Activity Feed
- Karma Why do standard navigation menu items disappear on custom dashboards? for greg. 06-05-2020 12:47 AM
- Karma Re: Splunking bash_history for echalex. 06-05-2020 12:46 AM
- Karma Re: Execute a script on the node itself for yannK. 06-05-2020 12:46 AM
- Got Karma for Make Splunk stop learning sourcetypes!. 06-05-2020 12:46 AM
- Got Karma for Splunking bash_history. 06-05-2020 12:46 AM
- Posted Re: Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-18-2015 12:42 AM
- Posted Re: Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 06:11 AM
- Posted Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 02:39 AM
- Tagged Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 02:39 AM
- Tagged Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 02:39 AM
- Tagged Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 02:39 AM
- Tagged Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 02:39 AM
- Tagged Why is the default y-axis chart height setting itself to 100 in Splunk 6.3.1? on Splunk Search. 12-17-2015 02:39 AM
- Posted Re: Why do standard navigation menu items disappear on custom dashboards? on Splunk Search. 08-09-2015 11:48 PM
- Posted Re: Why do standard navigation menu items disappear on custom dashboards? on Splunk Search. 08-04-2015 01:43 AM
12-18-2015 12:42 AM
A temporary solution would be to manually put in "auto" as text when you need it to be auto. Leaving it blank won't do the trick.
Basically, it now defaults to 100 if blank, not auto.
12-17-2015 06:11 AM
This might be a problem with the Python version running on RHEL6.
12-17-2015 02:39 AM
Both I and other people using the same Splunk search head see this. The default charting.axisY2.maximumNumber sets itself to 100 in the view for charts.
If I remove it manually, it works and starts to use auto, but only until I refresh the chart, create another chart, or just browse around.
If I have a chart in a dashboard, there is no way for me to make it be auto when I view the dashboard. It sets itself to 100, and a minimum value of 0. If I look at the XML for the dashboard, I can see that charting.axisY2.maximumNumber is set to auto.
I have looked around for settings defining this, and tried to find an answer online, but I can't find anyone who has had the same problem.
Splunk version: 6.3.1
Build: f3e41e4b37b2
I have tried to reproduce this on another Splunk I have access to, and it doesn't behave this way. The one I tried was version 6.3.0.
08-09-2015 11:48 PM
Did you find anything out @ludoz13?
08-04-2015 01:43 AM
Did you figure out what did this? I have the same problem now, and it annoys the hell out of me! Peeking around, I found another app that does the same; the ... looks about the same, and the navigation's default.xml looks the same, but its menu works.
02-26-2013 04:36 AM
3 Karma
Hi
In this setup, we have servers for each universal forwarder -> forwarder -> indexer -> search head.
I am testing adding Linux logs (/var/log) to Splunk, but I won't pollute the Splunk indexer with -any- learned sourcetypes. If Splunk can't figure out the sourcetype based on its rules, the sourcetype should be set to 'linux_logs_unknown'.
We have managed to get rid of all the XXX-too_small entries by putting this in the props.conf on the universal forwarders:
[too_small]
PREFIX_SOURCETYPE = False
But I am still getting sourcetypes of e.g. smbd-5 for source=/var/log/samba/smbd.log,
and sourcetype=wb-DOMAIN.log for source=/var/log/samba/wb-DOMAIN.log.
Note that this problem is not only for samba; it's for everything under /var/log.
I am still somewhat new to Splunk, so please give examples 🙂
10-09-2012 12:19 AM
Thanks for the suggestions! I think I am ending up with a solution that stores the alerts in a central location, with cron jobs running on the nodes themselves to pick them up once a minute. Feels really hackish, unstable and ugly though. 😞
10-09-2012 12:12 AM
I want to implement this in a very strict environment, so there is no API I can easily reach. Having the files on the search head will break the other planned scripts populating this log.
10-08-2012 05:31 AM
We have a split environment where we are using another tool to take care of typical monitoring like CPU, disk, memory usage and so on. This other tool is also used to generate stats, create incidents, decide if someone has to be woken up in the middle of the night and so on.
This wonderful tool can also watch logs, so my plan is that Splunk (and maybe some other custom scripts running in cron) logs alerts for this tool to a single log file. In other words, if "TIMESTAMP Critical A custom message here" is logged to the file /var/log/something.alerts, someone will/should be called.
My problem is that creating an alert using savedsearches and action.script will only run on the search head itself.
Is it possible to:
- Create a Splunk alert that populates a log on the universal forwarders themselves.
- Do parsing (savedsearches logic) based on rules in my inputs.conf on the UF?
- insert more elegant solution here
- Tags:
- script
09-28-2012 05:17 AM
Thanks, I was able to create my own regex, but yours was more elegant.
Added this to props.conf
[bash_history]
EXTRACT-command = #\d+\n(?P<command>.*)$
09-28-2012 02:57 AM
I thought there was an easier, more elegant way. We are using Puppet, so I think I am ending up with a custom fact generated on the server every hour or so, and then Puppet can generate the inputs.conf based on that.
Thanks anyway 🙂
09-28-2012 02:48 AM
Thanks! That worked just like advertised! I am using monitor, so I ended up using props.conf.
As a bonus question, is there an easy way to create a field for the 2nd line in the event? I want a field named command, but I am not that familiar with how regex works with multiline in Splunk. How can I use re.MULTILINE?
09-27-2012 03:11 AM
4 Karma
Hi
I am trying to add the bash_history file but have run into some problems.
The bash_history is timestamped (but not my very oldest entries)
The timestamp is placed above the command, in the format #12345678 (unix-time)
Old entries get pushed out (after e.g. 2000 entries).
Example entries:
cd /root/backup
ls -la
nano /root/.bashrc
exit
#1348736649
ls
#1348736654
cd /etc
#1348737978
ps aux
How can I make Splunk index this nicely? And is there a way I can include both /root/.bash_history and /home/.../.bash_history in the same stanza? Or even better, populate the files included from /etc/passwd (or a script)?
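As an added example that is not part of this thread or of Splunk itself, a small Python parser for the bash_history layout described in the question above (a "#<epoch>" line before each command, with the oldest entries untimestamped), plus the EXTRACT-command regex from the props.conf reply further up applied to one two-line event. The sample history and the function names are constructed for this example.

```python
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Constructed sample modelled on the entries in the post above: with HISTTIMEFORMAT
# set, bash writes a "#<epoch>" line before each command; the oldest lines have none.
SAMPLE_HISTORY = """cd /root/backup
ls -la
nano /root/.bashrc
exit
#1348736649
ls
#1348736654
cd /etc
#1348737978
ps aux
"""

TIMESTAMP_LINE = re.compile(r"^#(\d+)$")
# The same pattern the reply above places in props.conf as EXTRACT-command.
EXTRACT_COMMAND = re.compile(r"#\d+\n(?P<command>.*)$")

class HistoryEvent(NamedTuple):
    epoch: Optional[int]  # None for legacy entries written before HISTTIMEFORMAT was set
    command: str

def parse_bash_history(text: str) -> List[HistoryEvent]:
    """Split a .bash_history file into one (epoch, command) event per command."""
    # A "#<epoch>" line timestamps the command on the following line; a command
    # with no such line directly before it is an un-timestamped legacy entry.
    events: List[HistoryEvent] = []
    pending_epoch: Optional[int] = None
    for line in text.splitlines():
        match = TIMESTAMP_LINE.match(line)
        if match:
            pending_epoch = int(match.group(1))
        elif line.strip():
            events.append(HistoryEvent(pending_epoch, line))
            pending_epoch = None
    return events

def extract_command(event_text: str) -> Optional[str]:
    """Apply the props.conf EXTRACT-command regex to the raw text of one event."""
    match = EXTRACT_COMMAND.search(event_text)
    return match.group("command") if match else None

def event_time_utc(epoch: int) -> str:
    """Render a bash_history epoch as an ISO 8601 UTC string (what _time would carry)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
```

Legacy entries come back with epoch None, so they can be indexed with the file's modification time rather than a guessed timestamp.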