Activity Feed
- Posted Re: Compare 2 datasets on Splunk Search. 07-06-2021 09:43 AM
- Posted Re: Compare 2 datasets on Splunk Search. 06-29-2021 01:13 PM
- Posted Re: Compare 2 datasets on Splunk Search. 06-28-2021 02:48 PM
- Posted Compare 2 datasets on Splunk Search. 06-28-2021 02:25 PM
- Got Karma for Splunk DB Connect: How to resolve dbxquery error "Failed to run query... Connection is not available, request timed out after 30000ms". 09-16-2020 05:39 AM
- Got Karma for How do you Filter events from Json?. 06-05-2020 12:50 AM
- Got Karma for Re: How do I table a transactionid value using regular expression?. 06-05-2020 12:49 AM
- Karma Re: How do I extract the time from this sample timestamp and convert it into seconds to find the different from the current time? for martin_mueller. 06-05-2020 12:48 AM
- Got Karma for Multiple index join with different formatted data JSON and RAW is not working. 06-05-2020 12:48 AM
- Got Karma for Re: Multiple index join with different formatted data JSON and RAW is not working. 06-05-2020 12:48 AM
- Got Karma for Splunk DB Connect: How to resolve "AttributeError: 'module' object has not attribute 'getServerConfKeyValue'" after configuring new database connection?. 06-05-2020 12:48 AM
- Got Karma for How to add and configure a new indexer to my Splunk environment?. 06-05-2020 12:48 AM
- Got Karma for Splunk DB Connect: How to resolve dbxquery error "Failed to run query... Connection is not available, request timed out after 30000ms". 06-05-2020 12:48 AM
- Got Karma for Re: Why is my triggered alert email not sending?. 06-05-2020 12:47 AM
- Posted Can I use the same Splunk Cloud heavy forwarder to send data to on-premises Splunk? on Getting Data In. 05-14-2020 12:10 PM
- Posted How to not lose any new data in Splunk upgrade? on Installation. 04-20-2020 02:09 PM
- Posted Re: The Splunk web interface is not opening on Security. 04-09-2020 09:12 AM
- Posted Is the installation file same for setting up splunk search head, indexer and deployment server? on Deployment Architecture. 04-08-2020 02:20 PM
- Posted How do I forward logs from a network/shared location on a Windows machine to Splunk? on Getting Data In. 02-06-2019 02:08 PM
- Tagged How do I forward logs from a network/shared location on a Windows machine to Splunk? on Getting Data In. 02-06-2019 02:08 PM
07-06-2021
09:43 AM
No, this will not help me. I have like 500-600 site IDs. I will have to go through the entire list to see whether the IDs are present for both dates. Any other solution? I only want to find the site IDs that have only 1 occurrence.
06-29-2021
01:13 PM
This did not work. I tried the below:
(index=support source=sites SITE_ID=S028 AND SITE_ID=S056 earliest=-1d@d latest=-0d@d) OR (index=support source=sites SITE_ID=S028 AND SITE_ID=S056 AND SITE_ID=S10 earliest=-0d@d latest=now) | bin _time span=1d@d | stats count by _time SITE_ID | stats values(_time) as _time by SITE_ID | where mvcount(_time) = 1
It gives me 0 events/results. Can you please help?
06-28-2021
02:48 PM
We have a field called Site_id which is a string. Example:
Set 1 - Site id = a1, a2, a3
Set 2 - Site id = a2, a3, a4
My result should be Site id = a1, a4
06-28-2021
02:25 PM
I have 2 data sets:
index=support source=sites earliest=-1d@d latest=-0d@d
index=support source=sites earliest=-0d@d latest=now
I want to pull out the data that has changed in data set 2 as compared to data set 1.
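The four posts in this thread all ask the same thing: given yesterday's and today's events, which SITE_ID values appear in only one of the two sets. The following is an added example written for this page, not code from the thread or from Splunk. It reproduces the logic of `bin _time span=1d | stats values(_time) by SITE_ID | where mvcount(_time) = 1` in Python over a constructed event list (the days, site IDs and the `EVENTS` list are made up), and also shows the same answer as a set symmetric difference, split into "dropped" and "added" sites. The `filter_events` helper is there to make one general point: a filter that requires a single-valued field to equal two different values on the same event can never match anything, so it returns an empty list.

```python
from collections import defaultdict
from datetime import date

# Constructed sample events standing in for `index=support source=sites`:
# (event day, SITE_ID). DAY_A is "yesterday" (earliest=-1d@d latest=-0d@d),
# DAY_B is "today" (earliest=-0d@d latest=now).
DAY_A = date(2021, 6, 28)
DAY_B = date(2021, 6, 29)
EVENTS = [
    (DAY_A, "S028"),
    (DAY_A, "S056"),
    (DAY_A, "S056"),   # repeated on the same day: still only one distinct day
    (DAY_A, "S099"),   # present yesterday only
    (DAY_B, "S028"),
    (DAY_B, "S010"),   # present today only
    (DAY_B, "S056"),
]


def days_by_site(events):
    """Mirror `bin _time span=1d | stats values(_time) as _time by SITE_ID`:
    map each SITE_ID to the set of distinct days it was seen on."""
    seen = defaultdict(set)
    for day, site in events:
        seen[site].add(day)
    return seen


def sites_seen_on_one_day_only(events):
    """Mirror `where mvcount(_time) = 1`: sites that occur in exactly one dataset."""
    return sorted(site for site, days in days_by_site(events).items() if len(days) == 1)


def changed_sites(events, day_a=DAY_A, day_b=DAY_B):
    """The same answer as a set symmetric difference between the two days."""
    in_a = {site for day, site in events if day == day_a}
    in_b = {site for day, site in events if day == day_b}
    return sorted(in_a ^ in_b)


def dropped_and_added(events, day_a=DAY_A, day_b=DAY_B):
    """Split the change into (sites only in set 1, sites only in set 2)."""
    in_a = {site for day, site in events if day == day_a}
    in_b = {site for day, site in events if day == day_b}
    return sorted(in_a - in_b), sorted(in_b - in_a)


def filter_events(events, *required_ids):
    """AND semantics over one event: keep events whose single SITE_ID equals
    every required value. With two different values this is always empty."""
    return [ev for ev in events if all(ev[1] == rid for rid in required_ids)]


if __name__ == "__main__":
    print("seen on one day only:", sites_seen_on_one_day_only(EVENTS))
    print("dropped, added:", dropped_and_added(EVENTS))
    print("SITE_ID=S028 AND SITE_ID=S056 matches:", filter_events(EVENTS, "S028", "S056"))
```

Because `days_by_site` collects distinct days rather than counting events, a site logged several times within one day is still reported as present on that day only once, which is what the `mvcount(_time) = 1` test relies on.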
05-14-2020
12:10 PM
I have a heavy forwarder currently sending data to Splunk Cloud.
Can I use the same heavy forwarder to stop data sending to Splunk Cloud and start sending data to on-premises Splunk?
If yes, then how?
04-20-2020
02:09 PM
We have a couple of indexers in a distributed environment. What would happen if I bring both indexers down? Is there data loss, and will I miss all data coming in from the UFs? If so, what is the best way to make sure I don't lose any new data?
- Tags:
- splunk-enterprise
04-09-2020
09:12 AM
I am also facing the same issue. Here are contents from web_service.log.
Please help.
2020-04-09 15:52:19,659 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Caught signal SIGTERM.
2020-04-09 15:52:19,659 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Bus STOPPING
2020-04-09 15:52:20,025 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: HTTP Server cherrypy.cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down
2020-04-09 15:52:20,042 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Stopped thread 'Monitor'.
2020-04-09 15:52:20,060 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Stopped thread '_TimeoutMonitor'.
2020-04-09 15:52:20,060 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Bus STOPPED
2020-04-09 15:52:20,060 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Bus EXITING
2020-04-09 15:52:20,060 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Bus EXITED
2020-04-09 15:52:20,060 INFO [5e8f3268e07ff3e57fe250] root:129 - ENGINE: Waiting for child threads to terminate...
2020-04-09 15:53:30,757 INFO [5e8f44fab27f1ac18dd290] __init:168 - Using default logging config file: /opt/splunk/etc/log.cfg
2020-04-09 15:53:30,758 INFO [5e8f44fab27f1ac18dd290] __init:206 - Setting logger=splunk level=INFO
2020-04-09 15:53:30,758 INFO [5e8f44fab27f1ac18dd290] __init:206 - Setting logger=splunk.appserver level=INFO
2020-04-09 15:53:30,758 INFO [5e8f44fab27f1ac18dd290] __init:206 - Setting logger=splunk.appserver.controllers level=INFO
2020-04-09 15:53:30,758 INFO [5e8f44fab27f1ac18dd290] __init:206 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2020-04-09 15:53:30,758 INFO [5e8f44fab27f1ac18dd290] __init:206 - Setting logger=splunk.appserver.lib level=WARN
2020-04-09 15:53:30,758 INFO [5e8f44fab27f1ac18dd290] __init_:206 - Setting logger=splunk.pdfgen level=INFO
2020-04-09 15:53:31,114 INFO [5e8f44fab27f1ac18dd290] lists:59 - List controller loaded: EntitiesListGenerator
2020-04-09 15:53:31,114 INFO [5e8f44fab27f1ac18dd290] lists:65 - Setting lists/entities
2020-04-09 15:53:31,114 INFO [5e8f44fab27f1ac18dd290] lists:59 - List controller loaded: JobsListGenerator
2020-04-09 15:53:31,114 INFO [5e8f44fab27f1ac18dd290] lists:65 - Setting lists/jobs
2020-04-09 15:53:31,119 INFO [5e8f44fab27f1ac18dd290] root:266 - Proxied mode ip_address=127.0.0.1 port=8065 exposed_port=8000:
2020-04-09 15:53:31,198 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: mgmtHostPort (str): 127.0.0.1:8089
2020-04-09 15:53:31,200 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: server.max_request_body_size (int): 524288000
2020-04-09 15:53:31,200 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: server.socket_host (str): 127.0.0.1
2020-04-09 15:53:31,200 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: server.socket_port (int): 8065
2020-04-09 15:53:31,200 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: serverCert (str): $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
2020-04-09 15:53:31,200 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: serverName (str): ip-10-160-161-135.wm.com
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: server_pooling_storage (str):
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: showProductMenu (bool): False
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: showUserMenuProfile (bool): False
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: simple_error_page (bool): False
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: site_packages_path (str): /opt/splunk/lib/python2.7/site-packages
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: splunkdConnectionTimeout (int): 30
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: splunkdTrustedIP (NoneType): None
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: sslVersions (str): ssl3, tls
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: start_time (float): 1586447611.19
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: startwebserver (int): 1
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: staticAssetId (str): D57E47082B0454004F85C8AB503D7A8366A7AF9009AF73B5B96D04AC031B5081
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: staticCompressionLevel (int): 9
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: static_dir (str): share/splunk/search_mrsparkle/exposed
2020-04-09 15:53:31,195 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: error_page.default (instancemethod): >
2020-04-09 15:53:31,195 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: error_page.default (instancemethod): >
2020-04-09 15:53:31,201 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: static_endpoint (str): /static
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: staticdir (str): /opt/splunk/share/splunk/search_mrsparkle/exposed
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: template_dir (str): share/splunk/search_mrsparkle/templates
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: testing_dir (str): share/splunk/testing
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: testing_endpoint (str): /testing
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.csrfcookie.name (str): splunkweb_csrf_token_8000
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.csrfcookie.port (str): 8000
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.decode.on (bool): True
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.encode.encoding (str): utf-8
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.encode.on (bool): True
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.log_headers.on (bool): True
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.log_tracebacks.on (bool): True
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.response_headers.headers (list): [('Server', 'Splunk')]
2020-04-09 15:53:31,202 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.response_headers.on (bool): True
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.httponly (bool): True
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.name (str): session_id_8000
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.on (bool): True
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.restart_persist (bool): True
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.secure (bool): False
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.storage_path (str): /opt/splunk/var/run/splunk
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.storage_type (str): file
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.sessions.timeout (int): 60
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: tools.trailing_slash.on (bool): True
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: trap_module_exceptions (bool): True
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: trustedIP (str): 127.0.0.1
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: ui_inactivity_timeout (int): 60
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: updateCheckerBaseURL (str): https://quickdraw.splunk.com/js/
2020-04-09 15:53:31,203 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: use_future_expires (bool): True
2020-04-09 15:53:31,204 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: userRegistrationURL (str): https://www.splunk.com/page/sign_up
2020-04-09 15:53:31,204 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: verifyCookiesWorkDuringLogin (bool): True
2020-04-09 15:53:31,204 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: version_label (str): 6.5.0
2020-04-09 15:53:31,204 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: version_number (str): 6.5.0
2020-04-09 15:53:31,204 INFO [5e8f44fab27f1ac18dd290] root:650 - CONFIG: x_frame_options_sameorigin (bool): True
2020-04-09 15:53:31,204 INFO [5e8f44fab27f1ac18dd290] root:717 - DJANGO: configuring...
2020-04-09 15:53:31,326 INFO [5e8f44fab27f1ac18dd290] root:762 - DJANGO: not starting, found no apps
2020-04-09 15:53:31,327 INFO [5e8f44fab27f1ac18dd290] root:129 - ENGINE: Bus STARTING
2020-04-09 15:53:31,335 INFO [5e8f44fab27f1ac18dd290] root:129 - ENGINE: Started monitor thread '_TimeoutMonitor'.
2020-04-09 15:53:31,416 INFO [5e8f44fb697f1abf19c9d0] root:129 - ENGINE: Started monitor thread 'Monitor'.
2020-04-09 15:53:31,439 INFO [5e8f44fab27f1ac18dd290] root:129 - ENGINE: Serving on 127.0.0.1:8065
2020-04-09 15:53:31,439 INFO [5e8f44fab27f1ac18dd290] root:129 - ENGINE: Bus STARTED
[root@ip-10-160-161-135 splunk]# cat web_service.log
04-08-2020
02:20 PM
Is the installation file the same for setting up the Splunk search head, indexer and deployment server?
- Tags:
- splunk-enterprise
02-06-2019
02:08 PM
I have installed a universal forwarder on the Windows machine, but the actual logs are getting generated at a shared location.
How do I get these logs forwarded to Splunk?
Logs generated locally to the machine (C:\test) are getting forwarded to Splunk.
Any help is appreciated.
01-16-2019
01:32 PM
index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| Table MESSAGE
Above is my string. I want to extract S01234 from MESSAGE="CommonAsyncGETController.execute() : scope :S01234" and have a new column called scope, with output as below:
Scope
S01234
Please help.
01-03-2019
08:02 AM
1 Karma
Below is my JSON. I want to display all events where responseTime >11.
Please assist.
log: { [-]
actionCd: Update
appSourceCd: MAS
appTargetCd: OCS
contextID: daa095c0-6e9b-1abf-970a-fffffc8664b7
correlateID: 1149623816
customUID: 05248008
interfaceName: wm_businessservices.customerService.flowServices:publishSvcReqEvents
requestTypeCd: SvcReq2
responseTime: 9
12-21-2018
09:23 AM
Hi,
Below is my sample payload. I want to convert/display it into a column value pair.
Eg, ESBTransactionID
75010569
Any help is appreciated.
75010569\n OCS\n \n Update\n TKT\n TKT\n \n OCS Driver\n \n OCS Driver\n \n 000141076513003\n false\n \n \n R_SUBBED\n TKT
11-21-2018
09:00 AM
We have a process that runs on a specific machine every day for 60 iterations, with 5 mins between each iteration. This process logs the time it took for each iteration to complete in a text file. But the forwarder is not forwarding data in real time.
For example:
The below 3 iterations were logged into Splunk at the same time, whereas there is a 5 min interval between each run.
11/21/18 3:43:08.000 AM TestIteration35=48.63477
11/21/18 3:43:08.000 AM TestIteration34=48.14551
11/21/18 3:43:08.000 AM TestIteration33=48.31934
Any way to fix this?
- Tags:
- splunk-enterprise
08-29-2018
03:54 PM
Hi,
I am struggling to monitor files from a Windows machine.
Below is my inputs.conf file:
[default]
index=maspat
[monitor://C:\MASPAT\Results]
sourcetype=mas
crcSalt=
ignoreolderThan=1d
Not sure why I see an unknown log like below getting logged instead of the actual files.
LogName=Application
SourceName=SecurityCenter
EventCode=15
EventType=4
Type=Information
ComputerName=AZP*******.wm.com
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=72097
Keywords=Classic
Message=Updated Symantec Endpoint Protection status successfully to SECURITY_PRODUCT_STATE_SNOOZED.
- Tags:
- splunk-enterprise
08-27-2018
09:34 AM
1 Karma
Works Perfect! Thanks.
08-27-2018
09:13 AM
Below is my log,
[ERL_ROUTE_ACK_INTERFACE] 2018-08-27 11:06:02 DEBUG [callUpdateERLRouteStatus] ERLRouteAckServiceImpl at line ? | Successfully updated the HDR record for transactionId : 869584588
I want to table the transactionId value.
Can somebody please help?
07-27-2018
06:41 AM
Hi,
Below is my paragraph and I want to extract the routeorder value from the paragraph.
Please assist.
other_app_launch_data: Third Party App Launch Data:354736071554019 Data passed:Bundle{service_url : http://example.com/service; site_number : S04136; vehicle_id : 210648; driver_id : 082775; pre_post : post; tabletid : 354736071554019; first_name : Gennadiy; environment : Production; fuel : ; route_id : ***ROUTEORDER#**158682677**;*** device_id : 354736071554019; DVIR_RESPONSE_ACTION : DVIR_POST_CHECK_RESPONSE; meter_time : 717; meter_distance : 161724; last_name : Trofimchik; }Bundle reqCode:9804
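Three of the posts on this page (the `scope` value in the 01-16-2019 post, the `transactionId` in the 08-27-2018 post, and the route order in the post above) are the same task: pull one value out of free text by anchoring a regex on the literal key that precedes it, which is what Splunk's `rex` command with a named capture group does. The block below is an added example for this page, not code from the posts or from Splunk; it uses Python's `re` module and constructed copies of the three strings (the route-order sample keeps the shape of the post's text with the emphasis markers and personal fields removed). `naive_number` is included to show why anchoring on the key matters: an unanchored digit pattern picks up the first long number in the line, which is the tablet ID, not the route order.

```python
import re

# One compiled pattern per field to extract. The named group becomes the new
# column, exactly as `rex "scope :(?<scope>\S+)"` would create a field called scope.
# Field names and patterns are assumptions based on the three posts' sample text.
PATTERNS = {
    "scope": re.compile(r"scope\s*:\s*(?P<scope>S\d+)"),
    "transactionId": re.compile(r"transactionId\s*:\s*(?P<transactionId>\d+)"),
    "routeorder": re.compile(r"route_id\s*:\s*ROUTEORDER#(?P<routeorder>\d+)"),
}

# Constructed sample events, one per post.
SAMPLES = [
    "CommonAsyncGETController.execute() : scope :S01234",
    "[ERL_ROUTE_ACK_INTERFACE] 2018-08-27 11:06:02 DEBUG [callUpdateERLRouteStatus] "
    "ERLRouteAckServiceImpl at line ? | Successfully updated the HDR record for transactionId : 869584588",
    "other_app_launch_data: Third Party App Launch Data:354736071554019 Data passed:Bundle{"
    "service_url : http://example.com/service; site_number : S04136; vehicle_id : 210648; "
    "route_id : ROUTEORDER#158682677; device_id : 354736071554019; }Bundle reqCode:9804",
]


def extract_fields(text, patterns=PATTERNS):
    """Return {field: value} for every pattern that matches the text.
    Non-matching patterns simply contribute no field, like rex on an event it does not fit."""
    fields = {}
    for name, pattern in patterns.items():
        match = pattern.search(text)
        if match:
            fields[name] = match.group(name)
    return fields


def table(samples, columns):
    """Mirror `| table col1 col2 ...`: one row per event, empty string where a field is absent."""
    rows = []
    for text in samples:
        fields = extract_fields(text)
        rows.append(tuple(fields.get(col, "") for col in columns))
    return rows


def naive_number(text):
    """What an unanchored pattern returns: the first run of 9+ digits, wherever it sits."""
    match = re.search(r"\d{9,}", text)
    return match.group(0) if match else None


if __name__ == "__main__":
    for row in table(SAMPLES, ["scope", "transactionId", "routeorder"]):
        print(row)
    print("unanchored pick from the route-order line:", naive_number(SAMPLES[2]))
```

Keeping each pattern anchored on its key, and constraining the captured shape (`S\d+`, `\d+`) rather than using `\S+`, means a change elsewhere in the message cannot silently shift which value ends up in the new column.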
06-18-2018
03:22 PM
index=adjusted| eval Variance=TOTAL_PAID_DRVR_MINUTE_CNT-PLAN_PAID_DRVR_MINUTE_CNT|eval test=if(Variance>=120,[search index=adjusted|return $test],"")||table MA_NM,SITE_CD,SITE_NM,PRMRY_SUB_TYPE_LOB_NM,PE_LOB_NM,SUB_LOB_DESC,RTE_NUM,RTE_EXECUTION_SVC_DT,DEPART_SITE_DTM,ARRIVE_SITE_DTM,TOTAL_PAID_DRVR_MINUTE_CNT,PLAN_PAID_DRVR_MINUTE_CNT,EXCPTN_REASON_DESC,STATUSCODE,STATUSDATE,Variance
Above is my search query.
I want to table the results only when Variance is >= 120.
Any suggestions?
- Tags:
- splunk-enterprise
How did you identify that the external server was marking the email as spam? Is there a way we can search for all the spam-marked emails in Splunk?
01-31-2018
04:20 PM
Not sure why, but the above query is returning only a single value from the JSON. Please help.
date | site
---|---
2018-01-30 | S01027
01-31-2018
12:46 PM
Can you give me a complete search query?
I am doing:
index=* | table date, site
01-31-2018
12:19 PM
Hi,
I want to extract fields like date, site, etc. from the below log (JSON). How can I do this?
[{"date":"2018-01-30","site":"S01027","routePublishCount":"17","routeCount":"97","customerCount":"931"},{"date":"2018-01-30","site":"S02923","routePublishCount":"16","routeCount":"119","customerCount":"1248"},{"date":"2018-01-30","site":"S03175","routePublishCount":"14","routeCount":"79","customerCount":"701"},{"date":"2018-01-30","site":"S03422","routePublishCount":"24","routeCount":"146","customerCount":"1486"}]
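The log above is a single raw event whose body is a JSON array of objects, and the follow-up post in this thread reports getting only one row back; the 01-03-2019 post on this page asks the related question of filtering JSON events on `responseTime > 11`. The block below is an added example for this page, not code from the thread or from Splunk. It parses each raw event with Python's `json` module, expands an array into one row per object (so four objects become four `date`/`site` rows instead of one multivalued row), projects dotted field paths the way `spath` names nested keys, and compares `responseTime` numerically. The three `log` events are constructed to match the shape shown in the 01-03-2019 post; one of them stores `responseTime` as a string to show why a numeric conversion is needed before comparing.

```python
import json

# Constructed raw events. The first is the array from the post above; the other
# three follow the shape of the `log` object in the 01-03-2019 post. Values are made up.
RAW_EVENTS = [
    '[{"date":"2018-01-30","site":"S01027","routePublishCount":"17","routeCount":"97","customerCount":"931"},'
    '{"date":"2018-01-30","site":"S02923","routePublishCount":"16","routeCount":"119","customerCount":"1248"},'
    '{"date":"2018-01-30","site":"S03175","routePublishCount":"14","routeCount":"79","customerCount":"701"},'
    '{"date":"2018-01-30","site":"S03422","routePublishCount":"24","routeCount":"146","customerCount":"1486"}]',
    '{"log":{"actionCd":"Update","appSourceCd":"MAS","requestTypeCd":"SvcReq2","responseTime":9}}',
    '{"log":{"actionCd":"Update","appSourceCd":"MAS","requestTypeCd":"SvcReq1","responseTime":14}}',
    '{"log":{"actionCd":"Create","appSourceCd":"MAS","requestTypeCd":"SvcReq3","responseTime":"25"}}',
]


def get_path(obj, dotted):
    """Resolve a dotted path such as 'log.responseTime'; None if any step is missing."""
    current = obj
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def expand_rows(raw):
    """Turn one raw event into a list of objects: a top-level array becomes one
    object per element, anything else stays a single object."""
    doc = json.loads(raw)
    return doc if isinstance(doc, list) else [doc]


def table(raw_events, *columns):
    """Mirror `| table date site` after expansion: one tuple per object that
    carries at least one of the requested fields."""
    rows = []
    for raw in raw_events:
        for obj in expand_rows(raw):
            row = tuple(get_path(obj, col) for col in columns)
            if any(value is not None for value in row):
                rows.append(row)
    return rows


def to_number(value):
    """Coerce a JSON value to float; None for missing or non-numeric values."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def slow_requests(raw_events, threshold=11):
    """Objects whose log.responseTime is numerically greater than the threshold."""
    hits = []
    for raw in raw_events:
        for obj in expand_rows(raw):
            rt = to_number(get_path(obj, "log.responseTime"))
            if rt is not None and rt > threshold:
                hits.append((get_path(obj, "log.requestTypeCd"), rt))
    return hits


def lexical_vs_numeric(a="9", b="11"):
    """Show why the conversion matters: as strings "9" sorts after "11"."""
    return a > b, to_number(a) > to_number(b)


if __name__ == "__main__":
    for row in table(RAW_EVENTS, "date", "site"):
        print(row)
    print("responseTime > 11:", slow_requests(RAW_EVENTS))
    print('"9" > "11" lexically, numerically:', lexical_vs_numeric())
```

The numeric conversion is the part most easily forgotten: when a field has been extracted as text, a greater-than test without `tonumber`-style conversion compares strings character by character, so `"9"` ranks above `"11"` and the filter quietly returns the wrong events.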