cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
vinaypradhan
Explorer
Member since: ‎08-15-2019
‎04-25-2023
Community Statistics
Posts 11
Solutions 2
Karma Given 2
Karma Received 2
Member Since ‎08-15-2019
Activity Feed
View All

Re: .net SDK unable to run a blocking search

by in Splunk Search
‎06-14-2022 06:21 AM
‎06-14-2022 06:21 AM
hey yes, this is how I did it.  SearchResultStream searchResultStream;     Job job;       //create a job, setting the execution mode to "blocking"   job = await service.Jobs.CreateAsync("yoursearchstring");       // print search results   IEnumerable<SearchResult> myresults;   using (searchResultStream = await job.GetSearchResultsAsync())   {   myresults = searchResultStream.AsEnumerable<SearchResult>();   foreach (SearchResult result in searchResultStream)   {   _time = Convert.ToDateTime(result.GetValue("_time"));   UserName = result.GetValue("UserName");   ComputerName = result.GetValue("ComputerName");   }   }   ... View more

Re: How to drop events on a heavy forwarder?

by in Getting Data In
‎07-29-2021 08:52 AM
1 Karma
‎07-29-2021 08:52 AM
1 Karma
For syslog events, dropping events works in a different way. I was able to finally get it to work. Posting it here, so that it might help someone else who is facing the same kind of situation.  Because of the way Splunk identifies and cooks a syslog, the syslog event ends up getting cooked using one of the configurations in the default props.conf called syslog-host We will have to override that so that the events get dropped first before Splunk tries to cook the event.  For example, if we want to drop all syslog events coming from server that have expr in their names, then this needs to be done this way Ad this to prop.sconf #syslog [syslog] TRANSFORMS = drop_events_syslog, syslog-host And add drop_events_syslog in transforms.conf: [drop_events_syslog] REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(.*expr.*)\]?\s DEST_KEY = queue FORMAT = nullQueue The most important thing here is that, in props.conf, we have to mention our drop stanza first and then also mention the syslog-host stanza. This will ensure syslog-host stanza gets handled after drop gets handled. ... View more

Re: How to monitor search head cluster from a moni...

by in Deployment Architecture
‎04-01-2021 11:11 AM
‎04-01-2021 11:11 AM
Mr. Woodcock, I have 2 MC in distributed mode - only 1 showing peers. 2 MC in standalone mode no peers defined. It is something I inherited. Does this look like over doing it? Too much resources used for same reasons? Please advise. ... View more

Splunk 7.3.1 Windows apply shcluster-bundle -targe...

by in Deployment Architecture
‎09-10-2019 01:04 PM
‎09-10-2019 01:04 PM
I am trying to push my first app through the search head deployer. this is a brand new Splunk 7.3.1 environment with 3 search heads, 1 search head deployer, an indexer cluster with 2 indexers and a master. I was able to create new indexes, replicate them and get data into them via forwarders. Now i am trying to push an app that i had from an older Splunk installation (6.0) I have copied the app folder to C:\program Files\Splunk\etc\cshcluster\apps\ when i do apply shcluster-bundle i get this error Error while creating deployable apps: Error moving tmp_staging_area="C:\Program Files\Splunk\var\run\splunk\deploy.b94554b735abfbef.tmp" to dst="C:\Program Files\Splunk\var\run\splunk\deploy": Access is denied. I tried giving Everyone full permission on the var\run\splunk folder The deploy folder isnt there. if i try to create manually, as soon i run the above command the deploy folder gets deleted. i see some session files gets created session-cdddb8bfb120d499621edad0785d147ba3cc36d1 session-cdddb8bfb120d499621edad0785d147ba3cc36d1.lock Not able to figure out what the problem is? Any help is greatly appreciated. ... View more

Re: splunk query with sub search not returning the...

by in Splunk Search
‎08-15-2019 06:07 AM
‎08-15-2019 06:07 AM
what is the logic of the result that you are expecting? are you expecting to see only the common ones between File1.log and File2,log ? you can try using set intersect here, which should get you only the common entries. https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Set ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-25-2023 11:44 AM
Karma from
View All
Karma given to
View All