Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About schose
schose
Contributor
Member since:
06-28-2012
06-05-2020
Community Statistics
| Posts | 124 |
| Solutions | 14 |
| Karma Given | 16 |
| Karma Received | 50 |
| Member Since | 06-28-2012 |
Activity Feed
- Got Karma for Re: how to monitor memory usage per process?. 06-05-2020 12:50 AM
- Got Karma for Is the Splunk overview app 7.2 ready for download?. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk search issues with timezone of logs from forwarders. 06-05-2020 12:50 AM
- Got Karma for Host Memory increase is not displayed by Splunk. 06-05-2020 12:50 AM
- Got Karma for Re: How to create a custom alert action Python script with parameters from search results?. 06-05-2020 12:50 AM
- Karma Re: How to recalculate earliest and latest in view? for niketnilay. 06-05-2020 12:49 AM
- Karma Re: Do you need a containerized version for AppInspect? for gjanders. 06-05-2020 12:49 AM
- Karma Re: apply shcluster-bundle returning insufficient permission to access this resource for goelli. 06-05-2020 12:49 AM
- Karma oauth with Splunk Add-on Builder for summitsplunk. 06-05-2020 12:49 AM
- Karma Re: How to invoke SPL from a field? for goelli. 06-05-2020 12:49 AM
- Got Karma for Re: Can you use a SMB share as cold storage on Splunk for Windows?. 06-05-2020 12:49 AM
- Got Karma for Re: How to recalculate earliest and latest in view?. 06-05-2020 12:49 AM
- Got Karma for How to recalculate earliest and latest in view?. 06-05-2020 12:49 AM
- Got Karma for Has anyone successfully configured _HTTPOUT_ROUTING in outputs.conf?. 06-05-2020 12:49 AM
- Got Karma for which tokens are allowed in alert_actions.conf. 06-05-2020 12:49 AM
- Karma Re: Splunk role capabilities needed for splunk apply shcluster-bundle for goelli. 06-05-2020 12:48 AM
- Karma Re: How to monitor a structured XML log file without indexing duplicate events? for alemarzu. 06-05-2020 12:48 AM
- Karma Re: SSL LDAP breaks from 6.3.3 to 6.3.5 for rafamss. 06-05-2020 12:48 AM
- Karma Re: What is the keyboard shortcut for the Splunk 6.5.0 search bar formatting on a German keyboard? for DATEVeG. 06-05-2020 12:48 AM
- Got Karma for What is the keyboard shortcut for the Splunk 6.5.0 search bar formatting on a German keyboard?. 06-05-2020 12:48 AM
12-10-2019
04:12 AM
Hi,
you can just copy one index to another host (as far as there are single-instances) - there are no issues with that. just make sure your settings for indexes.conf are the same and file permissions are set accordingly.
This also works for clustered enviorments with a little more efford.
Regards,
Andreas
... View more
11-29-2019
12:44 AM
I downvoted this post because data loss.
... View more
11-12-2019
03:41 AM
You can use a lookup definition to point to the recent .csv file. This would help you not to revise the searches.
... View more
10-15-2019
05:05 AM
Hi all,
I want to configure a Datamodel in different apps. On app should define the datamodel (here search). The seconds app should (here: dm_acc) should define schedule and acceleration.
andreas@art-mb-2.local:~/splunk/etc/apps$ cat search/metadata/local.meta
[datamodels/metricbeat]
access = read : [ * ], write : [ admin ]
owner = testuser
[models/metricbeat]
access = read : [ * ], write : [ admin ]
owner = testuser
andreas@art-mb-2.local:~/splunk/etc/apps$ cat search/local/datamodels.conf
[metricbeat]
#acceleration = true
#acceleration.earliest_time = 0
acceleration.hunk.dfs_block_size = 0
andreas@art-mb-2.local:~/splunk/etc/apps/dm_acc$ cat default/datamodels.conf
[metricbeat]
acceleration = true
acceleration.earliest_time = 0
acceleration.cron_schedule = * * * * *
andreas@art-mb-2.local:~/splunk/etc/apps/dm_acc$ cat metadata/local.meta
[]
access = read : [ * ], write : [ admin ]
export = system
this seems to work fine so far. I can query the DM using
| tstats summariesonly=t count values(host) from datamodel=metricbeat
Unfurtunaly I'm receiving an error message: "Error in data model "metricbeat" : JSON file contents not available." when using the WebGUI and access Datamodels.
Any hint's?! Does this look like a GUI bug?!
Regards,
Andreas
... View more
Hi,
i created a custom search command | dobump . Feel free to test it out and give feedback.
https://github.com/schose/TA-dobump
Cheers,
Andreas
... View more
10-01-2019
11:04 PM
Hi,
i created a custom search command "| dobump ". Feel free to test it out and give feedback.
https://github.com/schose/TA-dobump
Cheers,
Andreas
... View more
09-02-2019
06:47 AM
1 Karma
Hi,
The results of your SPL search are passed to your custom alert action script from stdin as json format.
This example will create a file testResult.txt within bin directory.. you can check out the json there..
from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
import sys, json, urllib.request, urllib.error, urllib.parse
if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] != "--execute":
print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
sys.exit(1)
else:
#settings = json.loads(sys.stdin.read())
result = sys.stdin.read()
settings = json.loads(result)
file = open("testResult.txt", "w")
file.write(result)
file.close()
print("here we go", settings)
sys.exit(0)
resulting json for search:
index=_internal | head 10 | rename host as testhost sourcetype as testsourcetype source as testsource | table testhost testsourcetype testsource
{"app":"search"...","result":{"testhost":"hostname","testsourcetype":"splunkduiaccess","testsource":"/Users/andreas/splunk/var/log/splunk/splunkduiaccess.log"}}
... View more
08-28-2019
04:31 AM
Hi all,
I'd like to create a custom alert action, which doesn't get it's custom parameters from savedsearches.conf, but from another (custom) configuration file.
I guess from the alert action (python) script it should be no issue to read and parse another configfile instead of using the json which is coming from stdin.
so far I have no idea how to display the values for the parameters in the webgui of the alert from another source than savedsearches.conf.
Did anyone may fall over a custom alert action not using the default way to save and display parameters?
Thanks for you help in advance,
Andreas
... View more
07-29-2019
03:04 PM
Hi forum,
we are facing large increasing delays between dispatchtime and scheduledtime in scheduler log. We see delays up to 200 seconds for searches which are scheduled every minute - resulting in not-scheduled searches.
this directly correlates to "ERROR SHCRepJob - failed to delegate job job=SHPDelegateSearchJob peer="peername", guid="466C6F6D-2779-4BFD-AE1F-64A71D0A5AC8" saved_search=system;; err="
messages we see at the SHC Captain.
Any hints? Other Single-Search-head instances do not show any issues. Using v.7.1.6
Best Regards,
Andreas
... View more
07-14-2019
04:43 AM
1 Karma
Hi,
you have to configure your perfmon input to collect memory usage by process:
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = multikv
object = Process
useEnglishOnly=true
index = os_nometrics
... View more
07-14-2019
04:01 AM
Hi,
index="test_data" sourcetype="SAP:data"
| rename message.PARAMS{}.PROC_CODE as PROC_CODE, message.PARAMS{}.PROC_VALUE as PROC_VALUE, message.PARAMS{}.SYS_NAME as SYS_NAME, message.SID as SID, message.TIMESTAMP as TIMESTAMP
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d %H:%M:%S")
| eval mvf1 = mvzip(PROC_CODE, PROC_VALUE, ";")
| eval mvf2 = mvzip(mvf1, SYS_NAME, ";")
| mvexpand mvf2
| eval n=split(mvf2,";")
| eval PROC_CODE=mvindex(n,0), PROC_VALUE=mvindex(n,1), SYS_NAME=mvindex(n,2)
| eval _time=strptime(TIMESTAMP, "%Y-%m-%d %H:%M:%S")
| timechart span=5m min(PROC_VALUE) avg(PROC_VALUE) max(PROC_VALUE)
should do the job
... View more
06-11-2019
08:26 AM
1 Karma
Hi,
TZ have to be set at parsing time - which means it will not work on universal forwarder. Set the setting on your indexers or intermediate heavy forwarders and it will fix you issue.
Best Regards,
Andreas
... View more
03-25-2019
06:45 AM
Hi,
mapped windows drives are user specific. When spunkforwarder should access logs from a mapped drive, the drive have to be mapped in the user context where UF is running.
Permissions denied may indicate, that your UF is running as system user. In that case the COMPUTERNAME$ account have to be used to grant access rights.
... View more
03-15-2019
04:07 AM
Hi nick,
thanks for your help. It looks like when it's implemented as StreamingCommand the columns are not reordered.
... View more
03-15-2019
03:10 AM
Hi forum,
I'm trying to implement a custom reporting command. Here is the smallest implementation which does nothing but giving the results back.
from __future__ import absolute_import, division, print_function, unicode_literals
import os
from splunklib.searchcommands import dispatch, ReportingCommand, Configuration, Option, validators
import sys
from splunklib import six
@Configuration()
class SavetableCommand(ReportingCommand):
@Configuration()
def map(self, records):
return records
def reduce(self, records):
return records
dispatch(SavetableCommand, sys.argv, sys.stdin, sys.stdout, __name__)
Unfortunately this doesn't give me the correct order of the incoming resultset.
Example:
| tstats count values(source) as a where index=_internal by sourcetype | table sourcetype count a | mycommand
Gives back a table with a count sourcetype - so it looks like columns of the stats are reordered alphabetically.
How would it be possible to return the columns is in a correct order?!
Thanks and best regards,
Andreas
... View more
01-07-2019
03:29 AM
Hi all,
is there any reason why eventgen.conf and sample files are not included in v3.5.0 while it is available in older versions (e.g.: v3.4.2)?
~/Downloads/Splunk_TA_bluecoat-proxysg/default$ ls -1
app.conf
eventtypes.conf
inputs.conf
props.conf
tags.conf
transforms.conf
~/Downloads/Splunk_TA_bluecoat-proxysg/default$ cat app.conf | grep -i version
version=3.5.0
Best Regards,
Andreas
... View more
12-11-2018
04:39 AM
1 Karma
Hi forum,
We increased Memory on multiple VM Instances running splunk from 64GB to 128GB. On some instances change is reflected in splunk on some doesn't. Splunk was restarted after memory was increased.
I'm using
index=_introspection host=myinstances* hostwide | stats latest(data.mem) by host
and
| rest splunk_server_group=dmc_group_* /services/server/status/resource-usage/hostwide | search splunk_server=myinstance*
output on one of the instances which are displayed with 64GB RAM:
cat /proc/meminfo
MemTotal: 130023424 kB
MemFree: 4469608 kB
Buffers: 1801916 kB
Cached: 115051716 kB
SwapCached: 21600 kB
Active: 58163608 kB
Inactive: 60075332 kB
Active(anon): 1080072 kB
Inactive(anon): 307072 kB
Active(file): 57083536 kB
Inactive(file): 59768260 kB
any hints? Version is 7.1.3.1 running Linux.
Regards,
Andreas
... View more
- Tags:
- splunk-enterprise
11-22-2018
07:08 AM
Hi,
Routing with pros.conf and transforms.conf instead of inputs.conf should do the job:
props:
[opsec]
TRANSFORMS-route=routefw_cluster
transforms:
[routefw_cluster]
REGEX=.+
DEST_KEY=_TCP_ROUTING
FORMAT=fw_cluster
Best regards,
Andreas
... View more
11-16-2018
02:05 AM
I mean the number doesn't count if you have them well automated. But today every of these hosts having multiple ports for multiple device types. I would feel more comfortable with filtering at a central place than filtering on every syslog-port configuration, writing the output to a different directory and create a new input app.
... View more
11-16-2018
01:10 AM
Hi,
Actually for UF devices we are setting a datarouting meta field on the inputs which is checked on iHF and the iHF is routing the event in one or multiple idx clusters. So you can decide if data from a certain input should go to idxcluster0 and/or idxcluster1 and/or staging and/or dev environment.
For syslog it's another story as you typically have one input app for n hosts as you doing kind of [monitor://logs/cisco_ios//.log] input thing.
For us it would be the easier way to filter at the central iHF instances than on 30+ syslog servers which have all their individual config or have a certain (port) configuration on the syslog clients. At this central instance we can automate quite well with just generating the app. We are just haven't done this at scale and get some information if somebody other out there might can share some experience.
Best Regards,
Andreas
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
