×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
YuriSpirin
Explorer
Member since: ‎06-15-2021
‎04-11-2025
Community Statistics
Posts 6
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎06-15-2021
Activity Feed
View All

Re: How to get ID of splunkd process executing sav...

by in Splunk Search
‎05-31-2024 02:55 AM
‎05-31-2024 02:55 AM
Thanks, that was helpful! ... View more

How to get ID of splunkd process executing saved s...

by in Splunk Search
‎05-28-2024 07:10 AM
‎05-28-2024 07:10 AM
Hello! I'm trying to resolve issues with splunkd being killed by OOM Reaper and it would be nice to know which saved search (or ad-hoc search) is consuming too much RAM. In Linux messages from Search Head I have a PIDs of reaped splunkd processes and the question is how to get PID of splunkd for particular saved search from _internal index. Scheduler events have SID field like this: sid="scheduler_aS5zLnNva29sb3Y_czdfc2llbV9uZXR3b3Jr__RMD58313482a27867d57_at_1716903900_27923" Is the last part of SID (27923) a Linux process ID? Or maybe I can get PID from some other source? ... View more

Re: Do time-based lookups work only after event-ge...

by in Splunk Search
‎02-29-2024 03:39 AM
‎02-29-2024 03:39 AM
Hi, @yuanliu! Thanks for your reply and clue. I have no spare instance right now but I've exported contents of this KV Store time-based lookup into CSV file, reconfigured lookup definition to use that CSV - and now it works. Looks like the problem is related only to KV Store time-based lookups. So this particular problem is solved but I'd like to know if such behavior is expected with KV Store lookups or it is some bug or my misconfiguration. My deployment is Splunk Enterprise 7.2.6 with MongoDB. ... View more

Do time-based lookups work only after event-genera...

by in Splunk Search
‎02-28-2024 08:27 AM
‎02-28-2024 08:27 AM
Hi, I have a KV time-based lookup generated from DHCP logs with content like this: time,ip,hostname,mac 1709093697,10.223.5.43,host-43,aa:bb:cc:dd:ee:ff and transforms.conf for it: [dhcp_timebased_lookup] collection = dhcp_timebased_collection external_type = kvstore fields_list = _key,time,ip,hostname,mac max_offset_secs = 691200 min_offset_secs = 0 time_field = time time_format = %s Lookup works well when I run search which pulls events from index: index=test source=timebased | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname | table _time dest_ip hostname Hostname is there: _time dest_ip hostname 1709093697 10.223.5.43 host-43   But when I use this lookup after non-event-generating commands it does not work: index=test source=timebased | table _time dest_ip | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname OR index=test source=timebased | stats count BY _time dest_ip | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname OR | makeresults | eval dest_ip = "10.223.5.43", _time = 1709093697 | lookup dhcp_timebased_lookup ip AS dest_ip OUTPUT hostname OR | tstats from datamodel=SomeDM count BY _time SomeDM.dest_ip span=1s | lookup dhcp_timebased_lookup ip AS "SomeDM.dest_ip" OUTPUT hostname Hostname doesn't show up. If I turn time-based setting for this lookup off it outputs hostnames for all searches above. It makes me think there is some difference between _time field in events' metadata and _time field in statistics. Is it so? And is there solution besides "join with inputlookup and addinfo" workaround? ... View more
Labels

Splunk Stream and EDNS

by in All Apps and Add-ons
‎08-16-2021 07:24 AM
‎08-16-2021 07:24 AM
Hello! Is it possible to extract EDNS fields from DNS packets using Splunk Stream? In particular, I mean CSUBNET (option 8, see image).   ... View more
Labels

streamfwd high memory usage on Linux

by in All Apps and Add-ons
‎06-15-2021 10:50 AM
‎06-15-2021 10:50 AM
Hello! I'm setting up Stream Forwarders on Linux DNS servers to index DNS traffic. Splunk_TA_Stream is deployed to Universal Forwarders by Splunk Deployment Server with all relevant configs and is working correctly except one thing: streamfwd process consumes 800-1000 MB of RAM which I think is a huge overhead for DNS servers with 1,5-2 GB RAM. Configuring queue sizes, bandwidth limits and so on in streamfwd.conf makes no difference. I see such behavior both on heavy loaded DNS servers (stream:dns traffic around 8-10 MBps) and on idle test servers - memory usage by streamfwd is +- the same. So I have 2 questions: 1. Is there a way to limit streamfwd memory usage somehow by config settings? 2. How is streamfwd launched? I mean where is the line of code in Stream scripts or elsewhere by which /opt/splunkforwarder/etc/apps/Splunk_TA_Stream/bin/linux_x86_x64/streamfwd executable is run? I think of experiment by prepending this command line with ulimit or similar Linux command to set memory restrictions. Or, maybe, such memory consumption is not a bug or misconfiguration but is by design? Splunk Enterprise 7.2.6, Splunk_TA_Stream 7.2.0, Oracle Linux Server release 7.8. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-11-2025 03:58 AM
Karma given to