Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About yg
yg
Explorer
Member since:
04-24-2012
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 04-24-2012 |
Activity Feed
- Karma Re: Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. for martin_mueller. 06-05-2020 12:49 AM
- Got Karma for If the receiver is down, would the data from the Universal Forwarder be lost?. 06-05-2020 12:46 AM
- Posted Re: Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-17-2018 08:03 AM
- Posted Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Tagged Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Tagged Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Tagged Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Posted We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min. on All Apps and Add-ons. 05-18-2018 03:59 PM
- Tagged We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min. on All Apps and Add-ons. 05-18-2018 03:59 PM
- Tagged We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min. on All Apps and Add-ons. 05-18-2018 03:59 PM
- Posted If the receiver is down, would the data from the Universal Forwarder be lost? on Deployment Architecture. 10-19-2012 09:52 AM
- Tagged If the receiver is down, would the data from the Universal Forwarder be lost? on Deployment Architecture. 10-19-2012 09:52 AM
- Posted Re: Is it possible to label somehow the log being forwarded? We use the same sourcetype for a bunch of logs on the same machine. on Getting Data In. 10-18-2012 01:38 PM
- Posted Is it possible to label somehow the log being forwarded? We use the same sourcetype for a bunch of logs on the same machine. on Getting Data In. 10-18-2012 01:31 PM
- Tagged Is it possible to label somehow the log being forwarded? We use the same sourcetype for a bunch of logs on the same machine. on Getting Data In. 10-18-2012 01:31 PM
- Posted Re: TCP data feed issue on Getting Data In. 10-17-2012 09:20 AM
- Posted Re: TCP data feed issue on Getting Data In. 10-16-2012 12:58 PM
- Posted TCP data feed issue on Getting Data In. 10-16-2012 11:31 AM
- Tagged TCP data feed issue on Getting Data In. 10-16-2012 11:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
07-17-2018
08:03 AM
Thank you! It did work. This configuration removed the time from the beginning of the Splunk events but there are system timestamps (_time).
... View more
07-10-2018
05:09 PM
Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype.
To split the events I used in props.conf
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
Although all the regular info-level log records have the timestamps, without this configuration some log records would be merged together into the same Splunk event probably because of the very high data density coming from this log.
Here is the issue:
Sometimes the log would have an "exception" record spanned across multiple lines with the lines number 2 and after not having the timestamp in them but they mostly would start with "\sat\s" pattern. It would look like this:
<info-level record>
<the start of the exception record>
<tab>at ...
<tab>at ...
<tab>at ...
<tab>at ...
<info-level record>
<info-level record>
I added
MUST_NOT_BREAK_BEFORE = \sat\s
to the sourcetype stanza but it didn't help and the exception was broken into multiple Splunk events after the indexing.
Is there a way to keep the exception as one Splunk event without affecting the regular info-level log records?
Thank you.
... View more
05-18-2018
03:59 PM
We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min.
The app version is 1.4.0.
Thank you.
... View more
10-19-2012
09:52 AM
1 Karma
If the receiving Splunk is down for some time, would Universal Forwarder keep sending and the data would be lost or it wouldn't be?
Thank you.
... View more
- Tags:
- the
10-18-2012
01:38 PM
🙂
Somehow I misunderstood it in the manual for inputs.conf.
Thanks again!
... View more
10-18-2012
01:31 PM
By default in this situation Splunk adds a suffix to the sourcetype in the main Splunk (the receiver) such as
some_sourcetype
some_sourcetype-2
some_sourcetype-3
...
But it would be really helpful either to create a label for the forwarded log or get the log name itself with a full path (same thing that goes into [monitor://...] in inputs.conf).
Please let me know if there is a way.
I am using Universal Forwarder on Linux.
Thanks a lot!
... View more
- Tags:
- sourcetype
10-17-2012
09:20 AM
I just installed Splunk Universal Forwarder to the remote machine and added forwarding to my Splunk primary server through the opened port for the TCP data feed with
splunk add forward-server :
How do I start forwarding the log info from the remote server? What is the syntax? For some reason I was unable to find.
I am running it on 64-bit Linux.
Thank you.
... View more
10-16-2012
12:58 PM
I am sending the data with
tail -F | nc -v
By record being broken I mean a partial record. As far as I see, they're chopped off from the beginning in various places. I don't see the missing parts of the records so I am not sure if they're lost or appear on some other pages.
... View more
10-16-2012
11:31 AM
1 out of 20 records is broken with TCP connection from geographically distant locations such as Japan. No problem when connecting from the US servers. From London: about 1 out of 40.
Does it have anything to do with buffering the complete record before writing it to the Splunk database when the packets of the TCP/IP connection are being resent?
Thank you.
... View more
- Tags:
- tcp
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
