Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About hajducko
hajducko
Explorer
Member since:
12-22-2010
06-05-2020
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 3 |
| Member Since | 12-22-2010 |
Activity Feed
- Got Karma for Panels that use basesearch won't display different times. 06-05-2020 12:48 AM
- Karma Re: Fast way to find size of events on disk for a time period for martin_mueller. 06-05-2020 12:46 AM
- Got Karma for Fast way to find size of events on disk for a time period. 06-05-2020 12:46 AM
- Got Karma for Scripted install - changing management port from command line.. 06-05-2020 12:45 AM
- Posted Panels that use basesearch won't display different times on Splunk Search. 07-20-2016 10:19 PM
- Tagged Panels that use basesearch won't display different times on Splunk Search. 07-20-2016 10:19 PM
- Tagged Panels that use basesearch won't display different times on Splunk Search. 07-20-2016 10:19 PM
- Posted Re: bucket retention and frozenTimePeriodInSecs on Getting Data In. 04-10-2014 04:45 PM
- Posted Re: Fast way to find size of events on disk for a time period on Getting Data In. 04-09-2014 07:48 PM
- Posted Re: Fast way to find size of events on disk for a time period on Getting Data In. 04-09-2014 03:42 PM
- Posted Fast way to find size of events on disk for a time period on Getting Data In. 04-09-2014 01:53 PM
- Tagged Fast way to find size of events on disk for a time period on Getting Data In. 04-09-2014 01:53 PM
- Tagged Fast way to find size of events on disk for a time period on Getting Data In. 04-09-2014 01:53 PM
- Posted Re: Figure out when a log entry was sent from a forwarder? on Getting Data In. 02-21-2014 11:24 AM
- Posted Re: Figure out when a log entry was sent from a forwarder? on Getting Data In. 02-18-2014 03:35 PM
- Posted Figure out when a log entry was sent from a forwarder? on Getting Data In. 02-18-2014 02:41 PM
- Tagged Figure out when a log entry was sent from a forwarder? on Getting Data In. 02-18-2014 02:41 PM
- Tagged Figure out when a log entry was sent from a forwarder? on Getting Data In. 02-18-2014 02:41 PM
- Posted Re: Scripting Splunk through automated systems on Getting Data In. 04-06-2011 01:51 AM
- Posted Re: Scripting Splunk through automated systems on Getting Data In. 04-05-2011 10:39 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
07-20-2016
10:19 PM
1 Karma
I tried taking a look at this question: https://answers.splunk.com/answers/395258/how-to-specify-different-time-ranges-for-each-pane.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
However, the solution didn't work. I have a basesearch that I want the whole dashboard to use, and I grab the data over a week period. But I want some panels to only display an hour's worth of data. However, they just reset to showing the whole week's worth of data instead.
Here's part of my dashboard.
<dashboard>
<search id="baseSearch">
<query>index=salt source=/var/log/salt/master Published command details NOT find_job</query>
<earliest>@w0</earliest>
<latest>now</latest>
</search>
<label>Salt Today</label>
<row>
<panel>
<title>Jobs Run Today</title>
<single>
<search base="baseSearch">
<query>stats count</query>
</search>
<earliest>@d</earliest>
<latest>now</latest>
</single>
</panel>
Any ideas?
... View more
04-10-2014
04:45 PM
I think the Splunk 5/4 search is wrong. Wouldn't you want to make endEpoch as the latestTime as every event in the bucket needs to be older than the frozenTimePeriod. If I run that search, I get 'yes' for buckets that have an earliestTime that is older than the frozenTimePeriod, but with a latestTime that is newer. Those buckets wouldn't be deleted.
... View more
04-09-2014
07:48 PM
Well, one of the issues was that these are on Splunk 5. It does appear to work better w/ Splunk 6. I'm guessing I'll shoot the results over to a summary index on each indexer and then search off that.
... View more
04-09-2014
03:42 PM
Hrm, well, not exactly what I wanted but it does give a general sense of how far you need to go back to get a decent size of data, which was the intention of the search. The only issue being that the line items aren't really a 'per day' and there can be quite a bit of overlap for many of the buckets.
The other problem being that dbinspect only works at the indexer level with no way to distribute it to the indexers ( that I'm aware of ) besides an app/add-on.
... View more
04-09-2014
01:53 PM
1 Karma
Often times, we are tasked with deleting data out of an index to trim it down. Generally, we do this by setting the frozenTimePeriodInSecs and allowing Splunk to remove old data.
However, before we do that, we need to figure out where the best bang for the buck is. Many times people just ask us for the oldest event and try to plan it around there, but this is usually a very small bit of the data ( some old remnants of events that somehow got indexed way later ). In order to figure out what the earliest time is that there is a large chunk of data at, we've been doing something
index=myindex | timechart count span=1w
And running that across All Time. The problem is that it's slow, especially for our bigger customers, who are often in the 1 billion event range for a few months of data. Plus, we're just doing event counts, rather than getting real sizes of the data ( or even the compressed on disk size ). I've played with using len(_raw) and summing it up, but it just made things even slower.
Is there a quicker way to do this? I've played with dbinspect but that doesn't give the breakdown we'd need. I've also thought about doing this as an ongoing search with a scripted input that runs daily to get the index sizes on disk, but I realized that this doesn't give us a picture of what Splunk looks right now. The second we delete any data, all that historical data becomes obsolete. Ideally, I'd like to get a current size of index, per index/per day.
Anyone have any ideas?
... View more
02-21-2014
11:24 AM
The timezone and forwarder thruput don't appear to be the issue - the issue appears to be a file descriptor issue. The host in question is generating 124,000+ individual log files per hour.
... View more
02-18-2014
03:35 PM
Yeah, I already used the indexed time to determine that we're experiencing several hours of delay between the timestamp of the event and the time when the event was eventually indexed. I don't have access to the forwarding host, so I'm having the user get the TZ and thruput items, but was hoping for some other way of diagnosing this or pointing to which side of the issue was the problem.
... View more
02-18-2014
02:41 PM
We're having an issue where a log entry isn't being indexed by the indexer until several hours after the log entry was written.
The log entry has a timestamp of 2/17 21:15 and goes all the way back to 2/17 20:33. However, our indexer shows ( via indexed_time ) that it didn't index the events until 2/18 2:16 AM.
I need to able to determine why that it is - is it forwarder lag? Did they misconfigure something? Or is it indexer lag?
As far as indexer lag, we have SoS installed, but according to it, the indexer wasn't experiencing any issues - none of the queues were filled but at this point, I have no data I can give the customer about why this would have happened.
Which brings me to the question - is there someway to determine when the forwarder saw/sent the event or when the indexer received ( not indexed ) the event?
If I could tell that, at least it would help me point at the forwarder or the indexer and narrow the investigation down, but I don't know of anyway to determine that information.
... View more
04-06-2011
01:51 AM
Also just tried the following:
splunk list forward-server -uri https://127.0.0.1:8089 -auth admin:test123
It doesn't even show up in the splunkd_access log as even having attempted to login. Like I said, it's as if the command isn't even being run - no idea why this works on Splunk 3.x but not 4.x
... View more
04-05-2011
10:39 PM
( Sorry for replying in another answer - comment field wasn't big enough )
We do provide the -auth user:password. Also tried setting SPLUNK_USER and SPLUNK_PASS and using the login command with -auth user:password before attempting the command - all of them fail.
The script runs with administrative privileges and we've tested it running with other users - all still fail.
We don't get an error either - we don't receive any output whatsoever.
Ironically enough, we had a few systems work today - the only difference was the ones that work are running Splunk 3.3.1. None of the systems running Splunk 4.x work. So something changed here.
I should also note that all of these systems are simply running the lightweight forwarder. We haven't tried upgrading to the 4.2 universal forwarder yet.
Tried changing the default password for the admin account - same results.
Opsware runs a local agent and executes the script by downloading it and executing the script locally, so every command we're issuing is coming from the localhost.
Is there some debug logging we could enable to see any command issued to splunk via the CLI?
... View more
04-04-2011
09:08 PM
I don't consider it answered. Even if we're not trying to configure splunk, getting output from the command terminal won't work.
For instance, I can't create scripts that will get me a list of the forward-servers via the 'list forward-servers -auth user:pass' because of this issue.
... View more
04-01-2011
11:46 PM
Agreed - in fact, I do that for adding the win event logs to the inputs.conf.
I was a little nervous about doing it in terms of the outputs.conf, as we often have other items in there.
We'll eventually be making it so that all the config files are simply deployed and managed through Opsware - this was more of a one-time run that we were doing and this issue became an itch I needed to scratch to figure out why this was happening.
... View more
04-01-2011
11:04 PM
Running into a strange issue here.
We're attempting to run through scripts through our config management system - Opsware (HP BSA) to configure splunk agents from the command line on our Windows systems.
The script, when placed manually on the system and run there - works fine.
However, when running the script through the tool - certain commands fail to work or produce any output at all.
For instance, the following don't work:
splunk add forward-server server.example.com:9997
splunk help add monitor
splunk list forward-server
splunk help
The following do work:
splunk restart
splunk stop
splunk start
And it's not just an issue of capturing the output from the commands - the commands simply do not run. For instance, when adding a forward-server, no outputs.conf is being created or written to.
The commands all return with -1073741819, which translates to 0xc0000005 - STATUS_ACCESS_VIOLATION.
We've tried several different ways of authenticating too - environment variables, doing a 'login' command before, using '-auth user:pass'. Nothing seems to help.
The scripts also seem to work fine on our Linux boxes - just not Windows. I realize it's an issue of our config management tool interfacing with splunk, but I'm curious as to why some commands would work and others wouldn't. I'm assuming something with how the config management tool's executing environment is setup, but I'm up for ideas on how to solve this.
... View more
02-01-2011
02:59 AM
1 Karma
I am in the process of creating some install scripts to install Splunk through our configuration management tool. Everything is working, except for this.
On certain systems, we use port 8089 for another application. I can detect that we're using it - but on Linux systems, there doesn't seem to be a way to tell Splunk to start the first time using a different management port other than 8089.
The Windows .msi has this feature, allowing you to set SPLUNKD_PORT during the install - is there anything available for the *nix versions that will allow the splunkd port to be set before the start?
The --answer-yes option also doesn't seem to do anything.
[root@falcon1h.web.prod:~]# /opt/splunk/bin/splunk start --answer-yes
Splunk> CSI: Logfiles.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: already bound
ERROR: The mgmt port [8089] is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]:
I need to be able to automate it without being asked for input, but splunk doesn't seem to have a way to do this. Am I missing something?
... View more
- Tags:
- installation
12-22-2010
04:33 PM
It was more of a 'Hey, I tried this and it didn't work and now I'm curious as to why'.
Stupid me, however, read that whole doc before posting and didn't even put two and two together.
Thanks much!
... View more
12-22-2010
12:51 AM
Can't seem to get this to work using whitelists in inputs.conf
I have a location I need to monitor for several log files across several directories, all of the same type:
This works:
[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs/*.log]
disabled = false
sourcetype = cbs2
However, this doesn't:
[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs]
whitelist = \.log$
disabled = false
sourcetype = cbs2
Am I doing something wrong here? The white list seems rather simple and it seems like it should work just fine - however, none of the logs are getting sent.
... View more
- Tags:
- whitelist
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
