Activity Feed
- Got Karma for How to estimate the splunk storage size. 06-05-2020 12:46 AM
- Posted filter windows application event by Source on Splunk Search. 05-29-2014 07:50 AM
- Tagged filter windows application event by Source on Splunk Search. 05-29-2014 07:50 AM
- Posted Re: bootstrapping process for splunk cluster on aws on All Apps and Add-ons. 05-19-2014 02:35 PM
- Posted bootstrapping process for splunk cluster on aws on All Apps and Add-ons. 05-16-2014 12:52 PM
- Tagged bootstrapping process for splunk cluster on aws on All Apps and Add-ons. 05-16-2014 12:52 PM
- Tagged bootstrapping process for splunk cluster on aws on All Apps and Add-ons. 05-16-2014 12:52 PM
- Posted How to estimate the splunk storage size on Deployment Architecture. 05-12-2014 11:31 AM
- Tagged How to estimate the splunk storage size on Deployment Architecture. 05-12-2014 11:31 AM
- Tagged How to estimate the splunk storage size on Deployment Architecture. 05-12-2014 11:31 AM
- Posted sizing of master node in cluster? is it same as peer nodes on Deployment Architecture. 05-09-2014 07:23 PM
- Tagged sizing of master node in cluster? is it same as peer nodes on Deployment Architecture. 05-09-2014 07:23 PM
- Posted How do I get an alert if my forwarder is not responding? - Monitoring Splunk Forwarder on Getting Data In. 04-07-2014 12:38 PM
- Tagged How do I get an alert if my forwarder is not responding? - Monitoring Splunk Forwarder on Getting Data In. 04-07-2014 12:38 PM
- Posted Pre-index filtering - filter non-xml lines from xml data on Getting Data In. 03-23-2014 03:41 PM
- Tagged Pre-index filtering - filter non-xml lines from xml data on Getting Data In. 03-23-2014 03:41 PM
- Tagged Pre-index filtering - filter non-xml lines from xml data on Getting Data In. 03-23-2014 03:41 PM
- Tagged Pre-index filtering - filter non-xml lines from xml data on Getting Data In. 03-23-2014 03:41 PM
- Posted Re: rex expression on Splunk Search. 01-16-2014 07:17 AM
- Posted rex expression on Splunk Search. 01-15-2014 01:43 PM
05-29-2014
07:50 AM
I am using the Windows TA app to get events from the Windows event log.
The Windows events are arriving in the indexer.
But I would like to filter them at the universal forwarder if possible and get events for a particular source only, and not for all applications; I'm looking for specific values under "Source".
Source tells me which application an event is coming from. So I want events only from Source=A and Source=B from the Windows application event log.
- Tags:
- windowseventlog
05-19-2014
02:35 PM
I am going through the cookbook. Thanks.
Would you be able to point out the location in the Chef code where it gets the IP address from the master node Splunk EC2 instance and uses that to configure the search head instance? Just as an example, I wanted to see how that logic works. How does the agent pass that info to the recipe?
I am trying to understand how Chef passes the IP address of the master node to the search head and enters the IP address of the master node to create this section in server.conf of the search head (the IP address is dynamic):
[clustering]
master_uri = https://10.152.31.202:8089
05-16-2014
12:52 PM
I am referring to this article:
https://github.com/splunk/splunk-aws-cloudformation
I am trying to understand the bootstrapping process of the cluster:
First bring up the master node.
Then bring up the search head EC2 instance.
Before you spin up the search head instance I would like to update the configuration file on the search head EC2 instance to point to the master node instance that just came up in the previous step. I don't see that step in this doc.
How would you typically do this step of updating conf files with IP addresses in the AWS world?
- Tags:
- aws
- cloudformation
05-12-2014
11:31 AM
I will be feeding 10 GB per day into 2 Splunk indexers (clustered environment).
Replication Factor = 2
Searchable Factor = 2
How do I estimate the storage size for index data on each indexer?
Assume the data retention policy for search will be around 1 year.
- Tags:
- data
- estimation
05-09-2014
07:23 PM
I am about to define the hardware configuration for setting up a Splunk cluster on AWS.
I know peer nodes have to be high I/O, and data resides on peer nodes, so the EBS size should be enough to handle the replication and search factor.
What about the master node that handles the cluster?
Does it also need to be high I/O, high CPU or high memory?
What's a typical hardware requirement for the master node in a 2 Search Head + 2 Search Peer configuration?
I am planning to have 6 instances on AWS: 2 for Search Heads + 2 for Search Peers + 1 Deployment Server + 1 Master Node. I don't know what to select for the Master Node: m2 large, m2 extra large, etc.
- Tags:
- cluster
04-07-2014
12:38 PM
Recently some of our universal forwarders stopped sending events to the indexer.
Is there a way to get an alert if forwarders stop sending events?
- Tags:
- universal-forwarder
03-23-2014
03:41 PM
My event data contains the following:
POST:....
...
ffffff
ABCD
EFG
WERT
SDF
... and so on
As you can see, some lines are non-XML and some are XML.
My props.conf file has the following set of rules:
[sourcetype]
BREAK_ONLY_BEFORE = | |
KV_MODE = xml
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
TRANSFORMS-set = setnull, setparsing
and in transforms.xml:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = | |
DEST_KEY = queue
FORMAT = indexQueue
Will this work? The lines outside XML tags, as shown in the example, should not be indexed.
And should I do this in heavy forwarders or at universal lightweight forwarders?
01-16-2014
07:17 AM
Thanks, it works for me. I could tweak it to change the field delimiter. Thanks.
01-15-2014
01:43 PM
One of my fields contains one big string as shown below:
params={fl=doc_objectid,score&sort=doc_dateeffective+asc,doc_number+asc&start=0&q=((doc_name:"pd\-dir\-0017\+\(005220\)"^72)+AND+(doc_version:"2.0"))+AND++doc_docbase:QDOC_PD_DOCS_MIG^0.00001+AND+doc_objecttype:document^0.00001&rows=500}
Using a rex expression I wanted to extract the value of doc_name, which is embedded inside the params field; the value is equal to whatever comes in until we hit ")".
sourcetype = abc.log | fields params | rex "doc_name:<?mydocname>[]+\ - I tried this, but it's not working. I wanted to extract it into mydocname and sort by that field.
- Tags:
- rex
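The extraction asked about in the post above, as an added example that is not part of the original post or its answer. It runs Python's re over the params value quoted in the question (embedded here as a constructed sample) and shows both readings of "until we hit )": taking the quoted doc_name value, which is the assumption I make for the main extractor, and literally stopping at the first unescaped ")", which drags the boost suffix along. The equivalent Splunk rex spelling in the comment is mine, not from the page.

```python
import re

# Constructed sample: the params value quoted in the question above.
PARAMS = ('params={fl=doc_objectid,score&sort=doc_dateeffective+asc,doc_number+asc'
          '&start=0&q=((doc_name:"pd\\-dir\\-0017\\+\\(005220\\)"^72)+AND+'
          '(doc_version:"2.0"))+AND++doc_docbase:QDOC_PD_DOCS_MIG^0.00001'
          '+AND+doc_objecttype:document^0.00001&rows=500}')

# Splunk rex uses PCRE named groups, (?<name>...); Python's re spells the same
# group (?P<name>...). Assumption: the wanted value is the quoted string after
# doc_name:, i.e. everything up to the closing double quote.
# Equivalent SPL (my spelling, not from the page):
#   ... | rex field=params "doc_name:\"(?<mydocname>[^\"]+)\""
DOC_NAME_RE = re.compile(r'doc_name:"(?P<mydocname>[^"]+)"')

# Literal reading of "until we hit )": consume escaped characters (\x) as units
# and stop at the first unescaped ")". Shown only to illustrate why the quoted
# reading is the cleaner one.
UNTIL_PAREN_RE = re.compile(r'doc_name:(?P<raw>(?:\\.|[^\\)])+)\)')


def extract_doc_name(params):
    """Return the quoted doc_name value, or None when the field is absent."""
    m = DOC_NAME_RE.search(params)
    return m.group("mydocname") if m else None


def extract_until_paren(params):
    """Return everything after doc_name: up to the first unescaped ')'."""
    m = UNTIL_PAREN_RE.search(params)
    return m.group("raw") if m else None


def unescape_doc_name(value):
    """Drop the query-syntax backslash escapes (\\- \\+ \\( \\)) from a value."""
    return re.sub(r'\\(.)', r'\1', value)


if __name__ == "__main__":
    raw = extract_doc_name(PARAMS)
    print("quoted value:     ", raw)
    print("unescaped value:  ", unescape_doc_name(raw))
    print("until unescaped ):", extract_until_paren(PARAMS))
```

The first extractor stops at the closing quote, so the captured value is exactly the escaped document name; the second shows that stopping at the first unescaped ")" also captures the surrounding quotes and the ^72 boost, which is not what one would want to sort on.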
12-27-2013
04:06 PM
My event data contains the following:
POST:....
...
ffffff
ABCD
EFG
WERT
SDF
... and so on
As you can see, some lines are non-XML and some are XML.
My props.conf file has the right set of rules:
[sourcetype]
BREAK_ONLY_BEFORE = | |
KV_MODE = xml
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
TRANSFORMS-set = setnull, setparsing
and in transforms.xml:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = | |
DEST_KEY = queue
FORMAT = indexQueue
Will this work? The lines outside XML tags, as shown in the example, should not be indexed.
- Tags:
- transforms.conf
12-19-2013
12:48 PM
All configurations will be pushed by the Deployment Server to the forwarder running on a Linux box.
What is the default port opened on the forwarder which is used by the server to push the data to the forwarder?
Are there any other ports that need to be opened on the forwarder side, or is only one port sufficient?
My forwarder is inside a hardware appliance. I need to open ports for the server to talk to the agent.
12-16-2013
08:28 AM
Tried this:
sourcetype=gatewaylogs1 | eval type=case ( match(_raw,"<error>"), "Error", match(_raw,"<transaction>"), "Transaction" ) | stats count by type
No errors, but no output. All it says is 16 events; it shows the number of events, "16 events (before 12/16/13 11:25:23.000 AM)", but there is no output in the Statistics tab.
And 16 is the total number of events, including events that have the tags I wanted to filter, so this query is really not doing anything.
12-15-2013
06:29 PM
Check the access role permissions for the logged-in user and check whether the user has permission to use this index.
12-15-2013
05:03 PM
My event records are XML based, as shown below, coming in from one file, one sourcetype:
12 ........
..... // inside the transaction tag I can contain anything
.....
.....
.....
.....
.....
.....
I am able to extract child tags inside each one; that's not an issue.
But how do I count how many records were of type Transaction and how many were of type Error?
- Tags:
- search-help
- searching
12-12-2013
12:23 PM
Just confirming my understanding based on your example:
If I have 2 Windows forwarders and the first one is supposed to monitor performance and the c:\test1 folder, and the second one is supposed to monitor performance, registry and the c:\test2 folder (note c:\test2 does not exist on machine 1),
then I will have the following:
server1 app, containing common configs for both machines
server2 app, containing the registry config and c:\test1 inputs; client will be machine1 only
server3 class app, containing config to monitor c:\test2 only, and client = second machine
Is this a correct assumption?
12-12-2013
11:32 AM
Is it possible to create 2 server classes:
one server class contains an inputs.conf file with only stanza A and stanza B,
the second server class contains an inputs.conf file with only stanza C,
and a client is a member of both these server classes.
So when I push the changes using the forwarder manager console, I will push them sequentially using these 2 server classes. And on the client side I expect all three stanzas in the inputs.conf file.
Is this possible?
- Tags:
- deploymentserver
12-12-2013
11:15 AM
Is it possible to update only one stanza of a conf file (e.g. inputs.conf) and not touch other parts of the configuration?
What I understand is that when I push the conf file through the deployment server, the entire file will get replaced with the new file from the server.
- Tags:
- deploymentserver