Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About fredclown
fredclown
Path Finder
Member since:
07-17-2013
Online
Community Statistics
| Posts | 22 |
| Solutions | 1 |
| Karma Given | 29 |
| Karma Received | 7 |
| Member Since | 07-17-2013 |
Activity Feed
- Posted Is there a way to dynamically set latest in tstats? on Splunk Search. 8 hours ago
- Karma Re: How to index .ini file? for isoutamo. 8 hours ago
- Karma Re: How to index .ini file? for yeahnah. 8 hours ago
- Karma Re: What's the difference between where and search in the pipeline? for ziegfried. 2 weeks ago
- Posted How to index .ini file? on Getting Data In. 2 weeks ago
- Karma Best way to handle indexes in a clustered environment for dstuder. 2 weeks ago
- Karma Issues With DB Connect identities.conf on Search Head Cluster for dstuder. 2 weeks ago
- Karma How to get the bytes of an indexed event for dstuder. 2 weeks ago
- Karma Can the Cluster Master Also Do Indexer Discovery in the outputs.conf for dstuder. 2 weeks ago
- Karma Can you use the search head deployer as a deployment server for dstuder. 2 weeks ago
- Karma Best Practice for Using Splunk_TA_windows on Workstations and Servers for dstuder. 2 weeks ago
- Karma Dynamically pass SPL to events panel on dashboard for dstuder. 2 weeks ago
- Karma Best Practice for Alert Time Range and Cron Expression for dstuder. 2 weeks ago
- Karma Retain SPL format in a drill down for dstuder. 2 weeks ago
- Karma Can you help me with some questions I have about the metrics.log and _internal index? for dstuder. 2 weeks ago
- Karma Latest set to most recent increment of 5 minutes for dstuder. 2 weeks ago
- Karma Two different earliest values on one dashboard for dstuder. 2 weeks ago
- Karma Compare today vs average of past with a sliding percentage scale for dstuder. 2 weeks ago
- Karma Best Practice For Managing Alerts/Reports/Dashboards/etc. on a Clustered Search for dstuder. 2 weeks ago
- Karma How to configure props.conf TIME_FORMAT to recognize 2 variations of a timestamp? for dstuder. 2 weeks ago
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 3 | |||
| 0 |
8 hours ago
I've done this in the past and it works to get data for today up to the latest 5 minute span, but I'm hoping to speed it up with tstats. index="foo" sourcetype="foo" earliest=-0d@d latest=[|makeresults | eval snap=floor(now()/300)*300 | return $snap]
| stats sum(b) as bytes .... I tried this but it doesn't work. | tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" sourcetype="foo" earliest=-0d@d latest=[|makeresults | eval snap=floor(now()/300)*300 | return $snap]
| .... I could do this potentially but it doesn't seem to be much better and quite frankly is a bit more confusing. | tstats sum(stuff.b)as bytes from datamodel="mymodel.stuff" where index="foo" sourcetype="foo" earliest=-0d@d by _time span=1min
| where _time < floor(now()/300)*300
| rename stuff.* as *
| stats sum(bytes) as bytes .... If there is anyway to do it in the tstats command that would be great ... thoughts?
... View more
2 weeks ago
I have a Windows .ini file that I am wanting to index on every update of the file. Right now when the file is updated it is not being re-indexed. The file doesn't have much data in it ... just about 1K worth of data. Whenever the file is updated not much of the file is changed ... mostly just a couple values referencing the build # for the application it goes with. Ideally, I would like the whole file to be re-indexed every time any change is made to the file. Anyone tried this or have thoughts on it. I guess if all else fails I could do a scripted input on a schedule and do it that way, but that would mean I would not get the updates right away and I would also get lots of useless data since most of the scheduled polls would have no change.
... View more
Labels
- Labels:
-
index
-
inputs.conf
-
monitor
-
universal forwarder
08-12-2015
11:32 AM
Yep, this was the answer.
... View more
08-12-2015
09:40 AM
Ok, after thinking about my question again and trying different search terms I think I found the answer. I think I'm looking for a scripted input. I could set up a shell script and use curl to pull in the data.
... View more
08-12-2015
09:35 AM
I have a JSON feed that I would like to get into Splunk. It is not in a file, however. It is on a web server. Is it possible to set up Splunk to read a JSON feed from a URL, say every minute?
... View more
07-29-2015
02:50 PM
I found where the input is stored ... local/inputs.conf. If I manually change the max_rows value, restart the server, and then don't edit it through the interface would that work?
... View more
07-29-2015
01:19 PM
2 Karma
I am trying to do a db connect input bu the max rows that it will take is 1000000. My query is going to return more than that. Is there a way to up the max rows, or to just tell it to take whatever is returned by the query?
... View more
- Tags:
- Splunk DB Connect
11-26-2014
03:30 PM
I tried mkv and it didn't work.The line break in the returned data was still messing up the field extraction.
... View more
11-13-2014
04:01 PM
I've got a table that I am pulling data into Splunk with DB Connect. I've got the database input and database connection created. I figured I would use Key-Value format for the output format as I have some columns that have multiline data in them and it appears that it is smart enough to figure that out and it quotes the column data and changing literal quotes in the data to escaped quotes. However, when I do searches on the data the multiline fields are being broken at the first line break or escaped quote. I've tried every output format that there is. I'm sure there is a way to fix this, but my hunch is I'm going to have to edit a props.conf file for it as I can't find anything in the interface to tell it how to behave the way I want. Am I correct in this?
... View more
02-27-2014
11:21 AM
I'm trying to write an efficient search to find out the distinct days of events that I have in an index. Basically, I want to be able to see if I am missing data for any days. I could pipe the date in mm/dd/yyyy format to a table and then use dedup, but that is SLOW and my hunch is there is a better and faster way to do it.
... View more
02-12-2014
04:00 PM
By the way I am referring to the dbquery command in the DB Connect App.
... View more
02-12-2014
03:56 PM
1 Karma
So, the title says it all. I was looking in the db connect documentation and didn't see anything that answered this question. My hunch would be no as the data is not indexed, but I just thought I would ask those a bit wiser than me in Splunk.
... View more
01-09-2014
12:18 PM
What happens during indexing if my data were to have key value pairs where the key is the same as one of the default Splunk fields? For instance, say my data looked like this...
_time="2014-01-09 12:15:15" host="myhost" source="mysource" sourcetype="mysourcetype" etc...
... View more
- Tags:
- fieldextraction
12-02-2013
08:30 AM
3 Karma
My data is already coming into splunk lat/lon encoded. I don't need to do any ip geo lookup or anything like that. Each event has a latitude and longitude field. I want to plot each event onto a map. I don't want to group them or do any fancy aggregation. I just pwant oints plottted to a map or maybe possibly a heat map. Is this possible?
... View more
- Tags:
- search
11-14-2013
09:24 AM
We currently have a scripted input into Splunk that is a CSV and we are doing field extractions via regex. This is not super flexible as we want to add fields to the input, but if we change the regex it will work for the new data, but not the historical data. So, instead we want to change our input to be key/value pairs (key="value"). CSV is lean, but inflexible. The key value pairs are more robust, but obviously not very lean. Honestly, we don't care about disk space ... space is cheap. The question is will this affect our daily index license if the keys have the same names as the previous field extractions. Basically, is it file size, or the amount of data that is actually indexed (are these the same thing) that goes toward the daily license? Thanks.
... View more
07-29-2013
09:22 AM
This is exactly what I was looking for and very succinct. Thanks a ton!
... View more
07-26-2013
01:35 PM
I'm trying to write a report that will show me the 1 minute time spans from the last two days where a specific machine had a average CPU utilization (the field is called Value) of 75 or higher. This is what I have so far, but I'm having trouble finishing it. Thanks in advance for any help.
index="perfmon" host="mymachine" collection="CPU Load" counter="% Processor Time" earliest="-2d@d"
... View more
