cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Skorfulose
Explorer
Member since: ‎02-10-2015
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 9
Karma Received 3
Member Since ‎02-10-2015
Activity Feed
View All

Re: What is your best practice for search slicing ...

by in Knowledge Management
‎07-25-2016 09:06 AM
‎07-25-2016 09:06 AM
Hello sundareshr, thanks, this works. But depending on the search time range the subsearch can be quite slow. I think I need to find some optimizations for it. Regards, Thomas ... View more

What is your best practice for search slicing by h...

by in Knowledge Management
‎07-01-2016 07:49 AM
‎07-01-2016 07:49 AM
Hey there! I did not find an optimal solution for myself yet. But I guess many of you have similar use cases, so maybe you can explain how you handle such situations: Let's say you have an application consisting of: load balancers web servers application servers database servers And you have separate environments for: production staging development So you probably want to slice your searches different ways: Either by server role: Show me any errors on web servers (no matter whether prod, staging or dev) Or by server environment: Show me any errors in production environment (for all: lb, web, app, db) So I started tagging my hosts like this: [host=server1] production = enabled webserver = enabled [host=server2] production = enabled database = enabled [host=server3] staging = enabled webserver = enabled ... Now I can quickly perform normal searches like index=perfmon tag=webserver or index=perfmon tag=production . I know one can also use eventtypes, macros or lookups to achieve almost the same. The reason I prefer tags over the others is I can assign multiple attributes to one host easily. Doing the same with eventtypes or macros gets tedious quickly. If you add a webserver to production, you have to change two macros. And if you have more attributes (pci etc), it doesn't scale well. So here is my current problem: I have built a KV Store lookup storing the currently deployed application builds by host: _key=host and value=buildnumber . If I e.g. want to query the buildnumber for a specific environment I cannot use my tags: | inputlookup my_buildnumbers where tag=webserver would be great because the filtering would be done directly in KV Store / MongoDB. But obviously this doesn't work because Mongo doesn't know my tags. | inputlookup my_buildnumbers | eval host=_key | search tag=webserver unfortunately doesn't work either. I guess because tags aren't added for inputlookups. Only for real events. | inputlookup my_buildnumbers | search `webservers` with the macro expanding to (host=server1 OR host=server2) would probably work. But as mentioned I dislike the macro approach for the reason above. Does anybody have a good idea? How do you handle such things? Cheers! Thomas ... View more

Re: DB Connect 2 health dashboard shows "no result...

by in All Apps and Add-ons
‎06-09-2016 08:51 AM
‎06-09-2016 08:51 AM
Hello saikatr, tomaszwrona, try configuring distributed search on the HF. Add your indexers (storing the dbx2 health logs) as search peers. Then the Health dashboard will work. As you already pointed out if you forward your HF's logs to the indexer, they are not available on the HF. The dashboard won't find any result if distributed search is not configured. Kind regards, Thomas ... View more

How to delete local changes to knowledge objects i...

by in Deployment Architecture
‎01-29-2016 06:45 AM
3 Karma
‎01-29-2016 06:45 AM
3 Karma
Hey there! I hope someone can give me hints on working with knowledge objects in a distributed environment. At the moment I am struggling with the following situation: I use the Deployer to deploy a custom app to my Search Head Cluster. The app provides Dashboards and Alerts. Some of the app's users have write permissions. When they change a Dashboard or Alert, the config will be saved to myapp/local/ on the SHC members. At some point, I want to revert the users' changes (doesn't matter why). So how do I easily and centrally delete all the data under myapp/local/ on the SHC members? I only came up with un-deploying and re-deploying the app from the Deployer, but this causes a rolling cluster restart, and I don't want that. Kind regards, Thomas ... View more

Re: Splunk DB Connect 2: How to create a DB Input ...

by in All Apps and Add-ons
‎11-02-2015 08:39 AM
‎11-02-2015 08:39 AM
Hello Alex, in the inputs.conf one needs to provide input_timestamp_column_number and tail_rising_column_number . How do we get the column number manually if there is no result to the query yet? How are the columns counted anyway? And why is *column_name not sufficient? Regards, Thomas ... View more

Re: CIM compliant event mapping for BlueCoat logs

by in All Apps and Add-ons
‎05-05-2015 07:35 AM
‎05-05-2015 07:35 AM
Hi Adam, have you tried "TA-bluecoat" (included in ES App). Works fine with the fields relevant for us. Also try the "App for Webproxies". Excellent piece! Regards, Thomas ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to