×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- About rene847
rene847
Path Finder
Member since:
01-05-2015
06-05-2020
Community Statistics
| Posts | 25 |
| Solutions | 4 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 01-05-2015 |
Activity Feed
- Got Karma for How to get all configuration files in my deployment in a file?. 06-05-2020 12:47 AM
- Posted How to search all protocols used in our network every 24 hours? on All Apps and Add-ons. 12-04-2015 11:28 AM
- Tagged How to search all protocols used in our network every 24 hours? on All Apps and Add-ons. 12-04-2015 11:28 AM
- Posted Re: Why am I getting "memPartAlloc: block too big" sending my SIP phone syslog to universal forwarders? on Getting Data In. 09-16-2015 12:10 PM
- Posted Why am I getting "memPartAlloc: block too big" sending my SIP phone syslog to universal forwarders? on Getting Data In. 09-01-2015 08:16 AM
- Tagged Why am I getting "memPartAlloc: block too big" sending my SIP phone syslog to universal forwarders? on Getting Data In. 09-01-2015 08:16 AM
- Tagged Why am I getting "memPartAlloc: block too big" sending my SIP phone syslog to universal forwarders? on Getting Data In. 09-01-2015 08:16 AM
- Posted Re: Why are my UDP inputs not showing up in my metrics.log? on Getting Data In. 08-20-2015 01:09 PM
- Posted Why are my UDP inputs not showing up in my metrics.log? on Getting Data In. 08-20-2015 12:45 PM
- Tagged Why are my UDP inputs not showing up in my metrics.log? on Getting Data In. 08-20-2015 12:45 PM
- Tagged Why are my UDP inputs not showing up in my metrics.log? on Getting Data In. 08-20-2015 12:45 PM
- Tagged Why are my UDP inputs not showing up in my metrics.log? on Getting Data In. 08-20-2015 12:45 PM
- Tagged Why are my UDP inputs not showing up in my metrics.log? on Getting Data In. 08-20-2015 12:45 PM
- Posted Re: Query HDD space, index and data on Splunk Search. 06-19-2015 11:22 AM
- Posted Re: Query HDD space, index and data on Splunk Search. 06-18-2015 11:32 AM
- Posted Re: Directory / Source on Getting Data In. 06-17-2015 11:51 AM
- Posted Re: Syslog logs sent but not the last on Getting Data In. 06-17-2015 11:46 AM
- Posted Query HDD space, index and data on Splunk Search. 06-17-2015 11:39 AM
- Tagged Query HDD space, index and data on Splunk Search. 06-17-2015 11:39 AM
- Tagged Query HDD space, index and data on Splunk Search. 06-17-2015 11:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
12-04-2015
11:28 AM
Hi All,
I would like some help about a search in Splunk. I want to pull out all the protocols used in our network.
For example, yesterday, we had millions of ping requests from a user. And, we noticed from another user, that the DNS 8.8.8.8 was used instead of our own DNS. In summary, we would like to have a search that will allow us to see all the protocols used in our network every 24 hours (or top ten).
I did not find this information on the Splunk web site, or or ask via .conf2015.
This will greatly assist me in my work.
Do you have an idea of how to do this search?
Thank you for your help again.
René R.
... View more
09-16-2015
12:10 PM
Finally, it's the phones problem. The master configuration was wrong.
... View more
09-01-2015
08:16 AM
Hi all,
This morning, after some verification, I found some errors in my search headwith my SIP phones.
I have 150 polycom phone. They send their syslog to Universal Forwarders. Config file is:
[udp://172.16.72.70:514]
source = sip_syslog
sourcetype = polycom:siplab
connection_host = none
acceptFrom = 172.16.72.70
disabled = false
index = ti-telephone
I think it is correc,t but I found lots of errors like:
Sep 1 14:47:13 172.16.86.70 Sep 1 10:47:21 172.16.86.70 0901104721|sys |*|03|0x9581bea0 (tPktProSys): memPartAlloc: block too big - 21848 in partition 0x94b6feec.
date_hour = 14 date_mday = 1 date_minute = 47 date_month = september date_second = 13 date_wday = tuesday date_year = 2015 date_zone = local host = UniversalFowarders index = ti-telephone linecount = 1 punct = ___::_...____::_..._|__|*||_():_:____-____. source = sip_syslog sourcetype = polycom:sip splunk_server = IndexServer splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default
All other equipment (257) is working fine except the new phones recently added.
Do you have an idea of this error?
Thank you a lot
Best regards
Rene R.
... View more
08-20-2015
01:09 PM
No, its correct.... it's a bad exemple
I corrected my post.
but my problem is still present !!!!!
... View more
08-20-2015
12:45 PM
Hi all,
I would like to know....
I have a functional index named "phone"
I have 120 IP (with no host) defined in inputs.conf on Universal Forwarders with index=phone.
Example:
[udp://aaa.bbb.ccc.ddd:514]
source = sip_syslog
sourcetype = phone:siplab
connection_host = none
acceptFrom = aaa.bbb.ccc.ddd
disabled = false
index = phone
I find data with search on the search head with index=phone and my index on the server grows (so it's functional), but when I run this command (Highest-usage indexes), I don't have my Phone index. Why?
See my query:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse
However, with this query, I see my index:
index=_internal source=license_usage.log type=Usage | stats sum(b) by idx | sort sum(b) |reverse
I don't know why I don't have my index with the first query (made by Splunk)?
I would like just 1 report with ALL index for one day (first query). Do you have an idea?
Thanks in advance
Best Regards
Rene R.
... View more
06-19-2015
11:22 AM
Thank you Martin_Mueller and MuS for your answer, I appreciate your support.
... View more
06-18-2015
11:32 AM
Yes, that way as possible and I tried.
However, I can not take a value greater than 30 days otherwise I have no data?
Do you have an idea?
... View more
06-17-2015
11:51 AM
Finally,
We destroyed the directory, create a new, new query and now functional
weird
... View more
06-17-2015
11:46 AM
Finally, the application logs with French accents are not well managed.
The developers have removed the accents, it was the solution
... View more
06-17-2015
11:39 AM
Hi,
I have not been able to find a good query with all my trying.... I need help please!
Can anyone tell how I can:
I would like to get a query that would give me the disk space since December 1, 2014 for each month until today (to see the progression).
Splunk has sent me alert each day (email) about the status of our indexes (view and control our licenses). I use the same alert with these values "-198d@d to now" and it doesn't work, I only view 1 month of data and I don't know why.
Here is my normal query:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse
I'm looking for the same query (or similar) for:
- all space
- all the indexes
- all data entries
==> number of entry since December 1, 2014 until today for each month.
Is it possible? Do you have an query idea?
Thank you
Regards
... View more
04-20-2015
07:42 AM
I made a Pcap and I visualized with Wireshark:
Syslog message: LOCAL0.INFO: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340
1000 0... = Facility: LOCAL0 - reserved for local use (16)
.... .110 = Level: INFO - informational (6)
Message: Apr 15 19:45:53 SERVERx root: Test logger 16 accent \350 \351 \340
(backslash before 350, 351 and 340)
Strange
... View more
04-20-2015
07:28 AM
Hi,
(Sorry for my English, I'm French)
I send my logs via syslog on port 514 or 40514 and I have a problem with this new system.
I send 10 tests (logger) and I receive only 9. If I send 5, I receive 4. If I send 19, I receive 18 (always missing the last one on this new system).
When I use TCPDump, to see what is send and I have always 10 if test is 10, 5 is test is 5..... All my log is send but in the Splunk Search engine, I miss the last? I dont know why, its very strange....
I get more than 50 systems and the problem is only on this new system.
It's the same system for another question here: http://answers.splunk.com/answers/230364/french-syslog.html
(I have 2 UF with VIP, 1 indexer, 1 search engine and 1 for management)
What you thought? Are there other tests that I could do?
Do you have a track for help me to try to correct this problem?
Thank you
... View more
04-20-2015
07:12 AM
Hi,
(Sorry for my English, I'm French)
I have new systems that send Syslog to Splunk UniversalFowarder via 40514 port. The UF listen and I receive Syslog (its ok).
When I test (logger) and check configuration of all systems, we have LANG=en_CA.UTF8.
My Charset parameter is set to AUTO and I dont understand why the systems replaces characters by .... see exemple.
Example:
root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 61"
root@SERVERX:/etc/rsyslog.d# logger -plocal0.info "Test logger 62 with accent è é à"
Apr 17 16:15:08 10.62.1.140 Apr 17 16:15:08 SERVERX root: Test logger 62 with accent \xE8 \xE9 \xE0
date_hour = 16 date_mday = 17 date_minute = 15 date_month = april date_second = 8 date_wday = friday date_year = 2015 date_zone = local host = 192.168.80.210 index = IndexLav linecount = 1 punct = ::_...:::______\ source = udp:40514 sourcetype = udp:40514 splunk_server = SERVERY splunk_server_group = dmc_group_indexer timeendpos = 16 timestartpos = 0 unix_category = all_hosts unix_group = default
Anyone know how to fix this?
Thank you in advance.
... View more
03-17-2015
07:09 AM
Thank you for your reply, I appreciate.
However, Linux events are one thing (TI-LNXEVENTS). These are specific events to the operating systems only.
The other index (TI-lav) is a specific application, an this application generate connections and events specific to this application, never recorded by Linux events.
That's my problem, 1 ip and 2 index from the same server.
Do you have any ideas?
... View more
03-17-2015
07:09 AM
Thank you for your reply, I appreciate.
However, Linux events are one thing (TI-LNXEVENTS). These are specific events to the operating systems only.
The other index (TI-lav) is a specific application, an this application generate connections and events specific to this application, never recorded by Linux events.
That's my problem, 1 ip and 2 index from the same server.
Do you have any ideas?
... View more
03-16-2015
11:01 AM
Hi,
I have a Linux server and the syslog is functional. Here is UF config (inputs.conf) :
[udp://xx.xx.xx.140:514]
host = MyHostName
acceptFrom = xx.xx.xx.140
index = TI-LNXEVENTS
disabled = false
Today, new project…. They request to add "same server" and the logs from specific software with index "TI-lav". But I already send logs (events) to Splunk with Index "TI-LNXEVENTS"
I make test with this (in inputs.conf):
[udp://xx.xx.xx.140:514]
source = lav_syslog
sourcetype = lav:prod
host = MyHostName
connection_host = none
acceptFrom = xx.xx.xx.140
disabled = false
index = TI-lav
But obviously it sends to index TI-LNXEVENTS.
My question is: I would like to have 2 logs and 2 indexes from this server. What are the good practices?
Best Regards
... View more
02-06-2015
11:49 AM
Real time, I put a new file (with the same content), here the log:
.
.
06/02/15 19:45:51,454
02-06-2015 19:45:51.454 +0000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='D:/SplunkDataInput/TI-WINEVENTS-RNI/BLABLABLA_eventlogs_DNS.csv'.
host = TOTO source = C:/Program Files/SplunkUniversalForwarder/var/log/splunk/splunkd.log sourcetype = splunkd
.
.
I put the old file and :
.
06/02/15 19:46:07,569
02-06-2015 19:46:07.569 +0000 INFO WatchedFile - Will begin reading at offset=3717 for file='D:/SplunkDataInput/TI-WINEVENTS-RNI/BLABLABLA_eventlogs_DNS.csv'.
host = TOTO source = C:/Program Files/SplunkUniversalForwarder/var/log/splunk/splunkd.log sourcetype = splunkd
... View more
02-06-2015
11:16 AM
This is not because "crc".
I takes the contents, I insert it in another file, I put the same name file in the directory and Hop, Splunk takes.
It's really weird because, as I say, with another file, Splunk takes the file and when I query, I found data !!!!
Sorry, I have 6 files in the folder (not 5):
DcServerX_eventlogs_application.CSV
DcServerXeventlogs_DS.csv
DcServerXeventlogs_FRS.csv
DcerverXeventlogs_security.csv
DcServerXeventlogs_system.csv
And the file DcServerX_eventlogs_DNS.csv
This is the file that causes me problems sometimes and I do not know why.
My Inputs.conf is (fonctional for 5 files??):
[monitor://D:SplunkDataInputTI-WINEVENTS-RNI.csv]
index = TI-WINEVENTS-RNI
host_segment = 3
What do you think for solution?
.
.
.
Here's a search (Newest to oldest) :
.
.
04/02/15 04:17:39,455
02-04-2015 04:17:39.455 +0000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='D:/SplunkDataInput/TI-WINEVENTS-RNI/BLABLABLA_eventlogs_DNS.csv'.
host = TOTO source = C:\Program Files/SplunkUniversalForwarder/var/log/splunk/splunkd.log sourcetype = splunkd
.
.
03/02/15 04:15:58,401
02-03-2015 04:15:58.401 +0000 INFO WatchedFile - Will begin reading at offset=0 for file='D:\SplunkDataInput\TI-WINEVENTS-RNI\BLABLABLA_eventlogs_DNS.csv'.
host = TOTO source = C:/Program Files/SplunkUniversalForwarder/var/log/splunk/splunkd.log sourcetype = splunkd
.
.
03/02/15 04:15:58,401
02-03-2015 04:15:58.401 +0000 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='D:/SplunkDataInput/TI-WINEVENTS-RNI/BLABLABLAeventlogs_DNS.csv'.
host = TOTO source = C:/Program Files/SplunkUniversalForwarder/var/log/splunk/splunkd.log sourcetype = splunkd
.
.
02/02/15 04:15:18,748
02-02-2015 04:15:18.748 +0000 INFO WatchedFile - Will begin reading at offset=0 for file='D:/SplunkDataInput/TI-WINEVENTS-RNI/BLABLABLA_eventlogs_DNS.csv'.
host = TOTO source = C:/Program Files/SplunkUniversalForwarder/var/log/splunk/splunkd.log sourcetype = splunkd
.
.
... View more
02-06-2015
06:33 AM
Hi,
First: I have a directory with five sources. Sometimes a source (always the same) is not loaded into Splunk even if the file has been modified, I dont know why yet the file date is really changed)? Its 5 CSV files.
What I want to do, instead of modifying the file, my script will delete the file and create a new one (instead of changing its content) ... I'm looking for solutions.
Finally, there is there way to monitor whether the five sources were picked up by splunk (If only 4 sources, alert me). I am looking for an query that would make this, do you have an idea?
Thank you
Best regards
... View more
01-07-2015
07:38 AM
Ok, thank you for your answer.
Regards
... View more
01-07-2015
07:21 AM
1 Karma
Hi all,
I would like to know how to get all configuration files in my deployment in a file (for each Splunk instance)?
I have :
- 1 Management Console
- 1 Search head
- 2 Indexers
- 2 Universal forwarder (with vip)
(everything is redundant (doubled configuration))
Tks
Best Regards
... View more
