Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About peter_gianusso
peter_gianusso
Communicator
Member since:
05-01-2012
06-05-2020
Community Statistics
| Posts | 66 |
| Solutions | 6 |
| Karma Given | 5 |
| Karma Received | 8 |
| Member Since | 05-01-2012 |
Activity Feed
- Karma Re: timechart only business hours for somesoni2. 06-05-2020 12:48 AM
- Karma Re: timechart only business hours for jkat54. 06-05-2020 12:48 AM
- Karma Re: How to properly parse timestamps in Splunk for some text log files in a directory that have dates without a year? for cpetterborg. 06-05-2020 12:47 AM
- Karma Re: Searching splunkd.log for adylent. 06-05-2020 12:46 AM
- Karma Re: Moving the _audit index for jtrucks. 06-05-2020 12:46 AM
- Got Karma for Comments in inputs.conf. 06-05-2020 12:46 AM
- Got Karma for Re: UNC Path with $ sign. 06-05-2020 12:46 AM
- Got Karma for Re: Renaming Host Dynamically. 06-05-2020 12:46 AM
- Got Karma for Re: Network latency. 06-05-2020 12:46 AM
- Got Karma for PROCESS Search error message. 06-05-2020 12:46 AM
- Got Karma for Max Bucket Size warning. 06-05-2020 12:46 AM
- Got Karma for Max Bucket Size warning. 06-05-2020 12:46 AM
- Got Karma for Searching splunkd.log. 06-05-2020 12:46 AM
- Posted Re: timechart only business hours on Splunk Search. 03-14-2016 11:50 AM
- Posted Re: timechart only business hours on Splunk Search. 03-14-2016 11:50 AM
- Posted timechart only business hours on Splunk Search. 03-14-2016 11:21 AM
- Posted Re: How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs? on Getting Data In. 07-21-2015 01:20 PM
- Posted How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs? on Getting Data In. 07-21-2015 12:08 PM
- Tagged How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs? on Getting Data In. 07-21-2015 12:08 PM
- Tagged How to troubleshoot why my Windows universal forwarder stopped forwarding Windows application event logs? on Getting Data In. 07-21-2015 12:08 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 0 |
07-21-2015
01:20 PM
Seems to have something to do with the use of current_only = 1. I removed that and everything started working again.
... View more
11-13-2014
12:20 PM
i just want newly indexed data to be correctly timestamped.
I figured out that props.conf can be configured to look at only certain sourcetypes. So I added a section for the specific file's source type and added TIME_FORMAT = %m/%d %h:%m:%s
It looks like that doesn't hurt anything.
Bizarrely, it looks like Splunk was processing the date time correctly until 10/31. After 10/31 it did not processing any events correctly until today.
It started processing the date/time stamp correctly today so I can't tell if what I did works or your suggestion will work!!!
Thanks for your help!!
... View more
02-20-2014
08:28 AM
1 Karma
something like this should work. If you get any result means forwarders are sending data.
index=IndexWhereForwSendingData host=yourhost1 OR host=yourhost2
... View more
11-11-2013
10:59 AM
1 Karma
create $SPLUNK_HOME/etc/system/local/indexes.conf and add these lines:
[_audit]
homePath = $SPLUNK_DB/audit/db
coldPath = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary
Change the paths as you wish. Stop splunk, copy/move the files to the new location, start splunk.
... View more
10-31-2013
09:59 AM
2 Karma
Try this:
index=_internal sourcetype=splunkd |
stats count by log_level
... View more
10-31-2013
09:01 AM
Simple (but inefficient) solution:
index=ili_imaging_index earliest=-1d@d latest=@d | stats count
Somewhat more complex but much faster solution: run this scheduled search at midnight every day:
| metadata type=hosts index=ili_imaging_index | stats sum(totalCount) as totalCount
Enable summary indexing for this search, then use the difference between the totalCount values for two consecutive days to calculate how many events were indexed.
... View more
10-25-2013
02:59 PM
yes - it says that is in the main index (this is the default index).
you should probably look in either of these places
/opt/splunk/etc/apps/ /local/indexes.conf
/opt/splunk/etc/slave-apps/ /local/indexes.conf
/opt/splunk/etc/system/local/indexes.conf
note that for , you'll need to look in all apps in these directories.
The problem seems to be that you have configured a maximum size for the entire index to be 1GB, whereas the maximum size for any bucket within the index is at 10 GB. Thus - as soon as a hot bucket is rolled to warm, it will be frozen (most likely deleted).
/K
... View more
12-05-2013
07:33 AM
Make sure that the permissions of var/run and var/spool (and all their children) are correct. We found that ours had no permissions and adding these permissions fixed this issue, but not for all new search logs, they are created with no permissions and I think this is the issue. No knowing what causes this.
We found this to be an issue with our anti-virus locking files as they were created in the directories:
If this solves your problem, feel free to vote up sciurus post.
http://answers.splunk.com/answers/113539/error-spamming-splunkdlog-error-process_search
... View more
08-07-2013
04:38 PM
If there's a way for you to export that data out to a flat file, Splunk could pull that in and monitor that way.
Unfortunately, that data does not go into the Windows event log to be pulled via WMI, so Splunk is unable to get it remotely.
... View more
08-02-2013
06:37 AM
I was going to suggest using followTail, but the docs state that:
"* DO NOT leave followTail enabled in an ongoing fashion."
I wasn't sure how much of a negative effect it would have to leave it enabled for 8 hours a day.
Thoughts?
... View more
08-17-2015
11:19 AM
Agreed. It would be great to be able to have an option for time range of "automatic". If you then set the search to run every 10 minutes, it should set the time earliest time to -10m + max latency over the last period for the sourcetypes that will be used in the search. Splunk, can you make this a feature??
... View more
04-22-2016
05:37 AM
index=WhatYouChoose "OmniKrnlService.main" earliest=-0d@d latest=-0d@d+510m | stats count | eval Flag=if(count>0,1,0) | search Flag=1
This would have you searching between midnight and 8:30am each day, but there isn't a solid way to decimal point it
(510 minutes from midnight is 8:30am)
| search Flag=1 would mean you found results
| search Flag=0 would mean you did not find results
... View more
03-21-2013
12:55 PM
As in most cases, the answer is "It Depends". Particularly on what type of props.conf parameters you are talking about.
Perhaps a look here can help;
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/Kristian
... View more
03-21-2013
10:39 AM
this answers the question
http://splunk-base.splunk.com/answers/4661/why-is-my-sourcetype-auto-classified-as-too_small
... View more
03-19-2013
12:23 PM
1 Karma
A much quicker and more efficient approach would be to use the metadata command instead (if these sourcetypes you define have gotten events at least at some point).
| metadata type=sourcetypes | search sourcetype="PROD_FIC_NJ_OMNI_LOG" OR sourcetype="PROD_HODA_MN_OMNI_LOG" OR sourcetype="PROD_HODA_PA_OMNI_LOG" OR sourcetype="PROD_NBCAP_OMNI_LOG" | where lastTime<now()-14400
... View more
03-11-2013
01:37 PM
2 Karma
Events indexed in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*
Top 5 sourcetypes in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series
Top 5 alerts emailed in last 7 days
index=_audit action=alert_fired | top limit=5 ss_name
Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes, they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search
Choose a visualization you like from the samples, replace the search with the ones above and away you go ..
Because my simplexml-fu is weak
Example :
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Throughput Summary</label>
<row>
<chart>
<searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Indexed Events</title>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
</chart>
</row>
<row>
<table>
<searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -count | head 5 | rename series as Sourcetype</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Sourcetype by Volume</title>
</table>
</row>
<row>
<table>
<searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Alert Generating Searches</title>
</table>
</row>
</dashboard>
And because advanced XML is better
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>Throughput Summary</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
<param name="charting.chart">column</param>
<param name="charting.chart.stackMode">stacked</param>
<module name="JSChart"/>
</module>
<module name="HiddenPostProcess">
<param name="search">addtotals | fields _time Total </param>
<module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</view>
... View more
12-11-2012
06:35 AM
1 Karma
I'm not suggesting you aren't, but when you schedule a savedsearch are you allowing a few minutes for each search? e.g. each one runs -13m@m to -3m@m, instead of -10m to now?
... View more
12-07-2012
02:03 PM
this works
index = ili_imaging_index| eval latency =_time - _indextime| stats sum(latency) by host
... View more
11-01-2012
04:20 PM
There is another answer on this:
http://splunk-base.splunk.com/answers/517/how-to-search-recent-alerts-fired-by-splunk
index=_audit action=alert_fired | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table trigger_time ss_name severity
... View more
10-16-2012
09:07 AM
actually the timechart by host will return a table like :
timestamp host1 host2 host3
therefore there is not count columns to filter on.
try to replace by
| bucket _time span=20m | stats count by _time host
that will return a table like
timestamp count host
... View more
11-08-2012
02:03 PM
eper Splunk support, not possible
... View more
09-17-2012
12:40 PM
Sorry...Should have stated I wanted to append the source type from the props.conf to the actual host name. The appending of the 2 would be the source name I wanted.
I don't think doing that in inputs.conf will do that because props.conf has not been executed.
... View more
