Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About burras
burras
Communicator
Member since:
10-07-2013
10-19-2021
Community Statistics
| Posts | 62 |
| Solutions | 3 |
| Karma Given | 5 |
| Karma Received | 8 |
| Member Since | 10-07-2013 |
Activity Feed
- Got Karma for Can all fields be outputted with outputcsv in double quotes?. 06-05-2020 12:49 AM
- Karma Re: When running a CLI search with a specific timerange, is there a way to prevent INFO line from appearing? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: When running a CLI search with a specific timerange, is there a way to prevent INFO line from appearing? for jkat54. 06-05-2020 12:48 AM
- Karma Re: How to overlay a single static line against a timechart with multiple series without displaying each series as its own line? for gokadroid. 06-05-2020 12:48 AM
- Karma Re: How to have my summary index only index on the calculated value? for rjthibod. 06-05-2020 12:48 AM
- Got Karma for How to overlay a single static line against a timechart with multiple series without displaying each series as its own line?. 06-05-2020 12:48 AM
- Got Karma for Re: How to overlay a single static line against a timechart with multiple series without displaying each series as its own line?. 06-05-2020 12:48 AM
- Got Karma for Re: How to have my summary index only index on the calculated value?. 06-05-2020 12:48 AM
- Got Karma for JSON - Breaking single string into multiple events. 06-05-2020 12:48 AM
- Got Karma for Re: JSON - Breaking single string into multiple events. 06-05-2020 12:48 AM
- Got Karma for Re: JSON - Breaking single string into multiple events. 06-05-2020 12:48 AM
- Got Karma for Does the Splunk App for Web Analytics support more than one website from a single source?. 06-05-2020 12:47 AM
- Karma Re: Is it possibl to get a list of available indices ? for MuS. 06-05-2020 12:46 AM
- Posted Re: Calculating IOPS using FIO testing on Monitoring Splunk. 02-06-2019 01:30 PM
- Posted Re: Issue getting multi-value field to correlate properly on Building for the Splunk Platform. 03-30-2018 08:34 AM
- Posted Issue getting multi-value field to correlate properly on Building for the Splunk Platform. 03-28-2018 01:57 PM
- Posted Re: Can all fields be outputted with outputcsv in double quotes? on Reporting. 10-24-2017 12:35 PM
- Posted Re: DMC - Show Health Check results for more than 100 instances on Monitoring Splunk. 10-23-2017 02:10 PM
- Posted Re: Splunk App for NetApp - Add Clusters vs Individual Filers on All Apps and Add-ons. 10-23-2017 02:08 PM
- Posted Can all fields be outputted with outputcsv in double quotes? on Reporting. 10-23-2017 02:00 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-06-2019
01:30 PM
If you have separate hot/cold storage paths, I assume you would need to run this test multiple times with a different "directory" setting for each?
... View more
03-30-2018
08:34 AM
Thanks - using list fixed up the issue. Appreciate the help!
... View more
03-28-2018
01:57 PM
I have an existing data set that provides a dump of multiple data points in a single event. The data set looks something like this:
HOSTNAME = "NODE1"
License Type: MAIN INSTALLED.Count: 1 Mainboard: 0 I/O 1: 0 MFP 2: 0 Total Licenses in Use: 0
License Type: TRANSRATE INSTALLED.Count: 12 Mainboard: 0 I/O 1: 0 MFP 2: 0 Total Licenses in Use: 9
License Type: EXTENSION is NOT INSTALLED
And the data set continues with about 50 more license types per node. I've been able to set up extraction of various fields (node, license_type, license_avail, license_used) using props.conf and transforms.conf:
props.conf
[license]
EXTRACT-hostname = HOSTNAME=\"(?<node>\w+)\"
REPORT-license_type = license_type
REPORT-license_available = license_available
REPORT-license_used = license_used
transforms.conf
[license_type]
REGEX = License\sType:\s(?<license_type>\w+)\sINSTALLED\.Count
FORMAT = license_type::$1
MV_ADD = true
[license_available]
REGEX = INSTALLED\.Count\s(?<license_avail>\d+)\s+
FORMAT = license_avail::$1
MV_ADD = true
[license_used]
REGEX = \s+Total\sLicenses\sin\sUse:\s(?<license_used>\d+)
FORMAT = license_used::$1
MV_ADD = true
These seem to be working fine - I'm able to extract and see a list of all of the available licenses on the system (i.e. MAIN, TRANSRATE); the count of all available licenses (i.e. 1, 12), and the count of licenses actually in use (i.e. 0, 9). The problem I'm having is correlating this data together in an actual report for the users. I can't seem to make the numbers line up properly. I've tried numerous stats, charts, and other commands, but can't seem to make it line up into what should be a fairly simple report - For each node, list installed license types with a count of licenses available and licenses in use:
Host Type Available Used
NODE1 MAIN 1 0
NODE1 TRANSRATE 12 9
What I've ended up with is usually the same values for each license type or a completely unordered list with no correlation between the counts and the license type. Some of the searches I've used are:
|stats values(license_type) values(license_avail) values(license_used) by node - returns uncorrelated list of numbers
|stats latest(license_type) latest(license_avail) latest(license_used) by node - returns visually what I'm looking for but only 1 license type per node
I'm sure there's something pretty simple that I'm missing here but I appreciate any help...
... View more
- Tags:
- splunk-enterprise
10-24-2017
12:35 PM
Thanks - knowing that there weren't any options out there to do it directly in Splunk I ended up cobbling together a gawk script that was able to convert the output to a tilde-separated field.
... View more
10-23-2017
02:10 PM
This is currently not supported. An enhancement request has been submitted to Support.
... View more
10-23-2017
02:08 PM
After some additional research and discussion with the Support teams: VIP is the way to go. There is no need to add each individual cluster member separately.
... View more
We are currently using the outputcsv command to generate a report for one of our support teams. Overall it works great but they did have one request - currently only fields that have a special character in them get included in double quotes; all other fields are simply comma separated. To make life easier on that time we'd like to accomplish one of two goals: 1) have all fields included in double quotes, or 2) be able to output in a structured format other than CSV such as PSV or tilde-separated (their choice, not mine).
Our overall search is pretty standard - it's just a standard listing of output fields: |table field1 field2 field3 ... field X
Any help is greatly appreciated!
... View more
10-16-2017
01:52 PM
In this particular case K actually does equate to thousands while M equates to millions - not necessary kilo and mega. 21.7K should value out to 21700 while 2.11M should value out to 2110000. We don't see any values higher than an M ever. I adjusted the M to multiply by 1000000 and that fixed the problem. Thanks for all your help with this and I'll definitely be able to apply to my others use cases!
... View more
10-16-2017
08:18 AM
Adding the true() statement definitely seems to fix the no suffix issue. However, I'm still seeing invalid results when the suffix if "M". I hate not being able to upload images from work - it would make this a lot easier.
Using the eval statement provided above and an event of:
Network Congestion 2.11M 29.2K 27.4K 27.4K 27.4K 27.5K 37.4K
I get the following results:
Congestion
21100
network_congestion
2.11M
With the same eval statement and a data set of:
Network Congestion 21.7K 8531 8699 8755 8602 9862 0 0 0 0
I get the following results:
Congestion
21700
network_congestion
21.7K
... View more
10-11-2017
02:00 PM
I also noticed that while it works for values of "K", it does not appear to work for values of "M". We just had one come in that was congestion=2.05M and the dataInt field value ended up as 20500 which would mean it's being captured by the "K" case.
... View more
10-11-2017
01:57 PM
Thanks niketnilay - I ran with this and it looks like it's creating a new field called dataInt that has the new values in it. However, I noticed that any original values that didn't contain one of the alphanumeric identifiers are completely excluded (i.e. cases where congest=0 or any other value under 10K). Is there a way to add another statement to the case where if it doesn't match any of those you just multiply by 1?
... View more
10-11-2017
11:38 AM
Also of note, the values will not always have a "K" in them. We do see events that come in like this:
Congestion 0 55.3K 1836 40.2K 39.9K 38.9K 40.9K
Whatever solution is devised needs to be able to account for situations where the "K" is not present - I tried the convert memk() command but it didn't handle the entries that didn't have the "K" properly (didn't convert them to K base units).
... View more
10-11-2017
11:19 AM
We've already extracted the value out into a field that contains the alpha identifier (i.e. congestion=39.6K). The line included above is part of a much larger event - but it will always look like the above and will only ever have a single value (no mv fields for this one).
... View more
10-11-2017
10:17 AM
I've seen numerous questions out there that touch on this topic but haven't found an answer that actually meets my specific use case. I have data from several sources that report numeric data (such as bandwidth or other datatypes) but instead of returning the value as a number (such as 39600) it returns in this format: 39.6K. I'm able to ingest those values but Splunk, unsurprisingly, doesn't know how to handle that - it treats it as text instead of a number.
Long story short, I need a way to translate the following data points into numeric values, either at ingest time or at search time:
Congestion 39.6K 55.3K 41.2K 40.2K 39.9K 38.9K 40.9K
We only need to return the first value after "Congestion" - the 39.6K value. The other values are previous poll results and we're collecting that already. The output should end up looking like:
Congestion 39600
This specific data set should never go above "K", but I have other datasets that might go into M or G, etc., so I need something as flexible as possible. I've tried using rex and sed but I've not had any success yet with it. If anyone can provide any help, it'd be greatly appreciated as it will solve multiple issues for us...
... View more
07-28-2017
10:49 AM
We successfully got the app and add-on for this product installed. The only question I had was whether we should be adding individual filers, the cluster VIPs, or both to the OnTap Collection Configuration interface. The documentation I've found doesn't seem to have a lot of information on that. Any thoughts would be greatly appreciated!
... View more
07-10-2017
01:25 PM
I checked the job inspector and I see that it definitely looks like it's hitting all of the servers - I see the remoteSearchLogs for all of the appropriate systems and invocation counts look accurate and expected. The resultCount in the inspector shows 235 (which is pretty accurate) - it just only shows results of 100 in the display.
... View more
07-10-2017
01:07 PM
Our current Splunk deployment is around 300 servers. We have all of those systems in our DMC and our able to get data from them successfully. However, when running the Health Checks it only ever checks 100 systems, not the full spectrum of our systems. Is there a way to change the Health Checks so that they'll work on any number of Splunk instances that meet the DMC group requirements instead of limiting it to 100? The primary check I've been working with is the Assessment of Server ulimits since that checks all servers globally.
I've checked through some of the searches in the health checks and can't find anything there that specifically limits them to 100.
We're currently running 6.6.1 on the DMC and the other Splunk instances.
... View more
04-07-2017
11:28 AM
1 Karma
I mentioned this in my other comment above but want it here attached to the accepted answer as well - we were only able to get this working after we moved the props.conf from the indexer cluster to the HF running HEC itself. When running on the indexer cluster it was as if the props.conf didn't even exist.
... View more
04-07-2017
11:25 AM
1 Karma
Thanks to Support I was able to get this working. We found a couple of different things:
1) The props.conf was really close - we had to make 1 change to get it working properly (missing an escape on +[)?) ). Here's the final props.conf that worked:
[asset_play]
CHARSET=UTF-8
SHOULD_LINEMERGE=false
disabled=false
SEDCMD-fixfooters=s/]}//g
LINE_BREAKER=([\r\n,]*(?:{[^[{]+\[)?){"earlyAccess
TRUNCATE=0
TIME_PREFIX="deviceTimestamp":
MAX_TIMESTAMP_LOOKAHEAD=30
TIME_FORMAT=%s%3N
KV_MODE=json
2) We also discovered that putting props.conf on the indexer cluster did not work. Anything that was brought in through HEC was essentially untouched by anything in props.conf on an indexer. We had to specify this props.conf on the HF on which HEC was running.
Thanks everyone for your help with this!
... View more
03-30-2017
08:52 AM
I definitely agree - it sounds like it should be working. Here's what I'm seeing in the btool output:
/opt/splunk/etc/apps/search/local/props.conf [asset_play]
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/local/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/local/props.conf KV_MODE = json
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/local/props.conf LINE_BREAKER = ([\r\n,]*(?:{[^[{]+[)?){"earlyAccess
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 30
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/local/props.conf SEDCMD-fixfooters = s/]}//g
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/local/props.conf SHOULD_LINEMERGE = false
/opt/splunk/etc/system/local/props.conf TIME_FORMAT = %s%3N
/opt/splunk/etc/system/local/props.conf TIME_PREFIX = "deviceTimestamp":
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/system/local/props.conf TRUNCATE = 0
/opt/splunk/etc/apps/search/local/props.conf TZ = UTC
/opt/splunk/etc/apps/search/local/props.conf category = Custom
/opt/splunk/etc/apps/search/local/props.conf description = dena asset_play
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/local/props.conf disabled = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/apps/search/local/props.conf pulldown_type = 1
/opt/splunk/etc/system/default/props.conf sourcetype =
I'm not seeing anything obvious that looks like it would be causing a problem. But running with this configuration gives me an output that's still just a single event so there's gotta be something going on somewhere...
... View more
