×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dbras
New Member
Member since: ‎05-02-2016
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-02-2016
Activity Feed
View All

Re: Can you help me correlate to an event in a dif...

by in Getting Data In
‎01-28-2019 05:02 AM
‎01-28-2019 05:02 AM
Hi Giuseppe, Thank you for your fast answer. In fact, I don't have any common field in the 2 queries except the time approximately. So I would like to add, on the query to find the error, the field I could find in the query to find the access around the time of the event found in the first one. Is it possible to do that ? ... View more

Can you help me correlate to an event in a differe...

by in Getting Data In
‎01-28-2019 02:50 AM
‎01-28-2019 02:50 AM
Hi, I am trying to correlate two different source types (haproxy and apache). I would like to find the access on haproxy for the error I have on apache. Here are the 2 queries I want to correlate: Query 1 on apache: index=* host=hostB sourcetype=apache_error "interesting error" earliest=@d-3d latest=now Query 2 on haproxy: index=* host=hostA sourcetype=haproxy "interesting access" So, I am looking to find the access on the haproxy when the interesting error happened on the apache. I tried something like that but without success: index=* host=hostA sourcetype=haproxy "interessting access" | search [search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "@m")+1 | return field1 field2 field3 ] | table _time host _raw field1 field2 field3 I can't find any solutions to correlate those source types without any correlation field. Could you help me on that ? ... View more

How to handle very fast logging application log fi...

by in Knowledge Management
‎04-09-2018 01:53 AM
‎04-09-2018 01:53 AM
Hi, We are actually monitoring our application log file with a forwarder configured like that: [monitor:///var/log/application/application.*] sourcetype = log4j index = application This application manage the log with log4j to put in a file like that: <RollingFile name="LOG_FILE" fileName="/var/log/application/application.log" filePattern="/var/log/application/application.log.%i" append="true"> <Policies> <SizeBasedTriggeringPolicy size="20MB" /> </Policies> <DefaultRolloverStrategy max="10" /> </RollingFile> But our application is really verbose, for example, today we have those files: -rw-r-----. 1 weblogic weblogics 19223378 Apr 9 10:43 application.log -rw-r-----. 1 weblogic weblogics 20976777 Apr 9 03:06 application.log.1 -rw-r-----. 1 weblogic weblogics 20971660 Apr 9 04:00 application.log.2 -rw-r-----. 1 weblogic weblogics 20972962 Apr 9 04:50 application.log.3 -rw-r-----. 1 weblogic weblogics 20971633 Apr 9 05:40 application.log.4 -rw-r-----. 1 weblogic weblogics 20971950 Apr 9 06:29 application.log.5 -rw-r-----. 1 weblogic weblogics 20971611 Apr 9 07:17 application.log.6 -rw-r-----. 1 weblogic weblogics 20971535 Apr 9 08:03 application.log.7 -rw-r-----. 1 weblogic weblogics 20972289 Apr 9 08:53 application.log.8 -rw-r-----. 1 weblogic weblogics 20971526 Apr 9 09:37 application.log.9 -rw-r-----. 1 weblogic weblogics 20971784 Apr 9 10:14 application.log.10 And this introduces a delay on when the log are available on Splunk after the rotation, you can see below a grph with the count of event in the sourcetype base on the indextime: Do you know a solution to handle that without this delay ? I don't think that configure log4j to log in bigger file will fix that. Thank you for your help ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM