Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rnr
rnr
Path Finder
Member since:
07-15-2014
06-05-2020
Community Statistics
| Posts | 13 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 07-15-2014 |
Activity Feed
- Got Karma for Is it possible to configure load balancing on universal forwarders with preferable servers in tcpout group?. 06-05-2020 12:47 AM
- Got Karma for How to get size counters for Splunk indexes over a period of time to check how fast volume utilization is growing?. 06-05-2020 12:47 AM
- Got Karma for What happens when a log file gets renamed and later compressed?. 06-05-2020 12:47 AM
- Posted Re: Trigger script execution upon bucket change from hot to warm on Deployment Architecture. 12-18-2014 08:31 AM
- Posted Re: Trigger script execution upon bucket change from hot to warm on Deployment Architecture. 12-17-2014 01:57 PM
- Posted Re: Trigger script execution upon bucket change from hot to warm on Deployment Architecture. 12-16-2014 07:38 AM
- Posted Re: Is it possible to configure load balancing on universal forwarders with preferable servers in tcpout group? on Getting Data In. 12-15-2014 02:16 PM
- Posted Trigger script execution upon bucket change from hot to warm on Deployment Architecture. 12-15-2014 02:05 PM
- Tagged Trigger script execution upon bucket change from hot to warm on Deployment Architecture. 12-15-2014 02:05 PM
- Tagged Trigger script execution upon bucket change from hot to warm on Deployment Architecture. 12-15-2014 02:05 PM
- Posted Is it possible to configure load balancing on universal forwarders with preferable servers in tcpout group? on Getting Data In. 11-19-2014 08:47 AM
- Tagged Is it possible to configure load balancing on universal forwarders with preferable servers in tcpout group? on Getting Data In. 11-19-2014 08:47 AM
- Tagged Is it possible to configure load balancing on universal forwarders with preferable servers in tcpout group? on Getting Data In. 11-19-2014 08:47 AM
- Tagged Is it possible to configure load balancing on universal forwarders with preferable servers in tcpout group? on Getting Data In. 11-19-2014 08:47 AM
- Posted Re: What happens when a log file gets renamed and later compressed? on Getting Data In. 10-23-2014 07:47 AM
- Posted Re: What happens when a log file gets renamed and later compressed? on Getting Data In. 10-21-2014 07:41 AM
- Posted What happens when a log file gets renamed and later compressed? on Getting Data In. 10-20-2014 02:38 PM
- Tagged What happens when a log file gets renamed and later compressed? on Getting Data In. 10-20-2014 02:38 PM
- Tagged What happens when a log file gets renamed and later compressed? on Getting Data In. 10-20-2014 02:38 PM
- Tagged What happens when a log file gets renamed and later compressed? on Getting Data In. 10-20-2014 02:38 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 1 | |||
| 1 |
12-18-2014
08:31 AM
I'm configuring this whole thing simply for sending buckets to S3 as soon as they are eligible (which is warm status).
I'm still confused with search and alert settings. Number of results > 1 should be for which period of time?
And another option, is it "once" or "for each result"? And if "for each result", what should be field value for throttling results, which splunk requires to be set in this case.
... View more
12-17-2014
01:57 PM
Now I'm confused about "real time" search.
In the alert config "Alert Type: Real-time"
In the search, if Presets = "All time (real-time)", then query returns nothing. Hmm, how come if there are events during the day and they shown with for example "1 hour window" preset?
I understand that "1 hour window" will return results in realtime + 1 hour back. But what should be set in this case for the search request used in trigger?!
I configured search as "1 hour window" realtime, but I am not sure if it affect trigger anyhow. Does it?
... View more
12-16-2014
07:38 AM
Cool, it's quite easy to get what's being moved.
The request is
host = splnk-indx index=_internal sourcetype=splunkd "finished moving hot to warm"
I guess this would be the best way to implement same type of functionality as option coldToFrozenScript provides in indexes.conf?
http://docs.splunk.com/Documentation/Splunk/6.2.0/Alert/Configuringscriptedalerts
Or maybe there is undocumented option hotToWarmScript, no? 🙂
... View more
12-15-2014
02:16 PM
For those who interested in configuring local forwarders with prefferable destination and transparent failover, it's quite easy to do with haproxy.
For server located in zoneA:
{standard set of haproxy options}
frontend fe-splunkfwd
mode tcp
option tcplog
log global
bind 127.0.0.1:7997
default_backend be-splunkfwd
# For splunk forwarders
backend be-splunkfwd
mode tcp
option tcplog
timeout server 15s
timeout connect 2s
server fwd-server-name-zoneA 10.10.19.11:7997 maxconn 8192 check inter 1s
server fwd-server-name-zoneB 10.19.20.11:7997 maxconn 8192 check inter 1s backup
Change backup option in the be-splunkfwd backend respectively for server locate in zoneB.
Of course it would work just fine with ELB, but on the other side local haproxy would give much better control of traffic. Nice to have it for a high logs throughput from host.
... View more
12-15-2014
02:05 PM
Is it possible to make splunk send notification (or trigger script execution directly) when it moved backet between different states? Specifically from hot to warm.
There is coldToFrozenScript option in indexes.conf (coldToFrozenScript = $SPLUNK_HOME/bin/cold_to_frozen.sh), I'm looking for something like hotToWarmScript.
This is required for backup purpose.
Thank you,
Roman Naumeneko
... View more
- Tags:
- buckets
- indexes.conf
11-19-2014
08:47 AM
1 Karma
I'd like to configure universal forwarders on boxes in multiple AZ to forward event to a preferable heavy forwarder located in the same AZ. The problem is word "preferable", universal forwarder doesn't have such settings (would be nice to have based on latency to forwarder for example).
Has anybody tried to build such setup using AWS tools, like Route 53 or ELB?
Router53 provides internal DNS, but I'm not sure if it can resolve names based on request source, that is AZ)
"Preferable" forwarder of course is not the end of the world, but would be nice to have.
--Roman
... View more
10-23-2014
07:47 AM
Thanks you guys for a comprehensive explanation.
... View more
10-21-2014
07:41 AM
Ok, thanks for the suggestion.
How is the old file being handled? Does splunk recognize that it's just renamed file and indexing should continue?
... View more
10-20-2014
02:38 PM
1 Karma
Hi,
I've looked though similar questions about log rotation and also the most related documentation topic here
http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/HowLogFileRotationIsHandled
but still it wasn't clear what happens when a log file gets renamed and later compressed. Lets look at the typical scenario with nginx logs.
access.log is being written, then renamed to access-20141020.log and nginx continues to write there. Splunk should recognize this situation by default without any additional settings or tweaking, because it's the same file, correct?
But what happens when nginx switches files, especially if amount of data is quite large - say MB/s? Is splunk going to finish indexing old file, send data to forwarder, pick up new access.log and continue from there? Will it pick up new file immediately?
Compressing access-20141020.log should be straightforward with blacklisting of archive files in indexer.conf
Thank you,
Roman Naumenko
... View more
10-17-2014
07:26 AM
All worked, thank you.
... View more
10-16-2014
02:23 PM
Ok, that did the trick!
And last question, if I want to have data.total_size in GB - how to apply "eval"?
... View more
10-16-2014
01:58 PM
Thank you, there is such index.
Is there a way to aggregate it by day? It shows data for each 30 sec.
Although aggregation like avg is not required, just looking to get any size value per index per day.
... View more
10-16-2014
12:44 PM
1 Karma
Hi Splunk experts,
Here is a search request:
| eventcount summarize=false report_size=true index=* | eval GB = size_bytes / 1024 / 1024 / 1024 | eval GB = round(GB, 0) | sort GB | reverse | head 10
How can I get these size counters for splunk indexes over period of time, say daily?
I'd like to check how fast vol utilization by indexes is growing over time.
... View more
