Activity Feed
- Got Karma for Splunk Hosts metadata correlation with index. 06-05-2020 12:47 AM
- Got Karma for Splunk web not showing login fields JAVAscript enabled. 06-05-2020 12:46 AM
- Got Karma for Re: Deployment server to deploy specific serverclass to a client excluding whitelist *. 06-05-2020 12:46 AM
- Posted Re: Are there any ways to increase the performance of our forwarder's current file monitor reading syslog files at 10MB/sec? on Getting Data In. 11-05-2014 08:34 PM
- Posted Are there any ways to increase the performance of our forwarder's current file monitor reading syslog files at 10MB/sec? on Getting Data In. 11-05-2014 12:42 AM
- Tagged Are there any ways to increase the performance of our forwarder's current file monitor reading syslog files at 10MB/sec? on Getting Data In. 11-05-2014 12:42 AM
- Tagged Are there any ways to increase the performance of our forwarder's current file monitor reading syslog files at 10MB/sec? on Getting Data In. 11-05-2014 12:42 AM
- Tagged Are there any ways to increase the performance of our forwarder's current file monitor reading syslog files at 10MB/sec? on Getting Data In. 11-05-2014 12:42 AM
- Posted Re: Splunk Hosts metadata correlation with index on Splunk Search. 07-06-2014 10:16 PM
- Posted Re: fast query to output hosts not logging to index on Splunk Search. 07-06-2014 10:11 PM
- Posted Re: fast query to output hosts not logging to index on Splunk Search. 07-06-2014 10:08 PM
- Posted fast query to output hosts not logging to index on Splunk Search. 07-05-2014 04:58 AM
- Tagged fast query to output hosts not logging to index on Splunk Search. 07-05-2014 04:58 AM
- Posted Re: Splunk Hosts metadata correlation with index on Splunk Search. 07-05-2014 04:49 AM
- Posted Re: Splunk Hosts metadata correlation with index on Splunk Search. 07-03-2014 06:58 AM
- Posted Re: Splunk Hosts metadata correlation with index on Splunk Search. 07-03-2014 04:15 AM
- Posted Re: Splunk Hosts metadata correlation with index on Splunk Search. 07-03-2014 02:36 AM
- Posted Splunk Hosts metadata correlation with index on Splunk Search. 07-03-2014 01:45 AM
- Tagged Splunk Hosts metadata correlation with index on Splunk Search. 07-03-2014 01:45 AM
- Tagged Splunk Hosts metadata correlation with index on Splunk Search. 07-03-2014 01:45 AM
11-05-2014 08:34 PM
To clarify, this is a HWF. Any suggestions for HWF other than performance, and any attributes for availability also appreciated ... for ex, if both receivers go down ... does HWF block?
11-05-2014 12:42 AM
We have a forwarder file monitor reading syslog files being churned out at 10MB/sec ... are there any tweaks to increase performance of the file monitor?
Also this forwarder outputs to 2 indexers in LB mode ... do these block when both receivers go down?
Appreciate inputs
07-06-2014 10:16 PM
Unless I misunderstand, when I run metadata type=hosts ... index name is not a key value pair returned.
Is a metadata search not a metasearch .. sorry if I got that wrong
07-06-2014 10:11 PM
Apologies ... I guess the other was specific on query to correlate ... and I'm still stuck with the question of a fast query for above as we have TB of data. I need both index names and hosts not logging to be output in the same query result, and a fast query at that ... as we have gobs of data ... I do not want the query to be stuck with a high cost
07-06-2014 10:08 PM
I have tried that before. Above query does not output index names in search result ... so it's not helpful
Thanks
07-05-2014 04:58 AM
On 5.0.4 ... appreciate suggestions on a performance conducive query to output hosts not logging to index, with index names also being output in the search results
We have huge amounts of data and would need the query to be as fast as possible .. possibly run over a 1 hour interval
Appreciate!
- Tags:
- search
07-05-2014 04:49 AM
Thanks ... unless I misunderstood something, recenttime is indextime for metasearch on hosts ... but metasearch does not output the index names on which it runs ... I need to be able to read the results to act on it and it needs to have the index name ...
07-03-2014 06:58 AM
It's so much on the slower side, does not look feasible for us ... any inputs / modifications to enhance performance appreciated
07-03-2014 04:15 AM
Yes, on Splunk 5.0.4 unfortunately ... is there some way we can do the same? I just need to find the latest time each host has logged using metadata but also output what index it belongs to ...
07-03-2014 02:36 AM
Hmmm ... this throws error expecting a namespace ... tsidxstats error ... missing "FROM" keyword to specify namespace
Does this work against indexes? Above error suggests it runs only against tsidxstats of tscollect
07-03-2014 01:45 AM
1 Karma
I'm using a metadata type=hosts query to output hosts that have not logged data using recenttime
However I don't see the index name being output by this .. is there any way to correlate the host to its index in a query that starts with |metadata type=hosts?
Thanks!
05-18-2014 09:34 AM
.. I have searched the search.log Lispy query search parser of this search for these _indextime "AND" all _time, cannot seem to find it ... is the final query dispatched available to see in any logs .. I keep seeing only indextime ..
05-16-2014 08:41 PM
On a concept level, if we have inline search time range of past 5 minutes of indextime and outside timerange of past 10 min .. so will it AND and always give both last 5 indextime and last 10 _time .. making our key purpose ineffective
I did not get the precedence, or how do 2 time ranges operate?
05-16-2014 02:45 AM
Is there any way we can just search using _indextime and not use _time?
05-16-2014 02:44 AM
Ok, the idea is we don't know all device timezones and timestamps ... how can we be sure of +2d ... it can be a year ahead .. irrespective, we use indextime in search query
05-15-2014 05:35 AM
Also note I use scheduled search and timerange is blank except for inline search timerange based on _index_time
05-15-2014 01:56 AM
Hmm ... inline search timerange is supposed to override timerange specified outside ... I saw that documented somewhere .. also in our case the timerange outside our search is blank .. ie we have no _time
05-14-2014 06:55 PM
I believe you can do _index_earliest and latest based search instead of _time, and that's what was used
05-13-2014 11:23 PM
I guess I'm trying to say the search query is based on _indextime and not _time ... so that should not be the case, although _time is +5 hrs ahead
05-12-2014 08:29 PM
Distributed search from SH which looks at _index time earliest and latest 10 minutes .. as in above ... thanks
05-12-2014 01:49 AM
We have an indexer indexing events with _time 5 hours ahead, and we have distributed search from SH which looks at _index time earliest and latest 10 minutes ... although events with _time + 5 hours and matching index time exist .. they don't show up in Splunk SH scheduled searches? Why?
Does the scheduler (SH) introduce some filter when they run to prevent them from searching events that have timestamps later than the local runtimes of the queries?
Kindly clarify
- Tags:
- search
05-10-2014 08:03 PM
Thanks!
1. When you say "it creates a field (_time) that contains the UTC time of the event."
Does it normalize or convert to UTC equivalent of time it sees in event?
2. If my device is sending UTC-5 and there is no props setting ... indexer in UTC, what would the time at index time be? I ask because the above setting shows up events as UTC +5
05-10-2014 01:32 AM
In absence of device time zone and props setting ... and indexer in UTC ... what time zone is applied to events' timestamps as seen in the device logs as it is indexed?
Does Splunk do any time zone conversion normalization to UTC irrespective of indexer time zone at index time?
What is the scheduler timezone and time when run from a SH with events collected from indexer?
05-09-2014 07:50 AM
Can we use the backfill summary index script without summary action and modify for alerts?
05-09-2014 07:49 AM
$6 just hits the jobs results endpoint .. which does not indicate any error, neither does $8 ...