×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
petersob
Explorer
Member since: ‎10-13-2013
‎03-01-2023
Community Statistics
Posts 9
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎10-13-2013
Activity Feed
View All

Re: How to deal with value ranges?

by in Deployment Architecture
‎10-20-2013 09:26 AM
‎10-20-2013 09:26 AM
now I solved that by writing a custom search command. ... View more

Splunk doesn't recognize searchbnf.conf

by in Splunk Search
‎10-20-2013 09:23 AM
1 Karma
‎10-20-2013 09:23 AM
1 Karma
Hi all, I trying to implement online help for my custom search commands. There is a searchbnf.conf located in the $SPLUNK_HOME/etc/system/default directory. If I put my configuration into that file everything is working fine, but if I create a new searchbnf.conf in my app-local directory it will not be recognized by splunk. Is there any possibility to create the searchbnf.conf in the app context (without changing the system-wide one)? Regards, Peter ... View more

Re: How to deal with value ranges?

by in Deployment Architecture
‎10-18-2013 01:25 PM
‎10-18-2013 01:25 PM
something like that, but this one doesn't care about the gap between 5000 and 10000. There maybe a multiple gaps between the min and max, and I need to know all the gaps. Thats the problem. ... View more

Re: How to deal with value ranges?

by in Deployment Architecture
‎10-18-2013 01:15 PM
‎10-18-2013 01:15 PM
if i do something like that: "... | stats min(from) as first, max(to) as last by type" I will miss, that there is a gap between 5000 and 10000. ... View more

Re: How to deal with value ranges?

by in Deployment Architecture
‎10-18-2013 12:49 PM
‎10-18-2013 12:49 PM
...and the second point was, to use that range log events to find the right item type. In fact it's not "type" but an identifier (don't care about the name), which I will use then for further search. That means, if something happens to the number "1565" I will like to make a simple search (maybe using a form input) and get the item type. ... View more

Re: How to deal with value ranges?

by in Deployment Architecture
‎10-18-2013 12:49 PM
‎10-18-2013 12:49 PM
yes, they would be one line per event. In fact I just want to create the log messages, what I have are just ranges of serial numbers (first and last, ok i wrote "from" and "to"). Only one range per event will be generated, because they occure at different time. Then, in later time (perhaps dayily or weekly) I have to evaluate the data as described: merging ranges together and making a report containing the used ranges of numbers. I decided to use key="value" pairs for the fields because Splunk recognize them automatically without further field definitions. ... View more

How to deal with value ranges?

by in Deployment Architecture
‎10-18-2013 11:46 AM
‎10-18-2013 11:46 AM
Hello Community, have two simple questions about dealing with value ranges: 1) how to put ranges together? I have log informations with ranges, e.g.: from="1001" to="2000" type="aaa" from="2001" to="4000" type="aaa" from="4001" to="5000" type="aaa" from="10000" to="20000" type="aaa" from="20001" to="40000" type="BBB" I would like to compress it to get something like that: from="1001" to="5000" type="aaa" from="10000" to="20000" type="aaa" from="20001" to="40000" type="BBB" that means, the first three events should be merged, because the range ist continous and they are of the same type. The forth is an nother range and 5th is another type. Is there any simple way to go to get it solved? 2) based on the ranges mentioned above (in the events), is there any simple way, if I have a value, e.g. "1565" to identify what type is it? Ragards, Peter ... View more

Re: checking if a a process is still running (time...

by in Alerting
‎10-13-2013 08:29 AM
‎10-13-2013 08:29 AM
after hour of reading several postings here finally I found a solution for this problem. my problem is nothing else as determining the gap between the last log info and now. Well, this search does it for me now: source=/logs/processes.log earliest=-2h | stats max(_time) As LatestTime by process | eval Gap=(now()-LatestTime) | search Gap>3600 means: every process what was "seen" in the last 2 hours must be "seen" during the last hour also. If not I can raise an alert now! ... View more

checking if a a process is still running (time bas...

by in Alerting
‎10-13-2013 03:41 AM
‎10-13-2013 03:41 AM
Hello, I want to check if a process is still running. The process is logging periodically a short info on polling a directory. Now, I will to use that info to detect if the process is not running anymore. Normally, a simple search for the info would be: search myprocess is doing the work and then defining the alert for eventcount = 0 would do the job. But... I would like to do it in a generic way, that means, that "is doing the work" is actually unknown. This has to work with every process which is logging something periodically. Now, I have a defined a search doing a simple event count over time periods (hourly): source=/logs/processes.log earliest=-3h@h | chart count over process by _time span=1h this give me a table like this: process 1381651200 1381654800 1381658400 myproc1 12 12 1 myproc2 15 15 0 myproc3 233 243 102 well, that means that the process "myproc2" did not log anything in the last hour and I need an alert for that issue. What I've tried is to extract somehow the last column and evaluate the apopriate process name (process column) but I couldn't get it done. Any Ideas hot to do that? Maybe I'm thinking too complicated? Regards, Peter ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-01-2023 02:03 AM
Karma from
View All