Activity Feed
- Posted Splunk Cloud - props.conf setting for changing TZ to AEST for my events data in UTC format on Getting Data In. 08-12-2021 11:57 PM
- Posted Re: Unable to update email address in my Splunk Account profile on Security. 05-09-2021 10:39 PM
- Karma Re: SPLUNK License master down - what is the impact ?? for esix_splunk. 06-05-2020 12:48 AM
- Karma Internet Explorer 9: Why panels only display "Loading Events" when drilling down in reports? for garryclarke. 06-05-2020 12:47 AM
- Karma How to reuse the count from a previous search to calculate a percentage in a second search or combine the two searches? for otman01. 06-05-2020 12:47 AM
- Got Karma for Splunk Field values are visible in URL. How can we hide them?. 06-05-2020 12:47 AM
- Got Karma for Is there any way to fill my summary index with only the newer portion data every day from the raw index?. 06-05-2020 12:47 AM
- Got Karma for Why is my custom sendemail script not working in Splunk 6.1.2 and not showing any errors?. 06-05-2020 12:47 AM
- Got Karma for What path do I use to add new files, images, and fonts to load on a dashboard?. 06-05-2020 12:47 AM
- Got Karma for How to give time modifiers to run the search query from yesterday morning 5 am to today morning 5 am ?. 06-05-2020 12:47 AM
- Karma Re: can i dynamically change the label in the form ?? for sideview. 06-05-2020 12:46 AM
- Karma Re: rex word extraction? for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: How do i get Unique events for my search keyword for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: regex help for timestamp extraction from event log for MuS. 06-05-2020 12:46 AM
- Karma Re: stats usage to display output as follows for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: can i have a trend line graph on a bar graph ?? for Gilberto_Castil. 06-05-2020 12:46 AM
- Karma Re: Can we disable the inspect link from the search results ?? for yoho. 06-05-2020 12:46 AM
- Karma Re: eventtypes combination for jerrad. 06-05-2020 12:46 AM
- Karma Re: Module Hiddensearch help for sideview. 06-05-2020 12:46 AM
- Karma Re: Need Solution for stats command for ziegfried. 06-05-2020 12:46 AM
08-12-2021
11:57 PM
Hi All, I have the sample events below in my log data, i.e. in UTC format, and I want Splunk to change the event time to AEST. I assumed Splunk would definitely convert to AEST, since the cloud we use is for an Australian project/region. My sample data looks like below, in UTC format:

2021-08-11T01:16:25.373937Z I-6083-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000298 | X 8 NRRS202108111116250196534269 N ack_nak_response=ack
2021-08-11T01:16:25.381943Z I-6016-EP R> : icexsTrace-icexs5-20210811-1116-037.trc64:0000314 | 8 MH18000000000000000731127354 P AMQ LUXP112 , ` * MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787
2021-08-11T01:16:25.381991Z E-6016-EP S> : icexsTrace-icexs5-20210811-1116-037.trc64:0000323 | _ *SAMPL1* SW051001 MHS18P1 SWLP1 ZP11SIV HXU4P73A MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 CANONICAL CODE 736062787787
2021-08-11T01:16:25.422824Z E-6016-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000392 | ' MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99 *CSMOKY*
2021-08-11T01:16:25.423000Z I-6016-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000399 | 8 MH18000000000000000731127354 MHS18P1 020420210811111624901010P1-001SW10.15.35.81 516fc0b3f6cd49abac2247601381e9c8 EPAG CTBA00 00CANONICAL CODE 736062787787 001000000000879575CR000000000879575CRAUD00000000000000000000000000000013d46777ec304eadb673f30ed0487f99
2021-08-11T01:16:25.428780Z E-6053-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000419 | <BusMsg> <AppHdr xmlns="urn:iso:std:iso:20022:tech:xsd:head.001.001.01"> <Fr> <FIId> <FinInstnId> <BICFI>RSBKAUFSXXX</BICFI> </FinInstnId> </FIId> </Fr> <To> <FIId> <FinInstnId> <BICFI>WPACAU2SXXX</BICFI> </FinInstnId> </FIId> </To> <BizMsgIdr>RSBKAUFSXXX20210811000116253109041</BizMsgIdr> <MsgDefIdr>pacs.002.001.06</MsgDefIdr> <BizSvc>npp.stlmnt.01-sct.04</BizSvc> <CreDt>2021-08-11T01:16:25.310Z</CreDt> <Prty>NORM</Prty> </AppHdr> <Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.002.001.06"> <FIToFIPmtStsRpt> <GrpHdr> <MsgId>RSBKAUFSXXX20210811000116253109041</MsgId> <CreDtTm>2021-08-11T01:16:25.310Z</CreDtTm> <InstgAgt> <FinInstnId> <BICFI>RSBKAUFSXXX</

Each line represents an event in my log, so I have defined the sourcetype settings below:

[ <SOURCETYPE NAME> ]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=AUTO
disabled=false

But I can still only see the event timestamps in UTC format in Splunk. How would I change them to the AEST timezone for events? Could you please help with the settings?
- Tags: props.conf settings
- Labels: props.conf
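An added example, not from the original post and not Splunk's own code, that models what the indexer does with lines like the ones above: the timestamp at the start of each event is parsed together with its zone designator into a UTC epoch (the value Splunk stores in _time), and AEST only enters the picture when that epoch is rendered. The props.conf TZ setting is consulted only when an event carries no zone information, and a trailing Z already says UTC; what Splunk Web shows follows the viewing user's time zone preference rather than a property of the data. The sample lines are trimmed copies of the post's events, and treating AEST as a fixed UTC+10 offset is an assumption (Australia/Sydney switches to AEDT in summer).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: timestamps and prefixes copied from the post's
# events, payloads shortened. Each line is one event (SHOULD_LINEMERGE=false).
SAMPLE_LINES = [
    "2021-08-11T01:16:25.373937Z I-6083-EP S< : icexsTrace-icexs5-20210811-1116-037.trc64:0000298 | ack_nak_response=ack",
    "2021-08-11T01:16:25.381943Z I-6016-EP R> : icexsTrace-icexs5-20210811-1116-037.trc64:0000314 | 8 MH18000000000000000731127354",
    "2021-08-11T01:16:25.422824Z E-6016-EP R< : icexsTrace-icexs5-20210811-1116-037.trc64:0000392 | CANONICAL CODE 736062787787",
]

# Timestamp anchored at the start of the event (what TIME_PREFIX = ^ expresses),
# six fractional digits, then a zone designator: Z or an offset like +10:00.
TS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})(?P<zone>Z|[+-]\d{2}:?\d{2})"
)

UTC = timezone.utc
# Assumption: AEST as a fixed UTC+10 offset with no daylight saving.
AEST = timezone(timedelta(hours=10), name="AEST")


def zone_from_designator(zone: str) -> timezone:
    """Turn 'Z' or '+HH:MM' / '+HHMM' into a tzinfo. An event with no designator
    at all is the only case where a props.conf TZ setting would be consulted."""
    if zone == "Z":
        return UTC
    sign = 1 if zone[0] == "+" else -1
    digits = zone[1:].replace(":", "")
    return timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:])))


def extract_epoch(line: str) -> float:
    """UTC epoch seconds for the event: the zone-independent value kept as _time."""
    m = TS_RE.match(line)
    if m is None:
        raise ValueError("no leading timestamp: " + line[:40])
    naive = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=zone_from_designator(m.group("zone"))).timestamp()


def render(epoch: float, tz: timezone = AEST) -> str:
    """Presentation step: the same epoch shown in the viewer's zone."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        epoch = extract_epoch(line)
        print(f"{epoch:.6f}  UTC={render(epoch, UTC)}  AEST={render(epoch)}")
```

The same epoch renders as 01:16:25 UTC and 11:16:25 AEST; an event written as 2021-08-11T11:16:25.373937+10:00 yields the identical epoch, which is why changing how the data is stored is not the lever here.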
05-09-2021
10:39 PM
Hi, I am also facing issues updating my work email ID in my Splunk account. Can anyone please help? Thanks,
09-04-2019
10:19 PM
Hi All,
After upgrading my Splunk forwarder from version 6.6.x to 7.3.0, my Splunk forwarder didn't start. It is showing the error below.
A Splunk installation already exists. This will upgrade the current installation.
Do you still wish to continue ?: [y|n]
y
Continuing with update
Check for processes...
Extracting 'splunkforwarder-7.3.0-657388c7a488-Linux-x86_64.gz' ...
Updating config files...
Starting the forwarder...
install_nix_forwarder.sh: line 199: /opt/splunkforwarder/bin/splunk: Operation not permitted
Splunk did not start. Please check any error messages
When I checked the error logs, I couldn't find much information:
09-04-2019 19:34:54.397 +1000 INFO TcpOutputProc - Connected to idx=10.16.193.244:9997, pset=0, reuse=0. using ACK.
09-04-2019 19:35:27.370 +1000 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.16.195.198_8089_10.16.195.198_lnxau2106st0273.wsdc.nsw.westpac.com.au_Splunk_Forwarder_payments_lnxau2106st0273
09-04-2019 19:35:30.813 +1000 WARN TcpOutputProc - Cooked connection to ip=10.16.193.247:9997 timed out
09-04-2019 19:35:50.653 +1000 WARN TcpOutputProc - Cooked connection to ip=10.17.193.39:9997 timed out
09-04-2019 19:35:50.759 +1000 INFO TcpOutputProc - Connected to idx=10.17.193.38:9997, pset=0, reuse=0. using ACK.
09-04-2019 19:36:05.484 +1000 INFO PipelineComponent - Performing early shutdown tasks
09-04-2019 19:36:05.503 +1000 INFO loader - Shutdown HTTPDispatchThread
09-04-2019 19:36:05.514 +1000 INFO ShutdownHandler - Shutting down splunkd
09-04-2019 19:36:05.514 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_Begin"
09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_FileIntegrityChecker"
09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_JustBeforeKVStore"
09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_KVStore"
09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_Thruput"
09-04-2019 19:36:05.531 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_TcpInput1"
09-04-2019 19:36:05.540 +1000 INFO TcpInputProc - Running shutdown level 1. Closing listening ports.
09-04-2019 19:36:05.541 +1000 INFO TcpInputProc - Shutting down listening ports
09-04-2019 19:36:05.542 +1000 INFO TcpInputProc - Setting up input quiesce timeout for : 90.000 secs
09-04-2019 19:36:06.335 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_ExecSendInitialSigterm"
09-04-2019 19:36:06.335 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_TcpOutput"
09-04-2019 19:36:06.335 +1000 INFO TcpOutputProc - begin to shut down auto load balanced connection strategy
09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_UdpInput"
09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_FifoInput"
09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_WinEventLogInput"
09-04-2019 19:36:06.336 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_HttpInput"
09-04-2019 19:36:06.338 +1000 INFO TcpInputProc - Cleaning up TCP connections
09-04-2019 19:36:06.338 +1000 INFO TcpInputProc - Shutting down existing connections.
09-04-2019 19:36:06.339 +1000 INFO TcpInputProc - TCP connection cleanup complete
09-04-2019 19:36:06.349 +1000 INFO ShutdownHandler - shutting down level "ShutdownLevel_CacheManager"
Could someone please help diagnose the problem and fix it?
- Tags: splunk-enterprise
06-13-2019
12:10 AM
Can anyone help with the above requirement, please?
06-10-2019
09:39 AM
Yeah, I have used something like this:
<< my search query >> | eval Day=strftime(_time,"%d-%b-%y") | stats first(_time) as first_occurrence last(_time) as last_occurrence by Day,Error_Code | eval window = first_occurrence + "-" + last_occurrence | table Day,Error_Code,window
But the above still gives me the first and last occurrence of the error code in a day, which is similar to using earliest(_time) and latest(_time)...
Fingers crossed!!! No more thoughts on cracking my requirement; it's getting over my head 😞
06-10-2019
06:50 AM
Hi Vastal, thanks for the efforts. Basically I was trying to prepare a query or dashboard to give a tabular view of the data in the format shown. I would like the occurrences of the error code and their time windows for each day :( Using earliest and latest gives me only one window for that day.
06-08-2019
09:15 AM
Hi All,
I have a requirement to find error codes and their occurrence windows for a given day, printed in a table format. For example, I was looking for the error code "Z901" in my Splunk logs for a given day, and I would like to know how many occurrences of this error, i.e. Z901, were seen on that day.
// sample output which I am looking for
Day         Error_Code  Occurrences  Duration
08-06-2019  Z901        3            00:02:00 - 01:04:05
                                     07:00:00 - 07:24:45
                                     23:45:00 - 23:55:00
I need the output in the above format; can anyone help me get it? From the above format I can clearly see Z901 errors on the day "08-06-2019" for 3 occurrences, i.e. between the time windows 00:02:00-01:04:05, 07:00:00-07:24:45 and 23:45:00-23:55:00.
I tried using earliest and latest times but got the output as 00:02:00 - 23:55:00 for the whole day. I need help to print it in the above format.
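An added example, not part of this thread, showing the grouping the question asks for: per day and error code, consecutive occurrences are merged into one window until the gap to the next event exceeds a maximum pause, which is the role `transaction Error_Code maxpause=1h` plays in SPL and which `earliest`/`latest` alone cannot do, since they collapse the whole day into one span. The events and the one-hour pause are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, error code); not taken from the thread.
SAMPLE_EVENTS = [
    ("2019-06-08 00:02:00", "Z901"),
    ("2019-06-08 00:40:00", "Z901"),
    ("2019-06-08 01:04:05", "Z901"),
    ("2019-06-08 07:00:00", "Z901"),
    ("2019-06-08 07:24:45", "Z901"),
    ("2019-06-08 12:00:00", "Z777"),
    ("2019-06-08 23:45:00", "Z901"),
    ("2019-06-08 23:55:00", "Z901"),
    ("2019-06-09 00:10:00", "Z901"),
]

DAY_FMT = "%d-%m-%Y"  # the Day column as written in the requested output


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def sessionize(events, maxpause_s: int = 3600):
    """Group events by (Day, Error_Code) and merge consecutive occurrences into
    windows. A new window opens when the gap to the previous event of the same
    code on the same day exceeds maxpause_s. Returns {(day, code): [(start, end), ...]}."""
    by_key = defaultdict(list)
    for ts, code in events:
        t = parse_ts(ts)
        by_key[(t.strftime(DAY_FMT), code)].append(t)
    windows = {}
    for key, times in by_key.items():
        times.sort()
        spans = []
        start = prev = times[0]
        for t in times[1:]:
            if (t - prev).total_seconds() > maxpause_s:
                spans.append((start, prev))  # close the window at the last event seen
                start = t
            prev = t
        spans.append((start, prev))
        windows[key] = spans
    return windows


def render_table(windows) -> str:
    """One line per window; Day, Error_Code and Occurrences appear only on the
    first line of each group, matching the sample output in the question."""
    lines = ["Day         Error_Code  Occurrences  Duration"]
    order = sorted(windows, key=lambda k: (datetime.strptime(k[0], DAY_FMT), k[1]))
    for key in order:
        day, code = key
        spans = windows[key]
        for i, (s, e) in enumerate(spans):
            head = f"{day}  {code:<10}  {len(spans):<11}  " if i == 0 else " " * 37
            lines.append(f"{head}{s:%H:%M:%S} - {e:%H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(sessionize(SAMPLE_EVENTS)))
```

The pause is the parameter that defines what counts as one "occurrence": with a one-hour gap the sample yields the three Z901 windows from the question, while a pause of a whole day collapses them back into the single earliest-to-latest span the question complains about.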
03-21-2018
07:35 PM
Hi Payal,
You can use the regex below for extracting the NewValue tag for the International Roaming call:
(?<=VfNetworkSettings).*?International\sRoaming\sBar.*?NewValue>(?<MyField>[^<]+)<
In case this field is null, you may need to use the isnull function of Splunk to create an appropriate field, i.e. like below:
<< Your base query >> | rex "(?<=VfNetworkSettings).*?International\sRoaming\sBar.*?NewValue>(?<MyField>[^<]+)<" | eval ActualField = if(isnull(MyField),"NA",MyField) | stats count by ActualField
This will give you the count based on the NewValue msg types; if it's null we create an "NA" msg.
Hope this helps!!
Happy Splunking 🙂
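An added example, not part of the answer above, that runs the answer's regex over constructed XML-like audit events and applies the same isnull fallback before counting. Python's re module needs (?P<name>...) where Splunk's rex accepts (?<name>...); the event layout (a VfNetworkSettings block in which a NewValue element follows the International Roaming Bar setting) is an assumption, not something the thread shows.

```python
import re
from collections import Counter

# Splunk rex writes the named group as (?<MyField>...); Python's re needs (?P<MyField>...).
NEW_VALUE_RE = re.compile(
    r"(?<=VfNetworkSettings).*?International\sRoaming\sBar.*?NewValue>(?P<MyField>[^<]+)<"
)

# Constructed single-line events; the element layout is assumed.
EVENTS = [
    '<AuditEvent><VfNetworkSettings><Setting name="International Roaming Bar"><OldValue>Off</OldValue><NewValue>On</NewValue></Setting></VfNetworkSettings></AuditEvent>',
    '<AuditEvent><VfNetworkSettings><Setting name="International Roaming Bar"><OldValue>On</OldValue><NewValue>Off</NewValue></Setting></VfNetworkSettings></AuditEvent>',
    '<AuditEvent><VfNetworkSettings><Setting name="Data Roaming"><NewValue>On</NewValue></Setting></VfNetworkSettings></AuditEvent>',
    '<AuditEvent><VfNetworkSettings><Setting name="International Roaming Bar"><NewValue>On</NewValue></Setting></VfNetworkSettings></AuditEvent>',
]


def extract_new_value(event: str) -> str:
    """Mirror of `rex ... | eval ActualField=if(isnull(MyField),"NA",MyField)`:
    the captured NewValue text, or "NA" when the regex does not match."""
    m = NEW_VALUE_RE.search(event)
    return m.group("MyField") if m else "NA"


def count_by_value(events) -> Counter:
    """Equivalent of `stats count by ActualField`."""
    return Counter(extract_new_value(e) for e in events)


if __name__ == "__main__":
    for value, n in sorted(count_by_value(EVENTS).items()):
        print(f"{value:<4} {n}")
```

The third event changes a different setting, so the lazy `.*?` never reaches an International Roaming Bar match and the event lands in the "NA" bucket instead of silently borrowing another setting's NewValue; that is the behaviour worth checking whenever a regex is pointed at XML, since attribute order or a wrapped line would change the result.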
03-10-2017
12:43 AM
Hi Cusello,
Currently I am planning to move the license to other servers, so I was trying to find the best possible way to move it and accordingly add the job servers to it as well.
My thought process for the move is:
1) Install the new license on the new server.
2) Remove the search peers from the current license pool one by one and make them point to the new license server.
3) Add the job servers to the new license server as well.
4) Now remove the old license from the existing pool and add it to the new license server.
thanks,
Rakesh.
03-09-2017
10:11 PM
Hi All,
I have a multisite indexer clustering configuration with a separate license master, and all indexer cluster servers point to the license master as slaves.
I also have job servers that run the search jobs against these indexer cluster servers. Do I need to use the license configuration on these servers as well, or is it not required? I was trying to find documentation for this but couldn't find any so far. If anyone could help, that would be great!
thanks
rakesh.
- Tags: splunk-enterprise
03-09-2017
09:03 PM
Hi team,
If the indexer master goes down, will the cluster still be able to index data and do the replication in a multisite indexer clustering configuration?
Can someone help me with this info?
thanks
rakesh
02-15-2017
10:40 AM
No John, I am just seeing the error code 2 but not the message.
If I call the default echo.sh script it works fine, but when I try to call another script from the echo.sh file it throws this error.
It works fine in a single search head environment, but here I am having the issue. Am I missing something?
02-15-2017
07:27 AM
Yes koshyk, I have deployed the apps using the deployer only.
02-15-2017
12:24 AM
Hi All,
I am using Splunk version 6.2.2 with 4 search heads and have formed a search head cluster environment with those 4 servers. I have a scheduled search running on this cluster that calls an external shell script to email the search results ("results.gz" content) to different customers based on the logic in the shell script.
This script works fine on a single, non-clustered search head, but in the clustered environment I am seeing the following error and the script seems not to be working as expected.
02-15-2017 03:04:19.516 +0000 ERROR script - sid:scheduler_nobody_eGJ0X3NwaHVyX2FsZXJ0cw_RMD58550cea47a8bcd3a_at_1487127660_19_4EFB41A7-977F-4746-9C8F-5BE724662CDD command="runshellscript", Script: /appl1/splunk/etc/apps/xbt_sphur_alerts/bin/scripts/echo.sh exited with status code: 2
Could you please help with what the issue could be here?
thanks,
Rakesh.
- Tags: splunk-enterprise
01-05-2017
12:11 AM
Hi PiUek,
Can we refer to all the rows in the search results instead of only the first row?
Is this possible in Splunk?
thanks,
Rakesh.
01-05-2017
12:05 AM
Hi Niketnilay,
Thanks for your reply. The above code shows how to refer to the first row of the results; how can we refer to the second row of the results?
Search Results (first result only)
$result.[fieldName]$ - Results are referenced directly by their field name.
Is there any way to refer to the second row and so on?
many thanks,
Rakesh.
01-04-2017
03:26 AM
Hi All,
In older Splunk versions there is a concept of displaying the Splunk search results in HTML modules, or HTML tags, using the results token, i.e. results[0].fieldname etc.
In Splunk 6.x, do we have any examples of getting the same functionality?
My older sample code in Splunk 5.x:
<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" autoRun="True">
  <param name="search">index=_internal | stats count </param>
  <module name="HTML" layoutPanel="panel_row5_col1_grp1">
    <param name="html">
      <div> Search Results : $results.count$ </div>
    </param>
  </module>
</module>
Can we have something similar for Splunk 6.x?
thanks,
Rakesh.
12-28-2016
03:34 AM
1 Karma
Hi luthfi49,
For field names with spaces, you can use single-quote notation in an eval statement.
For example:
1) eval 'Product Details' = 'Product Details' + " Field "
2) eval 'user count' = 'user count' * 20
where "user count" is the field name.
thanks,
Rakesh.
11-14-2016
11:41 PM
Hi Pyro_wood,
Thanks for the update. I have used the same setting previously, but it didn't work as expected and I could see data in my index for more than 90 days. That is the only reason I introduced these 2 attributes, maxHotSpanSecs and rotatePeriodInSecs. Is this something you tested and have working for you?
thanks.
rakesh.
11-14-2016
10:58 PM
Hi Team,
I have created an index called "mysummary" for my Splunk app, and I want this index to store 90 days' worth of data, so I have used the following configuration, i.e. at any time I need to store only 90 days' worth of data in this index.
I have seen the attribute "rotatePeriodInSecs" added to do the regular checks and roll the data out of the index after 90 days, so that it preserves only 90 days' worth of data, but it's still not working as expected.
Can someone please help here?
// Settings used now to store 91 days of logs.
[mysummary]
coldPath = volume:cold/mysummary/colddb
homePath = volume:hotwarm/mysummary/db
thawedPath = $SPLUNK_DB/cold/mysummary/thaweddb
# 7862400 seconds = 91 days
maxHotSpanSecs = 7862400
frozenTimePeriodInSecs = 7862400
rotatePeriodInSecs = 60
repFactor = auto
thanks,
rakesh.
10-12-2016
05:19 AM
Hi Team,
I have a file called /var/log/messages which I need to send to two different indexes (say index="A" and index="B") on 2 sets of indexer servers,
i.e. index="A" sourcetype="A" on indexer set 1, and index="B" sourcetype="B" on indexer set 2; both should give me the same source, i.e. /var/log/messages.
Please help.
thanks.
rakesh.
- Tags: forward
08-01-2016
03:44 AM
Hi Team,
I have my indexers present in 2 sites, site1 and site2. In site1 I have 5 indexer servers and in site2 I have 5 indexer servers. All I need from my multisite indexer clustering configuration is: "For each piece of data available in site1, I need a copy of it in site2, and vice versa".
I have defined the following config, but it seems not to be working as expected. Am I missing something?
// Master Config
[general]
site=site1
[clustering]
mode=master
multisite=true
available_sites=site1,site2
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
restart_timeout = 900
// Site 1 Member Config
[general]
site=site1
[clustering]
master_uri = https://masterserver:52400
mode = slave
pass4SymmKey=splunk
[replication_port://52403]
// Site 2 Member Config
[general]
site=site2
[clustering]
master_uri = https://masterserver:52400
mode = slave
pass4SymmKey=splunk
[replication_port://52403]
Can you please help?
Thanks,
Rakesh.
- Tags: splunk-enterprise
07-05-2016
07:27 AM
Hi All,
I am using the following code snippet in my HTML dashboard to redirect the page to the defined URL on clicking on my dashboard.
Here I am able to navigate to a different URL, but I lose control of the parent page; I want the new URL to open in a new blank document rather than on the same page. Is there any means to change/update the redirect function?
My code snippet:
// Click handler: stop the default drilldown, build the target URL from the clicked row's tokens, then navigate to it.
e.preventDefault();
var url = TokenUtils.replaceTokenNames("http://localhost:8080/en-US/app/custom_app/dashboard?form.Operator=$row.Operator$&form.CarrierCode=$row.CarrierCode$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url'));
utils.redirect(url);
Many thanks.
Rakesh.