Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bnorthway
bnorthway
Path Finder
Member since:
03-05-2015
06-05-2020
Community Statistics
| Posts | 32 |
| Solutions | 2 |
| Karma Given | 110 |
| Karma Received | 12 |
| Member Since | 03-05-2015 |
Activity Feed
- Karma Python SDK escaping regular expressions in search for askjoe. 06-05-2020 12:47 AM
- Karma How to drilldown from a timechart to another dashboard by clicking on the legend value? for feickertmd. 06-05-2020 12:47 AM
- Karma Re: How to drilldown from a timechart to another dashboard by clicking on the legend value? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: How to drilldown from a timechart to another dashboard by clicking on the legend value? for martin_mueller. 06-05-2020 12:47 AM
- Karma Problems filtering results using lookup field for ruiaires. 06-05-2020 12:47 AM
- Karma Using Sudo as part of an input command for deadbot. 06-05-2020 12:47 AM
- Karma Re: Using Sudo as part of an input command for jrodman. 06-05-2020 12:47 AM
- Karma Re: How to create a saved search? for arkadyz1. 06-05-2020 12:47 AM
- Karma Re: Use search results to populate a lookup table for woodcock. 06-05-2020 12:47 AM
- Karma Re: The Lovely Transaction Command for inode. 06-05-2020 12:47 AM
- Karma Fill nulls based on previous value for arramack. 06-05-2020 12:47 AM
- Karma Re: Fill nulls based on previous value for gyslainlatsa. 06-05-2020 12:47 AM
- Karma Age of a ticket in Business Days, excluding Weekends and Public Hoildays for SwatiApte. 06-05-2020 12:47 AM
- Karma We want to install Splunk for Symantec on a Windows server, but what is TA-sepapp12 and how do I install and configure it? for abovebeyond. 06-05-2020 12:47 AM
- Karma Re: We want to install Splunk for Symantec on a Windows server, but what is TA-sepapp12 and how do I install and configure it? for ppablo. 06-05-2020 12:47 AM
- Karma Django Web Framework: How to retrieve the current user session token with the Python SDK? for eirik_talberg. 06-05-2020 12:47 AM
- Karma Re: How to use eval if there is no result from the base search and without the use of any subsearch? for MuS. 06-05-2020 12:47 AM
- Karma Why are my headers being indexed from my csv file? for lquinn. 06-05-2020 12:47 AM
- Karma What are the benefits of the KV store vs a traditional lookup table in Splunk 6.2? for responsys_cm. 06-05-2020 12:47 AM
- Karma Re: What are the benefits of the KV store vs a traditional lookup table in Splunk 6.2? for skylasam_splunk. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 4 | |||
| 0 |
12-11-2015
11:52 AM
do you know how to re-run the search for token1 when the value for token2 changes?
... View more
12-02-2015
08:14 AM
I had the same problem on 6.3.0. I deleted the stash_new files and re-ran the backfill commands, and now the data is showing up correctly. Thanks
... View more
11-13-2015
12:07 PM
Great tip! Don't forget you can use the reverse command before streamstats as well.
... View more
09-24-2015
07:58 AM
Where would I find the configuration that is attempting to find this user?
... View more
07-15-2015
08:58 AM
Unfortunately, the docs say:
"NONE" will leave the event time set to whatever time was selected by the input layer
For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
My solution was to use a batch input:
[batch://D:\data*.csv]
sourcetype = foo
move_policy = sinkhole
and the sourcetype stanza in props.conf has DATETIME_CONFIG = NONE .
NOTE batch input will DELETE files as it imports them! So make a copy first!
... View more
07-14-2015
11:08 AM
I had configured the input in $SPLUNK_HOME/etc/system/local/inputs.conf. That is incorrect. I deleted that input stanza, and re-added the input through the GUI, and the new stanza was created in $SPLUNK_HOME/etc/apps/search/local/inputs.conf. All is good again!
... View more
07-14-2015
07:59 AM
you should post a new question with your problem and a more detailed description of your configuration, etc.
... View more
07-08-2015
06:00 AM
the code in your input tag is significantly different from the documentation example I linked. I suggest you follow the documentation, then modify the example to your needs after you have got the example working.
... View more
07-07-2015
08:39 AM
Have you followed the documentation here? Note that you will need to change your outer tags from to `. You also need to define a token for your input.
It would be very helpful if you could update your question with the XML for your dashboard.
... View more
07-07-2015
05:44 AM
1 Karma
FYI the Splunk service must be stopped before removing files from the fishbucket
... View more
07-06-2015
11:13 AM
Thanks. That what I was figuring out also. What is the difference in removing INDEXED_EXTRACTIONS = JSON and adding AUTO_KV_JSON = false ? It looks like end-user performance would be better through the former, so that the fields don't have to extracted at every search?
... View more
07-06-2015
10:07 AM
3 Karma
In my screenshot, you can see my events have duplicate fields. I am trying to figure out why this is occurring. The source data is a json in a plain text file. The source json data does not have duplicate fields, and the events themselves are not duplicated -- only the fields. Do you have any ideas why this could be occurring?
Here's my props.conf
[my_json]
INDEXED_EXTRACTIONS = json
KV_MODE = json
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = timestamp
category = Structured
description = JSON. Timestamp is in "timestamp" field
disabled = false
pulldown_type = true
... View more
06-26-2015
01:13 PM
I have the same problem (Why isn't this in the official docs for host_segment?) but I don't want to change all events of the syslog sourcetype. What should I do?
... View more
06-26-2015
09:57 AM
If you're editing the raw XML, none
... View more
06-15-2015
10:54 AM
I don't think this is possible. I was trying to do the same thing. Here are instructions for overriding the host value. Note, however, that the doc for transforms.conf indicates that the DEST_KEY attribute is only valid for index-time operations. Also, the TRANSFORMS attribute in props.conf is only valid at index-time as well.
Given this, I plan on re-importing my data.
... View more
06-10-2015
10:27 AM
1 Karma
I talked to Splunk support, and they suggested the following: $SPLUNK_HOME\bin\splunk.exe restartss You'll have to enter splunk admin credentials the first time, and it's not as fast as I'd like, but it does restart Django.
... View more
06-02-2015
12:09 PM
I am developing a Splunk app. As with normal Django development (using runserver or your favorite application server), sometimes it is necessary to restart the Python process that is running Django. I don't need to restart the whole Splunk service. Does anyone know how I would restart the Python executable that loads the Django bindings/etc? Thank you.
... View more
05-29-2015
10:49 AM
1 Karma
is that an environment variable, or how exactly do you do that? Could someone update the official docs to explain how to set up a development environment? I have the exact same issue.
... View more
05-28-2015
01:56 PM
I removed the path entirely and Splunk was able to find the CSV correctly! Running the saved search does not update the CSV, but at least the lookup part is working...
... View more
05-28-2015
10:49 AM
yes I have restarted. I posted the relevant sections from my config files
... View more
05-28-2015
09:01 AM
I ended up using a wrapper script as explained here: http://answers.splunk.com/answers/8/can-i-add-python-modules-to-the-splunk-environment.html
... View more
05-28-2015
08:44 AM
I am following the directions on http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addfieldsfromexternaldatasources#Use_search_results_to_populate_a_lookup_table
I edited my savedsearches.conf as directed, but the CSV file is not being created. How can I troubleshoot this problem?
etc/apps/search/local/savedsearches.conf:
[Service Now assets]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
action.populate_lookup = 1
action.populate_lookup.dest = etc/system/lookups/service_now_assets.csv
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = 0 18 * * *
description = ServiceNow assets
display.events.fields = ["sourcetype","Message_Name","source","Message_Info","Message_Title","Server","msg","Server"]
display.events.type = table
display.visualizations.charting.chart = area
display.visualizations.show = 0
enableSched = 1
quantity = 5000
relation = less than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
run_on_startup = false
search = index=service_now source=service_now earliest=-1d
etc/system/local/transforms.conf:
[service_now_asset]
filename = etc/system/lookups/service_now_assets.csv
case_sensitive_match = false
etc/system/local/props.conf:
[asset_properties]
LOOKUP-servicenow = service_now_asset Server
... View more
05-28-2015
08:39 AM
In my splunkd.log, these messages repeat constantly (several times per minute). I turned on INFO-level logging to see if the extra information is useful. This user, "bnorthway", is an OS user (Linux), but not an LDAP user. There also used to be a Splunk (non-LDAP) user, but this account has been deleted.
Why is Splunk trying to find this account on the LDAP server? How can I stop this?
ERROR AuthenticationManagerLDAP - Could not find user="bnorthway" with strategy="<domain>"
ERROR UserManagerPro - Failed to get LDAP user="bnorthway" from any configured servers
INFO UserManagerPro - No user context available while checking capability=, auditInfo=""
... View more
