Activity Feed
- Posted Re: How to find difference of the time in days and hours respectively between Event time of the data and current time? on Splunk Search. 06-19-2024 09:18 PM
- Posted How to find difference of the time in days and hours respectively between Event time of the data and current time? on Splunk Search. 06-18-2024 04:09 AM
- Posted Re: Issue with monitoring log file monitoring on Getting Data In. 06-10-2022 04:13 AM
- Posted Re: Issue with monitoring log file monitoring on Getting Data In. 06-10-2022 03:34 AM
- Posted Why is there an issue with monitoring log file monitoring? on Getting Data In. 06-09-2022 09:52 AM
- Posted Why does the email alert says ERROR occurred while generating the PDF? on Splunk Enterprise. 05-18-2022 01:32 AM
- Posted Re: Why is UF agent unable to send data for a csv file? on Splunk Enterprise. 05-16-2022 07:15 AM
- Posted Re: Scripted input not showing up in search results, but is running fine in server on Splunk Enterprise. 05-05-2022 09:53 AM
- Posted Re: Uf agent unable to send data for a csv file on Splunk Enterprise. 05-05-2022 09:49 AM
- Tagged Re: Uf agent unable to send data for a csv file on Splunk Enterprise. 05-05-2022 09:49 AM
- Posted A script is running fine in the UF agent but is not sending data to indexer on Splunk Enterprise. 05-05-2022 09:48 AM
- Posted Re: Why is UF agent unable to send data for a csv file? on Splunk Enterprise. 05-05-2022 09:45 AM
- Posted Why is UF agent unable to send data for a csv file? on Splunk Enterprise. 05-05-2022 02:06 AM
- Posted Why is scripted input not showing up in search results, but is running fine in server? on Splunk Enterprise. 04-01-2022 08:03 AM
- Tagged Why is scripted input not showing up in search results, but is running fine in server? on Splunk Enterprise. 04-01-2022 08:03 AM
06-19-2024
09:18 PM
@gcusello Thanks for your response, this helps. I am getting diff in string format, for example:
00:01:12 --> This says 1 hour and 12 mins
30+03:46:11 --> This says 30 days and 3 hours 46 mins
I want to convert this diff to a number of hours and compare it with a threshold (a numeric value like 24). When I try this, it does not give me the correct value. I understand this is due to the fact that "diff" is in string format. Shall I first take the diff in epoch and find the diff and then convert it using strf function? Please assist me on the same. The query I am trying:
| eval
currentEventTime=strftime(_time,"%Y-%m-%d %H:%M:%S"),
currentTimeintheServer=strftime(now(),"%Y-%m-%d %H:%M:%S"),
test_now=now(), test_time=_time, diff_of_epochtime=(now()-_time),
diff=strftime(diff_of_epochtime,"%Y-%m-%d %H:%M:%S"),
difforg=tostring(round(diff), "duration")
06-18-2024
04:09 AM
How to find difference of the time in days and hours respectively between Event time of the data and current time?
Format of the time, i.e. _time, is below:
6/18/24 10:17:15.000 AM
I tried utilizing the below query which is giving me current event time and current server time in correctly but I need help in finding the difference.
index=testdata sourcetype=testmydata
| eval currentEventTime=strftime(_time,"%+")
| eval currentTimeintheServer=strftime(now(),"%+")
| eval diff=round(('currentTimeintheServer'-'currentEventTime') / 60)
| eval diff=tostring(diff, "duration")
| table currentEventTime currentTimeintheServer diff index _raw
Please assist.
06-10-2022
04:13 AM
If I am, say, adding a text "hello world" to test_new.html and saving it, I am getting data in Splunk. However, if I am doing vi test_new.html and saving the file, I am not getting any data in Splunk. It seems to be a weird issue.
06-10-2022
03:34 AM
Hi, thanks for your response. Yes, I have restarted the UF agent multiple times. I have checked the logs (index=_intenal host="uf_agent" source=splunkd). I have not seen any ERROR. I tested it again: as I added a line to the test_new.html, I can see the data immediately.
06-09-2022
09:52 AM
The test_new.html is getting updated every 4 hours. The html file may or may not have the same number of lines.
The data is only coming immediately when I am adding say test data into the html file. That means the data flow is not an issue.
I am expecting it to send me data as and when timestamp of the file changes. Need your suggestions on the same.
I have done below configuration
In UF agent I have added inputs.conf as
[monitor:///root/splunkstorage/test_new.html]
disabled = false
index = test_normal
sourcetype = test:global:testnew:html
crcSalt = <SOURCE>
In the indexer I have props.conf
[test:global:testnew:html]
DATETIME_CONFIG = CURRENT
CHECK_METHOD = modtime
LINE_BREAKER = (<html><body>)
NO_BINARY_CHECK = true
SEDCMD-addvalues = s/<head>/<html><body>\n<head>/g
TRUNCATE = 0
category = Custom
disabled = false
pulldown_type = true
- Tags:
- log-file
- monitoring
- Labels:
- universal forwarder
05-18-2022
01:32 AM
The email alert says ERROR occurred while generating the PDF. Please see python.log for details. As it is an older issue, I am unable to locate the logs in Splunk.
What could be the issue here?
- Tags:
- error
- splunk-search
- Labels:
- troubleshooting
05-16-2022
07:15 AM
Hi @richgalloway, thanks for your response. When I run the command ./splunk list monitor in my UF I am able to see the input, i.e. I get the expected file path. A few steps that I tried from my end: I appended the files at the same location for AMER, APAC and Emea-non-ngdc. I can see the appended changes reflecting in the Splunk SH but I am still not getting data from Emea-non-ngdc.
05-05-2022
09:53 AM
The script is producing output when I run the script located at /opt/splunkforwarder/etc/apps/custom_app/bin in the UF, but it is not sending data to the HF. The UF is configured in a way that it forwards data to the HF and then to the IDXer.
05-05-2022
09:49 AM
Please find the details requested by you.
Inputs.conf
[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test
permissions for this file
-rw-r--r-- 1 nobody nobody 1388 May 1 20:50
no error in splunkd.log wrt to this application. Can you elaborate a little more wrt to -> Are the UFs internal logs being sent to the indexers?
- Tags:
- Splunk Enterprise
05-05-2022
09:48 AM
A script is running fine in the UF agent but is not sending data to indexer.
The UF agent is forwarding data to HF then to IDX.
- Labels:
- using Splunk Enterprise
05-05-2022
09:45 AM
Please find the details requested by you.
Inputs.conf
[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test
permissions for this file
-rw-r--r-- 1 nobody nobody 1388 May 1 20:50
no error in splunkd.log wrt to this application. Can you elaborate a little more wrt to -> Are the UFs internal logs being sent to the indexers?
05-05-2022
02:06 AM
The csv files are getting forwarded from a Linux UF agent to Splunk as and when they are created, i.e. 2:50 CET time. A file getting created at 2:50 CET time on the same UF agent is not reflecting in Splunk.
The inputs.conf file of the app is not having any intervals configured.
- Tags:
- universal-forwarder
- Labels:
- troubleshooting
04-01-2022
08:03 AM
Scripted input not showing up in search results, but is running fine in server
- Labels:
- troubleshooting