Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About andrewkenth
andrewkenth
Communicator
Member since:
10-16-2013
06-05-2020
Community Statistics
| Posts | 83 |
| Solutions | 9 |
| Karma Given | 0 |
| Karma Received | 16 |
| Member Since | 10-16-2013 |
Activity Feed
- Got Karma for How to use a $ in a form search?. 09-10-2020 10:58 PM
- Got Karma for Re: Upgrading to 6.1.1 - splunk start hangs with "Checking for possible UI view conflicts". 06-05-2020 12:46 AM
- Got Karma for Rotating Data to Frozen After Time Period. 06-05-2020 12:46 AM
- Got Karma for How to use a $ in a form search?. 06-05-2020 12:46 AM
- Got Karma for Hide Interesting Fields?. 06-05-2020 12:46 AM
- Got Karma for Hide Interesting Fields?. 06-05-2020 12:46 AM
- Got Karma for Can not extract fields in Splunk 6 with IE8. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk Crashing. 06-05-2020 12:46 AM
- Got Karma for Splunk Crashing. 06-05-2020 12:46 AM
- Got Karma for Inputs.conf and Multiple sourcetypes. 06-05-2020 12:46 AM
- Got Karma for List All Lookups in An App?. 06-05-2020 12:46 AM
- Got Karma for List All Lookups in An App?. 06-05-2020 12:46 AM
- Got Karma for Re: Sideview Utils Newb: using Table and Redirector in 6.0. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils Newb: using Table and Redirector in 6.0. 06-05-2020 12:46 AM
- Got Karma for Edited default.css but no changes. 06-05-2020 12:46 AM
- Got Karma for Splunk Replication a Good BCP Alternative?. 06-05-2020 12:46 AM
- Posted Re: Where can I find Checksum for Splunk Downloads? on #Random. 02-01-2017 10:45 AM
- Posted Where can I find Checksum for Splunk Downloads? on #Random. 02-01-2017 07:33 AM
- Posted Re: Why is there no Raw Events export option when I have a search with stats command or returns a table? on Splunk Search. 09-19-2014 01:48 PM
- Posted Why is there no Raw Events export option when I have a search with stats command or returns a table? on Splunk Search. 09-19-2014 12:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-01-2017
10:45 AM
Documenting for the next person. It's on the download page after select download. I glazed over when I originally downloaded the file.
... View more
02-01-2017
07:33 AM
Hi all,
I did a search and found an answer but it is from 2013 and does not appear to be relevant any longer. Where can I find the checksum's for the downloads? In my case, I'm looking for the checksum for the splunk-6.5.2-67571ef4b87d-Linux-x86_64.gz file.
Thanks!
Andrew
... View more
09-19-2014
01:48 PM
That's what I thought was happening. I'd like to see what you see when you click on the events tab, the raw logs or a csv with each field in it. If Splunk can show you the related events why can't you export what you see?
... View more
09-19-2014
12:55 PM
From the GUI, you should also see a "Raw Events" as an export option along with json, xml, and csv however I do not see Raw Events when I have a search that has the stats command present or returns a table. Any idea how to get a round this?
... View more
06-13-2014
09:10 AM
1 Karma
Updating Answers with relevant info.
Upon startup of a new version Splunk ($SPLUNK_HOME/lib/python2.7/site-packages/splunk/clilib/migration.py) scans every file in it's directory structure ($SPLUNK_HOME). Unfortunately for us we have a NAS appliance mounted under $SPLUNK_HOME used for retention purposes that takes a daily snapshot of every file and stores it. 58 files for 58 days. This scan took about 14 hours to complete. The temporary solution is to edit the script (and manage going forward during upgrades until a solution can be found).
Script edit ($SPLUNK_HOME/lib/python2.7/site-packages/splunk/clilib/migration.py), change .snapshot to whatever you'd like to avoid scanning.
def findPreviewFiles():
# skip over .snapshot subdirectories, which cause sadness when
# SPLUNK_HOME is a netapp mountpoint with exposed snapshot dirs
return comm.findFiles(comm.splunk_home, "\\.%s$" % EXT_MIGRATE,
skipdir_pattern=r"[\\/].snapshot$")
... View more
06-12-2014
12:05 PM
We are running on Redhat Linux.
... View more
06-12-2014
12:04 PM
Just as the title states.
Oddly enough I've upgraded to 6.1.1 from 6.0 3 times w/o issue. This time we start splunk is hanging with the message "Checking for possible UI view conflicts".
Any ideas?
Exact commands used to upgrade.
1) Copy upgrade TAR from DEV to UAT
Log in to u-wcm-splunk
su wcsplnku
mkdir /tmp/splunk_upgrade
scp @d-wcm-splunk:/tmp/splunk_upgrade/* /tmp/splunk_upgrade
2) Copy /apps/wcm-splunk to apps/splunk-bak (or backup anywhere)
mkdir /apps/splunk-bak
rsync -av --progress /apps/wcm-splunk /apps/splunk-bak --exclude archive
3) Stop Splunk
/apps/wcm-splunk/bin/./splunk stop
4) Install upgrade
tar -xvf /tmp/splunk_upgrade/splunk-6.1.1-207789-Linux-x86_64.tar -C /apps/ --transform s/splunk/wcm-splunk/
( chmod -R 755 /apps/wcm-splunk/ if not owned by wcsplnkp users)
5) Copy the follwoing files from the lower environment to the appropriate directories:
cp /tmp/login.css /apps/wcm-splunk/share/splunk/search_mrsparkle/exposed/css/
cp /tmp/web.conf /apps/wcm-splunk/etc/system/local/
cp /tmp/application.css /apps/wcm-splunk/etc/apps/CharlesRiverInfoSec/appserver/static/
cp /tmp/default.css /apps/wcm-splunk/share/splunk/search_mrsparkle/exposed/css/skins/default/
6) Start splunk
/apps/wcm-splunk/bin/./splunk start --accept-license --answer-yes
... View more
Labels
- Labels:
-
upgrade
05-23-2014
11:29 AM
Ahha! I think I figured it out. I copied the upgrade file over as my own user then untarred it as you should as the application user. I think the permissions on the files then retained MY (not the application user) id’s permissions causing a bunch of permissions issues.
In Dev I did a chmod 777 * in /$SPLUNK_HOME and now everything works.
So I think that was my issue….
... View more
05-23-2014
10:13 AM
I upgraded my dev instance today from 6.0 to 6.1.1 and am all of a sudden getting this error:
Problem parsing indexes.conf: stanza=charlesriver Required parameter=homePath not configured
Which indexes.conf file is this referring to and what does it mean?
This is the content of my etc/apps/CharlesRiverInfoSec/local/indexs.conf file:
[charlesriver]
coldPath = $SPLUNK_DB/charlesriver/colddb
homePath = $SPLUNK_DB/charlesriver/db
thawedPath = $SPLUNK_DB/charlesriver/thaweddb
maxTotalDataSizeMB = 500000
Obviously I do have a homePath here.
... View more
05-22-2014
06:52 AM
You may need to reapply the changes. Did you do that?
... View more
05-21-2014
11:06 AM
I ended up automating a cp cmd and adding the date on the end of the file.
cp <origfilepath> <newfilepath>_`date +"%Y%m%d"`.csv
The easiest way to do this is via chrontab but we use other means (autosys).
I also need to use the sourcefile name in the crcSalt as well in inputs.conf
crcSalt = <SOURCE>
... View more
05-20-2014
01:44 PM
To answer the why it's a list that is maintained, however we need the ability to go back in time and view the state of the list on any particular date. I was thinking that as well but was hoping there was a better way using inputs.conf or similar setting.
... View more
05-20-2014
01:29 PM
Just as it states. Is there way to monitor a file and reload it everyday even if it has not changed? Only once per day however.
Thanks!
... View more
05-20-2014
12:30 PM
That did not seem to work. Instead I used a case to check the day of the week:
| where Date > case(strftime(now(),"%w")="1", relative_time(now(), "-3d@d"), strftime(now(),"%w")!="1", relative_time(now(), "-1d@d"))
... View more
05-20-2014
11:22 AM
Is there a function to return the last weekday?
Instead of:
relative_time(now(), "-1d@d")
Is there any notation to say workday or weekday?
... View more
- Tags:
- relative_time
- weekday
05-20-2014
11:09 AM
That did not work but it put me on the right path. I'm not sure if it's @mon that isn't' working or what but this works:
| where Date > relative_time(now(), "-31d@d")
... View more
05-20-2014
09:53 AM
I have 3 searches that I'm appending. Each returns a Name and Date. Then I take the maximum of each of the Dates and show it.
Now I'd like to show only those that have a Date in the last month. How can I do this? earliest does not seem to be working, likely because I may be stripping the _time off when I turn it into a stats table (not sure..?).
If I do individual earliest or use the time picker it limits the entire search, which I do not want to do.
Any advice?
Basiclaly I'm taking the append results and doing a
| stats max(Date) as Date by LogonName
I tried
| stats max(Date) as Date by LogonName | Search earliest=-28d
but did not get the resutls I'm expecting (no results!)
Any advice guys and gals?
... View more
04-03-2014
07:05 AM
That is what I was thinking but how do I enforce a time zone on data that has already been imported?
... View more
04-02-2014
01:52 PM
How can I move the data in my pre move to a different time zone?
I am indexing w/o any time zone specification.
... View more
04-02-2014
01:52 PM
How can I move the data in my pre move to a different time zone?
I am indexing w/o any time zone specification.
... View more
