Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About acalvo
acalvo
Explorer
Member since:
10-28-2010
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 10-28-2010 |
Activity Feed
- Got Karma for forward data to a syslog server. 06-05-2020 12:45 AM
- Got Karma for forward data to a syslog server. 06-05-2020 12:45 AM
- Posted Re: similar alerts have several behaviours on Alerting. 03-24-2011 12:03 PM
- Posted similar alerts have several behaviours on Alerting. 03-22-2011 04:54 PM
- Tagged similar alerts have several behaviours on Alerting. 03-22-2011 04:54 PM
- Tagged similar alerts have several behaviours on Alerting. 03-22-2011 04:54 PM
- Tagged similar alerts have several behaviours on Alerting. 03-22-2011 04:54 PM
- Posted Re: no_appending_timestamp behaviour for splunktcp source on Getting Data In. 03-18-2011 08:44 AM
- Posted Re: define custom fixed fields on Splunk Search. 03-18-2011 07:57 AM
- Posted Re: define custom fixed fields on Splunk Search. 03-17-2011 04:36 PM
- Posted define custom fixed fields on Splunk Search. 03-17-2011 03:34 PM
- Tagged define custom fixed fields on Splunk Search. 03-17-2011 03:34 PM
- Posted no_appending_timestamp behaviour for splunktcp source on Getting Data In. 03-17-2011 02:29 PM
- Tagged no_appending_timestamp behaviour for splunktcp source on Getting Data In. 03-17-2011 02:29 PM
- Tagged no_appending_timestamp behaviour for splunktcp source on Getting Data In. 03-17-2011 02:29 PM
- Tagged no_appending_timestamp behaviour for splunktcp source on Getting Data In. 03-17-2011 02:29 PM
- Tagged no_appending_timestamp behaviour for splunktcp source on Getting Data In. 03-17-2011 02:29 PM
- Posted Re: forward data to a syslog server on Getting Data In. 10-29-2010 10:45 PM
- Posted forward data to a syslog server on Getting Data In. 10-29-2010 03:49 PM
- Tagged forward data to a syslog server on Getting Data In. 10-29-2010 03:49 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 |
03-24-2011
12:03 PM
Nevermind, the error was alert.track = 1 , it should be alert.track = auto
... View more
03-22-2011
04:54 PM
When defining different alerts in the etc/user/admin/search/local/savedsearches.conf, some of them work and some don't.
However, searches work for all of them and list events as expected.
Example that works:
[alert1]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "RCG" OR componentsc = "AS" OR componentsc = "VCS") AND actionsc = "ECPRO"
Example that does not work:
[alert2]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
alert.suppress.period = 20s
alert.track = 1
alert.severity = 4
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "AS" OR componentsc = "VCS" OR componentsc = "RCG") AND actionsc = "RBACA" AND (outcomesc = "001" OR outcomesc = "010")
Thanks!
... View more
03-18-2011
08:44 AM
I'm just monitoring files which are a dump of a syslog message, so they already have the original timestamp.
Can I use the something similar?
Thanks
... View more
03-18-2011
07:57 AM
That's what I was looking for.
However, could you post an example for props.conf?
Will the fields by indexed or just used at search time?
Thanks
... View more
03-17-2011
04:36 PM
yes, you are correct
so in your example, fooba could be field2 with 6 characters (note the starting whitespace)
... View more
03-17-2011
03:34 PM
Is there any way to define custom fields which have a fixed size?
For instance:
We can have field definition as:
field 1: 3 characters
field 2: 5 characters
field 3: 120 characters
total: 128 characters
And we'd like to have it separated and be able to search this fields.
Any suggestion?
Thanks
... View more
- Tags:
- field-extraction
03-17-2011
02:29 PM
Scenario:
I want to forward syslog data using a splunk universal forwarder.
However, when it gets to the central splunk server, it has double timestamp and an incorrect host (the splunk forwarder).
Question:
How can I reproduce the same behaviour that the option no_appending_timestamp does for an UPD source but for a SPLUNKTCP source in etc/apps/search/local/inputs.conf?
Solution?:
So far I'm trying using the TRANSFORMS-stripheaders = syslog-header-stripper-ts-host in etc/system/local/props.conf?
Current inputs.conf:
[splunktcp://9997]
sourcetype = syslog
Current props.conf:
[source::...mytest...]
TRANSFORMS-stripheaders = syslog-header-stripper-ts-host syslog-host
... View more
10-29-2010
10:45 PM
The message should look like a standard syslog message (while I was testing I've used the same log that Splunk produces to send it to the syslog server):
$DATE $HOSTNAME $PROCESS[$PID] $MESSAGE
... View more
10-29-2010
03:49 PM
2 Karma
We're trying to forward data to a syslog server from a splunk server.
However, seems that the hostname and process id tags are missing.
We've set up a central splunk server (10.10.40.9), and another splunk server to forward some data to a syslog server (10.10.40.10).
Configurations used:
outputs.conf:
[tcpout]
defaultGroup = 10.10.40.9_9997
[tcpout:10.10.40.9_9997]
server = 10.10.40.9:9997
[tcpout-server://10.10.40.9:9997]
[syslog:localhost_10514]
server = 127.0.0.1:10514
type = tcp
inputs.conf:
[monitor:///var/log]
disabled = false
props.conf:
[host::*]
TRANSFORMS-routing=SYSLOG_FWD
transforms.conf:
[SYSLOG_FWD]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = localhost_10514
example output messages (forwarded splunk output to syslog):
2010-10-29T17:13:05.557347+02:00 10-29-2010 17: 13:04.924 INFO Metrics - group=per_source_thruput, series="/opt/splunk/var/log/splunk/splunkd.log", kbps=2.094271, eps=20.466667, kb=62.828125
2010-10-29T17:13:05.557347+02:00 10-29-2010 17: 13:04.924 INFO Metrics - group=per_source_thruput, series="/opt/splunk/var/log/splunk/splunkd_stderr.log", kbps=0.000684, eps=0.033333, kb=0.020508
example desired output:
2010-10-23T08:29:08.087021+02:00 VCS02 glassfish-log: [#|2010-10-23T08:29:00.584+0200|INFO|glassfish3.0.1|null|_ThreadID=29;_ThreadName=Thread-1;|Total number of available updates : 0|#]
2010-10-24T01:38:48.570726+02:00 VCS02 ntpd[14162]: synchronized to 77.226.252.14, stratum 2
2010-10-24T04:02:08.609446+02:00 VCS02 rsyslogd: [origin software="rsyslogd" swVersion="5.6.0" x-pid="26020" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
... View more
10-29-2010
06:58 AM
props.conf:
[source::/opt/glassfishv3/glassfish/domains/domain1/logs/]
TRANSFORMS-routing = send_to_syslog
transforms.conf:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = INM01
outputs.conf:
[syslog:INM01]
server = 10.10.40.10:10514
type = tcp
The official documentation does not use the REGEX param in the transforms file, however, it didn't work without specifying it.
I've also used the 3 dots (...) in front of the path, but still no luck.
Replacing the source for hostname:: works.
... View more
10-28-2010
04:06 PM
Following the documentation http://www.splunk.com/base/Documentation/latest/admin/Forwarddatatothird-partysystems I've set up a system to forward data to a syslog server.
However, while using a host::hostname works, seems that using source::/path/file or source::/path/directory is not working.
Does it needs to have a monitor defined also?
... View more
- Tags:
- source
