Topics I've Started
07-25-2016 09:06 AM
Hello sundareshr,
Thanks, this works. But depending on the search time range, the subsearch can be quite slow. I think I need to find some optimizations for it.
Regards,
Thomas
07-01-2016 07:49 AM
Hey there!
I have not found an optimal solution for myself yet. But I guess many of you have similar use cases, so maybe you can explain how you handle such situations:
Let's say you have an application consisting of:
- load balancers
- web servers
- application servers
- database servers
And you have separate environments for:
- production
- staging
- development
So you probably want to slice your searches in different ways:
- Either by server role: show me any errors on web servers (no matter whether prod, staging or dev)
- Or by server environment: show me any errors in the production environment (for all: lb, web, app, db)
So I started tagging my hosts like this:
[host=server1]
production = enabled
webserver = enabled
[host=server2]
production = enabled
database = enabled
[host=server3]
staging = enabled
webserver = enabled
...
Now I can quickly perform normal searches like index=perfmon tag=webserver or index=perfmon tag=production.
I know one can also use eventtypes, macros or lookups to achieve almost the same. The reason I prefer tags over the others is that I can easily assign multiple attributes to one host. Doing the same with eventtypes or macros gets tedious quickly: if you add a webserver to production, you have to change two macros. And if you have more attributes (pci etc.), it doesn't scale well.
So here is my current problem:
I have built a KV Store lookup storing the currently deployed application builds by host: _key=host and value=buildnumber.
If I e.g. want to query the buildnumber for a specific environment, I cannot use my tags:
| inputlookup my_buildnumbers where tag=webserver would be great, because the filtering would be done directly in KV Store / MongoDB. But obviously this doesn't work, because Mongo doesn't know my tags.
| inputlookup my_buildnumbers | eval host=_key | search tag=webserver unfortunately doesn't work either. I guess because tags aren't added for inputlookups, only for real events.
| inputlookup my_buildnumbers | search `webservers` with the macro expanding to (host=server1 OR host=server2) would probably work. But as mentioned, I dislike the macro approach for the reason above.
Does anybody have a good idea? How do you handle such things?
Cheers!
Thomas
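The tag-to-host expansion discussed in the post above, as an added Python example that is not part of the original thread or of Splunk itself: it parses tags.conf-style [host=...] stanzas (the format shown in the post), derives the set of hosts carrying one or more tags, and applies that set to KV Store-style rows shaped like the poster's my_buildnumbers collection. It goes slightly beyond the post in that it ANDs several tags together and honours "disabled" values. The config text, lookup rows and all function names are constructed for illustration and are assumptions, not anything from the thread.

```python
"""Expand host tags from a tags.conf-style text into a host filter and
apply it to KV Store-style lookup rows.

Added example for this thread; not code from the original post or from
Splunk.  Assumes [host=<name>] stanzas with "<tag> = enabled|disabled"
lines, and lookup rows with _key=host and value=buildnumber.
"""
import re
from collections import defaultdict

# Constructed tags.conf content mirroring the stanzas in the post.
TAGS_CONF = """
[host=server1]
production = enabled
webserver = enabled

[host=server2]
production = enabled
database = enabled

[host=server3]
staging = enabled
webserver = enabled
pci = disabled
"""

# Constructed KV Store rows: _key is the host, value is the build number.
BUILDNUMBERS = [
    {"_key": "server1", "value": "1042"},
    {"_key": "server2", "value": "1040"},
    {"_key": "server3", "value": "1051"},
    {"_key": "server4", "value": "0990"},  # untagged host, never matched
]

# Matches a stanza header such as "[host=server1]".
STANZA_RE = re.compile(r"^\[(?P<field>[^=\]]+)=(?P<value>[^\]]+)\]$")


def parse_host_tags(conf_text):
    """Return {host: {tag, ...}} from tags.conf-style text.

    Only [host=...] stanzas are considered, and a tag is attached only when
    its value is exactly "enabled"; "disabled" lines do not attach it.
    """
    host_tags = defaultdict(set)
    current_host = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            field = m.group("field").strip()
            current_host = m.group("value").strip() if field == "host" else None
            continue
        if current_host is None or "=" not in line:
            continue
        tag, state = (part.strip() for part in line.split("=", 1))
        if state.lower() == "enabled":
            host_tags[current_host].add(tag)
    return dict(host_tags)


def hosts_with_tags(host_tags, *tags):
    """Hosts carrying every given tag (AND semantics, like tag=a tag=b)."""
    wanted = set(tags)
    return sorted(h for h, t in host_tags.items() if wanted <= t)


def filter_lookup(rows, host_tags, *tags):
    """Keep lookup rows whose _key is a host that has all the given tags."""
    allowed = set(hosts_with_tags(host_tags, *tags))
    return [row for row in rows if row["_key"] in allowed]


def as_spl_filter(host_tags, *tags):
    """Render the host set as the OR-expression a hand-written macro would
    contain; returns None when no host carries the tags."""
    hosts = hosts_with_tags(host_tags, *tags)
    if not hosts:
        return None
    return "(" + " OR ".join(f"host={h}" for h in hosts) + ")"


if __name__ == "__main__":
    tags = parse_host_tags(TAGS_CONF)
    for row in filter_lookup(BUILDNUMBERS, tags, "webserver"):
        print(row["_key"], row["value"])
    print(as_spl_filter(tags, "webserver", "production"))
```

The point of generating the host expression from the tag definitions rather than maintaining it by hand is that tags.conf stays the single place where a host's role and environment are declared; the macro-style OR-list is derived from it instead of drifting away from it.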
06-09-2016 08:51 AM
Hello saikatr, tomaszwrona,
Try configuring distributed search on the HF. Add your indexers (the ones storing the dbx2 health logs) as search peers. Then the Health dashboard will work.
As you already pointed out, if you forward your HF's logs to the indexer, they are not available on the HF. The dashboard won't find any results if distributed search is not configured.
Kind regards,
Thomas
01-29-2016 06:45 AM
Hey there!
I hope someone can give me hints on working with knowledge objects in a distributed environment. At the moment I am struggling with the following situation:
I use the Deployer to deploy a custom app to my Search Head Cluster. The app provides Dashboards and Alerts.
Some of the app's users have write permissions. When they change a Dashboard or Alert, the config will be saved to myapp/local/ on the SHC members.
At some point, I want to revert the users' changes (doesn't matter why).
So how do I easily and centrally delete all the data under myapp/local/ on the SHC members? I only came up with un-deploying and re-deploying the app from the Deployer, but this causes a rolling cluster restart, and I don't want that.
Kind regards,
Thomas
11-02-2015 08:39 AM
Hello Alex,
In inputs.conf one needs to provide input_timestamp_column_number and tail_rising_column_number. How do we get the column number manually if there is no result to the query yet?
How are the columns counted anyway? And why is *column_name not sufficient?
Regards,
Thomas
05-05-2015 07:35 AM
Hi Adam,
Have you tried "TA-bluecoat" (included in the ES App)? It works fine with the fields relevant for us. Also try the "App for Webproxies". Excellent piece!
Regards,
Thomas