11-26-2013 12:13 PM
1 Karma
Would it work better if you change the end
(?P<status>.+?)\t(?P<data>.+?)\t(?P<test>.+?)
to
(?P<status>.+)\t(?P<data>.*)\t(?P<test>.+)
then you should match an empty string if there are just 2 tabs in the case of "Ok"? It sounds too easy and I didn't test it with Splunk, so maybe I'm missing something?
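Added example, not part of the original answer: the same three-field extraction run under Python's re module, whose (?P<name>...) groups behave like Splunk's PCRE for this purpose. The sample lines are constructed, and the third ("strict") pattern is my own addition, not something from the thread.

```python
import re

# Constructed tab-separated records (not from the original thread):
# status <TAB> data <TAB> test, where "Ok" rows carry an empty data field.
SAMPLE_LINES = [
    "Error\tdisk full\tT-42",
    "Ok\t\tT-43",
    "Warn\tlow disk\textra\tT-44",   # one field too many
]

# The pattern from the question: .+? needs at least one character per field,
# and an unanchored lazy group at the end stops after a single character.
ORIGINAL = re.compile(r"(?P<status>.+?)\t(?P<data>.+?)\t(?P<test>.+?)")
# The suggestion above: .* lets data be empty.
PROPOSED = re.compile(r"(?P<status>.+)\t(?P<data>.*)\t(?P<test>.+)")
# Stricter variant (my assumption): fields may not contain the delimiter
# and the whole line is anchored, so a malformed line fails instead of
# being silently re-split.
STRICT = re.compile(r"^(?P<status>[^\t]+)\t(?P<data>[^\t]*)\t(?P<test>[^\t]+)$")


def extract(pattern, line):
    """Return the named groups as a dict, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def compare(lines=SAMPLE_LINES):
    """Run all three patterns over the sample lines; handy for eyeballing differences."""
    return {
        name: [extract(p, line) for line in lines]
        for name, p in (("original", ORIGINAL), ("proposed", PROPOSED), ("strict", STRICT))
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for line, fields in zip(SAMPLE_LINES, results):
            print("  ", repr(line), "->", fields)
```

Two things the comparison shows that the answer alone does not: the original pattern captures only "T" for test even on a well-formed line, because the trailing lazy .+? has nothing forcing it onward; and the proposed .+ / .* version still matches the four-field line but quietly puts a tab-containing value into status, whereas the anchored [^\t] version returns no match for it, which is usually what you want when the field count feeds an alert.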
04-13-2013 10:13 AM
If you want to extend Splunk with your legacy scripts, maybe this example helps you to get started.
If you just want to anonymize your logs before sending them to some 3rd party, maybe scrub -cmd could do it for you without custom scripts?
None of these can actually hide data that has already been indexed by Splunk. They only manipulate search results. You can still dig out the original data using another search. If it is something really sensitive you should do the masking & hashing at indexing time. Not sure how/if custom code could be used in that case.
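Added example, not part of the original answer and not Splunk's scrub command: a small pre-ingest masking pass of the kind you would run before the data reaches the indexer, so nothing sensitive is ever written to an index. Email addresses are replaced with keyed, truncated HMAC pseudonyms (same user, same token, so per-user searches still work, but not reversible without the key); card numbers are masked to their last four digits only after a Luhn check, so ordinary 13-16 digit identifiers pass through untouched. The log lines, the key and the field layout are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample events (not from the original thread).
SAMPLE_LOGS = [
    "2013-04-13 10:13:01 user=alice@example.com card=4111111111111111 action=purchase",
    "2013-04-13 10:13:05 user=bob@example.com card=5500-0000-0000-0004 action=refund",
    "2013-04-13 10:13:09 user=alice@example.com order=1234567890123 action=login",
]

# Hypothetical key: keep it out of the log pipeline's config repo and out of
# Splunk itself. Whoever holds it can re-hash guesses, so it must stay secret.
PSEUDONYM_KEY = b"replace-with-a-random-32-byte-secret"

# 13-16 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order ids and similar numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Keyed, truncated HMAC-SHA256: stable per input, not reversible without key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"{kind}#{digest[:16]}"


def _mask_card(m) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)          # not a card number: leave it as is
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    # Cards first, so hex digits in a pseudonym can never be mistaken for a PAN.
    line = CARD_RE.sub(_mask_card, line)
    return EMAIL_RE.sub(lambda m: pseudonym("email", m.group(0), key), line)


def mask_logs(lines, key: bytes = PSEUDONYM_KEY) -> list:
    """Mask every line; this is what a forwarder-side filter would emit."""
    return [mask_line(line, key) for line in lines]


if __name__ == "__main__":
    for masked in mask_logs(SAMPLE_LOGS):
        print(masked)
```

The design point is that the raw value never leaves the host that produced it; a search-time scrub can only decorate results that are already sitting in the index. Truncating the HMAC to 16 hex characters keeps the field readable and is plenty for grouping, and lower-casing before hashing makes "Alice@Example.com" and "alice@example.com" collapse to the same token.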
03-31-2013 02:02 PM
1 Karma
Would Outputlookup work better than outputcsv ?
(or you can extend Splunk with your own output -cmd that lets you specify directory & filename, and creates a huge security issue too 🙂)
03-25-2013 06:00 AM
Or if you're worried about losing data because of log rotation, or have problems starting/stopping all your forwarders, you can also close the receiver (indexer) during business hours. This will make forwarders buffer data, so make sure there is enough space available. Forwarders will resume transfer as soon as the receiver is enabled again.
03-22-2013 08:34 AM
So what is the requirement for failover time and what is your NFS client timeout now?
01-29-2013 09:50 PM
Don't worry about fail-over. It's taken care of by the NFS client and server. Splunk doesn't know anything about it. It's just a filesystem like any other filesystem. In the worst case there might be a temporary hiccup, but once your NFS server is back in business things will continue as normal.
01-29-2013 01:20 PM
You'll need only 2 hosts for HA NFS, and those can serve any number of search heads. So your number of hosts would double only if you have the minimal configuration of 2 search heads + 2 NFS servers (if that makes you feel any better). Running HA NFS (and a Linux cluster) on your search heads is not a good idea.
01-28-2013 10:10 AM
Hmmm... I'm not sure if I got your question right, but is there some problem in using e.g. a Linux cluster to provide an HA NFS service for your search heads? Just google for "HA NFS" and you'll find many examples of how to configure a pair of Linux servers to provide a highly available NFS service.
01-21-2013 11:23 AM
1 Karma
It's all in manuals 🙂
Let's say you have a set of events where the IP address is extracted to either clientip or ipaddress. This example defines a new field called ip, that takes the value of either clientip or ipaddress, depending on which is not NULL (exists in that event):
... | eval ip=coalesce(clientip,ipaddress)
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
01-04-2013 06:20 AM
How about adding ".log" to the end. Like this
[monitor://D:/Program Files/Apache Software Foundation/Tomcat 6.0/logs/tomcat6-stdout*.log]
This is then exactly like in examples in Splunk docs (=should work)
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards
PS. I'm not sure if it makes a difference, but have you tried turning your "/" into "\" if it is Windows?
01-02-2013 10:41 AM
1 Karma
http://splunk-base.splunk.com/answers/37372/can-you-customize-the-heatmap-colors
12-18-2012 10:22 AM
Everything works for me now, it must be something personal 🙂
Cleaning your browser cache & cookies usually helps for issues like this.
11-28-2012 03:40 AM
Just eager to sell it into my company. Does it make a difference?
11-28-2012 03:08 AM
Has anyone run into nice samples of logs with debug instructions that could be used for demoing Splunk to those who haven't yet seen how great a product it is 🙂
I know I can install forwarders and create myself a free SplunkStorm account, but then running applications to generate meaningful logs is more than a trivial task. If someone has already done this and is willing to share his/her logs with documentation of what was happening and how it was debugged with Splunk, that would be a great help in selling the idea of using Splunk.
Or maybe Splunk has this already available somewhere, but I've just missed it?
11-04-2012 09:53 AM
1 Karma
Scripting FTP isn't that difficult. Here are some examples to get you started
http://www.stratigery.com/scripting.ftp.html
10-17-2012 12:31 PM
Many features are not available through the Splunk GUI, but to edit dashboard XML you don't need access to conf files. Just go to your new dashboard, click "Edit: on" and then "Edit XML" ...
10-16-2012 11:23 PM
2 Karma
Is this something like you're looking for?
http://wiki.splunk.com/Community:Search_Report:_How_to_Add_a_Range_Marker_by_Advanced_XML
And some more examples of using chart overlays
http://splunk-base.splunk.com/answers/9053/example-of-chart-overlay
10-07-2012 04:52 AM
1 Karma
If you just want to set up a Splunk demo, maybe sampledata.zip from the Splunk tutorial could do? It's not Windows nor firewall or db logs, but on the plus side you get ready-made use-cases for your demo from the tutorial with minimal effort. Link to sampledata.zip is at http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/GetthesampledataintoSplunk
If you really want to generate logs (i.e. simulate) for network devices then you should take a look at http://www.gns3.net/
10-06-2012 11:54 AM
1 Karma
Like Ayn said, your life will be much easier if you extract timestamps from CSV.
Something like this in your props.conf should do it.
[web_visitors]
MAX_TIMESTAMP_LOOKAHEAD = 10
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y,%m,%d
TZ=UTC
EXTRACT-web_visitors = (?i)^\d+,\d+,\d+,(?P<source_from>[^,]+),(?P<visitors>.+)$
This should parse both timestamp and "from" & "visitors" -fields from your CSV.
And if the CSV header gets annoying, here are some ideas what you can do about it
http://splunk-base.splunk.com/answers/49366/how-to-ignore-first-three-line-of-my-log
09-27-2012 09:15 AM
Not sure if this is anything similar to your issue;
http://stackoverflow.com/questions/7384502/ie9-loses-cookies-after-redirect
But missing P3P header or cached redirects could have something to do with it.
Adjusting IE privacy settings might help(?)
09-07-2012 12:55 AM
Then it sounds like it is either still on the developer's desk or somewhere in Splunk's "approval process" waiting to be published at splunkbase. Be patient ... 🙂
09-06-2012 12:08 PM
Is it one of these http://splunk-base.splunk.com/apps/search/?q=fireeye&Submit=Search
09-03-2012 10:30 PM
2 Karma
Did you remember to restart Splunk after removing the passwd? At startup Splunk will notice missing passwd and create you a new one with admin/changeme.
08-29-2012 09:49 PM
It's also worth noticing that pX() uses an APPROXIMATION, not the exact value, when you have >1000 data points, see http://splunk-base.splunk.com/answers/44336/percentile-implementation