Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rob_jordan1
rob_jordan1
Motivator
Member since:
03-19-2013
3 weeks ago
Community Statistics
| Posts | 384 |
| Solutions | 16 |
| Karma Given | 314 |
| Karma Received | 391 |
| Member Since | 03-19-2013 |
Activity Feed
- Got Karma for Re: How to list my Splunk users and their email addresses?. Tuesday
- Karma Re: How to parse my JSON data with spath and table the data? for chlima. 3 weeks ago
- Got Karma for Re: When will be able to migrate to Splunk v8 with Splunk Add-on for NetApp Data ONTAP. 07-09-2020 11:11 AM
- Got Karma for Re: how to create a live up or down Dahboard view. 07-07-2020 08:56 AM
- Got Karma for Re: how to create a live up or down Dahboard view. 07-07-2020 08:56 AM
- Posted Re: how to create a live up or down Dahboard view on Getting Data In. 07-06-2020 10:31 AM
- Posted Re: how to create a live up or down Dahboard view on Getting Data In. 07-06-2020 08:11 AM
- Posted Re: how to create a live up or down Dahboard view on Getting Data In. 07-06-2020 07:55 AM
- Karma Search Help: This could be the answer for twesty. 06-11-2020 01:45 PM
- Posted Re: What happened to Answers? The change is for the worse on Feedback. 06-11-2020 12:47 PM
- Got Karma for Re: Ingesting same Windows log with two different input stanzas. 06-05-2020 12:51 AM
- Got Karma for Re: Alert on a new source file?. 06-05-2020 12:51 AM
- Got Karma for Re: Alert on a new source file?. 06-05-2020 12:51 AM
- Got Karma for Re: How to create ad-hoc reports on a new server. 06-05-2020 12:51 AM
- Karma Re: Splunk Cloud HEC (http event collector) - Does it run on Splunk Cloud indexers or Splunk Cloud heavy forwarders? for amiracle. 06-05-2020 12:50 AM
- Karma Re: Splunk Cloud HEC (http event collector) - Does it run on Splunk Cloud indexers or Splunk Cloud heavy forwarders? for amiracle. 06-05-2020 12:50 AM
- Karma Splunk AWS Best Practices & Naming Conventions for thomastaylor. 06-05-2020 12:50 AM
- Karma What are best practices for deploying an add-on with slightly different configurations? for sloshburch. 06-05-2020 12:50 AM
- Karma Re: What are best practices for deploying an add-on with slightly different configurations? for sloshburch. 06-05-2020 12:50 AM
- Karma Splunk Cloud Gateway - Where is the Android app? for elsiehart0. 06-05-2020 12:50 AM
07-06-2020
10:31 AM
1 Karma
Ok, I would first start with verifying that either the "RUNNING"/"NOT RUNNING" values (I'm assuming there is an inverse value to RUNNING) are recognized by Splunk as a field. You can check apps.splunk.com to see if there is an addon that will parse your sourcetype into key/value pairs or you may have to write regex to capture the value of the run state into a field. Once it's in a field you can run statistic commands against that field such as | top state by host example inline regex command to extract the state | rex "(?<state>(RUNNING|DOWN))" If you are getting overwhelmed, you may want to start with one of the free classes which will cover fields in Splunk https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html I also noticed you are running a script from crontab. You could modify the format of your log to log in key-pair values. i.e. process_status="RUNNING" or process_status="UP" or process_status="DOWN" etc. When Splunk encounters key/pair values it will auto extract fields which should make this task much simpler. https://dev.splunk.com/enterprise/docs/developapps/logging/loggingbestpractices/
... View more
07-06-2020
08:11 AM
1 Karma
I'm not familiar with your specific dataset, however you would want to come up with a base query that matches the events in Splunk that have the states you are trying to track. i.e. index=myindex sourcetype=mysourcetype host IN (host1,host2,host3) service IN (service1,service2,service3) note: you can wildcard parts of the host or service filters with * as well. If wanting all hosts and services, you probably don't need to add a host or service constraint.
... View more
07-06-2020
07:55 AM
your base query | dedup host application | chart values(state) over host by application note: modify fields names to match your dataset then you can color code in a table or single value chart using trellis option
... View more
06-11-2020
12:47 PM
My Karma points went down as I believe they have a new scoring system, however, my relative ranking is about the same.
... View more
06-04-2020
08:22 AM
Thanks @anthonymelita - @vnguyen46 - it seems it gets broken when I try to export the code from the simple xml source code and post here as code. I appologize for the incovenience.
Sample of query
Sample of source code
... View more
03-10-2020
10:45 AM
Try something like this for yesterday
index="yourindexhere" EventCode="*"
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
You can also filter for specific codes like this using the IN command with a list of codes or patterns
index="yourindexhere" EventCode="" EventCode IN(515,462*,40962)
| eval bytes=len(_raw)
| bucket _time span=1d
| stats count sum(bytes) as bytes by _time sourcetype EventCode
| eval KB=round(bytes/1024,0)
| eval MB=round(bytes/1024/1024,0)
| eval GB=round(bytes/1024/1024/1024,2)
| table _time sourcetype EventCode count bytes KB MB GB
| sort -bytes
I haven't tried getting an exact match, however you may have to search all time and use _indextime as constraint. _indextime being the time the indexer see the event. That's the time that should match with the ingest volume.
... View more
03-09-2020
11:54 AM
If you're looking estimate license volume for specific events, you can use the length of an event in bytes and then convert to MB/GB.
index=your index here your search constraints here
| eval bytes=len(_raw)
| timechart sum(bytes) as bytes
| eval KB=bytes/1024
| eval MB=bytes/1024/1024
| eval GB=bytes/1024/1024/1024
... View more
03-08-2020
04:02 PM
Also consider that timestamps and index time can factor into this calculation as well.
If you add a new input on to a forwarder, you could potentially ingest data today that is more than a day old.
The license counts against data ingested in the current day regardless of whether the event timestamp is in the past or the future.
tstats will use what Splunk considers the event time (time) in count not the index time (indextime)
... View more
03-06-2020
05:28 AM
1 Karma
Spitballing...
Possibly two forwarders on the same host and put one rule on each forwarder?
https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html
Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI
Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing
PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7 https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples
Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html
... View more
02-17-2020
09:16 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:14 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
09:13 AM
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-17-2020
08:00 AM
1 Karma
Shared datamodels are available as of Splunk 8x https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Sharedatamodelsummaries
... View more
02-12-2020
09:06 PM
Example query of calculating steptime by adding stepoffset_ms to the _time field
source="graphics.log" host="splunk_lab" sourcetype="display_log"
| rex "(?<step_offset_ms>\d+(\.)?\d+)\s(?<step_description>.+)"
| eval epoch_time=_time
| eval step_time=epoch_time+step_offset_ms
| convert ctime(step_time)
| table _time step_offset_ms step_time step_description
| sort _time step_time
... View more
02-09-2020
03:22 PM
I'm also looking into this as I have the use case of migrating apps that were created by internal users using the Splunk UI to Splunk Cloud. If we just package up the app as is and try to upload to Splunk Cloud, it gets rejected due to some config files being under local. Apps with a lot of objects can be very time consuming to merge manually.
One of my colleges Mittal came up with the creative solution of just taring up the app, copying it over to our test deployer, and deploying the app to the test search cluster. During that process, the deployer does the merge of local and default to default for you. Then your merged version is under SPLUNK_HOME/etc/apps on the search cluster member.
... View more
01-29-2020
09:38 PM
You can can use netcat (nc) command to test sending messages to either TCP or UDP 514 or other ports on the Linux command line.
Example commands (replace localhost with your ip or fqdn) if not testing directly on the same server which hosts the syslog service.
udp test to localhost
echo -n "<14>mytesthost This is a syslog ***UDP 514*** Test" | nc -u -w5 -v localhost 514
tcp test to localhost
echo -n "<14>mytesthost This is a syslog ***TCP 514*** Test" | nc -w5 -v localhost 514
I also like this free testing tool for Windows (Essential NetTools) https://www.tamos.com/download/main/
... View more
01-29-2020
08:27 PM
You could install a Universal Forwarder on the same host as the indexer and have it take over the monitoring/forwarding of Splunk indexer logs to all destinations.
I don't have your exact use case, however, I do run Universal Forwarders on my indexers and search heads to monitor things like CPU and OS metrics, without having to worry about restarting the indexers. That way I can restart the universal forwarders on my indexers at any time without impacting the indexer if I want to make changes to what I'm collecting or collection intervals, etc.
... View more
01-29-2020
08:03 PM
1 Karma
Not a direct fix for your issue, however, possibly a workaround. Sounds like you are having a collision between the version of VMware and NetApp technical addons on the same heavy forwarder? Assuming you are running on Linux you can stack multiple instances of Splunk and just offset the port numbers. Most of my heavy forwarder servers have 2-5 Splunk heavy forwarder instances hosting different tecnical addons to limit blast radius due to upgrades and different version requirements, etc. I have DB connect hosted by itself and the Splunk addon for AWS hosted by itself. I tend to group smaller, less important and/or similar apps together such as Web URL or API checking addons. Anything more important, needing more resources, or that has special requirements, I host in its own instance.
I run my heavy forwarders in a directory structure like the following with offset ports.
/opt/spl/hf01/splunk port 8000/8089 (netapp here)
/opt/spl/hf02/splunk port 8001/8090 (vmware here)
/opt/spl/hf03/splunk port 8002/8091 (one more addons here)
/opt/spl/hf04/splunk port 8003/8092 (one ore more addons here)
...
... View more
01-29-2020
05:08 PM
1 Karma
Check out the Splunk App for Infrastructure https://splunkbase.splunk.com/app/3975/#/details
And Splidgets - SearchFu! for Splunk (a large repository of common Splunk queries)
https://splunkbase.splunk.com/app/3648/
... View more
01-28-2020
08:52 PM
You might also tinker with the transaction command using startswith and endswith
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma given to
