Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About willsy
willsy
Communicator
Member since:
12-06-2018
10-25-2023
Community Statistics
| Posts | 52 |
| Solutions | 4 |
| Karma Given | 9 |
| Karma Received | 2 |
| Member Since | 12-06-2018 |
Activity Feed
- Posted Re: How to colour an eval single value. on Dashboards & Visualizations. 10-25-2023 07:56 AM
- Posted How to colour an eval single value. on Dashboards & Visualizations. 10-25-2023 07:52 AM
- Posted Re: How to Automatically open next dashboard? on Dashboards & Visualizations. 09-03-2023 12:48 AM
- Karma Re: How to Automatically open next dashboard? for bowesmana. 09-03-2023 12:48 AM
- Posted How to Automatically open next dashboard? on Dashboards & Visualizations. 08-30-2023 05:43 AM
- Posted Re: How to search for values greater than 90 days on Splunk Search. 04-19-2023 03:18 AM
- Karma Re: How to search for values greater than 90 days for gcusello. 04-19-2023 03:17 AM
- Posted Re: How to search for values greater than 90 days on Splunk Search. 04-19-2023 02:59 AM
- Posted Re: How to search for values greater than 90 days on Splunk Search. 04-19-2023 02:25 AM
- Posted Re: How to search for values greater than 90 days on Splunk Search. 04-19-2023 02:22 AM
- Posted How to search for values greater than 90 days? on Splunk Search. 04-19-2023 01:05 AM
- Posted Re: How to colour individual bar on a bar chart? on Dashboards & Visualizations. 04-18-2023 11:49 PM
- Posted How to colour individual bar on a bar chart? on Dashboards & Visualizations. 04-18-2023 12:11 PM
- Posted Re: How search for metrics for items not on within last 90 days? on Splunk Search. 04-15-2023 01:58 PM
- Karma Re: How search for metrics for items not on within last 90 days? for woodcock. 04-15-2023 01:57 PM
- Posted How search for metrics for items not on within last 90 days? on Splunk Search. 04-14-2023 02:25 AM
- Posted Re: Incorrect Instance name after change hostname on Splunk Dev. 09-15-2022 01:58 PM
- Posted Re: Is there a shortcut to configuring a multi site cluster without having to configure a single site cluster first? on Installation. 09-06-2022 06:48 AM
- Karma Re: Is there a shortcut to configuring a multi site cluster without having to configure a single site cluster first? for chaker. 09-06-2022 06:47 AM
- Posted Is there a shortcut to configuring a multi site cluster without having to configure a single site cluster first? on Installation. 09-05-2022 11:25 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-25-2023
07:56 AM
Completed this, I added | table status, range got rid of any colour on the dashboard and the colour of the range took over.
... View more
- Tags:
- Completed this
09-20-2023
10:07 AM
Hi @dc17! Kara here, Splunk Community Manager. Thanks for following up on this question from 2020, but I recommend posting it as a brand new question so that it can get more visibility. Cheers!
... View more
09-03-2023
12:48 AM
Hey thanks for your reply, I ended up scripting it and just getting it to turn over every 2 minutes. works for me. Thank you for the idea
... View more
05-19-2023
08:41 AM
https://conf.splunk.com/files/2019/slides/FN1190.pdfFN1190.pdf (splunk.com)
... View more
04-19-2023
01:20 PM
Try this... index=test host=ABC source=table.csv sourcetype=csv Group=Snow*
| eval Group=if(Group="Snow Day Here we come 12345","Snow",Group)
| eval Status=if(Status="Down (Acknowledged)", "Down", Status)
| dedup _raw
| chart max(Count) OVER Count BY Status
| filldown
| tail 1
| eval Status=""
| table Status Down Up
... View more
04-19-2023
03:18 AM
Absolute scholar and a gent. thank you so very much. i used the | eval downtime_days=Downtime/86400 seems super simle now i can see it but i couldnt get my head round it, thanks you so very much.
... View more
04-15-2023
01:58 PM
Absolute champion or as your tag says esteemed legend. I needed the append=true and the logic of how to do it. thank you so much
... View more
09-15-2022
01:58 PM
There will be four places in linux that this could be. These are; /etc/hostname /SPLUNK_HOME/etc/system/local/server.conf /SPLUNK_HOME/etc/system/local/inputs.conf /SPLUNK_HOME/etc/system/local/deploymentclient.conf server.conf [general] serverName = whatever inputs.conf host = whatever deploymentclient.conf [deployment-client] clientName = whatever
... View more
09-06-2022
06:48 AM
Cheers thank you for the link. For some reason I couldn't find it. Much appreciated this is what I'm after.
... View more
01-19-2022
06:39 PM
were you able to fix this issue? if yes, please share solution. Thanks.
... View more
01-11-2022
09:55 AM
How to resolve the issue if logs are rotated or compressed. How to blacklist them? Splunk is ingesting duplicate events in my org. Help me how to fix issue if logs are rotated or compressed. Highly appreciate your help.
... View more
10-12-2021
09:41 AM
@anil19 This thread is over a year old with an accepted solution. Please post a new question describing your problem. You can refer to this thread and tell how the solution doesn't help in your case.
... View more
08-21-2021
06:14 AM
@milesbrennan - Thanks for the post, very helpful. Have a question around parsing/formatting logs so that they are ingested in splunk with appropriate fields. Is it common practice to do this in rsyslog before being sent to Splunk? In my test setup, I have a Rsyslog server with the universal forwarder and then sending them to my splunk instance. I am new to splunk and logging, so hope the question makes sense.
... View more
08-12-2021
02:23 AM
Splunk 8.x.x here. Profiling settings did block my apply bundle command. /opt/splunk/bin/splunk apply cluster-bundle
Encountered some errors while applying the bundle.
Cannot apply (or) validate configuration settings. Bundle validation is in progress.
/opt/splunk/bin/splunk show cluster-bundle
...
<bundle_validation_errors on master>
... This command did the trick: curl -k -u admin https://CLUSTER_MASTER_IP:8089/services/cluster/master/control/default/cancel_bundle_push -X POST And I could edit and apply the bundle afterwards.
... View more
05-26-2021
02:38 AM
hello, thank you so much, this sorted it however the network ramifications was not expected, the data that is usually 200 events an hour went up to 45000 and saturated out license, but its fine. thank you
... View more
10-29-2020
10:15 AM
One thing what you could try is adding that HF as indexer on you MC. Then it could shows some information what it has done e.g. what logs it has managed? This is nice way to see e.g. HEC statistic on HF. There is already item for thi (add HF as own type to MC or something similar) on https://ideas.splunk.com r. Ismo
... View more
06-22-2020
10:01 AM
Hello, I have an index cluster and would like to send ALL data to a non splunk third party end point. is this possible? this is the props.conf however for an index cluster where should i configure these files? the second configuration is the transforms.conf the final configuration is the outputs.conf [syslog]
TRANSFORMS-routing = routeAl [routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything [tcpout]
defaultGroup=nothing
[tcpout:Everything]
disabled=false sendCookedData=false server=10.1.12.1:10514 my concern is that i actually just want to forward all of my data. is there a particular configuration needed for this? or any ideas? many thanks Willsy
... View more
Labels
06-22-2020
09:39 AM
Hey mate, just wondering how you got along with this? im having the same issue at the moment, i have multiple sites and multiple clustered indexers needing to send to one specific indexer.
... View more
05-09-2020
09:57 AM
Fast mode means fields are not extracted automatically at search time so you'll only see index-time fields and those explicitly extracted by the search.
... View more
02-10-2020
04:38 AM
Hello,
Just to confirm I have sold the problem.
So after I upgraded my search heads to 8.01 I noticed I could not see the web GUI. I looked at my splunkd.log and said my application server was at fault. I don't have an application server but this I took for my deployment server but that it was an application that was the issue.
i looked at the web_service.log and noticed down the bottom that there was a particular application stopping my whole search head environment from working. For me this was the splunk for nix application and TA.
steps i did to rectify the issue.
1) looked into splunkd.log and saw the application server fault
2) looked into web_services.log and it literally told me which application was at fault
3) i stopped my search heads and deployment server
4) on the deployment server i moved the unix application into disabled applications
5) on the unix application app.conf i also set it to disable to make sure.
6) restarted my deployment server
7) restarted my search heads
8) logged into my search head web GUI
if anyone is having a similar issue i can go into detail of files etc. but yea, all sorted.
... View more
11-01-2019
04:10 AM
Hi willsy,
If I correctly undestood: you want to map values extracted from your data (temperatures) with cabinets of your datacenter and display values on a dashboard with the cabinets, not a geographical location, is it correct?
You could do this, you could use a bitmat of your datacenter as background and put the value of each server as a Single Value Panel over the image.
You can see the way to do this in Splunk Dashboard Examples ( https://splunkbase.splunk.com/app/1603/ ) - Image Overlay with Single Values.
If instead your problem is to locate servers in cabinets and display temperature values saying server name and cabinet, you can create a lookup containing these information and use it when displaying.
Ciao.
Giuseppe
... View more
05-03-2019
09:39 AM
Here is another alternative to ingest SNMP data into Splunk.
Our product, NetFlow Optimizer (NFO), in addition to processing *flow data, is capable of performing SNMP polling. It converts SNMP data to syslog format which could be sent directly to Splunk indexer or rsyslog or syslog-ng, and then to Splunk indexers.
Cisco devices CPU and memory usage are visualized in NetFlow Analytics for Splunk App https://splunkbase.splunk.com/app/489/ which comes together with Technology Add-on for NetFlow https://splunkbase.splunk.com/app/1838/ (or you can build your own dashboards).
Here the link to download NFO, as well as information on how to install and configure it, and get free evaluation license https://www.netflowlogic.com/downloads/.
If you’d like to try it or have any questions, please don’t hesitate to reach out (trials@netflowlogic.com) and we’ll be happy to help you.
... View more
01-26-2019
09:25 PM
Firstly, moving data location by altering indexes.conf while the server is stopped is fine and should be transparent.
Secondly, I am not sure how your storage array is being presented to the operating system, but if its through an Windows share, then I am pretty sure that is not supported. Technically it may work, but you need to make sure its very quick storage. The most component for Splunk (IMHO) is having fast storage above all else.
... View more
12-11-2018
07:28 AM
@willsy: so, you don't see any output when you run Splunk cmd btool check..??
It looks like the output you posted is from splunk cmd btool indexes list --debug.
what version of splunk are you on..??
Check your SPLUNK_DB environment variable, look at this splunk answer if it helps...
https://answers.splunk.com/answers/94428/error-warning-cannot-create-new-path-for-index-when-starting-splunk.html
... View more
12-10-2018
01:15 AM
Hello, thank you for getting back to me,
Thats working as follows;
Machine Backedup Event Code
DCAOVSG001 22
DCAOVSG002 21
DCAOVSG003 21
Which is the basis of what i am after, i just need to change the 21 to pass, 22 to fail message and then add a date.
So what ive done is added
| eval Outcome=if(EventCode=21,"Success","Fail")
| fields - EventCode
| convert ctime("Date")|rename Machine_BackedUp as "Computer Name"
onto the bottom of your search so that it looks like this:
index=windows_health-servers sourcetype="WinEventLog:Application" (EventCode=21 OR EventCode=22)
| where match(Machine_BackedUp,"DC(A|P)OV\w{2}\d{3}")
| stats latest(EventCode) as EventCode by Machine_BackedUp
| eval Outcome=if(EventCode=21,"Success","Fail")
| fields - EventCode
| convert ctime("Date")|rename Machine_BackedUp as "Computer Name"
i need to sort the time out by you my good sir are both a scholar and a gent. Thank you ever so much.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-25-2023
11:17 AM
|
