Activity Feed
- Posted Re: Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 10:12 AM
- Posted Re: Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 10:03 AM
- Posted Re: Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 09:55 AM
- Posted Re: Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 09:50 AM
- Posted Re: Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 09:42 AM
- Posted Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 09:20 AM
- Tagged Cannot find log messages for -1d@d but -7d@d works on Splunk Search. 01-23-2018 09:20 AM
- Posted Re: tsidx topologycruncy on Getting Data In. 03-10-2016 10:57 AM
- Posted Re: tsidx topologycruncy on Getting Data In. 03-10-2016 09:25 AM
- Posted Re: tsidx topologycruncy on Getting Data In. 03-08-2016 06:34 AM
- Posted tsidx topologycruncy on Getting Data In. 03-07-2016 08:18 AM
- Tagged tsidx topologycruncy on Getting Data In. 03-07-2016 08:18 AM
01-23-2018 10:12 AM
Thanks. I just posted this message below:
Yesterday's log is somehow added to an exception from earlier this week. Let's close this one for now. I'll investigate further on my end.
01-23-2018 10:03 AM
hrm...this is interesting. Yesterday's log is somehow added to an exception from earlier this week. Let's close this one for now. I'll investigate further on my end.
Thanks all.
01-23-2018 09:55 AM
I assumed that 'present in my data' means that I'm able to search and find those logs in Splunk. But perhaps it's better for me to ask for your criteria as well 🙂
Is that assumption correct, or did you mean something else?
01-23-2018 09:50 AM
"Finished Importing data" | earliest=-d@d latest=@d
With the pipe, I get an error: Search Factory: Unknown search command 'earliest'.
"Finished Importing data" earliest=-d@d latest=@d
Without the pipe, I get: No results found. Try expanding the time range.
01-23-2018 09:42 AM
I don't follow. Are you saying that most of my application log (at least >90% of it) is present in my data, and that single log message is not present in data? I'm just trying to understand how this would happen, and understand how to prevent it.
If my Splunk query is wrong, how would one search and/or create an alert that checks for existence of a log message for the last 24 hours?
Thanks!
01-23-2018 09:20 AM
I have a Splunk alert that has been sending false emails. The alert is sent when a string is absent from the application's log. The search itself is actually not finding the log message, which I assume is the reason for the log not being triggered.
This search in Splunk UI: "finished importing data" earliest=-1d@d
Results: no messages found.
But when I search back 7 days, the expected log message appears.
Ex: "finished importing data" earliest=7d@d
Results: messages are returned as expected
Furthermore, I am able to see other messages from the application logs from the last 24 hours in Splunk, but the specific text "finished importing data" only appears when I search for 7 days or greater.
Any ideas why a 7-day search would return results but a 1-day search would not? Your help is greatly appreciated.
Currently running Splunk version 7.0.1.
- Tags:
- splunk-enterprise
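As an added example (not code from the thread or from Splunk), a small resolver for Splunk-style relative time modifiers that shows what windows the searches quoted above actually cover, which is the usual cause of an "absence of log line" alert firing when the line is in fact there. Assumptions of this example: only the s/m/h/d units are supported, a missing integer defaults to 1 (so -d@d equals -1d@d), and an unsigned offset is treated as a forward (+) offset.

```python
import re
from datetime import datetime, timedelta

# Offset part of a modifier: seconds per supported unit (assumption: s/m/h/d only).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# [+|-]<integer><unit>[@<snap unit>], e.g. -1d@d, -d@d, @d, -24h
MODIFIER_RE = re.compile(
    r"^(?P<sign>[+-])?(?P<num>\d*)(?P<unit>[smhd])?(?:@(?P<snap>[smhd]))?$"
)


def resolve_relative_time(modifier: str, now: datetime) -> datetime:
    """Resolve a relative time modifier against `now`.

    Splunk applies the signed offset first and then snaps the result DOWN to the
    start of the snap unit, so "-1d@d" is midnight at the start of yesterday, not
    "24 hours ago". A missing integer defaults to 1 (assumption of this example).
    """
    if modifier == "now":
        return now
    m = MODIFIER_RE.match(modifier)
    if not modifier or not m or (m.group("num") and not m.group("unit")):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    t = now
    if m.group("unit"):
        count = int(m.group("num") or 1)
        if m.group("sign") == "-":
            count = -count
        t = t + timedelta(seconds=count * UNIT_SECONDS[m.group("unit")])
    snap = m.group("snap")
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def search_window(earliest: str, latest: str, now: datetime) -> tuple:
    """Return (start, end) of the time range a search with these modifiers covers."""
    return resolve_relative_time(earliest, now), resolve_relative_time(latest, now)


def covered_hours(earliest: str, latest: str, now: datetime) -> float:
    """Length of the search window in hours; useful when checking an alert's range."""
    start, end = search_window(earliest, latest, now)
    return (end - start).total_seconds() / 3600
```

Run at 10:12 on 2018-01-23, `earliest=-1d@d` with the default `latest=now` covers about 34 hours, while `earliest=-1d@d latest=@d` covers exactly yesterday and `earliest=-24h` covers the last 24 hours.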
03-10-2016 09:25 AM
Awesome! Thanks jkat54. I found a reference under a saved search with the reference to 'namespace=topologyCronSearch'. Looks like this search (called Config: Topology Data Generator) was set up alongside the Splunk App for AWS App.
03-08-2016 06:34 AM
Hi,
The full path is /opt/splunk/var/lib/splunk/tsidxstats/topologyCronSearch
Thanks.
03-07-2016 08:18 AM
Sifting through the discussions about tsidx files, I still find myself confused on how these populate. Currently on my search head, there are 25GB in the tsidx/topologyCrunch directory. The only apps I have installed are Splunk App for AWS and Nessus. From the Settings > Report Acceleration Summary, no accelerations are configured.
My questions are: 1) how can I determine where these files are coming from, and 2) how do I go about removing them?
Thanks!
- Tags:
- splunk-enterprise