Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About spluzer
spluzer
Communicator
Member since:
07-20-2019
04-28-2023
Community Statistics
| Posts | 52 |
| Solutions | 4 |
| Karma Given | 12 |
| Karma Received | 3 |
| Member Since | 07-20-2019 |
Activity Feed
- Posted How to match host fields between two separate lookups? on Splunk Search. 04-24-2023 11:54 AM
- Posted Re: Splunk_TA_windows - some Stanza from Inputs.conf does not work? on All Apps and Add-ons. 04-08-2022 08:40 AM
- Posted Why is Windows 2019-FWD (client) missing inputs/sourcetypes on front end? on Monitoring Splunk. 04-08-2022 06:55 AM
- Posted Powershell script to install UF on multiple remote windows machines on Installation. 11-03-2021 12:28 PM
- Posted Re: Azure VM - Won't report to Deployment server on Getting Data In. 11-03-2021 12:20 PM
- Posted Powershell Scripted input truncated in raw on Getting Data In. 08-16-2021 05:58 AM
- Posted Re: Azure VM - Won't report to Deployment server on Getting Data In. 05-07-2021 10:11 AM
- Posted Splunk free - setting up a distributed environement (Search Head, 1 IDX, 1 UF, maybe a deployment server) on Deployment Architecture. 05-07-2021 10:06 AM
- Posted Azure VM - Won't report to Deployment server on Getting Data In. 05-04-2021 12:40 PM
- Karma How to install splunk universal forwarder on multiple windows system with powershell script? for vinod94. 12-30-2020 09:48 AM
- Posted Re: Splunk apps: How do you resolve certificate verification errors? on Security. 10-26-2020 06:38 AM
- Karma Re: Splunk apps: How do you resolve certificate verification errors? for SplunkIT3337. 10-26-2020 06:38 AM
- Posted Re: SSL Error on configuring Splunk forwarding using own certificates on Security. 10-23-2020 06:30 AM
- Posted Re: Troubleshooting SSL Error on Forwarder on Security. 10-09-2020 07:06 AM
- Karma Connection not secure : splunk web with https when using internal cert for Ksr1982. 10-07-2020 06:37 AM
- Karma Re: Create an alert for SplunkForwarders with custom data inputs not in deployment server for gcusello. 06-05-2020 12:51 AM
- Karma Re: How to create an alert for multiple alerts (fires when too many of specific alerts are activated) for rbechtold. 06-05-2020 12:50 AM
- Karma Re: eval / rex a field and change its output for to4kawa. 06-05-2020 12:50 AM
- Karma Re: Dashboard with a submit button so user can blacklist a server?? for woodcock. 06-05-2020 12:50 AM
- Karma Re: dashboard can add value to lookup through submit button.,,,Need a button to remove from lookup (so users can blacklist and whitelist servers) for woodcock. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
04-24-2023
11:54 AM
Hello all, I have two lookups-- lookup1.csv with a "host" field and lookup2.csv with a "Host" field I want to see if any hosts match Pretty silly, but IM blanking on this for some reason
here is how I was doing it, but it doesn't seem to find the hit (even when I add it in a matching host purposefully for testing) | inputlookup lookup1.csv | rex field=host "(?<host>[^.]+)\." | dedup host | appendpipe [ | inputlookup lookup2.csv ] | table host Host | eval results = if(match(upper(Host),upper(host)), "hit", "miss") | table host Host results
... View more
Labels
- Labels:
-
lookup
04-08-2022
08:40 AM
Experiencing the same issue with widows 2019 clients only as well. Any updates with this?
... View more
04-08-2022
06:55 AM
Hey all, I have a 2019 windows client - sending some default data , but there are a handful of inputs that are visible on the inputs.conf in the apps folder (which some of the inputs on that very same inputs.conf are working) that are not showing up on the front end. These same apps and corresponding inputs are working on non-windows 2019 FWDs/clients Any ideas? Thanks!
... View more
- Tags:
- sourcetype
- windows
Labels
- Labels:
-
forwarder management
11-03-2021
12:28 PM
Hey splunksters, I don't do much powershelling, but I have a big list of windows azure servers that need to have the universal forwarder installed Anyone have a poweshell script to install a a forwarder on multiple remote (azure) windows machines? Preferably the script will need to check to see if a forwarder is already installed and then skip it if it is. Thanks
... View more
Labels
- Labels:
-
universal forwarder
11-03-2021
12:20 PM
Update: The outputs.conf on the azure client did not have the fqdn for the indexer and deployment server. We weren't including the fqdn in the outputs.conf the was being deployed, bc all of our hosts at the time were on-prem. Obviously, Azure needed the full name like (splunkserver.somedomain:8089) Instead of splunkserver:8089
... View more
08-16-2021
05:58 AM
Hey Splunksters, I have a scripted input (powershell) that outputs correctly 6 fields on the screen like this: expiration_date user login cardRequired location account_last_changed mm/dd/yy 15:03 joblo some_stats true/false blah mm/dd/yy 16:06 However, when splunk ingests these fields, it is cutting off the last one (account_last_changed) in the _raw Anybody know why? Tried setting TRUNCATE=0 and TRUNCATE=500000 etc etc in the props.conf Cannot for the life of me get that last field to show up in Splunk I also thought that perhaps it was treating that last field like a new time_stamp ans was thus getting confused and cutting it off. However, I tried moving the field closer to the first time_timestamp in the actual script (got all six fields to output correctly to the screen) but Splunk was still cutting it off. Any help is much appreciated! Thanks!
... View more
Labels
- Labels:
-
scripted input
05-07-2021
10:11 AM
Thanks! I will check it out. I guess I'm still a little confused. In the past, after installing the forwarder, I could find the host in the forwarder management GUI- THEN I would set up a server class for that machine. I don't see the host showing up at all in forwarder management. However, I haven't had access to the machine yet, so I will check the logs you mentioned on the client side when I gain access...thanks again!
... View more
05-07-2021
10:06 AM
Hey Splunksters, My work environment is switching from Windows (large distributed enviro) to Linux pretty soon. I'd like to get familiar with architecting in Linux so I had a couple of questions: I'm wondering if I can simply spin up 3-5 aws linux vm's and use the free version of splunk to get familiar with the process of creating a distributed enviro (assigning a search head, 1 idx, maybe couple of forwarders and a deployment server using the free splunk??? Or, is the free splunk Enterprise only good for 1 download on 1 machine ?? Thanks!
... View more
Labels
- Labels:
-
distributed search
05-04-2021
12:40 PM
Hey Splunksters, I have an Azure VM that I put a forwarder on that is supposed to reach out to my on-prem deployment server (which I have successfully done in my separate development environment). (just a little backstory in case this helps anyone) Originally it was installed using a script that pointed to the wrong Deployment server, so I uninstalled the forwarder - then reinstalled it pointing to the correct deployment server I checked the deploymentclient.conf and it is pointed correctly - restarted the service etc etc. - But none of the deployment apps are showing up on the client - and the DS GUI does not show the the client server in forwarding management Ran a test-netconnection from the Azuer machine to the DS using the DS management port - and got TCP success However, when I run test connection on the DS back to the Azure machine it fails -- Which would lead me to believe there is a firewall or isn't set to bi-directional port etc etc etc. HOWEVER, my DEV setup gives me the exact same test connection failure going FROM: the DS TO: the Azure client machine ----BUT IT STILL WORKS (data comes in, apps deploy , etc in DEV ) ---so I'm confused That's why I feel like I am taking crazy pills. Considering doing a full reboot of the client machine, but that is not optimal at the moment. Thanks!
... View more
- Tags:
- deployment serve
Labels
- Labels:
-
universal forwarder
04-30-2020
02:13 PM
Hey Splunkers,
Just wondering if anyone had some cool suggestions for better disk metrics
We are currently using %_disk_time (among others) for performance monitoring for our hosts
While it may be somewhat useful to know that drives are 100% busy, that fact in and of itself, is not as useful.
I would expect that drives holding data would be 100% busy because the drive is being read from or written to almost all of the time, especially on some of our more heavily used systems
Just from my own basic knowledge, that metric combined with “Average Disk Que Length”, would be more relevant. If a disk is busy almost all of the time, and there is a large queue, the disk might be a bottleneck, and require further investigation.
However, I imagine RAID configuration needs to be factored in (which I'm not sure about) -and I'm wondering how others are doing it. Any help is much appreciated
I'm currently playing around with it like this:
index=windows sourcetype="PerfmonMk:LogicalDisk"
| stats avg(Current_Disk_Queue_Length) as average by host instance
| search average>1
| sort - average
... View more
- Tags:
- disk-performance
03-05-2020
05:26 AM
Greeting all,
There are some custom apps out there on universal forwarders. They may be working now, but they need to be put in custom deployment apps so that they are not lost.
Any ideas on setting up an alert or report to track these forwarders with custom data inpouts?
Thanks!
... View more
- Tags:
- alerting
12-11-2019
05:58 AM
Awesome thanks!..You answered my question perfectly, and will accept accordingly. However, I now realize that it probably makes more sense for me to "replace" the intervals with a cron schedule with 86400 rather than create a new field called output ( for the sake of writing it to a lookup)...Do you have a way to do that...I can ask it in other question form if you prefer...Thanks again!
... View more
12-11-2019
05:23 AM
hello all,
I have a lookup with two fields sourcetype and interval ( like below) ..some of the intervals are in seconds (which is great) - However some are in cron like (14 01 * * *) --I need to change the ones in cron to 86400 ...Any ideas
sourcetype interval
blah 300
blah2 15 01 * * * *
blah3 3600
blah4 18 02 * * *
Here is my comically bad regex I've been working with, but cant seem to make it work
| rest splunk_server=local /services/data/inputs/script
| search (disabled = 0 AND interval=*)
| dedup sourcetype
| eval output=if(match(interval="(\d+)(\d+).(\d).(*).(*).(*)")),"86400","interval")
| table sourcetype interval output
Thanks!
... View more
11-15-2019
05:33 AM
I cant download any additional apps. Which leaves me with the monitoring console. Is there something in the monitoring console that addresses sourcetype intervals that I am missing?
... View more
11-14-2019
11:40 AM
1 Karma
Hey Splunkerinos,
Noob Here. The code below tells us what sourcetypes haven't reported in, which is great and all.. However, I need to get a little deeper analysis to determine if we actually care about that sourcetype that hasnt reported in....To do that I need to get the INTERVALS for when these sourcetypes report ...for instance, if i havent heard from a sourcetype in 9 hours, (currently filtering to over a week, but you get my drift) but it only reports every ten hours, then i dont care and then I can blacklist it to keep it from showing up.......perhaps another lookup (multi-column) with sourcetype , interval, blacklist ...Not really sure how i would implement that though ...Thanks for your help !
| tstats latest(_indextime) as lt by host sourcetype
| search NOT [inputlookup sourcetype_blacklist.csv | table sourcetype]
| eval NOW=now()
| eval difftime=NOW-lt
| rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 "1-2 Weeks"=604801-1209600 "2-3 Weeks"=1209601-1814400 default="Greater than 3 Weeks"
| eventstats count(host) as tots_hosts by sourcetype
| eventstats dc(sourcetype) as tots_st by host
| search difftime >= 604801
| eventstats count(host) as ghost_hosts by sourcetype
| eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100
| eval percent_ghost_host=round(percent_ghost_host,2)
| eventstats dc(sourcetype) as ghost_st by host
| eval percent_ghost_st = (ghost_st / tots_st) * 100
| eval percent_ghost_st=round(percent_ghost_st,2)
| dedup sourcetype
| rename host as Host sourcetype as Sourcetype range as "Time Missing" percent_ghost_host as "This Hosts Percentage Missing to Whole" percent_ghost_st as "This Sourcetypes Percentage Missing to Whole" tots_hosts as "Total Count of Hosts by Sourcetype" tots_st as "Total Count of Sourcetypes by Host" ghost_hosts as "Count of Missing Hosts" ghost_st as "Count of Missing Sourcetypes"
| table Host Sourcetype "Time Missing" "Total Count of Hosts by Sourcetype" "Count of Missing Hosts" "This Hosts Percentage Missing to Whole" "Total Count of Sourcetypes by Host" "Count of Missing Sourcetypes" "This Sourcetypes Percentage Missing to Whole"
... View more
