Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About driekhof
driekhof
Path Finder
Member since:
03-07-2017
05-17-2022
Community Statistics
| Posts | 16 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 03-07-2017 |
Activity Feed
- Posted Re: Searching data from hadoop data roll on HDFS with Hive? on Knowledge Management. 05-17-2022 10:49 AM
- Posted Searching data from hadoop data roll on HDFS with Hive? on Knowledge Management. 05-17-2022 10:42 AM
- Got Karma for Re: KV Store - audit trail?. 06-05-2020 12:50 AM
- Karma Re: How to use eval to sum a large set of fields with field name matching a pattern? for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: Which of these searches is the best way to filter (by index, by source, or both)? for pradeepkumarg. 06-05-2020 12:48 AM
- Karma Re: Which of these searches is the best way to filter (by index, by source, or both)? for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: How to make a search case-sensitive? for cyue_splunk. 06-05-2020 12:45 AM
- Posted flume http sink to Splunk HEC? on Splunk Dev. 11-12-2019 11:16 AM
- Tagged flume http sink to Splunk HEC? on Splunk Dev. 11-12-2019 11:16 AM
- Posted Re: KV Store - audit trail? on Splunk Enterprise Security. 10-21-2019 09:03 AM
- Posted KV Store - audit trail? on Splunk Enterprise Security. 10-18-2019 11:51 AM
- Tagged KV Store - audit trail? on Splunk Enterprise Security. 10-18-2019 11:51 AM
- Tagged KV Store - audit trail? on Splunk Enterprise Security. 10-18-2019 11:51 AM
- Tagged KV Store - audit trail? on Splunk Enterprise Security. 10-18-2019 11:51 AM
- Posted Re: How to configure Hunk to read Sequence files? on All Apps and Add-ons. 03-23-2017 08:38 AM
- Posted How to configure Hunk to read Sequence files? on All Apps and Add-ons. 03-22-2017 03:51 PM
- Tagged How to configure Hunk to read Sequence files? on All Apps and Add-ons. 03-22-2017 03:51 PM
- Tagged How to configure Hunk to read Sequence files? on All Apps and Add-ons. 03-22-2017 03:51 PM
- Posted Re: Which of these searches is the best way to filter (by index, by source, or both)? on Splunk Search. 03-14-2017 08:53 AM
- Posted Re: Which of these searches is the best way to filter (by index, by source, or both)? on Splunk Search. 03-13-2017 05:17 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-17-2022
10:49 AM
Forgot to mention, another really annoying error: Splunk frequently submits jobs to our standby resource manager instead of the active one even though we've configured the HA stuff in Splunk.
... View more
05-17-2022
10:42 AM
We use the Splunk Hadoop Data Roll to move our frozen data over to our Hadoop cluster. The writing of the data to HDFS seems to work pretty well, but the searching of it through Splunk doesn't work well at all. We get lots of different errors from the query not parsing correctly (some problem with how splunk translates the parenthesis) or some mysterious error happens in the MR job on Hadoop. We use Cloudera, and would like to be able to query the data there through Hue/Hive as an alternative to our terrible experience trying to query the hadoop data through Splunk. Can anyone offer guidance on how to query the 'rolled' data on a Cloudera Hadoop cluster without going through Splunk search?
... View more
Labels
- Labels:
-
other
11-12-2019
11:16 AM
How to set the the HEC token value in the flume http sink configuration?
flume http sink has the following header props, but neither look like the right thing:
acceptHeader
contentTypeHeader
Anyone had successful experience sinking data from flume into Splunk in some other way?
... View more
- Tags:
- splunk-enterprise
10-18-2019
11:51 AM
We're writing an app that allows users to input some asset lookup data into a KV Store. Occasionally these KV Store records need to be modified or deleted. We're thinking of adding a status field (Active, Inactive, Deleted) and always creating a new KV Store record when these things occur.
Any examples around of doing something like this with a KV Store? Is there a way to allow users to modify a custom status field but not modify any other part of the record and not delete a record?
Know of a better way to do this?
... View more
03-23-2017
08:38 AM
I found the problem -- in the virtual index provider tab, there is a setting for a regex to match sequence files:
vix.splunk.search.recordreader.sequence.regex
Our files didn't match the default setting ".seq$". I changed it to match our files, and now it works.
... View more
03-22-2017
03:51 PM
Our Hadoop data is in sequence file format (Lz4 compression).
I've configured Hunk on a Cloudera Quickstart VM, and pointed a virtual index to an HDFS parent directory of our data. The data is in sequence file format.
It looks like it it's trying to parse out events, it just does it incorrectly. The events come back as HEX gibberish mostly, with a few readable words.
How do I configure Hunk so it knows these are sequence files??
... View more
03-14-2017
08:53 AM
Ok, makes sense. I was just being paranoid about writing the shortest, clearest most concise query possible. And wanted to make sure specifying both source and index wouldn't cause Splunk to do extra work.
... View more
03-13-2017
05:17 PM
That still isn't clear to me whether specifying both helps any over just specifying the most specific which would be source in my case. I was thinking Splunk might already know that this source is only in this index and optimize it, or already index the sources. I guess I'd have to profile using just the source vs the index and the source to be sure. But thanks for the info.
... View more
03-13-2017
02:05 PM
Which of these would be the most efficient/fast/best way to start filtering for a search?
index=foo | ...
or
source="/var/log/bar/baz.log" | ...
or
index=foo source="/var/log/bar/baz.log" | ...
We're going to have an index that will have several **/*.log sources, each with similar but unique data formats. We'll always know the data source and index for these queries. I'm wondering the best way start my queries.
... View more
03-09-2017
01:12 PM
I also noticed that when I'm trying to sum a large number of fields with eval, I get erroneous values. For example, the total is correct as long as I'm summing 2 or 3 fields, but as I try to sum more and more the total starts missing some fields, and eventually around 20 fields the total becomes less that some individual fields.
... View more
03-09-2017
01:10 PM
Thanks. I'm trying to get that to feed into a timechart, but not having any luck so far. I've got events coming in every second, and I'd like to sum them over 1 minute spans.
... View more
03-09-2017
01:00 PM
I tried this but nothing is returned for totalDomainResults. Am I supposed to substitute something for FIELD?
... View more
03-09-2017
10:13 AM
I have several fields like this:
types.events.1
types.events.2
types.events.3
etc
I can use eval to sum them like this
eval totalDomainEvents = 'types.events.1' + 'types.events.2' + 'types.events.3' + etc
But I have a lot of these fields. Is there a way to do something like this?
eval totalDomainEvents = sum('types.events.*')
That doesn't work, but hopefully conveys the idea. I'd like to avoid including every field I want included in the eval if possible by just using some kind of wildcard matching to indicate the fields to include in the eval.
... View more
03-07-2017
09:49 AM
I did find a solution (I think) from searching other answers, it looks something like this:
source="/var/log/mylog/my.log.0" | rex max_match=0 field=_raw "(?[^\n]+)" | mvexpand lineData | eval _raw=lineData | sort consumerTstamp
That works but seems a little verbose for something so basic. Is there a better way?
... View more
03-07-2017
09:10 AM
Our Splunk forwarder is sending events that looks something like this:
{"consumerTstamp":1488853092650,"metric":"EvTot.byDomain","types":{"events":{}}}
{"consumerTstamp":1488853093650,"metric":"EvTot.byDomain","types":{"events":{}}}
{"consumerTstamp":1488853094650,"metric":"EvTot.byDomain","types":{"events":{}}}
This is obviously 3 events, but Splunk sees it as one. I've been looking at how to get Splunk to separate on newline in a search, but have only found things about setting some property in the configuration. How would I do this in a search?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-17-2022
04:04 PM
|
