Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jchilovich
jchilovich
New Member
Member since:
02-21-2013
06-05-2020
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 02-21-2013 |
Activity Feed
- Posted Re: Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 02-13-2014 05:40 AM
- Posted Re: Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 02-13-2014 05:38 AM
- Posted Re: Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 02-13-2014 05:38 AM
- Posted Re: Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 08-05-2013 05:48 AM
- Posted Re: Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 08-05-2013 05:48 AM
- Posted Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 07-26-2013 12:48 PM
- Tagged Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 07-26-2013 12:48 PM
- Tagged Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 07-26-2013 12:48 PM
- Tagged Why am I receiving these errors on startup of WAS Universal Forwarder on Getting Data In. 07-26-2013 12:48 PM
- Posted Re: how do I pull in Tomcat logs, ie catalina.log' periodically on Splunk Search. 07-26-2013 10:53 AM
- Posted Re: how do I pull in Tomcat logs, ie catalina.log' periodically on Splunk Search. 07-26-2013 10:53 AM
- Posted Re: how do I pull in Tomcat logs, ie catalina.log' periodically on Splunk Search. 07-24-2013 12:51 PM
- Posted how do I pull in Tomcat logs, ie catalina.log' periodically on Splunk Search. 07-23-2013 01:01 PM
- Tagged how do I pull in Tomcat logs, ie catalina.log' periodically on Splunk Search. 07-23-2013 01:01 PM
- Posted Re: can't restart splunk on Websphere Application Server/Universal Forwarder on All Apps and Add-ons. 07-09-2013 05:32 AM
- Posted Re: can't restart splunk on Websphere Application Server/Universal Forwarder on All Apps and Add-ons. 07-09-2013 05:25 AM
- Posted can't restart splunk on Websphere Application Server/Universal Forwarder on All Apps and Add-ons. 07-08-2013 06:14 AM
- Posted Re: not getting universal forwarder to load up correctly on Deployment Architecture. 06-17-2013 06:42 AM
- Posted Re: not getting universal forwarder to load up correctly on Deployment Architecture. 06-17-2013 06:39 AM
- Posted not getting universal forwarder to load up correctly on Deployment Architecture. 06-14-2013 11:09 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-13-2014
05:40 AM
mad4wknds, I posted my comments above.
... View more
02-13-2014
05:38 AM
mad4wknds,
It's been a while since I had this issue but, after I updated all the TRANSFORM references, I had not additional problems. Using the btool --debug ( 'splunk btool check --debug' ) worked great since it identified lines I looked over.
... View more
02-13-2014
05:38 AM
mad4wknds,
It's been a while since I had this issue but, after I updated all the TRANSFORM references, I had not additional problems. Using the btool --debug ( 'splunk btool check --debug' ) worked great since it identified lines I looked over.
... View more
08-05-2013
05:48 AM
Excellent. Thank you. that fixed the errors. can't believe I didn't catch that simple change.
... View more
08-05-2013
05:48 AM
Excellent. Thank you. that fixed the errors. can't believe I didn't catch that simple change.
... View more
07-26-2013
12:48 PM
upon startup of universal forwarder in a WAS environment, I receive the following (many of them, this is just an example). App does start and execute.
Possible typo in stanza [WebSphere:ActivityLog] in /local/home/a_was0/splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/props.conf, line 194:
TRANSFORM-was_host = host-extract
Possible typo in stanza [WebSphere:ActivityLog] in /local/home/a_was0/splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/props.conf,
line 195: TRANSFORM-profile = profile-extract
I look here as per docs: $SPLUNK_HOME/splunkforwarder/etc/system/default/ and find no transforms.conf file.
Instead I find it in:/.../splunkforwarder/etc/apps/splunk_forwarder_addon_was/default
in Transforms.conf:
[host-extract]
SOURCE_KEY = MetaData:Host
REGEX = host::(.+)
FORMAT = was_host::"$1"
WRITE_META = true
[profile-extract]
SOURCE_KEY = MetaData:Source
REGEX = profiles\W{1,2}([\w-.]+)
FORMAT = profile::"$1"
WRITE_META = true
Ran the following: 'splunk btool check --debug'
Possible typo in stanza [WebSphere:ActivityLog] in /.../splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/props.conf, line 194: TRANSFORM-was_host = host-extract
Did you mean 'TIME_FORMAT'?
Did you mean 'TIME_PREFIX'?
Did you mean 'TRANSFORMS- '?
Did you mean 'TRANSFORMS-colorchange'?
Did you mean 'TRUNCATE'?
Did you mean 'TZ'?
Did you mean 'TZ_ALIAS'?
Did you mean 'This means that if you have e.g. EVAL-x'?
Did you mean 'the default event boundary detection (BREAK_ONLY_BEFORE_DATE'?
Also see this in the output:
No spec file for: /.../splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/transforms.conf
No spec file for: /.../splunkforwarder/etc/system/default/app.conf
No spec file for: /.../splunkforwarder/etc/system/default/conf.conf
No spec file for: /.../splunkforwarder/etc/system/local/deploymentclient.conf
I'm still learning but what am I missing?
Is the transforms.conf in incorrect spot?
Are there parms I'm to add in one of these files?
... View more
07-26-2013
10:53 AM
Thanks for the info. I'll work on setup.
... View more
07-26-2013
10:53 AM
Thanks for the info. I'll work on setup.
... View more
07-24-2013
12:51 PM
I'm somewhat new to Splunk so no, you're correct. So I would create an entry in each forwarder for each log (heavy forwarder so could also use the GUI interface? )then splunk keeps track. ok, makes sense. Do you suggest a seperate index for these type of logs so I can also add entry to 'delete' after say 7 days?
... View more
07-23-2013
01:01 PM
I've read many a post and either I'm just not getting it or it's just not the answer. I want to index the daily catalina log file (per each JVM)say every 5 minutes and of course only want those lines new in the last 5 minute time frame? I'm assuming I need to write a stanze in the inputs.conf but unsure on the format and how to capture the timestamp and save from the last run.
Thanks
... View more
- Tags:
- tomcat
07-09-2013
05:32 AM
I'm posting my comment above as an answer so this shows updated.
Found the issue !! it relates to a python folder found in the splunkforwarder/bin directory. once I rename that folder to '.old', the application will start. This will lead to another question to be posted.
Thanks
... View more
07-09-2013
05:25 AM
Found the issue !! it relates to a python folder found in the splunkforwarder/bin directory. once I rename that folder to '.old', the application will start. This will lead to another question to be posted. Thanks
... View more
07-08-2013
06:14 AM
I have installed the Websphere Applications Server on a Universal Forwarder and had it working, sending to an Indexer on a non-WAS box. The location of the Indexer has now been relocated. Once the Indexer was established, I ran the following 2 commands on the WAS instance:
./splunk set deploy-poll :
./splunk add forward-server : -auth admin:changeme
I then execute a restart and receive the following error. What am I missing here? Nothing has changed as far as I'm aware except for the above two commands exeuted.
bash-3.2$ ./splunk restart
splunkd is not running. WARNING: initlog is deprecated and will be removed in a future release
[FAILED]
Splunk> 4TW
Checking prerequisites...
Checking mgmt port [8089]: open
Could not find platform independent libraries
Could not find platform dependent libraries
Consider setting $PYTHONHOME to [: ]
ImportError: No module named site
... View more
06-17-2013
06:42 AM
Thanks for the response.
yes, ran the jar file to create the outputs.conf file and was able to get data sent to indexer instance. my question is more directed to if needing a full Splunk instance on the WAS server before I loaded the Universal Forwarder. I think I have my answer since I tried both with/without.
I got confused on the directories that the Forwarder and the Forwarder Add-on created. I loaded the forwarder Add-on & the Appliance add-on under 'apps' directory '/splunkforwarder/etc/apps' which I'm assuming was the correct way to go.
... View more
06-17-2013
06:39 AM
Thanks for the response.
yes, ran the jar file to create the outputs.conf file and was able to get data sent to indexer instance. my question is more directed to if needing a full Splunk instance on the WAS server before I loaded the Universal Forwarder. I think I have my answer since I tried both with/without.
I got confused on the directories that the Forwarder and the Forwarder Add-on created. I loaded the forwarder Add-on & the Appliance add-on under 'apps' directory '/splunkforwarder/etc/apps' which I'm assuming was the correct way to go.
... View more
06-14-2013
11:09 AM
I'm completely confused.
After reading thru the many Q/A on universal forwarder and installing on WAS, didn't help
I want the Universal forwarder on a WAS box to send to Indexer on UNIX box. I loaded UF followed by Splunk Forwarder Add-on for WAS all on the WAS box.
1) Do I have to have a full Splunk instance initially?
2) if not, from what directory do I install (unpack the tar file) for the Add-on portion? somehow I have 3 directories a) splunk, b)splunk_forwarder_addon_was, c)splunkforwarder. this is confusing the heck out of me.
3) Seems that the forwarder defaults to port 8089 and not 8000. I think I can work around that based on what I've read. Just need to get past everything else.
PLEASE HELP
... View more
- Tags:
- universalforwader
- was
04-26-2013
12:48 PM
Based on other questions submited, it looks like I might be able to change the inputs.conf file but need to make sure.
what I want to do is limit the data pulled in on 'top' & 'ps'. I want to add " | HEAD 20". If I'm reading this right, I can add that command on the line following 'source = top' as I have below. is this correct? Is there a better way to accomplish this? any pointers would be appreciated.
[script://./bin/top.sh]
interval = 60
sourcetype = top
| head 20 (<==== new entry)
source = top
index = os
disabled = 1
... View more
- Tags:
- searches
04-19-2013
01:09 PM
first, I'm new to splunk (and to UNIX actually). building a POC for mangement. Downloaded pinger couple of weeks ago but never installed. now I'm ready. see that there is an update. I attempted to download new version BUT do not get a tar file. Only 'spl'.
1) what am I doing wrong?
2) how do I install the spl?
3) get errors when unzipping current version. can you supply install instructions (command, steps etc.) please.
thanks
... View more
- Tags:
- errors
04-18-2013
10:38 AM
Thank you. This cleared out what I needed. Can I follow up with yet another question?
What kind of script do I need (or whatever the process would be) to clean out all data after say 7 days? A weeks worth of data should be more than enough for any RCA needed.
... View more
04-16-2013
12:11 PM
I'm new to the tool and just attemtping to build a POC. I have limited disk space and have reached tis limit. tried command "./splunk clean eventdata -index <???>" but
1) not positive as to how to determine what index files I should look for to finish the argument. Where do I identify each index?
2) I get folloiwng message "In order to clean, Splunked must not be running" - How do I 'turn it off'?
3) when running the above clean command, do I run this from the /bin or do I run from a different library?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
