×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
wwwdrich
Explorer
Member since: ‎01-24-2011
‎06-05-2020
Community Statistics
Posts 7
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎01-24-2011
Activity Feed
View All

Re: Host override issues

by in Getting Data In
‎12-04-2012 09:20 AM
‎12-04-2012 09:20 AM
Great news, that works!! Thanks for the tip, I didn't think it would honor that on the forwarders. ... View more

Re: Host override issues

by in Getting Data In
‎12-04-2012 07:38 AM
‎12-04-2012 07:38 AM
These are universal forwarders, I thought they didn't support any manipulation of the data? I'll have to give that a try, since the forwarder configs are managed via. the deployment server it's an easy fix. I'll add a comment with how it goes. Thanks! ... View more

Host override issues

by in Getting Data In
‎12-03-2012 10:32 AM
1 Karma
‎12-03-2012 10:32 AM
1 Karma
I am trying to override the host field based on an element in the source path. This is data that is being forwarded from a universal forwarder and we want the host the data originally came from as the host field, not the hostname of the forwarder. To date, I have tried modifying etc/system/local/transforms.conf and props.conf both on the indexers and in the search app on our search heads; all with no luck. I have also tried various values in transforms.conf ranging from both MetaData:Source and source for SOURCE_KEY and using source:: in the regex. Anyone have any ideas what I'm doing wrong? Here is what is currently in transforms.conf and props.conf: transforms.conf: [set-host-elasticsearch] SOURCE_KEY = MetaData:Source REGEX = /hosts/([^/]+)/logs/ DEST_KEY = MetaData:Host FORMAT = host::$1 props.conf: [elasticsearch] TRANSFORMS-set-host-elasticsearch = set-host-elasticsearch The regex works fine in a search, I can run the following and get a table of hosts: sourcetype=elasticsearch | rex field=source "/hosts/(?<hostname>[^/]+)/logs/" | stats count by hostname As an example, my source path might be something like: /rel/ps/applications/elasticsearch/hosts/tvrap571/logs/test_cre_gld.log ... View more

Re: PDF server: HTTP Error 502: Bad Gateway

by in Reporting
‎09-21-2011 04:02 PM
‎09-21-2011 04:02 PM
I was able to fix this on my server by adding the host and port of my splunk server into System Settings -> Email alert settings -> Link hostname. For example, if your pdfserver is installed on splunk.mydomain.com and running on port 8000, you would add splunk.mydomain.com:8000 to that field. ... View more

FreeBSD 8.2 support?

by in Getting Data In
‎04-07-2011 09:54 PM
‎04-07-2011 09:54 PM
Has anyone successfully installed splunk 4.2 on FreeBSD 8.x? I'm getting the following error output on FreeBSD 8.2 from the intel pkg: > sudo pkg_add ~/splunk-4.2-96430-freebsd-6.1-intel.tgz pkg_add: could not find package /bin/uname ! tar: Unrecognized archive format tar: +CONTENTS: Not found in archive tar: Error exit delayed from previous errors. pkg_add: tar extract of /bin/mv failed! pkg_add: unable to extract table of contents file from '/bin/mv' - not a package? pkg_add: autoload of dependency '/bin/mv' failed! It is acting like the download isn't really a package file and has dependencies on non-standard FreeBSD file locations. When I get some time I will rip the package apart and see what might be going wrong inside of it. ... View more

Re: System Name from Syslog File

by in Getting Data In
‎01-24-2011 07:06 PM
‎01-24-2011 07:06 PM
I played a bit more -- if you use the RSYSLOG_TraditionalForwardFormat over TCP instead of UDP, you can use the syslog sourcetype with Splunk an it works just fine. The only problem is that it will have a "<##>" at the beginning of every message. That is the priority coming from the syslog message. ... View more

Re: System Name from Syslog File

by in Getting Data In
‎01-24-2011 06:27 PM
‎01-24-2011 06:27 PM
I couldn't get the above working properly with 4.1.6, so I ended up using a slightly modified transforms.conf file: [rsyslog-native-host] DEST_KEY = MetaData:Host REGEX = [\d\-\+:.]+T[\d\-\+:.]+\s+(\S+) FORMAT = host::$1 Another option is to use the RSYSLOG_TraditionalForwardFormat template in your rsyslog.conf file. That will forward messages that look like standard syslog messages. The problem that neither of these solves however is that splunk is adding the timestamp and host it finds in the message header to the message. So even with a proper regex to extract the hostname, you still end up with messages like this in your logs: Jan 24 10:09:07 localhost 2011-01-24T10:09:07.974181-08:00 xxxx snmpd[29862]: Received SNMP packet(s) from UDP: [127.0.0.1]:47553 Does anyone know of a way to strip that off of the logged messages w/o jumping through too many hoops? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All
Karma given to
View All