Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About stefan_radovano
stefan_radovano
Explorer
Member since:
05-27-2014
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 05-27-2014 |
Activity Feed
- Karma Re: host regex does not seem to work for richgalloway. 06-05-2020 12:46 AM
- Karma Re: Field transformation based on source for emechler_splunk. 06-05-2020 12:46 AM
- Got Karma for Field transformation based on source. 06-05-2020 12:46 AM
- Posted Re: After upgrading to Splunk 6.2, why can I no longer log in using Chrome and KeePass with saved credentials? on Security. 11-19-2014 12:43 AM
- Posted Re: After upgrading to Splunk 6.2, why can I no longer log in using Chrome and KeePass with saved credentials? on Security. 11-19-2014 12:28 AM
- Posted Re: Field transformation based on source on Getting Data In. 06-14-2014 06:15 AM
- Posted Re: Field transformation based on source on Getting Data In. 06-14-2014 05:37 AM
- Posted Field transformation based on source on Getting Data In. 06-12-2014 02:30 AM
- Tagged Field transformation based on source on Getting Data In. 06-12-2014 02:30 AM
- Tagged Field transformation based on source on Getting Data In. 06-12-2014 02:30 AM
- Tagged Field transformation based on source on Getting Data In. 06-12-2014 02:30 AM
- Posted Re: host regex does not seem to work on Splunk Search. 05-28-2014 05:38 AM
- Posted Re: host regex does not seem to work on Splunk Search. 05-28-2014 05:25 AM
- Posted Re: host regex does not seem to work on Splunk Search. 05-28-2014 05:24 AM
- Posted host regex does not seem to work on Splunk Search. 05-28-2014 01:19 AM
- Tagged host regex does not seem to work on Splunk Search. 05-28-2014 01:19 AM
- Tagged host regex does not seem to work on Splunk Search. 05-28-2014 01:19 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 |
11-19-2014
12:43 AM
This seems to be related: http://answers.splunk.com/answers/177065/after-upgrading-to-splunk-62-why-can-i-no-longer-l.html
The javascript console shows in my case:
POST https://splunk.cnt.int:8000/en-GB/account/login 401 (Unauthorized)
This is in the accountpage.js file, line 6. The only file with that name I can find in my splunk folder is /opt/splunk/share/splunk/search_mrsparkle/exposed/js/build/accountpage.js , owner is splunk.splunk and it's readable by everyone.
splunkd.log shows this whenever I try:
11-19-2014 09:42:55.834 +0100 ERROR UserManagerPro - Login failed: Username and password are required
11-19-2014 09:42:55.834 +0100 ERROR UiAuth - user= action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.62 Safari/537.36" clientip=x.x.x.x
So it's pretty clear it's trying to login with empty username/password fields.
... View more
11-19-2014
12:28 AM
I also have the exact same problem. Rather annoying.
... View more
06-14-2014
06:15 AM
I actually tried to do this via GUI (Fields/Field Extraction) but when I chose "source" for "Apply To", it also wanted me to specify which source. I obviously didn't want to restrict it to one particular source, didn't know what to put in there. Was I doing something wrong ?
In any case, this worked. I just had to restart splunk. Is there no way around restarting ?
... View more
06-12-2014
02:30 AM
1 Karma
Hi All,
We log data from devices belonging to different customers, they are written to our syslog server in files named /data/log/CUSTOMER/site/router1.log, for example. I wanted to have a search-time field called customer with the value CUSTOMER, taken from the source filename.
I did this via the web GUI, under Settings/Fields/Field Transformation, this is what was written in $SPLUNK_HOME/etc/apps/search/local/transforms.conf:
[get_customer]
FORMAT = customer::$1
REGEX = \/data\/log\/(.*)\/site.*
SOURCE_KEY = MetaData:Source
Unfortunately nothing happens, I get no field named customer when I search. From what I can tell, the regex is correct. I also tried just "source" as SOURCE_KEY but nothing changed. Is anything wrong with my transform ?
I am also not sure how this transform is applied, is it run against log messages arriving via all indexes ?
As additional info, we are running splunk on a separate server (so basically the indexer) and we use a light forwarder on our syslog server. The transform above is done on the indexer.
Thanks,
Stefan
... View more
05-28-2014
05:38 AM
Well, this is weird, it works when I remove the anchor tags but I could SWEAR that I tried without too. And I am pretty sure I've seen examples in here with people using anchor tags. In any case, thank you!
... View more
05-28-2014
05:25 AM
The command above actually contains backslashes behind the dots at the end, they are just removed by this site apparently.
... View more
05-28-2014
05:24 AM
Unfortunately it's not working either. I don't think the escape is needed to be honest. For example, I can type this into the search bar:
index=main | rex field=source ^/data/log/Core/(? .*).cnt.int.log$
and it produces entries with the host extracted correctly, so the regex is fine. I just don't understand why it's not being applied on indexing.
... View more
05-28-2014
01:19 AM
Hello all,
I am new to Splunk and I am currently evaluating 6.1. We collect logs from a bunch of devices (routersand switches) to a central syslog server (syslog-ng) and currently splunk runs on this server. I am trying to get it to detect the hostname of the device from the log filename but I can't seem to get it to work.
I went through a lot of the questions already posted here and it seems to me what I am doing should work, but it doesn't.
This is the entry I have in /apps/search/local/inputs.conf:
[monitor:///data/log/Core/*]
blacklist = \.(gz|bz2|z|zip|\d)$
disabled = false
followTail = 0
host =
whitelist = \.cnt.int.log$
host_regex = ^/data/log/Core/(.*)\.cnt\.int\.log$
sourcetype = cisco:ios
(this was added by the web gui)
The files look like this:
/data/log/Core/router1.cnt.int.log
/data/log/Core/router2.cnt.int.log
/data/log/Core/router3.cnt.int.log
/data/log/Core/router4.cnt.int.log
/data/log/Core/router4.cnt.int.log.1
/data/log/Core/router4.cnt.int.log.2.gz
/data/log/Core/router4.cnt.int.log.3.gz
/data/log/Core/router5.cnt.int.log
/data/log/Core/router6.cnt.int.log
/data/log/Core/router7.cnt.int.log
The regex looks fine to me, it checks out ok in RegExr. Despite all this, when I go to the Web gui, search and click on Data summary, I only see the syslog server hostname. There is none of those router1, router2 and so on hostnames which I expected to see.
Any idea why this is not working ?
Regards,
Stefan
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
