Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About spluzer
spluzer
Path Finder
Member since:
07-20-2019
01-04-2021
Community Statistics
| Posts | 43 |
| Solutions | 3 |
| Karma Given | 12 |
| Karma Received | 3 |
| Member Since | 07-20-2019 |
Activity Feed
- Karma How to install splunk universal forwarder on multiple windows system with powershell script? for vinod94. 12-30-2020 09:48 AM
- Posted Re: Splunk apps: How do you resolve certificate verification errors? on Security. 10-26-2020 06:38 AM
- Karma Re: Splunk apps: How do you resolve certificate verification errors? for SplunkIT3337. 10-26-2020 06:38 AM
- Posted Re: SSL Error on configuring Splunk forwarding using own certificates on Security. 10-23-2020 06:30 AM
- Posted Re: Troubleshooting SSL Error on Forwarder on Security. 10-09-2020 07:06 AM
- Karma Connection not secure : splunk web with https when using internal cert for Ksr1982. 10-07-2020 06:37 AM
- Karma Re: Create an alert for SplunkForwarders with custom data inputs not in deployment server for gcusello. 06-05-2020 12:51 AM
- Karma Re: How to add a second token to narrow the dropdown time selection to "between" two time frames for arjunpkishore5. 06-05-2020 12:50 AM
- Karma Re: Need to add a token so "where" clause updates with a different time range for aberkow. 06-05-2020 12:50 AM
- Karma Re: dashboard can add value to lookup through submit button.,,,Need a button to remove from lookup (so users can blacklist and whitelist servers) for woodcock. 06-05-2020 12:50 AM
- Karma Re: Dashboard with a submit button so user can blacklist a server?? for woodcock. 06-05-2020 12:50 AM
- Karma Re: eval / rex a field and change its output for to4kawa. 06-05-2020 12:50 AM
- Karma Re: How to create an alert for multiple alerts (fires when too many of specific alerts are activated) for rbechtold. 06-05-2020 12:50 AM
- Got Karma for Re: How to create an alert for multiple alerts (fires when too many of specific alerts are activated). 06-05-2020 12:50 AM
- Got Karma for Re: Dashboard with a submit button so user can blacklist a server??. 06-05-2020 12:50 AM
- Got Karma for determining sourcetype reporting intervals. 06-05-2020 12:50 AM
- Karma Re: Understanding the LOOKUP command for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: How to create a dashboard with text input fields that will update a lookup file? for MuS. 06-05-2020 12:48 AM
- Posted Anyone using (disk_queue_length) instead of %_disk_time for disk metrics??? on Archive2. 04-30-2020 02:13 PM
- Posted Re: Create an alert for SplunkForwarders with custom data inputs not in deployment server on Alerting. 03-11-2020 06:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-30-2020
02:13 PM
Hey Splunkers,
Just wondering if anyone had some cool suggestions for better disk metrics
We are currently using %_disk_time (among others) for performance monitoring for our hosts
While it may be somewhat useful to know that drives are 100% busy, that fact in and of itself, is not as useful.
I would expect that drives holding data would be 100% busy because the drive is being read from or written to almost all of the time, especially on some of our more heavily used systems
Just from my own basic knowledge, that metric combined with “Average Disk Que Length”, would be more relevant. If a disk is busy almost all of the time, and there is a large queue, the disk might be a bottleneck, and require further investigation.
However, I imagine RAID configuration needs to be factored in (which I'm not sure about) -and I'm wondering how others are doing it. Any help is much appreciated
I'm currently playing around with it like this:
index=windows sourcetype="PerfmonMk:LogicalDisk"
| stats avg(Current_Disk_Queue_Length) as average by host instance
| search average>1
| sort - average
... View more
- Tags:
- disk-performance
03-05-2020
05:26 AM
Greeting all,
There are some custom apps out there on universal forwarders. They may be working now, but they need to be put in custom deployment apps so that they are not lost.
Any ideas on setting up an alert or report to track these forwarders with custom data inpouts?
Thanks!
... View more
- Tags:
- alerting
12-11-2019
05:58 AM
Awesome thanks!..You answered my question perfectly, and will accept accordingly. However, I now realize that it probably makes more sense for me to "replace" the intervals with a cron schedule with 86400 rather than create a new field called output ( for the sake of writing it to a lookup)...Do you have a way to do that...I can ask it in other question form if you prefer...Thanks again!
... View more
12-11-2019
05:23 AM
hello all,
I have a lookup with two fields sourcetype and interval ( like below) ..some of the intervals are in seconds (which is great) - However some are in cron like (14 01 * * *) --I need to change the ones in cron to 86400 ...Any ideas
sourcetype interval
blah 300
blah2 15 01 * * * *
blah3 3600
blah4 18 02 * * *
Here is my comically bad regex I've been working with, but cant seem to make it work
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| dedup sourcetype
| eval output=if(match(interval="(\d+)(\d+).(\d).(*).(*).(*)")),"86400","interval")
| table sourcetype interval output
Thanks!
... View more
11-15-2019
05:33 AM
I cant download any additional apps. Which leaves me with the monitoring console. Is there something in the monitoring console that addresses sourcetype intervals that I am missing?
... View more
11-14-2019
11:40 AM
1 Karma
Hey Splunkerinos,
Noob Here. The code below tells us what sourcetypes haven't reported in, which is great and all.. However, I need to get a little deeper analysis to determine if we actually care about that sourcetype that hasnt reported in....To do that I need to get the INTERVALS for when these sourcetypes report ...for instance, if i havent heard from a sourcetype in 9 hours, (currently filtering to over a week, but you get my drift) but it only reports every ten hours, then i dont care and then I can blacklist it to keep it from showing up.......perhaps another lookup (multi-column) with sourcetype , interval, blacklist ...Not really sure how i would implement that though ...Thanks for your help !
| tstats latest(_indextime) as lt by host sourcetype
| search NOT [inputlookup sourcetype_blacklist.csv | table sourcetype]
| eval NOW=now()
| eval difftime=NOW-lt
| rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 "1-2 Weeks"=604801-1209600 "2-3 Weeks"=1209601-1814400 default="Greater than 3 Weeks"
| eventstats count(host) as tots_hosts by sourcetype
| eventstats dc(sourcetype) as tots_st by host
| search difftime >= 604801
| eventstats count(host) as ghost_hosts by sourcetype
| eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100
| eval percent_ghost_host=round(percent_ghost_host,2)
| eventstats dc(sourcetype) as ghost_st by host
| eval percent_ghost_st = (ghost_st / tots_st) * 100
| eval percent_ghost_st=round(percent_ghost_st,2)
| dedup sourcetype
| rename host as Host sourcetype as Sourcetype range as "Time Missing" percent_ghost_host as "This Hosts Percentage Missing to Whole" percent_ghost_st as "This Sourcetypes Percentage Missing to Whole" tots_hosts as "Total Count of Hosts by Sourcetype" tots_st as "Total Count of Sourcetypes by Host" ghost_hosts as "Count of Missing Hosts" ghost_st as "Count of Missing Sourcetypes"
| table Host Sourcetype "Time Missing" "Total Count of Hosts by Sourcetype" "Count of Missing Hosts" "This Hosts Percentage Missing to Whole" "Total Count of Sourcetypes by Host" "Count of Missing Sourcetypes" "This Sourcetypes Percentage Missing to Whole"
... View more
11-14-2019
06:12 AM
Sorry, got a little side tracked on this task. This is amazing. Accepted accordingly, cheers!
... View more
11-07-2019
12:02 PM
Ended up creating a saved search :
tstats latest(_indextime) as lt by host sourcetype
runs every six hours (30 day grab)
Then dashboard panel uses this query:
| loadjob savedsearch=admin:search;my_saved_search
| eval timeLastSeenCheck=relative_time(now(), "-$simple$d@d"), newer_than=relative_time(now(), "-$simple_2$d@d")
| eventstats count(host) as tots_hosts by sourcetype
| eventstats dc(sourcetype) as tots_st by host
| where lt < timeLastSeenCheck and lt>newer_than
| eventstats count(host) as ghost_hosts by sourcetype
| eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100
| eventstats dc(sourcetype) as ghost_st by host
| eval percent_ghost_st = (ghost_st / tots_st) * 100
| convert ctime(timeLastSeenCheck) as Time_LAst_Seen_Check timeformat="%Y/%m/%d %H:%M"
| convert ctime(lt) as "Cutoff" timeformat="%Y/%m/%d %H:%M"
| dedup sourcetype
| rename host as Host sourcetype as Sourcetype percent_ghost_host as "This Hosts Percentage Missing to Whole" percent_ghost_st as "This Sourcetypes Percentage Missing to Whole" tots_hosts as "Total Count of Hosts by Sourcetype" tots_st as "Total Count of Sourcetypes by Host" ghost_hosts as "Count of Missing Hosts" ghost_st as "Count of Missing Sourcetypes" Time_LAst_Seen_Check as "Day Last Seen"
| table Host Sourcetype "Total Count of Hosts by Sourcetype" "Count of Missing Hosts" "This Hosts Percentage Missing to Whole" "Total Count of Sourcetypes by Host" "Count of Missing Sourcetypes" "This Sourcetypes Percentage Missing to Whole" "Day Last Seen" "Cutoff"
... View more
11-07-2019
11:56 AM
Here is what I ended up doing.
| tstats count
latest(_time) as _time
where index=* earliest=-48h latest=-24h
by host index sourcetype
| join type=left max=0 host index sourcetype [
| tstats count as currentcount
where index=* earliest=-24h latest=-0h
by host index sourcetype ]
| where isnull(currentcount)
| eval host=upper(host)
| convert ctime(_time) as "Data Last Received"
| table host index sourcetype count "Data Last Received"
| sort host index sourcetype
... View more
11-07-2019
06:50 AM
Thanks. To clarify, would I just take the first line | tstats latest(_indextime) as lt by host and sourcetpye) ...run it for 30 days (for example) and save THAT as the summary index?
... View more
11-06-2019
06:51 AM
Hey Splunksters,
Noob here.
The query below is for a dashboard panel that lets me toggle to see (for example) sourcetypes/ hosts that haven't sent data in 24 hours, but not more than 48 hours. It works, but its super slow. Any thoughts on the easiest way to speed this up? Perhaps a saved search? / loadjob? lookup? of so, what would the query for that look like???.. Any help is much appreciated!
<form>
<label>Missing Data Dashboard</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="simple">
<label>Select Period</label>
<choice value="1">Missing 1 day</choice>
<choice value="2">Missing 2 days</choice>
<choice value="3">Missing 3 Days</choice>
<choice value="4">Missing 4 Days</choice>
<choice value="5">MIssing 5 Days</choice>
<choice value="6">MIssing 6 Days</choice>
<choice value="7">MIssing 7 Days</choice>
<choice value="8">Missing 8 Days</choice>
<choice value="9">Missing 9 Days</choice>
<default>1</default>
</input>
<input type="dropdown" token="simple_2">
<label>Select Cutoff</label>
<choice value="2">Not > 2 Days</choice>
<choice value="3">Not > 3 Days</choice>
<choice value="4">Not > 4 Days</choice>
<choice value="5">Not > 5 Days</choice>
<choice value="6">Not > 6 Days</choice>
<choice value="7">Not > 7 Days</choice>
<choice value="8">Not > 8 Days</choice>
<choice value="9">Not > 9 Days</choice>
<default>2</default>
</input>
</fieldset>
<row>
<panel>
<title>Select Day for Silent Hosts / Sourcetypes (Last 15 Days)</title>
<table>
<search>
<query>| tstats latest(_indextime) as lt by host sourcetype
| eval timeLastSeenCheck=relative_time(now(), "-$simple$d@d"), newer_than=relative_time(now(), "-$simple_2$d@d")
| eventstats count(host) as tots_hosts by sourcetype
| eventstats dc(sourcetype) as tots_st by host
| where lt < timeLastSeenCheck and lt>newer_than
| eventstats count(host) as ghost_hosts by sourcetype
| eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100
| eventstats dc(sourcetype) as ghost_st by host
| eval percent_ghost_st = (ghost_st / tots_st) * 100
| convert ctime(timeLastSeenCheck) as Time_LAst_Seen_Check timeformat="%Y/%m/%d %H:%M"
| convert ctime(lt) as "Cutoff" timeformat="%Y/%m/%d %H:%M"
| dedup sourcetype
| rename host as Host sourcetype as Sourcetype percent_ghost_host as "This Hosts Percentage Missing to Whole" percent_ghost_st as "This Sourcetypes Percentage Missing to Whole" tots_hosts as "Total Count of Hosts by Sourcetype" tots_st as "Total Count of Sourcetypes by Host" ghost_hosts as "Count of Missing Hosts" ghost_st as "Count of Missing Sourcetypes" Time_LAst_Seen_Check as "Day Last Seen"
| table Host Sourcetype "Total Count of Hosts by Sourcetype" "Count of Missing Hosts" "This Hosts Percentage Missing to Whole" "Total Count of Sourcetypes by Host" "Count of Missing Sourcetypes" "This Sourcetypes Percentage Missing to Whole" "Day Last Seen" "Cutoff"</query>
<earliest>-15d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
... View more
11-03-2019
06:37 AM
Ok. I'm a dummy (missed some spl during copy/pasta)...Got it working ...Thanks arjunpkishore5!
... View more
11-01-2019
12:04 PM
Thanks..I see what you are getting at, but i dont get any results ...it was a longshot, but i tried setting the values to 2 , 3, 4 , 5 in the second dropdown?? but that didnt work either ....hmmmm
... View more
11-01-2019
11:27 AM
Thanks again!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-04-2021
11:28 AM
|
Karma given to
