cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
alexislh
Explorer
Member since: ‎05-25-2016
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-25-2016
Activity Feed
View All

Re: How to set the timestamp for events with TIME_...

by in Getting Data In
‎07-01-2016 07:55 AM
‎07-01-2016 07:55 AM
Hi neilrc, Yeah, actually the source is obtained via db connect so yes indeed, could be more simple to have an action there by adjusting the SQL query and split the input in two with respective sourcetype set. Thanks for the idea 🙂 ! Alexis ... View more

How to set the timestamp for events with TIME_PREF...

by in Getting Data In
‎06-30-2016 10:23 AM
‎06-30-2016 10:23 AM
Hi all, I have this kind of log from 1 source : DateLog=1459870479.000 ... TypeLog=Syslog ... Apr 5 17:34:37.618 ... DateLog=1459870479.000 ... TypeLog=Trap ... For some reason the DateLog timestamp is slightly off, and I would like to use the other one in Syslog messages instead: Apr 5 17:34:37.618 I succeed doing that by setting a TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD. Problem is, as you can see, this timestamp does not appear in the Trap messages, so its timestamp is not recognized (no fallback or the like). So I have tried to rename the source type in transforms & props: TypeLog=Syslog > sourcetype = sourctetype:syslog TypeLog=Trap > sourcetype = sourctetype:trap Then I am trying to apply the TIME_PREFIX to this new sourcetype in props : [sourctetype:syslog] TIME_PREFIX = ... But it does not work. I don't remember the exact order in which Splunk indexes the events ,but I guess the timestamp is applied before the sourcetype is transformed, and then it's kinda too late for what I want to do. Anyone gone through this before? Thanks in advance for the ideas. Alexis ... View more

Re: Where do I find System Activity information in...

by in Monitoring Splunk
‎05-27-2016 08:04 AM
‎05-27-2016 08:04 AM
Well, I am looking for the views that were in old System Activity view like last splunkd errors, users activity etc And yes, this is just a standalone Splunk in lab! ... View more

Re: Where do I find System Activity information in...

by in Monitoring Splunk
‎05-27-2016 12:41 AM
‎05-27-2016 12:41 AM
Hi MuS, Thanks but damn, in 6.4.1 I don't even have that : ... View more

Where do I find System Activity information in a 6...

by in Monitoring Splunk
‎05-25-2016 04:17 AM
‎05-25-2016 04:17 AM
Hi there, The Activity > System Activity was very useful in the previous Splunk versions, letting you quickly access to last Errors and the like. It has been removed in 6.4. The documentation says it is now included in the Distributed Management Console: The information shown in the System Activity view in earlier versions of Splunk Enterprise is now included in Distributed Management Console views. The System Activity view is removed from this version of Splunk Enterprise. For more information, see the Distributed Management Console Manual. I cannot manage to find the equivalent in the DMC. Anyone with better eyes than mine find it? Thanks in advance ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All