Activity Feed
- Got Karma for Re: Divide by quarter. 10-18-2021 08:23 AM
- Karma Re: Help on Transaction command!! for sideview. 06-05-2020 12:46 AM
- Karma Re: help with sum time between event from other sourcetypes for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Bucket rotation and warm, cold... for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Custom heatmap logic in advanced XML for sideview. 06-05-2020 12:46 AM
- Karma Custom heatmap logic in advanced XML for sideview. 06-05-2020 12:46 AM
- Karma Re: Regex not finding what I'm looking for??? for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: Reducing rentention costs, archiving frozen buckets, running multpiple instances for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: All DB rows get input as one event for ziegfried. 06-05-2020 12:46 AM
- Karma Re: How many field extract in splunk? for cucuro. 06-05-2020 12:46 AM
- Karma Why does custom python script execute twice? for phoenixdigital. 06-05-2020 12:46 AM
- Karma Re: Need Help With Deployment-Server and Deployment-Client configurations for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: Struggling to correlate 2 sourcetypes for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: summary indexing - search with a 2-hour transaction every 5 minutes ? for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Query to analyze if the log size has been decreased over time from hosts for lguinn2. 06-05-2020 12:46 AM
- Karma Re: splunk-sdk-python analytics sample not working for rroberts. 06-05-2020 12:46 AM
- Got Karma for Re: Regex to select string from raw data. 06-05-2020 12:46 AM
- Got Karma for Issue with deploying Splunk App for MS SQL. 06-05-2020 12:46 AM
- Got Karma for Issue with deploying Splunk App for MS SQL. 06-05-2020 12:46 AM
- Got Karma for Issue with deploying Splunk App for MS SQL. 06-05-2020 12:46 AM
04-03-2014
01:10 AM
Hello AELLIOTT, it is working now for me. I don't know why it did not work yesterday 😞
04-02-2014
10:57 PM
Hey, I did it first, but for some reason it did not work. It was unusual, so I was trying a couple of other ways to achieve the same thing.
04-02-2014
01:31 PM
1 Karma
Hello Bro,
It was fun to find a solution to your question. I made the query below to check it out; modify it to your requirement.
Run the query below in your Splunk search:
index=main | head 1 | eval custom_test="This . is . Eashwar . Raghunathan . and . i . am . playing . with . 10 . dots" | rex mode=sed field=custom_test "s/[^.]/X/g s/X//g" | eval NumberOfDots=len(custom_test) | table custom_test NumberOfDots
I hope that in your case you will pass the domain string instead of custom_test.
Happy Splunking bro, thanks for asking tough questions 🙂
04-02-2014
12:37 PM
1 Karma
Hello Brother,
It's very simple and straightforward:
| timechart span=qtr count by enrolled_type
If you need to view a report for exactly the last 6 quarters, set the below in the advanced time range:
earliest=-6qtr@qtr latest=-qtr@qtr
Thanks, and happy Splunking bro!!
Vote for the answer if it really helps you; thanks again.
03-12-2014
12:49 PM
3 Karma
For the past few days I have been trying to deploy the SQL app. I found that not all the PowerShell scripts return results. Below are the 4 sourcetypes in the mssql index.
MSSQL:Instance:Service
Powershell:ScriptExecutionSummary
Powershell:ScriptExecutionErrorRecord
MSSQL:Host:Memory
Host:Memory and Instance:Service tell me that there is no problem with the execution of the PS script.
When I was doing some research about why the lookup generators are showing no results, I found a lot of other sourcetypes missing.
Below is the result of this search: eventtype=mssql sourcetype="Powershell:ScriptExecutionErrorRecord" | dedup ErrorMessage | table ErrorMessage Exception
ErrorMessage
Could not find file 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\DBUsers\DBUsers.xml'.
Could not find file 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\DBInstances\DBInstances.xml'.
Could not find file 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\Databases\Databases.xml'.
Exception
System.IO.FileNotFoundException: Could not find file 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\DBUsers\DBUsers.xml'. File name: 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\DBUsers\DBUsers.xml' at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) at System.Management.Automation.PathUtils.OpenFileStream(String filePath, PSCmdlet command, Boolean isLiteralPath)
System.IO.FileNotFoundException: Could not find file 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\DBInstances\DBInstances.xml'. File name: 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\DBInstances\DBInstances.xml' at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) at System.Management.Automation.PathUtils.OpenFileStream(String filePath, PSCmdlet command, Boolean isLiteralPath)
System.IO.FileNotFoundException: Could not find file 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\Databases\Databases.xml'. File name: 'C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\powershell\Databases\Databases.xml' at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) at System.Management.Automation.PathUtils.OpenFileStream(String filePath, PSCmdlet command, Boolean isLiteralPath)
07-05-2013
02:43 AM
Hello, can you please explain to me what (?m) is? Thanks in advance.
07-05-2013
02:38 AM
Hello, I was just going through the answer; try the below:
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | eventstats sum(errorCount) as totalErrors by source
07-05-2013
02:24 AM
Hello bro,
try the search below:
sourcetype="syslog-stats" | streamstats window=1 global=false sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
Hello brother,
create a limits.conf in
$SPLUNK_HOME/etc/system/local/
or
$SPLUNK_HOME/etc/apps/ /local/
with the stanza below. The max is 50000.
[searchresults]
maxresultrows = 50000
yours,
eashwar raghunathan
05-10-2013
01:43 AM
Hey brother, I have had the same issue for the past 2 days. The whole app I developed is not working. Please let me know if you know the answer.
04-12-2013
11:52 PM
Hello, in the above answer "clean all" is only mentioned for forwarders. I hope a forwarder will not have index data or users.
If I am wrong please let me know.
04-07-2013
01:44 AM
You use inputs.conf and outputs.conf to route data to specific indexers, based on the data's input.
Here's an example that shows how this works.
In outputs.conf, you create stanzas for each receiving indexer:
[tcpout:systemGroup]
server=server1:9997
[tcpout:applicationGroup]
server=server2:9997
In inputs.conf, you use _TCP_ROUTING to specify the stanza in outputs.conf that each input should use for routing:
[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup
The forwarder will route data from file1.log to server1 and data from file2.log to server2.
EDIT: What if I want to send one of those feeds to two separate systems?
inputs.conf
[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup
outputs.conf
[tcpout:systemGroup]
server=server1:9997, server2:9997
[tcpout:applicationGroup]
server=server1:9997, server2:9997
Yours,
eashwar raghunathan
Happy Splunking
If this helps you, don't forget to vote!! Thanks in advance!!
Read more @ http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad
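To make the difference between the two outputs.conf layouts in the answer above concrete, here is an added example, not from the original answer and not Splunk's own code, that models the forwarder's documented routing semantics in Python: every tcpout group named in an input's _TCP_ROUTING receives its own copy of the data, while several servers listed inside a single tcpout group form one load-balanced pool that receives one copy between them. The stanza names, servers and file paths are the ones from the answer; the resolver is a model written for this page, and the second "cloned" layout is an assumed alternative that names both groups in _TCP_ROUTING.

```python
import configparser
import textwrap

# Layout as posted in the answer: both groups list both servers.
AS_POSTED_INPUTS = textwrap.dedent("""
    [monitor://.../file1.log]
    _TCP_ROUTING = systemGroup
    [monitor://.../file2.log]
    _TCP_ROUTING = applicationGroup
""")
AS_POSTED_OUTPUTS = textwrap.dedent("""
    [tcpout:systemGroup]
    server=server1:9997, server2:9997
    [tcpout:applicationGroup]
    server=server1:9997, server2:9997
""")

# Assumed cloning layout: one server per group, both groups named in _TCP_ROUTING.
CLONED_INPUTS = textwrap.dedent("""
    [monitor://.../file1.log]
    _TCP_ROUTING = systemGroup, applicationGroup
    [monitor://.../file2.log]
    _TCP_ROUTING = applicationGroup
""")
CLONED_OUTPUTS = textwrap.dedent("""
    [tcpout:systemGroup]
    server=server1:9997
    [tcpout:applicationGroup]
    server=server2:9997
""")


def _parse(conf_text):
    # Splunk .conf files are ini-like: '=' is the only delimiter and key case
    # matters (_TCP_ROUTING), so configparser is told both.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def resolve_routing(inputs_conf, outputs_conf):
    """Model of the forwarder's routing (not Splunk code).

    For each input stanza return one set of candidate servers per copy of the
    data that leaves the forwarder: one set per tcpout group in _TCP_ROUTING
    (cloning). The servers inside a set are a load-balanced pool, so a given
    event reaches exactly one of them."""
    inputs, outputs = _parse(inputs_conf), _parse(outputs_conf)
    routing = {}
    for stanza in inputs.sections():
        groups = [g.strip() for g in inputs[stanza].get("_TCP_ROUTING", "").split(",") if g.strip()]
        routing[stanza] = [
            {s.strip() for s in outputs["tcpout:" + g]["server"].split(",")}
            for g in groups
        ]
    return routing


def copies_per_event(routing, stanza):
    """Number of independent copies each event from this input produces."""
    return len(routing[stanza])


if __name__ == "__main__":
    for name, inp, out in (("as posted", AS_POSTED_INPUTS, AS_POSTED_OUTPUTS),
                           ("cloned", CLONED_INPUTS, CLONED_OUTPUTS)):
        r = resolve_routing(inp, out)
        print(name, r["monitor://.../file1.log"],
              "copies per event:", copies_per_event(r, "monitor://.../file1.log"))
```

Under the posted layout each file1.log event leaves the forwarder once and is load-balanced between server1 and server2, so neither system sees every event. If the requirement is that both systems receive every event, keep one server per group and list both groups in the input's _TCP_ROUTING, as the cloned layout does.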
04-05-2013
04:17 AM
Wow man!!! I am really waiting to see the answer for this question!!! 1500+ fields, how do you analyse them?
04-03-2013
03:39 AM
1 Karma
Hello Bro,
The configs below will work for sure; I tested them in my Splunk instance.
transforms.conf
[setnull]
REGEX = .+ancestry\.co\.uk.+
DEST_KEY = queue
FORMAT = nullQueue
Don't forget to stop, clean, and start Splunk after adding the configs. Make sure the props.conf and transforms.conf are in the same local directory.
If this helped you, don't forget to vote!!
yours,
eashwar raghunathan
04-02-2013
11:01 AM
Still not working; send me a sample log to eashwar@splunkconsultant.com and I will get back to you with the configs.
04-02-2013
10:57 AM
Hi bro, try this:
[setnull]
REGEX = (?i)ancestry.co.uk
DEST_KEY = queue
FORMAT = nullQueue
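Both nullQueue stanzas in this thread (the "(?i)ancestry.co.uk" one just above and the ".+ancestry\.co\.uk.+" one in the later answer) stand or fall on their REGEX, and anything it matches is discarded before indexing and cannot be recovered. Here is an added check, not from the original answers, that runs the two posted patterns plus a tighter variant over a few constructed events in Python. Splunk applies a transforms.conf REGEX as an unanchored PCRE search against _raw (the default SOURCE_KEY), which re.search reproduces for these patterns. The sample events are made up for the test and are not from the thread.

```python
import re

# Constructed sample events for the check (not from the thread): a proxy-style
# access log with the target domain in different positions and cases.
SAMPLE_EVENTS = [
    "2013-04-02 10:30:01 GET http://www.ancestry.co.uk/search 200",   # normal hit
    "ancestry.co.uk",                                                  # bare domain, nothing around it
    "2013-04-02 10:30:02 GET http://www.example.com/ 200",             # unrelated, must be kept
    "2013-04-02 10:30:03 GET http://ancestryXcoXuk.example/ 200",      # look-alike: dots replaced
    "2013-04-02 10:30:04 GET http://WWW.ANCESTRY.CO.UK/ 200",          # upper-case variant
]

# The REGEX values from the two transforms.conf stanzas in this thread.
REGEX_ANCHORED = re.compile(r".+ancestry\.co\.uk.+")   # escaped dots, needs text on both sides
REGEX_CASEINS = re.compile(r"(?i)ancestry.co.uk")     # case-insensitive, but '.' matches any char
# Assumed tighter pattern: escaped dots, case-insensitive, no surrounding text required.
REGEX_TIGHT = re.compile(r"(?i)ancestry\.co\.uk")


def dropped_by(pattern, events):
    """Events a [setnull] stanza with this REGEX would send to nullQueue.
    Splunk runs REGEX as an unanchored search over _raw, hence re.search."""
    return [e for e in events if pattern.search(e)]


def kept_by(pattern, events):
    """Events that survive to the index (the complement of dropped_by)."""
    return [e for e in events if not pattern.search(e)]


if __name__ == "__main__":
    for name, pat in (("anchored", REGEX_ANCHORED),
                      ("case-insensitive", REGEX_CASEINS),
                      ("tight", REGEX_TIGHT)):
        print(name, "drops:")
        for e in dropped_by(pat, SAMPLE_EVENTS):
            print("   ", e)
```

Run against these events, the anchored pattern keeps the bare-domain and upper-case hits because it is case-sensitive and demands at least one character on each side of the domain, while the unescaped pattern also drops the look-alike host because each unescaped "." matches any character. Testing the REGEX this way before it goes into a local transforms.conf is cheap; discovering the mistake after the events have been routed to nullQueue is not.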
04-02-2013
10:30 AM
Hello brother,
You have to correct the way you are asking the question; you have mentioned extracting events with a specific word.
It is clear from your comments that the concept you are trying to perform is FILTERING of data at INDEX TIME.
Your regex looks good, just omit the (?m), it is not necessary. The reason you feel your regex is not working is that you added this configuration after you had indexed the data. You have to clean the index and reindex the logs.
Remove the (?m) from your regex; it is not necessary. Actually I don't know what (?m) is, I have never used it. You can explain to me in the comments why you have used it.
Procedure to clean your index and reindex:
./splunk stop
./splunk clean eventdata IndexName
./splunk start
Now Splunk will clean all the data indexed in the specified index name, and when you start Splunk the data will get reindexed and the transforms.conf will apply to the newly indexed data.
Extractions are done at index time and search time. FILTERING is done at INDEX TIME, not at search time.
I am also new to Splunk.
If you call a transforms.conf stanza using REPORT from props.conf it will do the extraction at search time.
If you call a transforms.conf stanza using TRANSFORMS from props.conf it will do the extraction or routing or filtering at index time. You are performing filtering at index time; it is not extraction.
Try to clean the index and reindex again, and don't forget to remove (?m). If you have some specific reason you don't have to remove it, but let me know the reason.
yours,
eashwar raghunathan
Happy Splunking
04-02-2013
12:07 AM
Please give us one sample event so that we can generate a regular expression for you to extract the specific site name!!
04-02-2013
12:05 AM
2 Karma
Do you want to extract fields at search time or filter data at index time?
The above example of props and transforms is not for extracting; it will do the filtering at index time.
04-02-2013
12:01 AM
index=main sourcetype="tcp-raw" | rex "(?i)Switch\s+:\s+\S+\s+(?P<field4>\S+-\S+)"
Try this bro!!
Consider voting if the answers helped you!!
Thanks in advance!!
Happy Splunking,
04-01-2013
06:08 AM
Thanks brother!!! I will reply back if I get any problem after getting the things above done!!