Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bcavagnolo
bcavagnolo
Explorer
Member since:
06-28-2013
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 3 |
| Member Since | 06-28-2013 |
Activity Feed
- Karma Re: when is it safe to delete oneshot input file? for lukejadamec. 06-05-2020 12:46 AM
- Karma Fields not extracted automatically, for shangshin. 06-05-2020 12:46 AM
- Got Karma for Re: EXTRACTing a field from a src_field defined in a transform using "in". 06-05-2020 12:46 AM
- Got Karma for when is it safe to delete oneshot input file?. 06-05-2020 12:46 AM
- Got Karma for Re: CPU-bound search. seems related to KV processing.. 06-05-2020 12:46 AM
- Posted when is it safe to delete oneshot input file? on Knowledge Management. 09-18-2013 11:10 AM
- Tagged when is it safe to delete oneshot input file? on Knowledge Management. 09-18-2013 11:10 AM
- Posted Re: concatenating fields at search time in props.conf and/or transforms.conf on Splunk Search. 08-27-2013 10:22 AM
- Posted Re: concatenating fields at search time in props.conf and/or transforms.conf on Splunk Search. 08-27-2013 09:48 AM
- Posted concatenating fields at search time in props.conf and/or transforms.conf on Splunk Search. 08-26-2013 05:48 PM
- Tagged concatenating fields at search time in props.conf and/or transforms.conf on Splunk Search. 08-26-2013 05:48 PM
- Posted Re: CPU-bound search. seems related to KV processing. on Splunk ITSI. 08-23-2013 04:05 PM
- Posted Re: EXTRACTing a field from a src_field defined in a transform using "in" on Splunk Search. 08-23-2013 10:43 AM
- Posted EXTRACTing a field from a src_field defined in a transform using "in" on Splunk Search. 08-23-2013 10:19 AM
- Tagged EXTRACTing a field from a src_field defined in a transform using "in" on Splunk Search. 08-23-2013 10:19 AM
- Tagged EXTRACTing a field from a src_field defined in a transform using "in" on Splunk Search. 08-23-2013 10:19 AM
- Posted Re: Fields not extracted automatically, on Splunk Search. 08-01-2013 11:57 AM
- Posted Re: Fields not extracted automatically, on Splunk Search. 07-31-2013 06:53 AM
- Posted Re: CPU-bound search. seems related to KV processing. on Splunk ITSI. 06-28-2013 03:20 PM
- Posted CPU-bound search. seems related to KV processing. on Splunk ITSI. 06-28-2013 11:54 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
09-18-2013
11:10 AM
1 Karma
Hello. I have a script that invokes the command line splunk tool on an single index/search head to oneshot index log files. Is it safe to delete the input log file after splunk oneshot returns with status 0? The reason I ask is the search status webpage shows the number of indexed events ticking upward for a while after that the command returns. It seems to work, but I don't want to do it this way if it is not safe.
... View more
- Tags:
- oneshot
08-27-2013
10:22 AM
@Wilcooley: Yeah that's right.
... View more
08-27-2013
09:48 AM
The problem is that I need the concatenated field to be available for REPORT-xyz statements that invoke transforms from transforms.conf. The EVAL documentation suggests that only lookups can use the results of EVALs. So I'm afraid this won't work. Please advise if I am missing something or if there is another way. I think I may have to use an index-time field.
... View more
08-26-2013
05:48 PM
I have a bunch of existing regexs that operate on an HTTP URI (E.g., "/foobar?x=1&y=2"). I have logs of two different source types, one in which the URI is reported as a single field, and another in which the query portion of the URI is elswhere in the event (E.g., "/foobar HTTP/1.1 200 x=1&y=2"). I see that I can define an index-time field that concatenates the base URI and its query string. But is there a search-time way to do this?
Edit: Okay. It's starting to sound like this cannot be achieved at searchtime. But because these URLs represent most of my data, I'm really not excited about the bloating this will cause by indexing this field. What's worse, my interpretation of the documentation on how to do this is that I would have to index the field for both of my sourcetypes. That is, I could not maintain an index-time field for one sourcetype and a search-time field for the other sourcetype with the same name.
But Before I give up, let me (re)suggest these three ideas in case anyone in splunkland can see a way to make one of them work:
Idea #1: Is there is a succinct way to apply a transform.conf stanza to multiple SOURCE_KEYs without duplicating the REGEX?
Idea #2: Can two transform.conf stanzas refer to a single REGEX somehow?
Idea #3: Can I define a search-time field in transforms.conf using something like SEDCMD to replace the text intervening between the two field components with an empty string?
... View more
- Tags:
- concatenating
08-23-2013
04:05 PM
1 Karma
For the record, I think we figured out the root cause of this issue. We ended up having a crazy number of sourcetypes defined. We ended up rebuilding the index on a fresh splunk install. All is well now.
... View more
08-23-2013
10:43 AM
1 Karma
Okay. I found the solution. You have to list the dependent field extractions. So elaborating on my second configuration attempt, the REPORT-from in props.conf should be like this:
REPORT-from = mytransform-fromlist, mytransform-from
I have lots of other extractions that depend on mytransform-fromlist, so hopefully splunk is smart enough to only run mytransform-fromlist once!
... View more
08-23-2013
10:19 AM
In transforms.conf, I have a transform defined like this:
[mytransform-fromlist]
REGEX = from=(?<fromlist>\w+)
I want to extract an additional field from the fromlist. I'm trying to do this in props.conf with something like this:
REPORT-fromlist = mytransform-fromlist
EXTRACT-from = (?<from>.*) in fromlist
Note that the trivial from regex is just for testing so that I can assure that the from field will show up in the search results.
When I run this search, I do see the fromlist field, but not the from field. I figure that somehow the fromlist is not available to EXTRACT-from at search time. But I can't find any documentation on this.
I also tried using a transform to extract the from field by adding this to transforms.conf:
[mytransform-from]
REGEX = (?<from>.*)
SOURCE_KEY = fromlist
...and a corresponding REPORT in props.conf like this:
REPORT-from = mytransform-from
Help!
... View more
08-01-2013
11:57 AM
Hey Gilberto. This problem still persists for me (see my comment under the question with props.conf and transforms.conf snippets). I am able to see the field when I query for it explicitly in splunk web with rex, but not otherwise. Note that the log data was all imported with command-line oneshot calls like this:
splunk add oneshot logfile -index main -sourcetype mysrctype -host myhost
...so there is not inputs.conf segment. Can you spot a problem with my configuration that might explain this?
... View more
07-31-2013
06:53 AM
I am having this same issue. In transforms.conf I have:
[myfield-mv]
REGEX = (?P blahblahregex)
MV_ADD = true
SOURCE_KEY = myinputfield
...and in props.conf I have:
REPORT-myfield = myfield-mv
...but myfield does not appear among the "interesting fields" in searches from the we interface. However, if I search like this:
* | rex field=myinputfield "(?P blahblahregex)"
...i do see myfield in the "interesting fields". Help!
... View more
06-28-2013
03:20 PM
Yes. Practically all of the events in splunk are of of the sourcetype that I specify. And the results do eventually appear. It just takes 10 minutes.
... View more
06-28-2013
11:54 AM
Ahoy. We've been experiencing a search performance problem and I'm having trouble figuring out what to do about it. I've been following the advice and techniques outlined here:
http://wiki.splunk.com/Community:PerformanceTroubleshooting
The very simple search I am performing is this:
splunk> sourcetype="mysource"
...for the last 60 minutes. The search trudges away revealing "0 matching events" for about 10 minutes before revealing anything. During this period, the CPU performing the search shoots to 100% usage. iostat reports low tps (like ~10). vmstat shows no swap activity. So I'm pretty sure this is CPU bound. The search log shows AMPLE time consumption by "SearchOperator:kv", and all of the default kv searches are being performed. The "access-extractions" system default extraction seems to take about 5 whole minutes. The job inspector reports practically all of the time in "dispatch.evaluate.search". (I found it odd that the job inspector didn't identify command.search.kv considering the contents of the search log.) Note that according to the high-level summary on the search page, "mysource" has about 276 million events. Not sure if this is a lot or not. Any ideas?
UPDATE:
So many of the time-consuming "SearchOperator:kv" lines in the search.log file seem to be coming from specs in the config files that are not related to my custom sourcetype. For example, the access-extractions transform is referenced by a bunch of default sourcetype specs, but not by my custom sourcetype spec. The following search:
| metadata type=sourcetypes index="main"
...shows a single result that is my custom sourcetype.
... View more
