Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About jimmyzhangau
jimmyzhangau
New Member
Member since:
01-21-2017
06-05-2020
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-21-2017 |
Activity Feed
- Posted What Capabilities is needed to Create Identity Management for Data Enrichment in ES on Security. 04-26-2018 08:44 PM
- Tagged What Capabilities is needed to Create Identity Management for Data Enrichment in ES on Security. 04-26-2018 08:44 PM
- Posted Re: How to understand "Splunk software can extract only dates from a source, not times. If you need to extract a time from a source, use a transform." " on Getting Data In. 05-15-2017 09:59 PM
- Posted How to understand "Splunk software can extract only dates from a source, not times. If you need to extract a time from a source, use a transform." " on Getting Data In. 05-14-2017 07:04 PM
- Tagged How to understand "Splunk software can extract only dates from a source, not times. If you need to extract a time from a source, use a transform." " on Getting Data In. 05-14-2017 07:04 PM
- Posted Missing Index Even Specifying Index in inputs.conf on Getting Data In. 01-26-2017 08:21 PM
- Tagged Missing Index Even Specifying Index in inputs.conf on Getting Data In. 01-26-2017 08:21 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
04-26-2018
08:44 PM
Hi,
When I wanted to create a new lookup in ES through ES->Configure->Data Enrichment->Identity Management, there's no "New" button, the role we are using is ess_admin, from the documentation, "edit_identitylookup" is the capability should be granted, but I've already include that capability into the role. Any other capabilities do we have to grant to the role?
Cheers,
... View more
- Tags:
- splunk-enterprise
05-15-2017
09:59 PM
From this example you can see Splunk can extract both date and time by using props.conf, but why in the note, it said :"Splunk software can extract only dates from a source, not times. If you need to extract a time from a source, use a transform." Also, I don't think here 'source' means 'filename', it should mean all types of data sources.
... View more
05-14-2017
07:04 PM
The note is here,
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/HowSplunkextractstimestamps
But I have a problem to understand this,
In the example below in that page, you can see props.conf can extract both date and time without transforms.conf
Another example that includes time zone information:
…Valid_Until=Thu Dec 31 17:59:59 GMT-06:00 2020
To extract the timestamp, add this to props.conf:
[host::bar]
TIME_PREFIX = Valid_Until=
TIME_FORMAT = %a %b %d %H:%M:%S %Z%z %Y
... View more
- Tags:
- timestamps
01-26-2017
08:21 PM
Hi,
The architect of the deployment is UF(Windows)->HF->Indexer->SH, only UF is installed in Windows platform and all other instances are Linux. The inputs.conf in UF is below:
[default]
host = XXX-PC
index = main
sourcetype = Win-UF
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor://C:\temp\temp.log]
disabled = 0
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[perfmon://FreeDiskSpace]
interval = 10
disabled = 0
[perfmon://Memory]
interval = 10
disabled = 0
[perfmon://LocalNetwork]
interval = 10
disabled = 0
[perfmon://CPUTime
interval = 10
disabled = 0
As you can see, I explicitly configure the default index that all windows events collected by UF should go. From search head, I could successfully got all file monitoring events from default index, but I couldn't get any performance events, and I got warning message from SH:
Search peer XYZ has the following message: Received event for unconfigured/disabled/deleted index=perfmon with source="source::Perfmon:Memory" host="host::XXX-PC" sourcetype="sourcetype::Perfmon:Memory". So far received events from 1 missing index(es).
Why did Splunk still report missing index even I specified the default index to be main? and why not the event be sent to main index?
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
