Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About emiller42
emiller42
Motivator
Member since:
08-11-2011
06-05-2020
Community Statistics
| Posts | 275 |
| Solutions | 58 |
| Karma Given | 102 |
| Karma Received | 328 |
| Member Since | 08-11-2011 |
Activity Feed
- Got Karma for Re: Find last value of multivalue field (Split and mvindex). 3 weeks ago
- Got Karma for Re: Dedup within a MV field. 3 weeks ago
- Got Karma for Re: Find last value of multivalue field (Split and mvindex). 01-11-2023 12:10 AM
- Got Karma for Re: Find last value of multivalue field (Split and mvindex). 09-30-2022 04:07 PM
- Got Karma for Re: How do I create an alert to trigger when a transaction with 2 events is not complete?. 07-08-2022 03:31 PM
- Got Karma for Re: How do I create an alert to trigger when a transaction with 2 events is not complete?. 02-15-2022 02:27 AM
- Got Karma for Re: How to parse JSON log data?. 01-27-2022 11:35 PM
- Got Karma for Re: Find last value of multivalue field (Split and mvindex). 01-27-2022 07:05 PM
- Got Karma for Re: Custom parsing. 02-03-2021 10:11 AM
- Got Karma for Re: Dedup within a MV field. 01-22-2021 09:16 AM
- Got Karma for Re: Dedup within a MV field. 07-08-2020 10:44 PM
- Got Karma for Re: Union in Splunk like in MySQL. 06-24-2020 08:22 AM
- Karma Re: What is the purpose of the file conf.conf found in .../etc/system/default ? for dshpritz. 06-05-2020 12:48 AM
- Karma Re: What is the purpose of the file conf.conf found in .../etc/system/default ? for ddrillic. 06-05-2020 12:48 AM
- Karma Re: Why are AWS ELB Health Checks not working properly after upgrading to Splunk 6.6.0? for vliggio. 06-05-2020 12:48 AM
- Got Karma for Re: What does Splunk do when one index in an indexer has reached maximum capacity?. 06-05-2020 12:48 AM
- Got Karma for Re: What does Splunk do when one index in an indexer has reached maximum capacity?. 06-05-2020 12:48 AM
- Got Karma for Re: Why is the license usage much larger than the file uploaded?. 06-05-2020 12:48 AM
- Got Karma for Re: Why is the license usage much larger than the file uploaded?. 06-05-2020 12:48 AM
- Karma Re: Difference between renaming a field within STATS vs using RENAME command for alacercogitatus. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 10 | |||
| 15 | |||
| 1 | |||
| 0 | |||
| 5 | |||
| 1 | |||
| 0 | |||
| 4 | |||
| 1 | |||
| 2 |
03-12-2018
03:35 PM
I assume you're in a VPC. Do you have security groups set up to allow traffic from the ELB to your instance on port 8000?
... View more
03-12-2018
03:29 PM
When you look at the instances tab of your load balancer, is the instance listed? What is it's Status?
... View more
03-12-2018
03:20 PM
You could change the ELB listener port.
Or you could just use https://ELB/en-US/account/login
If your ELB is listening on 443, send your requests to 443. 🙂
... View more
03-12-2018
03:05 PM
Your ELB is listening on 443.
You are hitting your ELB on 8000.
Consider that carefully. 🙂
... View more
03-12-2018
02:42 PM
Since the previous was edited:
What is the listener configuration on the ELB? a 503 implies that there is either no listener on 8000, or the listener has no accessible backend. Can you verify the listener is set up as HTTPS 8000 -> HTTPS 8000?
... View more
09-15-2017
01:46 PM
Thank you for this!
... View more
07-06-2017
12:13 PM
1 Karma
Was that 500MB file compressed? a gzipped logfile of that size is likely closer to 3-4GB when uncompressed, and that's what Splunk is considering when doing license calculations.
... View more
07-06-2017
12:12 PM
1 Karma
The license usage in Splunk is not only the size of raw data files it monitors but includes all associated files (index files and raw data file) which Splunk has to generate to make it searchable
That is not correct, License usage is solely based on the volume of data ingested.
... View more
09-14-2016
07:31 AM
This is because using single-quotes isn't valid JSON, so it can't parse it as JSON.
{"aaa": 1, "bbb": "some value"}
vs.
{'aaa': 1, 'bbb': 'some value'}
The first is JSON. The second is not.
Since it's a field extracted from a larger JSON, I'm going to assume it's just incorrectly constructed. Something like this would work fine, and not require multiple spath calls:
{"id": 12345, "message": {"level": "INFO", "content": "foo bar baz"}}
But I'm going to guess what you have to work with is:
{"id": 12345, "message": "{'level': 'INFO', 'content': 'foo bar baz'}"}
Which isn't valid JSON at all. (or more specifically, message is just a string, and not a JSON object)
... View more
07-21-2016
09:15 AM
We recently switched from EBS to d2's, and are very happy with the results so far. using d2.4xls with the ephemeral in a RAID0 gives us IOPS in the 7k range, and we can handle indexing throughput spikes of up to 7MB/s without appreciable queue saturation. Yes, EBS can get better IO, but the fact that you're throttled on throughput makes it hard to actually take advantage of it.
It's been about 4 months so far, and we haven't had an indexer fail yet. We have had one go temporarily unavailable for about 20 minutes, but there was no data loss. The cluster handled that without any real end-user impact.
All in all, I would have a hard time recommending EBS backed instances unless the install is small enough that running multiple d2s is overkill. You definitely want to have replication happening if you use them.
... View more
05-27-2016
12:02 PM
2 Karma
So the forwarder load balancing is a little interesting. A forwarder will switch targets on a regular interval. (Default 30 seconds. autoLBFrequency, set in outputs.conf) This means that at any given time, a forwarder is only sending to one indexer. It isn't round robin, instead regularly randomizing the indexer list.
However, it only makes the switch when it's considered 'safe' to do so, to avoid half of an event going to Indexer A, and the other half going to indexer B. This means EOF on a file read, and 10 seconds of inactivity on a TCP connection.
So if your forwarders aren't keeping up with file writes, it's possible for them to get 'stuck' on an indexer, and for that 30 second period to extend quite a bit.
To mitigate, you can set forceTimebasedAutoLB = true (again in Outputs.conf) but then you run into potential problems with events getting split. I wouldn't recommend this.
It's also worth noting that the forwarder doesn't know anything about the state of the indexer besides it being a valid target for data. It doesn't know if a particular index is full or not.
... View more
12-06-2015
01:46 PM
3 Karma
You can optionally add a span= to bucket just like timechart .
... | bucket _time span=1d | ...
... View more
12-06-2015
01:18 PM
5 Karma
You can't visualize this directly, but I use the following when I want time series data on multiple dimensions:
...| bucket _time | stats count by _time field_1 field_2
... View more
12-03-2015
08:15 AM
Just to reinforce this: use SHOULD_LINEMERGE=false and LINE_BREAKER= whenever possible.
... View more
Note: in 6.3 deploying user scoped configs (private) via the deployer keeps them in a state where users can delete them from within the cluster normally. I assume the issue here is with anything in the 'search_migration_app' scope, which would still be merged down to default on bundle push.
... View more
Anything deployed via the cluster deployer has all of its config files moved from 'local' scope to 'default' scope. As such, it cannot be deleted via UI within the cluster itself. If you want to delete anything from your 'search_migration_app', you must remove it from the copy contained on the cluster deployer (in $SPLUNK_HOME/etc/shcluster/apps ) and then execute a bundle push.
... View more
12-01-2015
08:00 AM
Good luck! Depending on how the 3rd-party app is set up, you may still be able to define the logging format. (It may just be defined in a config file which you can update) Worth looking into.
... View more
12-01-2015
07:43 AM
5 Karma
As I mentioned in a comment above, SEDCMD is evaluated after timestamp extraction, so you can't fix this via transform. You can, however, explicitly tell Splunk what the time format is. (Details on How Indexing Works)
props.conf
[your_sourcetype]
TIME_PREFIX=^
TIME_FORMAT=%m/%d/%I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD=17
This tells Splunk that the timestamp comes at the beginning of the event (TIME_PREFIX), it has the above strftime format, and it extends, at most, 17 characters into the event. Everything it needs to know to get the timestamp right.
This may still not work, as without a year it's not a valid timestamp, so Splunk may still do funny things with it. The real fix is to get your developers to log in a non-ridiculous format. (What Java devs have against ISO standard timestamps, I'll never figure out)
I would also set a couple other things:
[your_sourcetype]
TIME_PREFIX=^
TIME_FORMAT=%m/%d/%I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD=17
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)(?:\d{2}\/\d{2}\/\d{2}:\d{2}:\d{2})
TRUNCATE=999999
This further tells Splunk how to handle the incoming events. Specifically, we're telling Splunk where events begin and end explicitly, so it doesn't have to figure it out. (You'll appreciate this when it stops Splunk from doing bad things with stacktraces)
Ideally, you should be setting all of these for every new sourcetype you ingest whenever possible.
... View more
Regarding #2: I run the detection search on the Cluster Deployer, which is not a part of the cluster, and thus unaffected by the issue.
... View more
11-25-2015
02:55 PM
they're all identically provisioned servers, both in resources and configuration. I'll check for jobs erroring or being reassigned.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
Karma given to
