Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rusty009
rusty009
Path Finder
Member since:
10-05-2015
06-05-2020
Community Statistics
| Posts | 30 |
| Solutions | 2 |
| Karma Given | 6 |
| Karma Received | 4 |
| Member Since | 10-05-2015 |
Activity Feed
- Karma Re: View Indexer config with only access to the cluster master & search head GUI for gcusello. 06-05-2020 12:50 AM
- Karma Re: How to convert computer name to host name? for javiergn. 06-05-2020 12:48 AM
- Karma Re: sourcetype isn't parsing DHCP data correctlyon indexer but does when I manually add on search head for lguinn2. 06-05-2020 12:48 AM
- Karma Re: Why is Splunk not parsing JSON data correctly with my current sourcetype configuration? for Yorokobi. 06-05-2020 12:48 AM
- Got Karma for Re: How to convert computer name to host name?. 06-05-2020 12:48 AM
- Got Karma for Re: How to store a large search result set into a lookup table?. 06-05-2020 12:48 AM
- Got Karma for Re: How to store a large search result set into a lookup table?. 06-05-2020 12:48 AM
- Got Karma for Re: How a different users can get different results for the same query?. 06-05-2020 12:48 AM
- Karma Re: Join Ip with a subnet for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Create a custom web page for the Splunk web server to host for Lowell. 06-05-2020 12:45 AM
- Posted Troubleshoot data not getting to splunk on Security. 09-09-2019 05:51 AM
- Tagged Troubleshoot data not getting to splunk on Security. 09-09-2019 05:51 AM
- Posted Re: View Indexer config with only access to the cluster master & search head GUI on Deployment Architecture. 09-05-2019 06:15 AM
- Posted Re: View Indexer config with only access to the cluster master & search head GUI on Deployment Architecture. 09-05-2019 06:13 AM
- Posted Re: View Indexer config with only access to the cluster master & search head GUI on Deployment Architecture. 09-02-2019 09:05 AM
- Posted Re: View Indexer config with only access to the cluster master & search head GUI on Deployment Architecture. 09-02-2019 08:14 AM
- Posted View Indexer config with only access to the cluster master & search head GUI on Deployment Architecture. 09-02-2019 04:04 AM
- Tagged View Indexer config with only access to the cluster master & search head GUI on Deployment Architecture. 09-02-2019 04:04 AM
- Posted Re: Set event time as time the file was created on Getting Data In. 11-18-2017 10:54 AM
- Posted Set event time as time the file was created on Getting Data In. 11-18-2017 08:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-09-2019
05:51 AM
I'm sending TCP syslog traffic on a specific port to splunk. The input exists and I am sending it to an index I have access to. I have confirmed that data is being sent to splunk but looking at the flow traffic on my network and running tcpdump on splunk.
The TCP traffic is configured to only accept traffic which is encrypted with a certificate, which I believe is why it is not working, how could iI confirm this using only the _internal logs or through running searches/commands on the search head or cluster ? I do not have console access to the indexers.
Thanks !
... View more
- Tags:
- tls
- troubleshooting
09-05-2019
06:15 AM
yes there is, just add an all at the end, so
| rest /services/data/inputs/all splunk_server=indexer1
... View more
09-05-2019
06:13 AM
fantastic, thank you ! Is there anyway i can pull details of a specific input ?
... View more
09-02-2019
09:05 AM
I know I need to look at the input file on the indexers, that was my original question ! I don't have access to the indexers, I need to look at the inputs file from the gui of either the search head or cluster master.
... View more
09-02-2019
08:14 AM
Data is being sent via syslog to the indexers. No TA is beging used, neither is there a deployment server. We don't have a clustered search head architecture, just a clustered index, so the cluster master is just to cluster the indexers.
... View more
09-02-2019
04:04 AM
I have administrator access to the GUI of the search head cluster master and search head, but not the indexers. I am troubleshooting why data isn't coming into Splunk and need to see the following through the GUI of either the search head or the cluster master,
- indexes configured on each indexer
- inputs configured on each indexer
How can I do this, I can't seem to find an easy way to do so. I am running Splunk 6.6.2. I know this information is held within the configuration bundle on the cluster master , but I can't view this form the GUI, I can only deploy it from the cluster master console.
Thanks!
... View more
11-18-2017
10:54 AM
that sets it to the current time, I want it to set it to the time the file I am indexing was created
... View more
11-18-2017
08:50 AM
I have a number of csv files which don't have a 'time' field in them. I would like to set the time of all the events within the csv file as the date when the file was created. Is this possible ?
... View more
04-08-2017
06:17 AM
that doesn't work unfortunately, is there an issue with my props.conf ?
... View more
04-07-2017
08:05 AM
I have the below file being indexed in spunk,
{
"records":
[
{ <event}}
and I would like to get rid of everything before {
so I'm executing the SEDCMD like below,
SEDCMD-StripHeader = s/{\s+\"records\":\s+\[\s+{/{/1
but it doesn't seem to be working. When I test it using the below splunk command it works a treat,
sourcetype="json:blob" | rex field=_raw mode=sed "s/{\s+\"records\":\s+\[\s+{/{/1"
I have restarted splunk, it's running on a single instance ( so this is my search head and indexer) - any ideas what I'm doing wrong?
... View more
07-27-2016
06:03 AM
as an aside, the delete command doesn't actually delete the logs, it jut makes them unsearchable. So if you're looking to save some disk space this might not be the best method to use.
... View more
07-19-2016
07:36 AM
thank you, this worked. But I don't understand why. The parsing has happened long before I search for it in the search head, why does the sourcetype need to be on the search head ?
... View more
07-19-2016
02:16 AM
Hi,
I have a distributed environment of Splunk running 6.3, I have a search head, cluster master, indexer & heavy forwarder. I have syslog data coming from netscalers on the heavy forwarder where I have the Splunk Add-on for Citrix Netscaler installed and all the data is being indexed correctly. The HF forwards data to my indexer and the data is coming in fine, but it has not been parsed correctly. I initially didn’t have the Splunk Add-on for Citrix Netscaler installed on the indexer so though this was the issue, so I installed it, but there is no change. Does anyone know what’s happening here? I though the HF forwarded the indexed data?
... View more
06-10-2016
10:04 AM
Just for future reference - I had the same issue, none of the above solutions seemed to work but when troubleshooting, I found it was an issue with DNS on my server rather than a splunk related issue. After I fixed my DNS resolution everything worked perfectly.
... View more
04-20-2016
04:22 AM
1 Karma
Are you using a distributed environment? If so, which admin to which component of Splunk cannot return the results? This will make a difference. At first glance, I would say this is a permissions issue if one user can access the data and another can't, it would also be useful to see your full search query and to make sure you are running the searches from the same app in Splunk, just in case you're relying on any app specific commands/lookups.
To see which users have access to which indexes you will need to run the below as an admin on the searchead, I would also run it as the user who can see the data,
| rest /services/authentication/users | rename title AS username roles AS role | mvexpand role | fields realname username role | join type=outer role [ rest /services/authorization/roles | rename title AS role | eval indexes=mvjoin(srchIndexesAllowed," ; ") | fields role indexes] | table username role indexes
This will gives you a list of permissions. let me know how you get on.
... View more
04-20-2016
02:11 AM
1 Karma
Could you provide a bit more detail with examples of what your data looks like currently and how you would like it to look?
... View more
04-19-2016
06:05 AM
2 Karma
also be careful about saving large lookup files on your search head. You may bump into issues with syncing your bundle across indexers if you hit your maximum bundle size. You may need to whitelist the lookup folder within that app > https://answers.splunk.com/answers/3436/how-could-i-optimize-distributed-replication-of-large-lookup-tables.html
... View more
04-16-2016
05:23 AM
so,
it turns out I was making two mistakes, I had to put the field name in single quotes and the value in double quotes which seemed to do the trick.
index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| stats count by uri
... View more
04-16-2016
05:21 AM
So,
unfortunately I managed to find the answer. Splunk currently does not support nanoseconds, and the largest timestamp they can handle is microseconds ! So if you see yourself in the same situation, you will need to apply the below config to the search, (assuming your json strings timestamp field is called timestamp),
[cloudflare]
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
TIME_PREFIX=^timestamp:"
MAX_TIMESTAMP_LOOKAHEAD = 10
... View more
04-15-2016
06:29 AM
Thanks, but this didn't work.When I rename edgeRequest.httpMethod to method I get the same issue, which to me means the field name has nothing to do with the issue, I think it's the value itself. Would you know how I could troubleshoot a search?
... View more
