Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About strousseau
strousseau
Path Finder
Member since:
06-24-2016
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-24-2016 |
Activity Feed
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 02-03-2017 01:36 AM
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 02-03-2017 12:30 AM
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-31-2017 02:31 PM
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-20-2017 01:17 AM
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-18-2017 01:45 PM
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-18-2017 08:18 AM
- Posted Re: Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-17-2017 03:16 PM
- Posted Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-16-2017 02:05 PM
- Tagged Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-16-2017 02:05 PM
- Tagged Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-16-2017 02:05 PM
- Tagged Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-16-2017 02:05 PM
- Tagged Unable to import a file with two spaces as separator, which occur once. How to edit my transform configurations? on Getting Data In. 01-16-2017 02:05 PM
- Posted Re: How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 07-08-2016 01:24 AM
- Posted Re: How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:28 AM
- Posted How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:19 AM
- Tagged How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:19 AM
- Tagged How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:19 AM
- Tagged How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:19 AM
- Tagged How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:19 AM
- Tagged How to get more precision for latitude and longitude fields with geostats? on Splunk Enterprise. 06-24-2016 01:19 AM
Topics I've Started
02-03-2017
01:36 AM
Hello,
Some good news.
When I defined my own sourcetype, it was assigned to the app search and not to the app system.
If I assign my sourcetype to app system it works !!! But only for the transformation of the two spaces !! The third line is used as fields names.
If I try to manage the first line as fields names and to ignore the second line, the transformation of two spaces is no more executed !!
... View more
02-03-2017
12:30 AM
Hello,
Depending on setup for horodating, I have this message in the import wizard : CSV StreamId: 0 has extra incorrect columns in certain fields.
I have written the SEDCMD line to convert two spaces in one space but it seems not to be executed.
Another rule to convert 2017 to 2018 is not executed.
Regards
... View more
01-31-2017
02:31 PM
Hello,
Is there any log I can read to see if the rule is called ?
Is SEDCMD is functionnal on Windows ?
I don't understand what I'm doing wrong. Even replace 2017 by 2018 is ko.
Please help me...
strousseau
... View more
01-20-2017
01:17 AM
Yes,
I restart splunk server at each try.
I have the same problem with Splunk Enterprise 6.5.1 on linux
When I import datas in Splunk, at the second step (somthing like setup source type) and put my own sourcetype, I see my SEDCMD rule but nothing happens. I try to replace 2017 by 2018, a basic rule, and I doesn't work.
... View more
01-18-2017
01:45 PM
Hello,
I made some another tries with vendor_sales.log from the tutorial and put it on d:.
I updated C:\Program Files\Splunk\etc\apps\search\local\props.conf
I never succeeded to make the replacement.
Even with the wizard, no replacement.
Regards,
Stéphane
... View more
01-18-2017
08:18 AM
Hello,
I made so many tries that I am not sure there is no typo in my code.
I even tried to insert the rule in two différents sections of props.conf. First one is the section for my new source type and second one is the section named [source::*mycompany*.log]. None works.
So I will try the sample from hunters [Splunk] with replacement in AcctId field.
Regards
Stéphane
... View more
01-17-2017
03:16 PM
Hello,
Thanks a lot for your answer,
I made many tries but unfortunately, no one worked.
I modified the right props.cof (C:\Program Files\Splunk\etc\apps\search\local\props.conf) and restarted Splunk each time.
Even at import time, I tried to modify the search and replace string in Advanced tab and it didn't work.
Here are the different syntax I used.
SEDCMD-single-whitespace = s/2017/2018/g
SEDCMD-single-whitespace = s/(^\d{8})\s\s/\1\s/g
SEDCMD-single-whitespace = s/(^\d{8})\s\s/\1 /g
SEDCMD-single-whitespace = s/(^\d{8})\s\s/\1/g
SEDCMD-single-whitespace = s/(^\d{8})\s\s(*)/\1 \2/g
The first one is very simple but it didn't work !
Di I need to make a tranformation and modify traform.conf ?
Regards
Stephane
... View more
01-16-2017
02:05 PM
Hello,
I'm trying to import this kind of file :
\#DATE TITRE1 TITRE2 TITRE3
#LINE TO IGNORE
20170101 LIGNE1COL1 LIGNE1COL2 "LIGNE1 COL 3"
20170101 LIGNE2COL1 LIGNE2COL2 "LIGNE2 COL 3"
20170101 LIGNE3COL1 LIGNE3COL2 "LIGNE3 COL 3"
20170101 LIGNE1COL1 LIGNE1COL2 "LIGNE1 COL 3"
20170101 LIGNE2COL1 LIGNE2COL2 "LIGNE2 COL 3"
20170101 LIGNE3COL1 LIGNE3COL2 "LIGNE3 COL 3"
20170101 LIGNE1COL1 LIGNE1COL2 "LIGNE1 COL 3"
20170101 LIGNE2COL1 LIGNE2COL2 "LIGNE2 COL 3"
20170101 LIGNE3COL1 LIGNE3COL2 "LIGNE3 COL 3"
20170101 LIGNE1COL1 LIGNE1COL2 "LIGNE1 COL 3"
20170101 LIGNE2COL1 LIGNE2COL2 "LIGNE2 COL 3"
Please take take of two space between the date and the second column in the "values" oart and only one space in the "header" part.
Titles are in the first line.
I don't want the second line to be read.
So, I defined a new source type with spaces as separator. I ignore lines starting with character # and I say fields names are on the first line.
The problem is that Splunk defines a new field named "EXTRA_FIELD_5" with values from the last column ("LIGNE1 COL 3").
The field TITRE2 has values of the second column (LIGNE1COL1) and the field TITRE3 has values like LIGNE1COL2.
If I replace the two spaces into only one space, the values are loaded in the right way except the second line which is read whatever i set up.
So I tried to use transformation to transform two spaces in one space but this doesn't work. Here is the rules :
[source::\*mycompany\*.log]
#SEDCMD-single-whitespace = s/ / /g
#SEDCMD-remove-line = s/#LINE TO IGNORE\n//
I am not sure I'm using the right props.conf (Splunk\etc\users\admin\search\local\props.conf, Splunk\etc\apps\search\default\props.conf or Splunk\etc\system\default\props.conf).
I don't understand why the second line is not ignored.
I googled the problem and saw some answer talking about HEADER_FIELD_LINE_NUMBER = 1 and PREAMBLE_REGEX = ^#.*
This doesn't work.
I think my syntax is correct because this search works : source="\*mycompany\*.log" | rex field=DATE mode=sed "s/2017/2018/g"
I'm using Splunk Light Free Version 6.4.1
So please help me to understand what is wrong and how to solve my problem.
Regards
Stephane
... View more
07-08-2016
01:24 AM
Hello,
I just answer myself.
I've found Clustered Single Value Map Visualization (https://splunkbase.splunk.com/app/3124/) and it does exactly what I want.
Regards
Stephane
... View more
06-24-2016
01:28 AM
The question is quite the same as this one https://answers.splunk.com/answers/219888/how-to-display-exact-locations-on-a-dashboard-map.html but no answer for this one.
Hope I will be more lucky.
... View more
06-24-2016
01:19 AM
Hello,
I'm a beginner with Splunk and have made some tries to learn how to use it.
I'm using some data from http://data.paysdelaloire.fr/api/publication/24440040400129_NM_NM_00184/APPUIS_VELOS_NM_STBL/content/?format=csv
The result in Splunk with geostats for that data should be something like http://data.paysdelaloire.fr/donnees/detail/appuis-velos-de-nantes-metropole/?tx_icsoddatastore_pi1[cgu]=on&tx_icsoddatastore_pi1[btn_registration]=valider&visualization=2
The problem is not the number in bubbles, but too few bubbles.
Here is what I get with different levels of zoom in Splunk
http://hpics.li/e4bb113
http://hpics.li/0824637
So, can someone tell me how to get more precision on the map?
Regards
Stephane
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
