About petersob

petersob · ‎10-20-2013

now I solved that by writing a custom search command.

petersob · ‎10-20-2013

Hi all, I trying to implement online help for my custom search commands. There is a searchbnf.conf located in the $SPLUNK_HOME/etc/system/default directory. If I put my configuration into that file everything is working fine, but if I create a new searchbnf.conf in my app-local directory it will not be recognized by splunk. Is there any possibility to create the searchbnf.conf in the app context (without changing the system-wide one)? Regards, Peter

petersob · ‎10-18-2013

something like that, but this one doesn't care about the gap between 5000 and 10000. There maybe a multiple gaps between the min and max, and I need to know all the gaps. Thats the problem.

petersob · ‎10-18-2013

if i do something like that: "... | stats min(from) as first, max(to) as last by type" I will miss, that there is a gap between 5000 and 10000.

petersob · ‎10-18-2013

...and the second point was, to use that range log events to find the right item type. In fact it's not "type" but an identifier (don't care about the name), which I will use then for further search. That means, if something happens to the number "1565" I will like to make a simple search (maybe using a form input) and get the item type.

petersob · ‎10-18-2013

yes, they would be one line per event. In fact I just want to create the log messages, what I have are just ranges of serial numbers (first and last, ok i wrote "from" and "to"). Only one range per event will be generated, because they occure at different time. Then, in later time (perhaps dayily or weekly) I have to evaluate the data as described: merging ranges together and making a report containing the used ranges of numbers. I decided to use key="value" pairs for the fields because Splunk recognize them automatically without further field definitions.

petersob · ‎10-18-2013

Hello Community, have two simple questions about dealing with value ranges: 1) how to put ranges together? I have log informations with ranges, e.g.: from="1001" to="2000" type="aaa" from="2001" to="4000" type="aaa" from="4001" to="5000" type="aaa" from="10000" to="20000" type="aaa" from="20001" to="40000" type="BBB" I would like to compress it to get something like that: from="1001" to="5000" type="aaa" from="10000" to="20000" type="aaa" from="20001" to="40000" type="BBB" that means, the first three events should be merged, because the range ist continous and they are of the same type. The forth is an nother range and 5th is another type. Is there any simple way to go to get it solved? 2) based on the ranges mentioned above (in the events), is there any simple way, if I have a value, e.g. "1565" to identify what type is it? Ragards, Peter

petersob · ‎10-13-2013

after hour of reading several postings here finally I found a solution for this problem. my problem is nothing else as determining the gap between the last log info and now. Well, this search does it for me now: source=/logs/processes.log earliest=-2h | stats max(_time) As LatestTime by process | eval Gap=(now()-LatestTime) | search Gap>3600 means: every process what was "seen" in the last 2 hours must be "seen" during the last hour also. If not I can raise an alert now!

petersob · ‎10-13-2013

Hello, I want to check if a process is still running. The process is logging periodically a short info on polling a directory. Now, I will to use that info to detect if the process is not running anymore. Normally, a simple search for the info would be: search myprocess is doing the work and then defining the alert for eventcount = 0 would do the job. But... I would like to do it in a generic way, that means, that "is doing the work" is actually unknown. This has to work with every process which is logging something periodically. Now, I have a defined a search doing a simple event count over time periods (hourly): source=/logs/processes.log earliest=-3h@h | chart count over process by _time span=1h this give me a table like this: process 1381651200 1381654800 1381658400 myproc1 12 12 1 myproc2 15 15 0 myproc3 233 243 102 well, that means that the process "myproc2" did not log anything in the last hour and I need an alert for that issue. What I've tried is to extract somehow the last column and evaluate the apopriate process name (process column) but I couldn't get it done. Any Ideas hot to do that? Maybe I'm thinking too complicated? Regards, Peter

Posts	9
Solutions	0
Karma Given	0
Karma Received	1
Member Since	‎10-13-2013

Online Status	Offline
Date Last Visited	‎03-01-2023 02:03 AM

Splunk doesn't recognize searchbnf.conf

How to deal with value ranges?

checking if a a process is still running (time bas...

Re: How to deal with value ranges?

Splunk doesn't recognize searchbnf.conf

Re: How to deal with value ranges?

Re: How to deal with value ranges?

Re: How to deal with value ranges?

Re: How to deal with value ranges?

How to deal with value ranges?

Re: checking if a a process is still running (time...

checking if a a process is still running (time bas...