About datamine

datamine · ‎11-15-2021

hi All, I have created a python script in my local that's working fine for me. But need to create it as a splunk addon to deploy for Splunk cloud hence need to pass username, password and accesstoken as variables to the code instead of hardcoding. Can someone please point me to any sample example scripts where we are passing variables to the script. Since am beginner in python finding it difficult with the Splunk python helper functions. Thanks, Devon

datamine · ‎08-20-2021

Message am getting is

datamine · ‎08-20-2021

Am aware of the Maxout limit of 50k , am asking the best ways to get the results more than 50k from subsearch to join my output. My use case needs the results more than 50k. And by the way am using join. So am looking for ways to optimize the query itself without changing limits if its possible and we are using splunk-cloud so even if we request i doubt they will change the limits as they have a simple stance of saying its not allowed as per documentation unfortunately not much of help from splunk-cloud. Output settings for subsearch commands By default, subsearches return a maximum of 10,000 results. You will see variations in the actual number of output results because every command can change what the default maxout is when the command invokes a subsearch. Additionally, the default applies to subsearches that are intended to be expanded into a search expression, which is not the case for some commands such as join, append, and appendcols. For example, the append command can override the default maximum if the maxresultrows argument is specified, unless you specify maxout as an argument to the append command. The output limit of the join command is controlled by subsearch_maxout in the limits.conf file. This defaults to 50,000 events.

datamine · ‎08-19-2021

Hi All, Can someone please help me if our subsearch has results more than 50000 and we need to append those as well to our main search. As splunk subsearch has maxout 50000 whats the best way to optimize them? to increase the limit in limits.conf or is there any better way to do it by optimizing the query itself to allow the results for more than 50000. Thanks, Dave

datamine · ‎08-19-2021

But what if our subsearch has results more than 50000 and we need to those as well. As splunk subsearches has maxout 50000 whats the best way to optimize them? to increase the limit in limits.conf or is there any better way to do it by optimizing the query itself to allow the results for more than 50000. Thanks, Dave

datamine · ‎09-22-2020

hi All,IN the AWS inputs logs we are getting timestamps behind 2 hours and we need to adjust it to UTC + 02:00 . I have applied it in in the props.conf on the HF where the aws input is configured as below[source::s3:/cloudfx-s3/*] TZ = UTC+02:00But it didnt worked , Can someone please let me know if its the right way to adjust the Timestamp in the logs ? 020-09-22 12:14:43 FCO50-C1 2253 5.171.196.19 GET d1q57ainn85gvl.TA_jvmjam.net /fe-api/v1/notifications 200 https://m.lego.it/scommesse-live Mozilla/5.0%20(Linux;%20Android%2010;%20Mi%209T%20Pro)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/85.0.4183.81%20Mobile%20Safari/537.36 =1600770582725 - Miss QumS5aHxkycZd-vjOLlapECGcIYloeTTUq4KursjmmdpHWotnCLDQ== m.lego.it https 2147 0.110 - TLSv1.3 TLS_AES_128_GCM_SHA256 Miss HTTP/2.0 - - 32299 0.110 Miss application/json;%20charset=utf-8 1895 - - 2020-09-22 12:14:43 IAD66-C1 23128 157.55.39.108 GET d1q57ainn85gvl.TA_jvmjam.net /slot-machine/wild-rails/ 200 - Mozilla/5.0%20(compatible;%20bingbot/2.0;%20+http://www.bing.com/bingbot.htm) - - Miss jG0oTG9mljNfR0k-NQ5R6u_EWH0v0cggDlPDLfzmOgPEMMJrDHCtiQ== www.lego.it https 296 0.594 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Miss HTTP/1.1 - - 13054 0.468 Miss text/html;%20charset=utf-8 22053 - Here it is 12:14:43 but we need it as +2H as 14:14:43

datamine · ‎04-29-2020

hi All, After setting up the incoming webhooks in the slack and provided the webhook url in the Slack setup configuration in splunk. Post these steps have tested from the search Manually and it does works. | sendalert slack param.channel="#soc_alert" param.message="Lorem ipsum" But its not sending the Notification to the slack channel for the Triggered Alert actions. Can someone help me here what might have went wrong. from the log events i don't find any useful info. 04-29-2020 10:12:08.984 +0200 INFO sendmodalert - Invoking modular alert action=slack for search="Threat - Test to sand alert to Slack - Rule Clone" sid="scheduler_devo01SplunkEnterpriseSecuritySuite_RMD5ea696853f5a89cc2_at_1588147800_75240" in app="SplunkEnterpriseSecuritySuite" owner="devo01" type="saved" Thanks, Devon

datamine · ‎11-25-2019

Hi all, I have a chart displaying 3 line charts based on our test results. Now we would like to show the test start and end timings like a marker on the _time in the x - axis like a vertical marker or something like that saying when the test has been started and ended. Here is my second search: index=gc sourcetype=gc_analysis |table _time test_status |where test_status!="null" Is it possible to mark the above chart with the field test_status marking the x - axis when the test has been started and ended. Thanks, Devon

datamine · ‎11-24-2019

hi All, Am trying to extract the fields for only the text when it contains start or end as my test_status field that should contain only those values and the value next to the test_status field as my test_name example:DeVone_Benchmarking_Suite. When am trying auto regex and delimiter like space am getting other values as well in those field which am not interested. Can someone help me how to extract only those values in my fields. Please find the sample events below. [2019-11-24T13:20:48.226-0500][580.588s] GC(8) Garbage Collection (Allocation Rate) 8532M(69%)->2574M(21%) [2019-11-24T13:18:28.315-0500][440.678s] GC(7) Garbage Collection (Allocation Rate) 11414M(93%)->1744M(14%) [2019-11-24T13:16:13.876-0500][306.239s] GC(6) Garbage Collection (System.gc()) 2560M(21%)->1268M(10%) [2019-11-24T13:16:12.570-0500][304.932s] GC(5) Garbage Collection (Allocation Rate) 8270M(67%)->2560M(21%) [2019-11-24T13:14:01.328-0500][173.690s] GC(4) Garbage Collection (Allocation Rate) 11576M(94%)->1758M(14%) [2019-11-24T13:11:14.353-0500][6.716s] GC(0) Garbage Collection (Warmup) 1264M(10%)->958M(8%) [2019-11-24T13:11:07.709-0500][0.071s] Using The Z Garbage Collector [2019-11-24T13:11:07-05:00] DEVJVM-Test-Start DeVone_Benchmarking_Suite SEGUE1401_12GB_MEMORY [2019-11-24T13:11:07-05:00] DEVJVM-Test-End DeVone_Benchmarking_Suite [2019-11-24T13:11:06.014-0500][1491.413s] GC(23) Garbage Collection (Allocation Rate) 2514M(22%)->1832M(16%) [2019-11-24T13:10:55.376-0500][1480.775s] GC(22) Garbage Collection (Allocation Rate) 9108M(81%)->1500M(13%) [2019-11-24T13:08:21.376-0500][1326.775s] GC(21) Garbage Collection (Allocation Rate) 10124M(90%)->1682M(15%) Thanks, Devon

datamine · ‎11-11-2019

hi All, Post upgrading the RHEL to release v8.0 (Ootpa) we have observed that the Add-on for Unix and Linux is not generating results for sourcetype vmstat. Upon checking by manually running the script vmstat.sh its not giving any results. some other scripts are running. Has anyone else faced this issue? Cheers!

datamine · ‎11-01-2019

hi @FrankVl I have tried on Windows, Ubuntu and CentOS by running the installer without stopping the Splunk UF process and it seems the installer will stop the process and then proceeds with replacing the files and upgrade steps. I havent seen any errors post upgrading on the logs. Thanks, Devon

datamine · ‎11-01-2019

hi All, How to add the edit button to the Dashboard panels in the App "Splunk App for Jenkins". I tried the hideEdit="false" option in the dashboard xml but it didnt worked for me. Am thinking maybe as these dahsboards are cascaded to html and JS maybe its not working. Can someone help me how to do it. Thanks, Devon

datamine · ‎11-01-2019

hi @acharlieh Am using Splunk App for jenkins (v2.0.2) and i dont see the option to run the searches from the charts which i would like to have it. As those panles are using html and JS i dont even see the option to EDIT the panels. Is there a way that i can add the EDIT Button to those views? Thanks, Devon

datamine · ‎11-01-2019

Hi all, After upgrading the Splunk App for Jenkins from v1.0.8 to v2.0.2 we are not able to see the option to open the search results behind the charts like we used to see in v1.0.8? It seems that opening the results search with mousehover on charts has been disabled or removed. Can someone help me enable it? Thanks, Devon

datamine · ‎10-30-2019

hi @edavison how do these python programs are called? in inputs.conf i see the stanza name same as python program. Am i right? [github_api_repos_stats] start_by_shell = false sourcetype = github:repos:stats interval = 86400 disabled = 0 [github_api_repos_commits] start_by_shell = false sourcetype = github:repos:commits interval = 3600 disabled = 0 [github_api_repos_issues] start_by_shell = false sourcetype = github:repos:issues interval = 86400 disabled = 0 Thanks, Devon

datamine · ‎10-29-2019

hi All, We have an index cluster(2 indexers) and we need to archive the Frozen buckets to a storage location. Do we need to specify the frozen buckets on idx1 and idx2 to point to same location path or do we need to configure them in separate locations? IDX1: /mnt/s3/frozen/ IDX2: /mnt/s3/frozen/b2/ Thanks, Devon

datamine · ‎10-24-2019

Hi All, Is it possible to pull the data from Graphite into Splunk by any Add-ons' or Apps? Thanks, Devon

datamine · ‎10-21-2019

hi All, Does anyone has any idea about the cons if we upgrade a UF on Linux/Windows machine without stopping the splunk service? In documentation ut says first we need stop the splunk service and then install the new/higher version like from v7.0.5 to v7.3.1 Thanks, Devon

datamine · ‎10-08-2019

hi @esnyder Has it been removed recently ? because i can still see free trails for ES App but ITSI is missing. If we would like to get a trial for ITSI any process to follow inorder to get it? Thanks, Devon

datamine · ‎10-08-2019

hi All, Any idea why ITSI is missing in the free trial downloads. https://www.splunk.com/en_us/download.html It has other premium Apps but ITSI is missing? Thanks, Devon

datamine · ‎10-04-2019

Thanks @jacobevans ! But we dont want to have any static count value to be used rather than a dynamic one based on the previous 30 mins/hour count(a specific market) is reduced more than x% percentage to the count(only that market now in last 30min/hour) then it should alert. Cheers, Devon

datamine · ‎10-04-2019

hi @sandeepmakkena if i remove the date_hour then i get values but its taking the count of all markets as count and taking the difference from that. Is there a way to calculate the difference only from the count of that market alone and then calculate percentage for that market. thanks, Devon

datamine · ‎10-04-2019

hi @sandeepmakkena , It didnt worked. when i run the serach before saving it as alert its not giving me any stats. Thanks, Devon

datamine · ‎10-03-2019

Hi all, We are receiving web traffic to one index from multiple markets like the below search. Now we have been asked to setup an alert if there is any decrease in 50% of volume in any market over a time period like an hour or in 30 mins. Can some one help me how to achieve this? Charting the Traffic by Market wise: index=webtraffic sourcetype=mobile_traffic marketName=* eventType="ProductAdded" |timechart count by marketName useother=f usenull=f Thanks!

Posts	25
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎10-03-2019

Online Status	Offline
Date Last Visited	‎01-16-2023 04:01 PM

How to add username, password variables in python ...

How to increase the subsearches maxout limit ?

Change the time stamp in the log data by adding 2+...

Slack Notification Alert: Triggered Alert not send...

How to overlay or mark a chart based on column val...

Extracting fields for a specific text

Splunk Addon for unix and Linux not supporting Red...

How to enable the Edit button on the dashboard vie...

Splunk App for Jenkins: Dashboard charts not showi...

how to set the frozen path in Index Cluster?

How to add username, password variables in python ...

Re: How to increase the subsearches maxout limit ?

Re: How to increase the subsearches maxout limit ?

How to increase the subsearches maxout limit ?

Re: How to increase the subsearch limit?

Change the time stamp in the log data by adding 2+...

Slack Notification Alert: Triggered Alert not send...

How to overlay or mark a chart based on column val...

Extracting fields for a specific text

Splunk Addon for unix and Linux not supporting Red...

Re: What will happen if you Upgrade UF without sto...

How to enable the Edit button on the dashboard vie...

Re: How can i disable the search that opens when i...

Splunk App for Jenkins: Dashboard charts not showi...

Re: mfa is it possible with just api key,mfa enabl...

how to set the frozen path in Index Cluster?

How to pull the time series data from Graphite int...

What will happen if you Upgrade UF without stoppin...

Re: why splunk ITSI free trial is missing on the d...

why splunk ITSI free trial is missing on the downl...

Re: How to setup alert for x% decrease in count by...

Re: How to setup alert for x% decrease in count by...

Re: How to setup alert for x% decrease in count by...

How to setup alert for x% decrease in count by mar...