Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About yg
yg
Explorer
Member since:
04-24-2012
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 04-24-2012 |
Activity Feed
- Karma Re: Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. for martin_mueller. 06-05-2020 12:49 AM
- Got Karma for If the receiver is down, would the data from the Universal Forwarder be lost?. 06-05-2020 12:46 AM
- Posted Re: Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-17-2018 08:03 AM
- Posted Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Tagged Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Tagged Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Tagged Can the "exception" log record that looks different from the regular log records and is spanned across a bunch of lines be indexed as one Splunk event? The whole log goes to the same sourcetype. on Getting Data In. 07-10-2018 05:09 PM
- Posted We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min. on All Apps and Add-ons. 05-18-2018 03:59 PM
- Tagged We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min. on All Apps and Add-ons. 05-18-2018 03:59 PM
- Tagged We set interval = 0 * * * * (cron style) for a new input of Website Monitoring app, but the url is checked every 8 min. on All Apps and Add-ons. 05-18-2018 03:59 PM
- Posted If the receiver is down, would the data from the Universal Forwarder be lost? on Deployment Architecture. 10-19-2012 09:52 AM
- Tagged If the receiver is down, would the data from the Universal Forwarder be lost? on Deployment Architecture. 10-19-2012 09:52 AM
- Posted Re: Is it possible to label somehow the log being forwarded? We use the same sourcetype for a bunch of logs on the same machine. on Getting Data In. 10-18-2012 01:38 PM
- Posted Is it possible to label somehow the log being forwarded? We use the same sourcetype for a bunch of logs on the same machine. on Getting Data In. 10-18-2012 01:31 PM
- Tagged Is it possible to label somehow the log being forwarded? We use the same sourcetype for a bunch of logs on the same machine. on Getting Data In. 10-18-2012 01:31 PM
- Posted Re: TCP data feed issue on Getting Data In. 10-17-2012 09:20 AM
- Posted Re: TCP data feed issue on Getting Data In. 10-16-2012 12:58 PM
- Posted TCP data feed issue on Getting Data In. 10-16-2012 11:31 AM
- Tagged TCP data feed issue on Getting Data In. 10-16-2012 11:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
07-17-2018
08:03 AM
Thank you! It did work. This configuration removed the time from the beginning of the Splunk events but there are system timestamps (_time).
... View more
05-18-2018
10:29 PM
The interval doesn't accept a cron schedule for the Website Monitoring app. Instead, set the cron schedule to the amount of time that corresponds to how often you want the input to run. For example, enter 60s or 1m to get it to run every minute.
... View more
10-19-2012
10:14 AM
1 Karma
What do you mean by Splunk? I believe are you referring to the Splunk Indexers, the answer is maybe. This all depends on your input.
If you are monitoring files the answer is no since the UF will pick up where it left off last. Though that does not protect against in-flight data loss. You can protect against in-flight data lost by using indexer acknowledgment.
If you data is streamed such as raw TCP data or Syslog data, yes you could lose data. There are ways to help protect against that. By using indexer acknowledgement and increasing queueSize on both your input.conf and output.conf files.
If you have multiple indexer you can use the UFs built in Auto Load Balancing feature.
Here is a good post on HA: splunk-disaster-recovery
... View more
10-18-2012
01:38 PM
🙂
Somehow I misunderstood it in the manual for inputs.conf.
Thanks again!
... View more
10-17-2012
09:50 AM
you will need to configure an inputs.conf file on the forwarder to monitor the file location of your log and send it to your splunk server.
in your inputs.conf file on the universal forwarder you would have a stanza something like this:
[monitor:///var/log/logfilename]
sourcetype = logfile
disabled = 0
In this stanza, you basically want to specify the file location of the log file you are monitoring and give it a source type. You can name the sourcetype anything you want, just name it something that makes sense for your environment.
You can deploy this inputs.conf file in a couple of different ways. If you are manually configuring everything, you could locate this file in the /etc/system/local area under the universal forwarder file path. If you wan't more granular control you could deploy this configuration as its own app to the universal forwarder in which case it would live under the /etc/apps/app-name/ area under the universal forwarder file path. You can name the app anything you like, it is good to have a functional naming scheme so you know what your apps do just by looking at them. This gets into a whole other area of splunk configurations. A good guide to look through is the splunk "Getting Data in Correctly" guide.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
