎02-22-2023 03:13 AM
Dear @bowesmana  Apologies for not being entirely clear in previous messages. No wonder you got confused. Let me clarify this again. I got logs: Splunk_timestamp EventA time_used [249.34ms] Splunk_timestamp EventB time_used [246.23ms] Splunk_timestamp EventC time_used [323.11ms] Splunk_timestamp EventA time_used [1445.12ms]  I managed to extract time_used value per event.  I would like to have a total sum of time_used from all events per hour.  The next step would be having percentage of time_used total number/number of ms in day i.e. (3 600 000 ms - 1000ms*60*60).  My query was a crap, so I'm not attaching it here.  ... View more

Re: How to get sum of GC time spend in last 4 hour...

by in Splunk Search
‎02-22-2023 01:49 AM
‎02-22-2023 01:49 AM
Hi,   I don't take into account the timestamp at the beginning of every line. Relying on Splunk-added timestamp is okay.  716906.314 - 716920.165  I'm struggling with an accumulation of time  in ms at the end of every log line like: 24.051   3124.593   and divide it into hours (Splunk timestampt)  ... View more

How to get sum of GC time spend in last 4 hours?

by in Splunk Search
‎02-21-2023 02:50 PM
‎02-21-2023 02:50 PM
Hi Splunkers, I have a GC log like below:     [716920.165s][info][gc] GC(27612) Concurrent reset 24.051ms [716909.883s][info][gc] GC(27611) Concurrent update references 3124.593ms [716909.885s][info][gc] GC(27611) Pause Final Update Refs 1.336ms [716909.885s][info][gc] GC(27611) Concurrent cleanup 79178M->58868M(153600M) 0.143ms [716906.314s][info][gc] GC(27611) Pause Final Mark 2121.376ms [716906.315s][info][gc] GC(27611) Concurrent cleanup 71900M->71709M(153600M) 0.240ms [716906.757s][info][gc] GC(27611) Concurrent evacuation 441.920ms [716906.758s][info][gc] GC(27611) Pause Init Update Refs 0.126ms     I'm trying to get statistic related to total time spend by all these fields (the values in ms at the end of line).  I mean calculated all events in ms and drew a chart or table with total value from last 4 hours. For instance  19.00 - 245000ms 20.00 - 344000ms  21.00 - 345500ms 22.00 - 452000ms  I did manage to extract time needed in ms from all fields, but when I use query like: timechart span=1h sum(eval(Concurrent_reset+Concurrent_Update+ Pause_Final_Mark+Concurrent_cleanup+Concurrant_evacuation+Pause_Init_Update)) as total i just receive results from 19.00-20.00 timespan. What I doing wrong here?    regards, Sz   ... View more
Labels

Re: Event-breaking policy

by in Getting Data In
‎02-17-2023 05:26 AM
‎02-17-2023 05:26 AM
I've already given it a go (not in props.conf, but in the sourcetype edit tab in GUI - I'm using cloud premise).  It doesn't break lines correctly.    ... View more

How to set up an appropriate line breaker for data...

by in Getting Data In
‎02-17-2023 04:53 AM
‎02-17-2023 04:53 AM
Hi Splunkers, I'm struggling with setting up an appropriate line breaker for data from log file.  The example is below. I tried to use Event-breaking policy set to "every line", but it doesn't work fine as the last line consists of 3 events. I would like to break lines based on [abcdef.abcs][info][gc], but I'm not entirely sure whether it's possible.  Could you please take a look?  [883722.688s][info][gc] GC(40135) Pause Init Mark (process weakrefs) 1653.109ms [883734.774s][info][gc] GC(40135) Concurrent marking (process weakrefs) 12086.056ms [883736.181s][info][gc] GC(40135) Concurrent precleaning 1406.445ms [883738.907s][info][gc] GC(40135) Pause Final Mark (process weakrefs) 2724.588ms [883738.908s][info][gc] GC(40135) Concurrent cleanup 72424M->72273M(153600M) 0.229ms [883739.217s][info][gc] GC(40135) Concurrent evacuation 308.624ms [883739.217s][info][gc] GC(40135) Pause Init Update Refs 0.137ms [883742.192s][info][gc] GC(40135) Concurrent update references 2975.050ms [883742.195s][info][gc] GC(40135) Pause Final Update Refs 1.175ms [883742.196s][info][gc] GC(40135) Concurrent cleanup 80318M->62137M(153600M) 0.204ms [883742.197s][info][gc] Trigger: Allocated since last cycle (15943M) is larger than allocation threshold (15360M) [883742.224s][info][gc] GC(40136) Concurrent reset 26.618ms [883743.575s][info][gc] GC(40136) Pause Init Mark 1349.467ms ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
Thursday
Karma given to
View All