Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About michaeljorgense
michaeljorgense
Path Finder
Member since:
11-24-2016
02-13-2024
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 35 |
| Karma Received | 4 |
| Member Since | 24-11-2016 |
Activity Feed
- Karma Re: Universal forwarder 9.1.0 (linux) changed owner for mykol_j. 11-06-2023 03:33 PM
- Karma Re: Universal forwarder 9.1.0 (linux) changed owner for jotne. 11-06-2023 03:33 PM
- Karma Re: Universal forwarder 9.1.0 (linux) changed owner for PickleRick. 11-06-2023 03:26 PM
- Karma Re: Universal forwarder 9.1.0 (linux) changed owner for auradk. 11-06-2023 03:25 PM
- Karma Re: Universal forwarder 9.1.0 (linux) changed owner for auradk. 11-06-2023 03:25 PM
- Karma Re: data rebalance progresses is very poor or getting stuck for rbal_splunk. 08-14-2022 12:37 AM
- Karma How to upgrade Mongo in Splunk 9.0.0? for amartin6. 07-31-2022 10:43 PM
- Karma Re: How to upgrade Mongo in Splunk 9.0.0? for amartin6. 07-31-2022 10:42 PM
- Karma Re: Splunk sub-processes start/stop every minute (splunk-admon, splunk-powershell, etc). How do we prevent this? for rkantamaneni_sp. 07-20-2020 09:35 PM
- Karma Re: Splunk sub-processes start/stop every minute (splunk-admon, splunk-powershell, etc). How do we prevent this? for jtacy. 07-20-2020 09:35 PM
- Karma Splunk sub-processes start/stop every minute (splunk-admon, splunk-powershell, etc). How do we prevent this? for hortonew. 07-20-2020 09:35 PM
- Posted Re: Splunk sub-processes start/stop every minute (splunk-admon, splunk-powershell, etc). How do we prevent this? on Getting Data In. 07-20-2020 09:32 PM
- Karma Could not determine $SPLUNK_HOME, perhaps it should be set in environment. for Dimitri_McKay. 07-01-2020 10:43 PM
- Karma Re: Could not determine $SPLUNK_HOME, perhaps it should be set in environment. for Dimitri_McKay. 07-01-2020 10:43 PM
- Karma Re: Splunk as SMDR Listener for jlsabaut. 06-18-2020 06:09 PM
- Karma Splunk as SMDR Listener for richardphung. 06-18-2020 06:09 PM
- Posted Re: Splunk as SMDR Listener on All Apps and Add-ons. 06-18-2020 06:07 PM
- Got Karma for Re: Splunk Stream not showing netflow data. 06-05-2020 12:50 AM
- Karma Re: Field extraction from host field value for jajung. 06-05-2020 12:49 AM
- Karma Re: loading a Driver for postgresql. for burakcinar. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
07-20-2020
09:32 PM
@rkantamaneni_sp are you talking about this being specifically fixed in Splunk Universal Forwarder version 7.3.0? i.e. would just patching the Windows UFs to use 7.3.0 fix this issue? Or does it need 7.3.0 in the server end too? Also I notice there isn't any reference to SPL-145668 in the Splunk Universal Forwarder release notes yet.
... View more
06-18-2020
06:07 PM
@jlsabaut it looks like the migration to new Splunk Answers might have lost the attachment you provided with tips on setting this up. Would you mind re-sharing please? @richardphung I would also prefer to send this to a syslog server and not direct to Splunk so thanks for asking my question for me. But it sounds like from the answer for the Avaya Call app to work it's not in syslog format. Possibly can have the Avaya system export syslog in another way? Just not on the SMDR screen.
... View more
05-13-2019
11:44 PM
1 Karma
This looks like close something I am experiencing. My understanding is the streamfwd binary needs to phone home to the Splunk App for Stream as described here:
https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/DeploymentArchitecture#How_streamfwd_communicates_with_splunk_app_stream
This is where you configure streamfwd to talk to the Stream App:
https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/ConfigureStreamForwarder#Verify_location_of_splunk_app_stream_in_inputs.conf
In your config this is set to:
splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
To me it looks like your logs are showing that streamfwd is getting a connection refused when connecting via http to localhost on tcp port 8000. It's getting a connection refused when attempting that.
Are you able to, on that same splunk server, access:
http://localhost:8000/en-us/custom/splunk_app_stream/ping
If you can't that might indicate your problem, i.e. a local firewall, DNS resolution of "localhost" etc might not be working for you?
... View more
05-13-2019
11:16 PM
In the Splunk App for Stream, i.e. not the TA, access the Configuration->Configure Streams menu item from the navigation bar. Scroll down until you find the stream titled "netflow" and choose "edit". Then, in the resulting config screen, ensure that the Mode is set to "enabled". This will enable the stream as described above by @seg42
... View more
03-19-2019
04:32 AM
2 Karma
Sorry to bump a question well answered a while ago. I stumbled across it while searching for something else.
The answer to this question has changed and there is now an ITSI Certificate available.
More info can be found here:
https://www.splunk.com/en_us/training/certification-track/splunk-itsi-certified-admin.html
Thought I should update this question in case someone else stumbles across it and wants to know about ITSI certification.
... View more
04-26-2018
09:43 PM
Thanks @jajung. That was exactly the problem. Once I reconfigured permissions on the app config to "all apps" then the new fields were immediately accessible within Search & Reporting.
... View more
04-26-2018
09:36 PM
It looks like this has all come down to a Splunk permissions issue.
I edited the permissions on my app within Splunk & set the permissions for “sharing for config file-only objects” to “all apps” not “this app only (system)” and now Search & Reporting app shows me the fields I've been trying to extract immediately.
So possibly any number of previous attempts/syntax options has been working but permissions weren't allowing me to see it.
... View more
04-26-2018
04:05 PM
I tried your suggested host_regex config & can confirm that the host field is still being extracted successfully from the file name, i.e. no change there as it was working before.
Unfortunately it hasn't made the props.conf inline extraction work.
inputs.conf:
[monitor:///path/to/file/*/child_AE_*.log]
index=mjtest
sourcetype=mjtest
host_regex = \/path\/to\/file\/.*?\/child_AE_(\S+).log
props.conf:
[mjtest]
EXTRACT-group_and_site = (?<group>\w{3})(?<site>\w{3})\w+ in host
... View more
04-26-2018
03:49 PM
Thanks for the suggestion. The host field is being extracted properly using the regex I have posted. I will give your suggestion a try regardless of that fact in case it helps the later props/transforms regex extraction & update you soon.
... View more
04-26-2018
03:47 PM
Sorry for any confusion. The only time I used that incorrect stanza name was in my original question, in the REPORT extraction attempt. Once corrected by @FrankVI I changed it & have never posted config since showing me using it incorrectly. I'm not sure why you think I am still using it, but I'm not.
... View more
04-26-2018
03:13 AM
Thanks again for the reply & for confirming that it looks ok to your eyes.
This is a specific app just for testing this new input. Nothing else in inputs.conf, props.conf or transforms.conf that could conflict. In fact no other config files in this app but those files in a local/ sub-dir.
I've used btool to confirm that the props settings were visible previously & also seen them in the 'Field Extractions' dashboard in the Web GUI. So I know they are loaded into splunk successfully.
Permissions are fine (splunk runs as root anyway on this test server) & I have been restarting splunk after every change to props.conf. Trust me when I say that's about 30+ times in the last 2 days before I even logged this question.
Again, thanks for taking the time, I guess I'll take it up with support.
... View more
04-25-2018
11:36 PM
Looks like I accidentally "commented" on the wrong response. Thanks for your reply @FrankVI, please find my response to it below @woodcock comment.
... View more
04-25-2018
05:26 PM
Thanks very much for your reply Frank.
Unfortunately I tested both suggestions & neither is working, i.e. no 'group' or 'site' field at search time on the data in my index. Not on previously indexed data or fresh data that I add to the file to be ingested.
Please find below my config files for each scenario with the fixes you suggested.
Inline scenario.
inputs.conf:
[monitor:///path/to/file/*/child_AE_*.log]
index=mjtest
sourcetype=mjtest
host_regex = /path/to/file/.*/child_AE_(\w+).log
props.conf:
[mjtest]
EXTRACT-group_and_site = (?<group>\w{3})(?<site>\w{3})\w+ in host
Report scenario.
inputs.conf:
[monitor:///path/to/file/*/child_AE_*.log]
index=mjtest
sourcetype=mjtest
host_regex = /path/to/file/.*/child_AE_(\w+).log
props.conf:
[mjtest]
REPORT-fieldextract = group_site_extract
transforms.conf:
[group_site_extract]
REGEX = (?<group>\w{3})(?<site>\w{3})\w+
SOURCE_KEY = host
Thanks for your help so far! 🙂
... View more
04-25-2018
02:11 AM
1 Karma
Hi,
I would like to extract two new fields from the value of the host field at search time. I'd like the first 3 characters of the host field value to be a new field named 'group', and the next 3 characters of the host field value to be a new field named 'site'.
e.g.
if
host = AAABBBsomestring
then
group = AAA
site = BBB
I believe I have the regex to make this work. I've tested it with rex in a Splunk Search & can see the new fields 'group' & 'site' being correctly populated in the events resulting from that rex modified search.
Here is my search:
index=mjtest | rex field=host "(?<group>\w{3})(?<site>\w{3})\w+"
So I then tried to place this as an inline field extraction in props.conf.
My environment for testing is a single virtual machine hosting all splunk functions including search head & indexers. Additionally the files being monitored are also on this same test server. All config files named below are in my own app in SPLUNK_HOME/etc/apps/app_name/local.
My inputs.conf looks like:
[monitor:///path/to/file/*/child_*.log]
index=mjtest
sourcetype=mjtest
host_regex = /path/to/file/.*/child_(\w+).log
My props.conf looks like:
[mjtest]
EXTRACT-group,site = (?<group>\w{3})(?<site>\w{3})\w+ in host
However these fields are not extracted at search time, well they don't appear in the event data or the list of interesting fields in a Splunk Search.
Any clues on why this might be? Is it because I'm setting the host value via host_regex in inputs.conf? I would have thought that wouldn't matter as that would happen before any props.conf actions took place in the processing pipeline.
For what it's worth I also tried doing a REPORT extraction with a props.conf & transforms.conf combo of the below which also didn't work.
props.conf:
[sourcetype::mjtest]
REPORT-fieldextract = group_site_extract
transforms.conf:
[group_site_extract]
REGEX = (?<group>\w{3})(?<site>\w{3})\w+
SOURCE_KEY = host
Ultimately I don't mind which way my goal is achieved... but it's driving me crazy why it's not working.
Any help would be much appreciated.
Michael.
... View more
11-29-2016
07:17 PM
Thanks for the reply Guilhem.
It sounds like it is actually possible to monitor nmon files elsewhere in real-time, just not recommended.
How would I go about doing so if I wanted to see what the cost of doing so is like? I assume I'd have to modify a local copy of inputs.conf to point at my separate nmon files.
Would I have to modify any other config files?
Would simply modifying inputs.conf automatically call your parsers and helper scripts when changes were made to my outside TA-nmon nmon files?
Would modifying inputs.conf, automatically stop TA-nmon from generating it's own files or would I have to disable that somewhere also?
I'm quite keen to keep my nmon files as the source of data & monitor them in real-time. So any pointers on how to achieve that would be greatly appreciated 🙂
... View more
11-24-2016
09:42 PM
Does this answer mean I can't use this app, to capture real time performance data from nmon files generated OUTSIDE of TA-nmon?
i.e. I have an AIX server generating nmon data 24 hours a day. I have a Universal Forwarder installed with TA-nmon deployed. Can't I just have TA-nmon, in real time, monitor the AIX generated nmon files & send the data to Splunk?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-13-2024
06:39 PM
|
