Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About peterweinstein
peterweinstein
Explorer
Member since:
04-02-2012
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 04-02-2012 |
Activity Feed
- Got Karma for best approach to define transforms with regular expressions?. 06-05-2020 12:46 AM
- Got Karma for best approach to define transforms with regular expressions?. 06-05-2020 12:46 AM
- Got Karma for best approach to define transforms with regular expressions?. 06-05-2020 12:46 AM
- Posted is there a rising column equivalent for DB Connect V2 Output? on All Apps and Add-ons. 06-02-2015 11:33 AM
- Tagged is there a rising column equivalent for DB Connect V2 Output? on All Apps and Add-ons. 06-02-2015 11:33 AM
- Posted Do Splunk DB Connect 2 outputs restart automatically after a Splunk restart? on All Apps and Add-ons. 06-02-2015 11:27 AM
- Tagged Do Splunk DB Connect 2 outputs restart automatically after a Splunk restart? on All Apps and Add-ons. 06-02-2015 11:27 AM
- Tagged Do Splunk DB Connect 2 outputs restart automatically after a Splunk restart? on All Apps and Add-ons. 06-02-2015 11:27 AM
- Tagged Do Splunk DB Connect 2 outputs restart automatically after a Splunk restart? on All Apps and Add-ons. 06-02-2015 11:27 AM
- Posted has the Genevents.jar in the Java SDK been replaced? on Splunk Dev. 04-05-2012 11:26 AM
- Tagged has the Genevents.jar in the Java SDK been replaced? on Splunk Dev. 04-05-2012 11:26 AM
- Posted Re: best approach to define transforms with regular expressions? on Splunk Search. 04-04-2012 02:40 PM
- Posted best approach to define transforms with regular expressions? on Splunk Search. 04-04-2012 10:31 AM
- Tagged best approach to define transforms with regular expressions? on Splunk Search. 04-04-2012 10:31 AM
- Tagged best approach to define transforms with regular expressions? on Splunk Search. 04-04-2012 10:31 AM
- Posted how to load an edited props.conf? on Splunk Search. 04-02-2012 02:01 PM
- Tagged how to load an edited props.conf? on Splunk Search. 04-02-2012 02:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 |
06-02-2015
11:33 AM
Hi,
I need to transfer Splunk extracts to Sql Server such that every record is written to Sql Server exactly one time. It doesn't need to be real time, for example, an hourly periodicity would be fine.
Currently, I am repeating the output every hour, and searching for the previous hour. This works but it is fragile and, given that Splunk may be down at times, the data saved to the database is incomplete.
We need the equivalent of a "rising column" -- Splunk should output all new records.
In SQL, I would select all records with a timestamp greater than the MAX of the previously written data.
What is the recommended approach using DB Connect V2?
Thanks,
Peter
... View more
- Tags:
- Splunk DB Connect
06-02-2015
11:27 AM
Hi,
Yesterday I configured a DB Connect 2 output to write to a SQL Server hourly.
It worked for several hours, then stopped.
I am guessing that Splunk was restarted. Do outputs automatically resume when Splunk restarts?
Thanks,
Peter
... View more
04-05-2012
11:26 AM
Hi,
The online documentation for the Splunk Java SDK decribes an event generator that is useful for testing. It was called Genevents.jar, as described at the bottom of http://dev.splunk.com/view/splunk-java-sdk-examples/SP-CAAAEFF.
The Splunk Java SDK I installed today does not include Genevents.jar. This seems like it would have been useful ... I'm wondering if it is still available or if there is a replacement?
Thanks for your help!
Peter
... View more
- Tags:
- javasdk
04-04-2012
02:40 PM
This answer was helpful, thanks; but didn't really answer my question which I will do here:
A precise but long description of PCRE regex is at http://www.pcre.org/pcre.txt.
To understand regular expressions as transformation functions, the output of a regular expression is:
- the input string
- minus substrings matched by the regex
- substituted with output from a FORMAT argument, and substrings 'captured' in the regex referenced either with $n or the names of capture subgroups.
The tool at http://gskinner.com/RegExr/ and the doc above helped me figure this out. I hope I'm right!
... View more
04-04-2012
10:31 AM
3 Karma
Hi,
I would appreciate some orientation on the best way to use regular expressions to define transforms. I guess my basic confusion is that regular expressions are usually defined as recognizers, thus F(str)->(true, false) if there is a match or not. However, to define transforms we are using regular expressions as transformational functions, e.g. F(str)->(another string).
I have come across several possible approaches as to how to use regexes as transformational functions:
-- in the Search manual, the rex command has a "sed" mode that uses special Perl syntax to transform strings.
-- regular-expressions.info describes features such as "backreferences" and "lookarounds" which seem to optionally "capture" or "keep" values ... the language suggests functional uses but unfortunately the writing is not precise.
-- the Splunk web interface and examples in the manuals seem to use features from Perl Compatible Regular Expressions (e.g. (?[FIELDNAME>) to extract substrings.
What approach do you prefer? I am happy to learn another grammar, but would prefer to learn one in particular!
Thanks for your help!
Peter
... View more
- Tags:
- regex
- transforms
04-02-2012
02:01 PM
Hi,
I'm just starting to work with Splunk. I am trying to change the definition of events in an input file by editing the props.conf file in the etc/local directory. Unfortunately my edits are having no effect. I have tried:
-- Adding "| extract reload=true" to the end of the active search operating on the input file
-- Restarting Splunk with Manager/Restart from the web interface.
One odd thing worth mentioning: when I first tried to save a modified props.conf file, I had to manually alter the Windows permissions to let myself write the file.
So my question is, what is the normal development procedure for testing and updating changes to event definitions? Is there a setting somewhere else that I need to modify so manually edited changes take effect?
To learn Splunk I installed it on my Windows laptop. I'm running the free version almost fresh out of the box at this point.
Thanks for your help,
Peter
... View more
- Tags:
- configuration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
