Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About sudosplunk
sudosplunk
Motivator
Member since:
10-16-2018
06-05-2020
Community Statistics
| Posts | 333 |
| Solutions | 33 |
| Karma Given | 4 |
| Karma Received | 74 |
| Member Since | 10-16-2018 |
Activity Feed
- Got Karma for Re: Is there a way to periodically restart Splunk?. 11-10-2024 02:58 PM
- Got Karma for Re: Replication Factor with N+1 indexer. 05-21-2024 02:59 PM
- Got Karma for Re: How to use blacklist in inputs.conf?. 01-21-2023 07:02 PM
- Got Karma for Re: Replication Factor with N+1 indexer. 07-04-2022 05:43 AM
- Got Karma for Re: How to extract fields using regex in transforms.conf?. 02-02-2022 02:09 AM
- Got Karma for Re: How to export to csv the search results which used base search?. 01-05-2022 01:29 AM
- Got Karma for Re: How to escape double backslash in rex/regex command?. 09-17-2021 06:21 AM
- Got Karma for Re: How can I override sourcetype and redirect to another index?. 09-13-2021 07:18 AM
- Got Karma for Re: Can you help me extract fields from apache:access logs?. 07-01-2021 12:25 PM
- Got Karma for Splunk DB Connect App: How to troubleshoot why db input fails to fetch results sometimes?. 02-01-2021 11:05 AM
- Got Karma for Re: What is the difference between Splunk Enterprise and Splunk Enterprise Security ?. 11-13-2020 11:28 AM
- Got Karma for Re: How to extract fields using regex in transforms.conf?. 09-11-2020 01:33 AM
- Got Karma for Re: After editing monitoring console in a distributed system, why does the search head(SH) server shows both as an indexer and SH?. 08-11-2020 10:13 AM
- Karma Re: _TCP_ROUTING for Heavy Forwarder for ddrillic. 06-05-2020 12:50 AM
- Got Karma for Re: Is a dead SHC member expected to cause a batch of missed scheduled searches?. 06-05-2020 12:50 AM
- Got Karma for Re: What is the best way to see all the role permissions assigned to each index?. 06-05-2020 12:50 AM
- Got Karma for Re: How do you count the number of unique values in a field to return in a new table?. 06-05-2020 12:50 AM
- Got Karma for Re: How do I combine multiple rex commands into a single one?. 06-05-2020 12:50 AM
- Karma Re: Problem with tokens and earliest/latest for svendby90. 06-05-2020 12:49 AM
- Got Karma for Re: How can I override sourcetype and redirect to another index?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 |
07-31-2018
09:54 AM
That's right.
Please note: If you have more than one groups as below, then splunk will send events to defaultGroup (indexers_group1) if _TCP_ROUTING is not specified for data inputs in inputs.conf
[tcpout]
defaultGroup = indexers_group1
[tcpout:indexers_group1]
server = <indexer1>:9997
[tcpout:indexers_group2]
server = <indexer2>:9997
### inputs.conf ###
_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
The tcpout group names are defined in outputs.conf with
[tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in
outputs.conf.
* To forward data to all tcpout group names that have been defined in
outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be
set to either "*" or a specific splunktcp target group.
... View more
07-31-2018
09:22 AM
Agreed! That's why I started my answer with "If you know the value of the field beforehand". But I wanted to see if there are any other possible solutions before giving up. Thank you.
... View more
07-31-2018
09:19 AM
Hello,
You can try including the text you want into the Email footer under settings -> Server settings (in 'SYSTEM' section) -> Email settings which would look like this.
... View more
07-31-2018
09:08 AM
Give this a try |spath output=_raw | table *
If you want to extract multiple values, have a look here.
... View more
07-31-2018
08:25 AM
[tcpout-server://x.x.x.x] is just a more specific way of defining destination host(indexer). Both definitions will work fine but [tcpout-server://x.x.x.x] will take precedence.
Per docs,
############
TCP Output stanzas
############
# There are three levels of TCP Output stanzas:
# * Global: [tcpout]
# * Target group: [tcpout:<target_group>]
# * Single server: [tcpout-server://<ip address>:<port>]
#
# Settings at more specific levels override settings at higher levels. For
# example, an attribute set for a single server overrides the value of that
# attribute, if any, set at that server's target group stanza. See the
# online documentation on configuring forwarders for details.
#
# This spec file first describes the three levels of stanzas (and any
# attributes unique to a particular level). It then describes the optional
# attributes, which can be set at any of the three levels.
#----TCP Output Global Configuration -----
# The global configurations specified here in the [tcpout] stanza can be
# overwritten in stanzas for specific target groups, as described later.
# Note that the defaultGroup and indexAndForward attributes can only be set
# here, at the global level.
#
# Starting with 4.2, the [tcpout] stanza is no longer required.
... View more
07-31-2018
08:21 AM
Did you define TRUNCATE=0 under same stanza as your sourcetype or source? The reason I am asking this is to see if there are any precedence issues.
... View more
07-31-2018
08:09 AM
2 Karma
In linux/unix, you can do this by running scripts with cron schedule. Please be sure to modify per your needs.
Below are the two scripts which I use:
This script should be invoked from deployment server.
reload_deploy_server.sh
#!bin/bash
## Variables
date=`date +%Y-%m-%d:%H:%M:%S`
user=`whoami`
hostname=`hostname`
info='INFO'
error='ERROR'
success='SUCCESS'
fail='FAIL'
reload_deploy='reload'
workdir='/opt/splunk/scripts/'
logfile='/opt/splunk/logs/log_for_scripts.log'
userpass='your_admin_password'
## writes event in log file.
echo -e "$(date +%Y-%m-%d:%H:%M:%S) $info $user $hostname $reload_deploy msg=\"Initiated reload deploy-server\"" >> $logfile
/opt/splunk/bin/splunk reload deploy-server -auth admin:$userpass --answer-yes
if [ $? -eq 0 ];
then
echo -e "$(date +%Y-%m-%d:%H:%M:%S) $info $success $user $hostname STATUS msg=\"Reloading server classes\"" >> $logfile
else
echo -e "$(date +%Y-%m-%d:%H:%M:%S) $error $fail $user $hostname STATUS msg=\"Encountered some errors while reloading server classes\"" >> $logfile
fi
This script should be invoked from UFs.
restart_splunk.sh
## Variables
date=`date +%Y-%m-%d:%H:%M:%S`
user=`whoami`
hostname=`hostname`
info='INFO'
error='ERROR'
success='SUCCESS'
fail='FAIL'
restart='restart'
workdir='/opt/splunk/scripts/'
logfile='/opt/splunk/logs/log_for_scripts.log'
/opt/splunk/bin/splunk restart --answer-yes
/opt/splunk/bin/splunk status
if [ $? -eq 0 ];
then
echo -e "$(date +%Y-%m-%d:%H:%M:%S) $info $success $user $hostname STATUS msg=\"Splunk is running\"" >> $logfile
else
echo -e "$(date +%Y-%m-%d:%H:%M:%S) $error $fail $user $hostname STATUS msg=\"Splunk is not running\"" >> $logfile
fi
Once scripts are in place, configure the crontab as below:
## Deployment server
0 7 * * 1 /opt/splunk/scripts/reload_deploy_server.sh
## Universal forwarders
0 7 * * 1 /opt/splunk/scripts/restart_splunk.sh
... View more
07-31-2018
07:28 AM
Actually, the value in the 2nd ($2) capturing group in REGEX is assigned as index value because, DEST_KEY specifies where Splunk stores the expanded FORMAT results in accordance with the REGEX match. Be sure to push these changes to UF, HF (if any) and indexers.
... View more
07-31-2018
07:03 AM
Give this a try. I did not test it.
[routing_based_on_field_values]
REGEX = \{\s?\"(name)\"\:\"(\w+)\"\}
DEST_KEY = _MetaData:Index
FORMAT = $2
... View more
07-31-2018
06:35 AM
I think we can try modifying transforms.conf a little and see if it works. Can you provide some sample events and tell me what value should be extracted.
... View more
07-31-2018
06:25 AM
I think the default values of [kv] (Key-value) are the reason for truncation. According the limits.conf, below are the default values. Check if any of these apply to "richiesta".
avg_extractor_time = <integer>
* Maximum amount of CPU time, in milliseconds, that the average (over search
results) execution time of a key-value pair extractor will be allowed to take
before warning. Once the average becomes larger than this amount of time a
warning will be issued
* Default: 500 (.5 seconds)
limit = <integer>
* The maximum number of fields that an automatic key-value field extraction
(auto kv) can generate at search time.
* If search-time field extractions are disabled (KV_MODE=none in props.conf)
then this setting determines the number of index-time fields that will be
returned.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
'linecount', 'splunk_server', and 'splunk_server_group' do not count against
this limit and will always be returned.
* Increase this setting if, for example, you have indexed data with a large
number of columns and want to ensure that searches display all fields from
the data.
* Default: 100
maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Default: 10240 characters
maxcols = <integer>
* When non-zero, the point at which kv should stop creating new fields.
* Default: 512
max_extractor_time = <integer>
* Maximum amount of CPU time, in milliseconds, that a key-value pair extractor
will be allowed to take before warning. If the extractor exceeds this
execution time on any event a warning will b
Just a note...The longer and more complicated your events, the more you would get out of hand coding the field extractions. The auto extractor, while "correct", does not necessarily produce the most efficient regular expressions for the data.
... View more
07-31-2018
05:40 AM
What do you mean by "a part of xml". Like, only richiesta field has xml data and the raw event is just text?
... View more
07-31-2018
05:34 AM
For the .log.date files, file type is not Text document . Can you open and read the files with date extension. If yes, then above monitor stanza should work as it is using *.log* which matches all files under dd directory.
... View more
07-31-2018
05:24 AM
If you want to extract values at search-time, you use spath command like this: search xxxx | spath input=richiesta . This strips all xml fields automatically. More info here.
If this is not what you're looking, then please provide some sample events and I can help you with regular expressions to extract fields using props.conf.
... View more
07-30-2018
02:37 PM
Hello, below is described in docs, and it is working for me. I would say, please go through this documentation and look for if's and but's to figure out why you can't access macros and lookups from "Reassign Knowledge Objects" page.
The Reassign Knowledge Objects page in Settings is the only orphaned knowledge object detection method that detects all knowledge objects (not just searches, reports, and alerts). However, it can only find knowledge objects that have been shared to the app or global levels.
... View more
07-30-2018
01:07 PM
There is probably a better way of answering this but here are my two cents.
The short answer to your question is yes, splunk ES contains all features of splunk enterprise and additional advanced security features. We can't do proper comparison between ES and splunk enterprise because ES is a fully fledged premium application designed around event correlation, management, and response while splunk enterprise is a software where you will install ES.
You can find more description about ES features here.
... View more
07-30-2018
12:03 PM
Hello,
This could be your main index. Search index=main to see if it has any data.
The main index, by default, holds all your events. It also serves as the default index for any inputs or search commands that don't specify an index name. Meaning, if you do not specify index name either by inputs.conf or transforms.conf, then splunk will make use of default (main) index to store the events. I came across below setting in indexes.conf which explains why it displays as default instead of main.
defaultDatabase = <index name>
* If no index is specified during search, Splunk searches the default index.
* The specified index displays as the default in Splunk Manager settings.
* Defaults to "main".
Run index=main | stats values(source) by host sourcetype search and note the list of the all the sources and hosts. Track the monitor stanzas which are configured for these sources and define desired index name to avoid landing of events into the main index.
... View more
07-30-2018
11:36 AM
2 Karma
Hello,
I did not realize that I am posting the same answer until I refreshed the browser. But anyway,
Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
extractor from running or "CURRENT" to assign the current system time to
each event.
* "CURRENT" will set the time of the event to the time that the event was
merged from lines, or worded differently, the time it passed through the
aggregator processor.
* "NONE" will leave the event time set to whatever time was selected by
the input layer
* For data sent by splunk forwarders over the splunk protocol, the input
layer will be the time that was selected on the forwarder by its input
behavior (as below).
* For file-based inputs (monitor, batch) the time chosen will be the
modification timestamp on the file being read.
* For other inputs, the time chosen will be the current system time when
the event is read from the pipe/socket/etc.
* Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
identification, so the default event boundary detection
(BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When
using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* ,
MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).
... View more
07-30-2018
10:42 AM
If you're looking for free education, you can refer to splunk docs for definitions of commands and practice them yourself.
Or there is an amazing Advanced Search and Reporting with Splunk course offered by splunk. Coursework is really good and you will get to do labs. More info here: https://www.splunk.com/view/SP-CAAAH3M
PS: I think others may have more good resources.
... View more
07-30-2018
10:27 AM
If you know the value of the field beforehand, using props.conf and transforms.conf , you can achieve this. Please provide some sample data to perform regex matching and your use case with examples. Otherwise, below is the basic structure of configuration settings for routing events.
Props.conf:
[your_custom_sourcetype]
TRANSFORMS-routing = routing_based_on_field_values
Transforms.conf:
[routing_based_on_field_values]
REGEX = <your_custom_regex>
DEST_KEY = _MetaData:Index
FORMAT = <field_value_for_index_name>
You can find more information in below links, let me know if this helps.
http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index
https://answers.splunk.com/answers/566448/route-specific-events-to-a-relative-index.html
... View more
07-30-2018
09:57 AM
Hello,
Short answer is no. Please have a look at my other answer for workaround.
https://answers.splunk.com/answers/673824/index-exported-evt-evtx-files.html
... View more
07-30-2018
08:31 AM
1 Karma
Hello,
Please run below search to first check fields are extracted from all events (both short and long).
your_search...
| rex field=_raw "(?m).*dump\sto\sfile\:\s(?<AVL_DUMP>.+)[\r\n]App"
| rex field=_raw "(?m).*App\:\s(?<AVL_Prog>.+)P"
| rex field=_raw "(?m).*exception\shandler\:\s(?<AVL_Exec_handle>.+)[\r\n]?When"
| rex field=_raw "(?m).*Reason\:\s(?<AVL_Reason>.+)[\r\n]?Register"
If it is working, then use below extractions in your props.conf
EXTRACT-AVL_Dump = (?m).*dump\sto\sfile\:\s(?<AVL_Dump>.+)[\r\n]App
EXTRACT-AVL_Prog = (?m).*App\:\s(?<AVL_Prog>.+)P
EXTRACT-AVL_Exc_handle = (?m).*exception\shandler\:\s(?<AVL_Exec_handle>.+)[\r\n]?When
EXTRACT-AVL_Reason = (?m).*Reason\:\s(?<AVL_Reason>.+)[\r\n]?Register
Also for pasting special text into questions/comments, please use "Code Sample" option (101010 icon OR ctrl+k shortcut)
... View more
07-30-2018
07:44 AM
Hello,
Not sure if you were able to fix this but are you using "Alert Manager" app from splunkbase? If yes, what is the version of the app?
Looks like the new version 2.2.2 has enhanced support for search head cluster.
... View more
07-30-2018
06:48 AM
As @jplumsdaine22 suggested, please provide more information for more accurate answers. Meanwhile, try something like this:
index=your_index sourcetype=first_sourcetype OR sourcetype=second_sourcetype fieldname=common_field_value
... View more
07-30-2018
06:24 AM
Splunk blog has really amazing information about how much license you should buy and the factors to estimate data ingestion. Have a look..,
https://www.splunk.com/blog/2016/05/06/what-size-should-my-splunk-license-be.html
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
