Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About dl-it-serveradm
dl-it-serveradm
Engager
Member since:
01-27-2016
09-09-2024
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-27-2016 |
Activity Feed
- Posted Re: How to find time between similar events? on Splunk Search. 04-28-2022 07:52 AM
- Posted Re: How to find time between similar events? on Splunk Search. 04-28-2022 07:37 AM
- Posted How to find time between similar events? on Splunk Search. 04-27-2022 12:31 PM
- Posted How can we programatically disable/enable a data input? on Getting Data In. 11-29-2017 10:39 AM
- Tagged How can we programatically disable/enable a data input? on Getting Data In. 11-29-2017 10:39 AM
- Tagged How can we programatically disable/enable a data input? on Getting Data In. 11-29-2017 10:39 AM
- Posted Re: Can we configure Splunk to not look inside archive files? on Getting Data In. 06-09-2016 12:23 PM
- Posted Re: Can we configure Splunk to not look inside archive files? on Getting Data In. 06-09-2016 06:27 AM
- Posted Can we configure Splunk to not look inside archive files? on Getting Data In. 06-08-2016 11:45 AM
- Tagged Can we configure Splunk to not look inside archive files? on Getting Data In. 06-08-2016 11:45 AM
- Tagged Can we configure Splunk to not look inside archive files? on Getting Data In. 06-08-2016 11:45 AM
- Tagged Can we configure Splunk to not look inside archive files? on Getting Data In. 06-08-2016 11:45 AM
- Tagged Can we configure Splunk to not look inside archive files? on Getting Data In. 06-08-2016 11:45 AM
- Tagged Can we configure Splunk to not look inside archive files? on Getting Data In. 06-08-2016 11:45 AM
- Posted How to edit my timechart search to show the individual count of 2 strings in one chart? on Splunk Search. 01-27-2016 07:14 AM
- Tagged How to edit my timechart search to show the individual count of 2 strings in one chart? on Splunk Search. 01-27-2016 07:14 AM
- Tagged How to edit my timechart search to show the individual count of 2 strings in one chart? on Splunk Search. 01-27-2016 07:14 AM
- Tagged How to edit my timechart search to show the individual count of 2 strings in one chart? on Splunk Search. 01-27-2016 07:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-28-2022
07:52 AM
Ignore prior post. Was able to use this syntax: <query> | streamstats window=1 current=f values(_time) as prevtime | eval "TimeDiff" = prevtime - _time | where TimeDiff<1 Thanks for your help!
... View more
04-28-2022
07:37 AM
Hi, this is very close. I'm having trouble calculating the "_time - prevtime". The prevtime is calculating the following values: <query> | streamstats window=1 current=f values(_time) as prevtime | table _raw prevtime 2022-04-19 18:39:31,142 INFO [stdout] (default task-43) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650408159.210 2022-04-19 18:35:38,403 INFO [stdout] (default task-41) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650407971.142 2022-04-19 18:35:38,371 INFO [stdout] (default task-42) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650407738.403 2022-04-19 18:34:01,696 INFO [stdout] (default task-40) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650407738.371 2022-04-19 18:30:36,450 INFO [stdout] (default task-39) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650407641.696 2022-04-19 16:57:39,144 INFO [stdout] (default task-36) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650407436.450 2022-04-19 14:01:42,904 INFO [stdout] (default task-153) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650401859.144 2022-04-19 13:46:00,629 INFO [stdout] (default task-153) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650391302.904 2022-04-19 13:42:39,944 INFO [stdout] (default task-153) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650390360.629 2022-04-19 13:32:59,488 INFO [stdout] (default task-145) [core.service.OpsManagerRestService] ==============POST Send Family============= 1650390159.944 When running this query, it still returns all events: <query> | streamstats window=1 current=f values(_time) as prevtime | where _time-prevtime <1 Thanks again.
... View more
04-27-2022
12:31 PM
Hello,
We are looking to create a search that will return when two similar events occur within 1 second of each other.
Sample log search results:
2022-04-19 18:42:39,210 INFO [stdout] (default task-43) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:39:31,142 INFO [stdout] (default task-43) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:35:38,403 INFO [stdout] (default task-41) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:35:38,371 INFO [stdout] (default task-42) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:34:01,696 INFO [stdout] (default task-40) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:30:36,450 INFO [stdout] (default task-39) [core.service.RestService] ==============POST Send Family============= 2022-04-19 16:57:39,144 INFO [stdout] (default task-36) [core.service.RestService] ==============POST Send Family============= 2022-04-19 14:01:42,904 INFO [stdout] (default task-153) [core.service.RestService] ==============POST Send Family============= 2022-04-19 13:46:00,629 INFO [stdout] (default task-153) [core.service.RestService] ==============POST Send Family============= 2022-04-19 13:42:39,944 INFO [stdout] (default task-153) [core.service.RestService] ==============POST Send Family============= 2022-04-19 13:32:59,488 INFO [stdout] (default task-145) [core.service.RestService] ==============POST Send Family=============
We would like a query to be able to return results when events occur, like the following times, since they are so close together:
2022-04-19 18:35:38,403 INFO [stdout] (default task-41) [core.service.RestService] ==============POST Send Family============= 2022-04-19 18:35:38,371 INFO [stdout] (default task-42) [core.service.RestService] ==============POST Send Family=============
Is there a way we can generate a query that would find something like that?
Thanks!
... View more
11-29-2017
10:39 AM
We have an issue where for some reason, Splunk stops reading a log file in a particular Data Input folder. The log is set to roll hourly.
If we disable the Data Input, and then Re-Enable it, it starts reading the log again (which is probably the next log).
We have a scheduled task that runs every hour to determine if it has captured any data in the past hour. If it has not, we receive an email letting us know it is hung up and we have to Disable/Enable again.
Is there a way to do so via a script?
We are working to figure out what is wrong and have a case open, but are looking for an intermediary solution.
Thanks.
... View more
06-09-2016
12:23 PM
Thank you both for your help.
Using the whitelist does look like it works. We were getting confused by the number of files that appear in the Files and Directory input for that folder. That number seems to represent the number of files found (plus the root folder), not necessarily the ones it has indexed.
... View more
06-09-2016
06:27 AM
Masa ; ddrillic,
Thanks for your replies, however, this does not seem to work. Splunk is still looking within the zip file and finding the .log files within it.
It seems as if it is decompressing the archive and finding the .log files within it. I believe it is the decompression that we need to avoid.
... View more
06-08-2016
11:45 AM
Hello,
By default:
Splunk Enterprise decompresses archive files before it indexes them. It can handle these common archive file types: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z.
(http://docs.splunk.com/Documentation/Splunk/6.1.6/Data/Monitorfilesanddirectories)
Is it possible to configure Splunk to not do this? Or another way to handle our scenario?
We have a Windows directory input path that we are indexing *.log files. The problem is, there are .zip files in that folder that also contain *.log files, but we want to ignore those.
Thanks in advance.
... View more
01-27-2016
07:14 AM
We are trying to create a Timechart showing the number of occurrences of 2 strings. Here is the search:
index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval("socket write error")) AS SWE, count(eval("java.sql.SQLException")) AS JSE
The results are inaccurate.
For example, on 1/27/2016, there are 6 events that match java.sql.SQLException, with 0 matching "socket write error".
On 1/26/2016 there are 31 events that match java.sql.SQLException, with 4 matching "socket write error".
The results we are getting for each _time appears to be the total occurences for that day, not the individual totals:
_time SWE JSE
2016-01-24 0 0
2016-01-25 35 35
2016-01-26 35 35
2016-01-27 6 6
Also, in the visualization, it is showing 2 charts, not 1.
What are we doing wrong?
Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-09-2024
01:26 PM
|
