Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About paimonsoror
paimonsoror
Builder
Member since:
10-03-2016
06-05-2020
Community Statistics
| Posts | 171 |
| Solutions | 4 |
| Karma Given | 31 |
| Karma Received | 27 |
| Member Since | 10-03-2016 |
Activity Feed
- Got Karma for Re: Is it possible to ingest logs written to NAS (UNC Paths) ?. 07-22-2022 04:35 AM
- Got Karma for Can a sourcetype be aliased, meaning, can it inherit extractions from another sourcetype?. 06-01-2021 03:46 AM
- Karma Re: App for Infrastructure AWS Entities Disappeared for abrown_splunk. 06-05-2020 12:50 AM
- Got Karma for [Bug Report - Reported To Devs] If You Are Having Some Issues With Missing Entities in SAI, This May Help. 06-05-2020 12:50 AM
- Got Karma for [Bug Report - Reported To Devs] If You Are Having Some Issues With Missing Entities in SAI, This May Help. 06-05-2020 12:50 AM
- Got Karma for AWS Addon Not Showing Personal Health. 06-05-2020 12:50 AM
- Got Karma for Re: App for Infrastructure AWS Entities Disappeared. 06-05-2020 12:50 AM
- Got Karma for Re: App for Infrastructure AWS Entities Disappeared. 06-05-2020 12:50 AM
- Karma Re: What is the best practice: Implicit or Explicit Index Path Locations? for sloshburch. 06-05-2020 12:49 AM
- Karma Re: What is the best practice: Implicit or Explicit Index Path Locations? for ddrillic. 06-05-2020 12:49 AM
- Karma Re: What is the best practice: Implicit or Explicit Index Path Locations? for sloshburch. 06-05-2020 12:49 AM
- Karma Re: What is the best practice: Implicit or Explicit Index Path Locations? for inventsekar. 06-05-2020 12:49 AM
- Karma Re: Why are my users unable to change the permissions of a lookup? for paulbannister. 06-05-2020 12:49 AM
- Got Karma for Can the TA for Unix show dropped packets?. 06-05-2020 12:49 AM
- Got Karma for Has anyone brought Prometheus data into Splunk?. 06-05-2020 12:49 AM
- Got Karma for Has anyone brought Prometheus data into Splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: User getting "Argument "action.email" is not supported by this handler" when creating alert. 06-05-2020 12:49 AM
- Got Karma for Re: User getting "Argument "action.email" is not supported by this handler" when creating alert. 06-05-2020 12:49 AM
- Got Karma for Splunk Cisco UCS Add-On missing navbar and non-functioning UI since upgrade to Splunk 7.x. 06-05-2020 12:49 AM
- Got Karma for Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-18-2021
06:52 PM
Are there any new updates for this issue? I have the same issue. Splunk version 7.3.5 3 Search Headers sh1, sh2, sh3, (clusting) 4 indexers (clustering) Summary Interval 5 minutes. The same summary is performed twice a month irregularly, about twice a month. The result is doubled. ex) 01:00 summary results 5 01:05 summary results 5 01:10 summary results 5 01:15 summary results 5 01:20 summary results 10 (Error) correct results 5 01:25 summary result 5
... View more
11-20-2019
07:21 AM
I have been working on a Data model to use for AWS Billing information. It actually is an enhancement to the one used by the AWS app since this one will leverage the new AWS CUR bills.
For those who arent aware, AWS writes CUR billing every day, and it rewrites the month to date costs to s3 each day of the month until the next month. That means, to get the latest and greatest bill, you need to look at the assembly id to get the most up to date invoices.
All of my billing is going into amazon_billing and i have a lookup that runs to get the latest ` AssemblyId by month.
My datamodel has been created, and the purpose here is so that I can accelerate the data and get it visualizewd for folks looking to get their billing information. There is a single dataset in the model, search driven, and looks like:
index=amazon_billing sourcetype=aws:billing:cur [ | inputlookup aws_billing_assemblyId.csv | return AssemblyId]
I have a challenge getting this data model fully accelerated. The settings are set to a -6mon summary range with a backfill to match. The search time is set for 1h with 6 concurrent searches running. The period is set to */5 * * * * .
As expected, the acceleration building is slow because of the sheer amount of data over the last 6 months, and over the past few days, I have reached 76% acceleration with 1.91gb size on disk (52 buckets). The problem is that now it looks like it is stuck.
Looking at the scheduler searches, I can see the acceleration running, but it is only returning 52 results per run. Running my searches with 'summaries only' produces invalid results.
Could use some assistance on finding the ""right"" way to do this. Thanks!!
Edit: 1025EST One thing I should add to help this out: Goals: Want to be able to quickly traverse billing data, and present it in a dashboard so folks can see their cost per account, etc. I chose a datamodel here because, I need the "base" data accelerated, and then be able to slice and dice it depending on what i am trying to visualze (cost by account ,cost by service, etc)
... View more
Labels
- Labels:
-
data model
please accept answer if it was helpful 🙂
... View more
11-12-2018
11:08 AM
you sir, are a scholar. thanks!
... View more
02-07-2019
06:21 PM
2 Karma
For those wondering, this was introduced in 7.2.1 and is apparently resolved in 7.2.4
See https://docs.splunk.com/Documentation/Splunk/7.2.3/ReleaseNotes/Knownissues - SPL-163315 & SPL-163882
... View more
07-23-2019
10:28 AM
Just a very belated update: This was fixed as part of version 1.2.2. Thanks for the reporting and debugging!
... View more
12-27-2018
08:56 PM
What we've done is two things:
Create an IAM Role with the appropriate permissions in each AWS Account, specifically for Splunk.
Attach an IAM Policy to the EC2 IAM Role (in your case SplunkEC2Role) which allows sts:AssumeRole for those IAM Roles.
The documentation is pretty good on this subject: https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions
... View more
10-16-2018
10:06 AM
2 Karma
Just to build on what @abrown_splunk mentioned. Right now looks like the issue is that SAI doesn't support Splunk_aws_TA 4.6. It looks like with Splunk_AWS_TA, metrics still do come in, however they have an extra dimension to them. For example, CPUUtiliziation is a metric with 4.5, however that metric changes to CPUUtilization.average with 4.6.
I would hold off on upgrading to 4.6 if you rely on the dashboards from SAI.
... View more
10-14-2018
09:01 AM
I have noticed that I have some users in the environment that are selecting 'All Time' by default on data acceleration. The problem is that some of these users have long term data retention and very expensive searches. I was hoping there was a way to limit the max time range used for acceleration.
For now I have set up some alerts to notify me when someone is using "All Time"
... View more
10-09-2018
03:42 PM
Ah, figured it out:
See: https://answers.splunk.com/answers/432023/dashboard-base-search-is-not-working-for-all-panel.html
basically had to add 'fields' to force the base search to keep fields i needed
... View more
09-25-2018
12:32 PM
Please take a look into:
https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html
... View more
04-12-2018
07:43 PM
You can probably use some sort of rsync job that you can whenever you make changes.
... View more
03-26-2018
10:18 AM
Thanks so much for this, sent you the reward points 🙂
... oops ... i think i actually sent you double the points lol .... oh well.
... View more
03-08-2018
11:24 AM
I had a question from one of our engineers who are looking to leverage the metric indicies to do predictions of memory consumption over time. What we are looking to do is to start predicting, for example, the current memory used using mstats:
| mstats sum(_value) as memory_used WHERE index=metric_cpceng AND (metric_name=kvm_memory_used OR metric_name=kvm_memory_cached) AND pod=2 AND datacenter=ct span=1min earliest=-1y latest=-1h | where isnotnull(memory_used) | sort 0 _time | eval memory=round((memory_used/1024),0)| timechart span=1d max(memory)| `modvizpredict("max(memory)", "LLP5", "550", "0", "", "95")`
Now what we are looking to do now is plot a value for memory max over our chart so that we can track the intersect.
... View more
05-02-2018
07:29 PM
Great !!!!
Happy Splunking
... View more
06-28-2018
11:37 AM
This broke for us after upgrading to version 7.0. It was previously also required in version 5.x. Looks like they changed it back in version 7.
... View more
02-19-2018
12:03 PM
Hi all; We have been working to get some great data out of the Splunk Add-on for Microsoft Cloud Services app. While we have been able to see some API and NSG flow data, we were wondering if there was any way to get PowerBI audit data? This is a big requirement from our Cloud Security team.
I wasn't able to find anything online except for a post from 'Bengbrewer' on the MSCloudServices docs page asking: "Feature Request. Could someone add the ability to ingest PowerBI related logs from the O365 Management API ?" back in July 2017
... View more
03-01-2018
01:05 PM
Agreed. I too opened up a post to see if it gets more attention. Looks like there is a bug in the script loader: https://answers.splunk.com/answers/623727/splunk-cisco-ucs-add-on-missing-navbar-and-non-fun.html
... View more
04-16-2018
01:12 AM
I've also written a Splunk add-on that lets you pull data straight from Event Hubs, with optional transformation along the way of data via JavaScript modules. I haven't listed it on Splunkbase yet, but it works well for me: https://github.com/joelw/event_hubs_for_splunk
... View more
12-14-2018
04:41 AM
Yes using https://github.com/lukemonahan/splunk_modinput_prometheus
Very good.
I used it with federate endpoint but there are other options out of the box but above all get's the job done.
I recommmend it, as it is also open source.
... View more
11-27-2017
07:06 AM
Regarding formatting of the result_link:
From my experience with Splunk talking to Jira, I could observe that
loadjob is used with head and tail when an alert is used in 'per result mode'.
If your search returned 3 results for example, there will be 3 alerts and the link for each will be:
head 1 tail 1 for the first
head 2 tail 1 for the second
head 3 tail 1 for the third
If the alert is configured in digest mode (that means you get one alert with all results provided by the search inside), Splunk will provide a link with "@go?sid="
... View more
10-26-2017
12:25 PM
Ok well im not sure if this is the right answer, but here is what i did to help me get around it.... not sure how efficient it is though:
index=app_smpeng sourcetype=smpeng:spectrum:performance
| head 1
| spath path=model-response-list.model-responses.model output=models
| mvexpand models
| eval _raw = models
| spath
| lookup spectrum_attributes.csv attribute as "attribute{@id}" OUTPUT description as attribute_description
| table attribute*
| fields - attribute-*
| eval temp=mvzip(attribute_description, attribute,"=")
| eval _raw = mvjoin(temp, ",")
I then dump the result into a summary index. Data comes back like so:
Model Name=SSPerformance,Condition=0,Model Handle=0x320000d,ArchMgr CPU Utilization=0.01499869663023355,ArchMgr MEM Proc Size=6.355070972273846E8,OS Mem Avail=3.048480768E9,OS Mem Total=8.254803968E9,OS Net Packet Read Errors=0.0,OS Net Packet Read=6.7992425643783285,OS Net Packet Write Errors=0.0,OS Net Packet Write=4.7994653395611735,OS Pages In=0,OS Pages Out=0,Search CPU Time Elapsed=0.0,Search Memory Used=0.0,Time Delta=10.001114,VNM Attr Bytes Read=2.7996881147440176,VNM Attr Bytes Write=2829.2848176713114,VNM Attr Read Calls=0.6999220286860044,VNM Attr Write Calls=0.09998886124085778,VNM Conn Bytes Recd=2875.379682703347,VNM Conn Bytes Sent=424.95266027364556,VNM Context Switch=8.09909776050948,VNM CPU Utilization=0.09165819895690372,VNM Disk Bytes Read=2.7996881147440176,VNM Disk Bytes Write=2829.2848176713114,VNM ICMP Requests=0.0,VNM ICMP Successes=0.0,VNM Mem Proc Size=6.595788799999496E8,VNM Net Bytes Read=2875.379682703347,VNM Net Bytes Write=424.95266027364556,VNM Notif Latency=0.0,VNM Notif Threads=-8.383655900952226E-15,VNM Poll Latency=1.4281955584776981E-11,VNM Poll Threads=0.06666668888690283,VNM Sigalarm=0.3999554449634311,VNM Sigio=1.0998774736494354,VNM SNMP Get Next Req=0.0,VNM SNMP Incoming Varbind=0.0,VNM SNMP Mult Get Req=0.0,VNM SNMP Nosuchname Resp=0.0,VNM SNMP Outgoing Varbind=0.0,VNM SNMP Readonly Resp=0.0,VNM SNMP Tot Req=0.0,VNM SNMP Tot Resp Bytes=0.0,VNM SNMP Tot Resp=0.0,VNM SNMP Trap Bytes=0.0,VNM SNMP Traps=0.0,VNM Timer Latency=-1.4077246065294874E-14,VNM Timer Threads=0.583333807735437
Which splunk easily parses as K=V pairs.
... View more
04-15-2020
06:18 AM
In case you are looking to give write permissions to an app, here is what you are required to do:
Source: splunk docs
Steps
1 From the Splunk Home page, select any app in the Apps Panel to open the app.
2 Click on the Applications menu in the Splunk bar, and select Manage Apps.
3 Find the app that you want to adjust permissions for and open its Permissions settings.
4 On the Permissions page for the app, give the role Read and Write permissions.
5 Click Save to save your changes.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
