Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About harryvdtol
harryvdtol
Path Finder
Member since:
12-10-2021
4 weeks ago
Community Statistics
| Posts | 26 |
| Solutions | 3 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-10-2021 |
Activity Feed
- Posted Re: Daylight Saving issue column on Getting Data In. a month ago
- Posted Daylight Saving issue column on Getting Data In. a month ago
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 05-28-2025 09:54 AM
- Posted Re: JSON array not onbaording as expected on Getting Data In. 03-03-2025 10:02 PM
- Posted Re: JSON array not onbaording as expected on Getting Data In. 02-25-2025 08:07 AM
- Posted JSON array not onbaording as expected on Getting Data In. 02-25-2025 06:13 AM
- Posted Re: Link to open PDF on a other website on Dashboards & Visualizations. 02-20-2025 11:13 PM
- Posted Link to open PDF on a other website on Dashboards & Visualizations. 02-20-2025 09:46 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 09-18-2024 02:25 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 08-08-2024 06:46 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 08-05-2024 11:30 PM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 08-01-2024 07:17 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-31-2024 09:52 PM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-30-2024 09:49 PM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-29-2024 11:03 PM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-04-2024 06:29 AM
- Posted Re: systemctl stop Splunkd hangs on Splunk Enterprise. 07-03-2024 10:32 PM
- Posted systemctl stop Splunkd hangs on Splunk Enterprise. 06-26-2024 11:49 PM
- Posted Re: Does search inspect exist in Dashboard Studio? on Dashboards & Visualizations. 05-15-2023 08:24 AM
- Posted Does search inspect exist in Dashboard Studio? on Dashboards & Visualizations. 05-10-2023 12:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a month ago
Hi all, I think i have manged your's input I have made two examples and they do what i want | makeresults | eval tz="Summer" | eval PlanDate="15-06-2025T20:10:30" | eval PlanDate_utc=PlanDate . "Z" | eval PlanDate_utc_epoch=strptime(PlanDate_utc, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_utc_noepoch=strftime(PlanDate_utc_epoch, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_epoch=strptime(PlanDate, "%d-%m-%YT%H:%M:%S") | eval diff=PlanDate_utc_epoch-PlanDate_epoch | eval PlanDate_my_tz=PlanDate_epoch+diff | eval PlanDate_my_tz=strftime(PlanDate_my_tz, "%d-%m-%YT%H:%M:%S") | table tz PlanDate PlanDate_epoch PlanDate_utc_noepoch PlanDate_utc_epoch PlanDate_my_tz diff PlanDate_utc_noepoch | makeresults | eval tz="Winter" | eval PlanDate="31-10-2025T20:10:30" | eval PlanDate_utc=PlanDate . "Z" | eval PlanDate_utc_epoch=strptime(PlanDate_utc, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_utc_noepoch=strftime(PlanDate_utc_epoch, "%d-%m-%YT%H:%M:%S%Z") | eval PlanDate_epoch=strptime(PlanDate, "%d-%m-%YT%H:%M:%S") | eval diff=PlanDate_utc_epoch-PlanDate_epoch | eval PlanDate_my_tz=PlanDate_epoch+diff | eval PlanDate_my_tz=strftime(PlanDate_my_tz, "%d-%m-%YT%H:%M:%S") | table tz PlanDate PlanDate_epoch PlanDate_utc_noepoch PlanDate_utc_epoch PlanDate_my_tz diff PlanDate_utc_noepoch Regards, Harry
... View more
a month ago
Hello, I have search for some old posting, but i did not find the proper answers. In Splunk i have a column date field that is named PlanDate and looks like this. 31-10-2025T20:10:30 The format is this: DD-MM-YYYYTHH:MM:SS But this field is in the wrong timezone. My timezone is Amsterdam. When summertime starts i need to add 2 hours to this field and in wintertime one hour. How do i do this? Can this be done at search time, or do i need to do this on index-time? I was thinking of making a lookup with daylight saving days for the next years, but i was hoping for a better solution Regards, Harry
... View more
Labels
- Labels:
-
field extraction
-
props.conf
05-28-2025
09:54 AM
Hello, Hereby a new update on this case Some weeks ago we have upgraded Splunk to 941. After the upgrade we receive erros when executing Splunk commands like splunk show .. or btool Failed to calculate cpu count from cgroup location="V2:/sys/fs/cgroup:/user.slice/user-570057916.slice/session-9.scope:/sys/fs/cgroup:/user.slice/user-570057916.slice/session-9.scope:" Because the Splunk version 941 added support for cgroups V2, we removed the workaround. Since then the original issue is back: adhoc hanging of systemctl If anyone has the issue, i really would like to know. Regards, Harry
... View more
03-03-2025
10:02 PM
Hello, I decided to let go on JSON file In stead i receive a simple txt file now, whcih works better Thank you for you help. Harry
... View more
02-25-2025
08:07 AM
Hi WIl, For the confirmation On UF - inputs.conf [monitor://C:\beheer\SCCM\abc*.txt] index=main sourcetype=Windows:SCCM:KBNummers ON Index-cluster - props.conf [Windows:SCCM:KBNummers] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=json KV_MODE=none AUTO_KV_JSON = false category=Structured - Input file [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2K5 4020-30-30 31:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}] Reagrds, Harry
... View more
02-25-2025
06:13 AM
Hello, I am having trouble onboaring json array data. I read many contributions , but i still having troubles This is the json array input [{"Type":"SUGUpdates","SiteCode":"DS","SUGName":"Microsoft-W2KX-2025 2025-10-14 23:05:36","ArticleID":"5049994"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050008"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5002674"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"},{"Type":"SUGUpdates","SiteCode":"CSA","SUGName":"Microsoft-W2KX-2025 2025-01-14 23:05:36","ArticleID":"5050525"}] - My first attempt: i put a props.conf on the UF DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=json KV_MODE=none AUTO_KV_JSON = false category=Structured The data was nicely split into separte json events, but the table command doubled the data. Like this issues https://community.splunk.com/t5/Splunk-Cloud-Platform/Why-does-json-data-get-duplicated-after-tabling-the-events/m-p/587724 https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-with-INDEXED/td-p/188551?_ga=2.153916656.937356172.1646061092-893813366.1631658459 - Then i moved the props.conf into the index-cluster Now the _raw event is the same as the input array, and not splitted ito separated json events, like this I have to use spath commad during search as workaround. So I can workaround the issue, but I 'd rather import the data correctly Where do i go wrong? Any help is appreciated. Reagrds, Harry
... View more
Labels
- Labels:
-
props.conf
02-20-2025
11:13 PM
Hello, I am sorry. I tried many ways, but i was completly looking at examples that did not helped me This indeed solved the question. Thank you for your help. Harry
... View more
02-20-2025
09:46 AM
Hello, Please help me with the following request I have a table output of several url's to PDF files For example this one https://janenpiet.domain.nl/sites/conten_sites/BOT/Parts%20%20documents/ADFM/Phonesrv/Highg%20Volume%20Phiones/ABCD%20Capture/60.%20Hardware/01.%20Scanners/Amsterdam/30/2025-01-20.pdf My request is as follows. When a user click on a link, it should open a new window that opens the PDF file. I notice that a simple drilldown does not work. Does anybody know how to do this? Reagrds, Harry
... View more
Labels
- Labels:
-
Classic dashboard
09-18-2024
02:25 AM
Hello everybody I want to confirm that the fix to Enable cgroup v2 on RHEL8 has solved the issue for us as well Regard, Harry
... View more
08-08-2024
06:46 AM
Hi AndrewBurnett, Thank you for keeping me updated. I have send the link to our Linux colleagues, and will hear what they think of it. Harry
... View more
07-30-2024
09:49 PM
If you have any news, please update this post. We made a support call to Red Hat without any luck Hopefully its works for you
... View more
07-29-2024
11:03 PM
Thank you , Good to hear that we are not the only one What Linux version are you running?
... View more
07-04-2024
06:29 AM
Thanks fort the tips. As a workaround i made an override for the Splunk service, to receive a timeout after 4 minutes in stead of the default 6. We run it as root user, but concerning the sudoers file: this is something for me to investigate. Maybe it has something to do with rights, because other application on Linux do not have this behaviour
... View more
07-03-2024
10:32 PM
Hi, Thank you for the response I am very sure that we fulfil these requirements. No ingestion takes palace, because there are no Splunk processes running. So to be clear, it is not Splunk that hangs, but the systemctl command to stop Splunkd.service. The Splunk processes has been stopped. But the systemtl command does not comes back in the prompt. I can see in splunkd.log that Splunk has stopped. "ps -ef splunk" : no splunk processes Regards, Harry
... View more
06-26-2024
11:49 PM
Hello, Since a few months we are facing an issue with stopping Splunk on Red Hat Linux-rel8. We do "systemctl stop Splunkd" to stop the Splunk proces. In most cases Splunks stops and the systemctl prompts comes back. But sometimes (let say 1 out of 10) Splunk stops, but the systemctl prompt does not comes back. Then, after 6 minues (the timeout in the Splunkd.service) systemctl comes back In /var/log/messages i see this after 6 minutes. Splunkd.service: Failed with result 'timeout'. Stopped Systemd service file for Splunk, generated by 'splunk enable boot-start'. In the splunkd.log i can see that Splunk has stopped. No Splunk proces is running. With "ps -ef | grep splunk" i can see that there a no Splunk processes running. "ps -ef | grep systemctl" i can see that systemctl is still running. It happens on Search cluster, index cluster, Heavy Forwarders etc. Splunk support says is it an Red Hat Linux issue and Red Hat points to Splunk. I wonder if we are the only one who is having this issue. Any remarks are appreciated. Regards, Harry
... View more
Labels
05-15-2023
08:24 AM
Thank you Jeffland, Regards, Harry
... View more
05-10-2023
12:42 PM
Hello,
In the classic Dashboard you have the option to see the Job Inspector in the panels.
I miss this option in Dashboard Studio.
Does anybody know of this exist? I cannot find it.
Regards,,
Harry
... View more
- Tags:
- inspect
Labels
- Labels:
-
Dashboard Studio
05-02-2023
04:27 AM
Hi,
I have application data on a Windows node that sends data to a log file. The data is formatted as json. On the Windows node i have a UF running (9.0.4)
I want to send this data to a metrics index, but i do not know if this is possible and how to format the inputs.conf For far i am unable to find any documentaion about this.
Does anyone know if this is possble ?
Regards, Harry
... View more
Labels
- Labels:
-
universal forwarder
02-02-2023
09:43 AM
Hello,
I have installed the SCOM app (version 430) on my Splunk Heavy Forwarder (903)
The Windows SCOM infrastructure exists of one managementgroup with 2 management servers. managementgroup = SC-PROD consisting of 2 management SC-PRD1 and SC-PRD2 The reason for this, is when server 1 is down, data is still collected thru the second node.
I have configured the managemt servers in the Splunk SCOM app. I have only to option to connect to the management servers and not to a group. I connect with a URL , with a Service acount that exist on the server
My problem is that i get double data, from both managemtn servers.
I am looking for a smart way to connect, like a cluster
Has anybody experience and advise in this scenario?
Any advise is appriceated Regards, Harry
... View more
Labels
- Labels:
-
configuration
09-19-2022
03:28 AM
Yes thank you for your help. This is what i made of it. ..
| stats first(hst) as host by code type
| eventstats c as total by code
| where (type="master") OR (total=1 and type="host")
| table host code type
... View more
09-19-2022
01:39 AM
Hello,
I have a search that outputs table data that looks like this:
hst code type
hosta 01 master
hosta 02 master
hostb 01 host
hostb 03 host
hostc 02 host
hostd 04 host
hoste 05 master
hoste 06 master
hostf 06 host
hostg 08 host
etc.etc...
I am trying to filter events but i am unable to do.
My goal is to filter events based on this condition: If the code on a master also exist on the host, then the host rows should be removed
So, my desired output should look like this:
hst code type
hosta 01 master
hosta 02 master
hostb 03 host
hostd 04 host
hoste 05 master
hoste 06 master
hostg 08 host
I hope someone can help me. Thanks in advance.
Regards,
Harry
... View more
01-19-2022
05:19 AM
Very impressive and educational. Thank you. Regards, Harry
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
4 weeks ago
|
