Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About g_prez
g_prez
Path Finder
Member since:
04-20-2010
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 5 |
| Member Since | 04-20-2010 |
Activity Feed
- Got Karma for index performance issue high latency. 06-05-2020 12:46 AM
- Got Karma for index performance issue high latency. 06-05-2020 12:46 AM
- Karma Re: regex and rex issue advise for extraction of http headers for David. 06-05-2020 12:45 AM
- Got Karma for IPv6 subnets and splunk searchs. 06-05-2020 12:45 AM
- Got Karma for IPv6 subnets and splunk searchs. 06-05-2020 12:45 AM
- Got Karma for IPv6 subnets and splunk searchs. 06-05-2020 12:45 AM
- Posted Re: How to use the extract command for a field extraction of key value pairs? on Splunk Search. 12-01-2014 10:29 AM
- Posted Re: How to use the extract command for a field extraction of key value pairs? on Splunk Search. 12-01-2014 08:23 AM
- Posted How to use the extract command for a field extraction of key value pairs? on Splunk Search. 11-26-2014 09:21 AM
- Tagged How to use the extract command for a field extraction of key value pairs? on Splunk Search. 11-26-2014 09:21 AM
- Tagged How to use the extract command for a field extraction of key value pairs? on Splunk Search. 11-26-2014 09:21 AM
- Tagged How to use the extract command for a field extraction of key value pairs? on Splunk Search. 11-26-2014 09:21 AM
- Posted Re: index performance issue high latency on Getting Data In. 09-26-2011 01:36 PM
- Posted Re: index performance issue high latency on Getting Data In. 09-26-2011 01:25 AM
- Posted Re: index performance issue high latency on Getting Data In. 09-26-2011 01:14 AM
- Posted index performance issue high latency on Getting Data In. 09-24-2011 09:41 PM
- Tagged index performance issue high latency on Getting Data In. 09-24-2011 09:41 PM
- Tagged index performance issue high latency on Getting Data In. 09-24-2011 09:41 PM
- Tagged index performance issue high latency on Getting Data In. 09-24-2011 09:41 PM
- Tagged index performance issue high latency on Getting Data In. 09-24-2011 09:41 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 3 |
12-01-2014
10:29 AM
Correct .. rex would be good for this but of course the issue is that the fields can change order from time to time so rex is no good .. nor is doing this in a transforms etc.
I have already reached out to the vendor and said to them and stated ..
" somehow you have broken splunks parser with your wacky log format " 😉
Lucky the vendor is in early stages of the product development so there is hope they will update at the log format .. it has many many issues other than the quotes around the values.
... View more
12-01-2014
08:23 AM
Yes tried this combo already .. backward and forwards ie extract kvdelim=":", pairdelim=";" and extract kvdelim=";", pairdelim=":" just to see if I was just crazy or something ..
Have used the kv / extract command before in the past for doing field extracting and I am guessing ( again ) that it the the quotes around the value set that is throwing the extract command off .. as the command or the indexer is thinking that ... oh this stuff in the quotes is a part of value pair so let just skip over anything that is inbetwen the quotes ?
... View more
11-26-2014
09:21 AM
having some time trying to extract fields automaticaly from the message below.
really wanted to test out the xtract before putting into a transforms / props etc.
So tried to use the extract command on the event below ** extract kvdelim=; pairdelim=: ** and this one ** extract kvdelim=; pairdelim=": " **
As most of the KV are framed with ; and the values are noted by : but no luck at all
I think it is due to the the KV pairs are enclosed in quotes and it looks that this throws off the extractor ...
Nov 26 12:02:51 172.255.255.253 Verdict-Clean: "File Name:ie6.0sp1-kb958869-windows2000-x; Job ID:1417021278808146; SHA256:73a0db29059f81adbbe1c620c132bec58b6fe7efd8c0ce973595ac6ea346a8e6; Rating:Clean; Scan Time: 90 (seconds); Malware Name:N/A; Source IP:172.23.98.229; Destination IP:8.254.230.174; Send Over:HTTP; Device:FG100D3G14800455(FG100D3G14800455:root); "
Also tried to do a rex to pull out the fields .. and that seems to work but as the KV can change postions the name never line up correctly so thus losing the KV pairs?
So was thinking that you could run a extract command on a field ... i.e. use rex to extract the quoted
extracted_field = "File Name:ie6.0sp1-kb958869-windows2000-x; Job ID:1417021278808146; SHA256:73a0db29059f81adbbe1c620c132bec58b6fe7efd8c0ce973595ac6ea346a8e6; Rating:Clean; Scan Time: 90 (seconds); Malware Name:N/A; Source IP:172.23.98.229; Destination IP:8.254.230.174; Send Over:HTTP; Device:FG100D3G14800455(FG100D3G14800455:root); "
and then try to to a extract on the extraced field. But it seems you can not run extract on a field .. or can you ?
Need some insight on this one ...
... View more
09-26-2011
01:36 PM
Yep the indexer is getting blocked .. and like SOS was saying most are syslog soruces and syslog is being sent to a file ...
So I am not seeing IO issues on the box and one would think that if the indexer is being blocked it due to IO issue .. what would cause an indexer to be blocked ... volume ? yes if that is the case then the volume we are running is rather low for the hardware we have in place
... View more
09-26-2011
01:25 AM
to add .. looking at the splunk reports on indexer activity splunk
the "CPU utilization by index-time processor in the last 1 hour"
chart shows a peek cpu load of 0.016% on the indexer process and that is the highest of the all the "splunk" processes.
Also I was way off on the indexer volume it is in the 8 gig per day range.
... View more
09-26-2011
01:14 AM
standard opp ... syslogd dumping to the messages file and splunk montoring the messages file.
We also have about 5 heavy forwarders
Also this was a recent event .. the high latency .. furthermore .. only some of hosts in syslog have high latency some host do not .. it is strange. As stated it does not seem to be an io or sizing issue ... but will check the manual for sizing info just in case we missed something.
And finally the indexer is running about 15 gig per day
... View more
09-24-2011
09:41 PM
2 Karma
Question:
I am seeing high latency on a lot of my source types in splunk
By high latency we are seeing it takes over 24 hours to index some events.
The SoS ( splunk on spunk ) app shows that most if not all the host sending messages to the syslog message file have high latency.
the server hosting splunk seems ok as it has 10 cpu and running on avg 5-10% usr processes and 1.8 io .
Does splunk multi thread indexing ? Or .my real question ... how do I get the latency on my events down to something more reasonable ... and not in the 24 hour range.
... View more
07-15-2011
02:14 PM
yep that did the trick and I did not have to escape the < !
... View more
07-13-2011
04:51 AM
Trying to do an inline regex on the snip of log below.
The item that I am trying to extract is the hostname admin.testweb.com or at least that Host: field
The regex that I came up with was "Host:\s(?P )<013>
But what I am getting out of that regex is "admin.testweb.com<013><010>Content-Length: 797"
What I am trying to get out of the extraction is .. admin.testweb.com
Help ?
Accept-Language: en-us<013><010>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)<013><010>Content-Type: application/x-www-form-urlencoded<013><010>Accept-Encoding: gzip, deflate<013><010>Host: admin.testweb.com<013><010>Content-Length: 797<013><010>Connection:
... View more
02-03-2011
12:22 AM
opps was a bit off this FFFF:FFFF in the that post that address should be 2001:54FF:0000:ffff:ffff:ffff:ffff:ffff
got tired of typing ffff I guess.
... View more
02-02-2011
07:00 PM
3 Karma
Splunk today is IPv4 subnet aware so that if you do a search with something like ip_address = 10.0.0.0/24 .. splunk knows to look for items 10.0.0.0 thru 10.0.0.255 ... NICE !
Now what about IPV6 ... I think the answer is No. my question is when or how can this be done
example IPv6_ADDR = 2001:54FF::/48 would look for a whole lot of stuff but something like
2001:54FF:: to 2001:54FF:0000:FFFF:FFFF
And this gets instresting as you can show the first part of the IPV6 address as
2001:54FF:0000:0000
or
2001:54ff::
or
2001:54ff:0000::
It depends on what the system sending the log spits out ...
... View more
- Tags:
- ipv6
06-02-2010
06:18 PM
Jacki posted this question for me ...
This was the inner search [search earliest=5/3/2010:17:55:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10 | eval last_time= _time | eval last_host= host | eval start_time = last_time - 36000 | fields last_time, last_host, start_time]
The above search will return back the time windows and host that I want to do the outer search on ..
search * host=last_host earliest=last_time latest=start_time ...
I get back nothing .. from the outer search ... but the inner search return the results !
Help ... I am not to sure how to get splunk to read the values from the inter search as variables for the search time window and host.
gprez
... View more
