Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About rickymckenzie10
rickymckenzie10
Explorer
Member since:
02-27-2024
12-10-2024
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 02-27-2024 |
Activity Feed
- Posted Splunk dashboard that breaks down what index/sourcetype/source feed a particular dashboard within a Splunk app on Getting Data In. 12-10-2024 03:01 PM
- Karma Re: Rolling upgrade vs Maintenance mode commands on cluster manager and indexers for SanjayReddy. 12-10-2024 02:56 PM
- Tagged Rolling upgrade vs Maintenance mode commands on cluster manager and indexers on Getting Data In. 12-03-2024 09:46 AM
- Posted Re: Blacklist audit.log from inputs.conf on Getting Data In. 12-03-2024 08:40 AM
- Karma Re: Blacklist audit.log from inputs.conf for gcusello. 12-03-2024 08:40 AM
- Posted Rolling upgrade vs Maintenance mode commands on cluster manager and indexers on Getting Data In. 12-03-2024 08:39 AM
- Tagged Blacklist audit.log from inputs.conf on Getting Data In. 08-22-2024 02:42 PM
- Tagged Blacklist audit.log from inputs.conf on Getting Data In. 08-22-2024 02:41 PM
- Tagged Blacklist audit.log from inputs.conf on Getting Data In. 08-22-2024 02:41 PM
- Posted Blacklist audit.log from inputs.conf on Getting Data In. 08-22-2024 02:34 PM
- Posted Right number and size of hot/warm/cold buckets on Deployment Architecture. 03-19-2024 05:31 PM
- Tagged Right number and size of hot/warm/cold buckets on Deployment Architecture. 03-19-2024 05:31 PM
- Karma Re: Roll hotwarm data to cold when frozenTimePeriodInSecs is met for isoutamo. 03-19-2024 05:19 PM
- Posted Roll hotwarm data to cold when frozenTimePeriodInSecs is met on Deployment Architecture. 03-12-2024 03:54 PM
- Posted Re: How does frozenTimePeriodInSecs and maxWarmDBCount perform on Deployment Architecture. 02-28-2024 01:24 PM
- Posted How does frozenTimePeriodInSecs and maxWarmDBCount perform on Deployment Architecture. 02-27-2024 04:36 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-10-2024
03:01 PM
I want to create a Splunk dashboard that breaks down a splunk dashboard: What app does it belong too. what index or indexes feed it. what sourcetype or sourcetypes feed it. Users accessing it Any other detail you might find useful, this can be a very powerful tool for anyone, and I see to find bits and pieces of this around the community so it must mean someone either already did it, or is planning to. Something kinda this <form version="1.6" theme="dark">
<label>Custom Dashboard Usage</label>
<!--
1.1 Added line view and host info
1.2 Added sort
1.3 Added sort by in dashboard
1.4 Fixed new forma
1.5 Fixed dashboard regex by adding space and added Pie chart
1.6 Fixed missing user
-->
<search id="base_search">
<query>
index="_internal"
"data/ui/views/"
NOT "servicesNS/-"
sourcetype=splunkd_ui_access
| rex "(?<app>[^\/]+)\/data\/ui\/views\/(?<dashboard>[^? ]+)"
| rex "servicesNS\/(?<user2>[^\/]+)"
| rex mode=sed field=user2 "s/%40/@/"
| eval user=if(user="-",user2,user)
| search
app=*
host="$Host$"
user="$User$"
app="$App$"
dashboard="$Dashboard$"
| fields _time host user app dashboard
</query>
</search>
<fieldset submitButton="false">
<input type="time">
<label>Max is 30 days back</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="Host">
<label>Host</label>
<search base="base_search">
<query>
| eval data=host
| stats count by data
| eval info=data." (".count.")"
| sort -count
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
<input type="dropdown" token="User">
<label>User</label>
<search base="base_search">
<query>
| eval data=user
| stats count by data
| eval info=data." (".count.")"
| sort -count
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
<input type="dropdown" token="App">
<label>Application</label>
<search base="base_search">
<query>
| eval data=app
| stats count by data
| eval info=data." (".count.")"
| sort -count
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
<input type="dropdown" token="Dashboard">
<label>Dashboard</label>
<search base="base_search">
<query>
| eval data=dashboard
| stats count by data
| eval info=data." (".count.")"
| sort -count
</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>info</fieldForLabel>
<fieldForValue>data</fieldForValue>
<default>*</default>
</input>
<input type="dropdown" token="Sort">
<label>Graph by</label>
<choice value="dashboard">Dashboard</choice>
<choice value="app">Application</choice>
<choice value="user">User</choice>
<choice value="host">Host</choice>
<default>dashboard</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Dashboards usage frequency by count</title>
<search base="base_search">
<query>
| timechart limit=25 useother=f count by $Sort$
</query>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option>
<option name="height">400</option>
</chart>
</panel>
<panel>
<chart>
<title>Dashboards usage frequency by percent</title>
<search base="base_search">
<query>
| stats count by $Sort$
</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.fieldColors">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</option>
<option name="height">385</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Dashboards usage frequency by time, sh-server, user & application</title>
<search base="base_search">
<query>
| sort 0 - _time
| table _time host user app dashboard
</query>
</search>
<option name="count">50</option>
<format type="color" field="host">
<colorPalette type="map">{"m-cluster-01":#55C169,"m-cluster-02":#55C169,"m-cluster-03":#55C169,"m-cluster-04":#55C169,"m-test":#D41F1F,"m-master-deploy":#FFFF00,"m-monitor":#1182F3,"m-search-tphp":#E3723A,"m-search-helsemn":#D94E17,"m-deploy":#88527D,"m-collector-01":#65778A,"p-collector-01":#65778A,"h-collector-01":#65778A}</colorPalette>
</format>
<format type="color" field="user">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="app">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
<format type="color" field="dashboard">
<colorPalette type="sharedList"></colorPalette>
<scale type="sharedCategory"></scale>
</format>
</table>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
index
-
sourcetype
12-03-2024
08:40 AM
Sure: https://community.splunk.com/t5/Getting-Data-In/Rolling-upgrade-vs-Maintenance-mode-commands-on-cluster-manager/td-p/705861 🙂
... View more
12-03-2024
08:39 AM
I’ve read the documentation on these commands, executed both in a dev environment and observed the behavior. My interpretation of the commands is that they are the same. Does someone want to take a stab, and try to better explain them from your own perspective 🙂 Please don't point me or reference to any Splunk docs, I've read them already and still can't see when is the best use case to use these. I want to read you're opinion! What is the main difference between these two commands? splunk enable maintenance-mode splunk upgrade-init cluster-peers Here is the scene: I will be upgrading a cluster of splunk cluster manager and their peers. Cluster manager Indexers I don't want to initiate a bucket fixup on each indexer (10 peers * 10TB on each peer). Which one best fits/servers my use case above?
... View more
- Tags:
- cluster
Labels
- Labels:
-
indexer
08-22-2024
02:34 PM
I want to block the audit.log file from a particular instance sending logs to splunk, is the stanza sufficient to accomplish that? Per matching a file: blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
specified regex.
* Takes precedence over the deprecated '_blacklist' setting, which functions
the same way.
* If a file matches the regexes in both the deny list and allow list settings,
the file is NOT monitored. Deny lists take precedence over allow lists.
* No default. [monitor:///logs/incoming/file.com/all-messages.log]
sourcetype = something
index = something_platform
disabled = 0
blacklist = audit.log
... View more
Labels
- Labels:
-
inputs.conf
-
syslog
-
universal forwarder
03-19-2024
05:31 PM
Here is the index stanza: [new_dex]
homePath = volume:hotwarm/new_dex/db
coldPath = volume:cold/new_dex/colddb
thawedPath = $SPLUNK_DB/new_dex/thaweddb
maxTotalDataSizeMB = 2355200
homePath.maxDataSizeMB = 2944000
maxWarmDBCount = 4294967295 // I know this is wrong, but need help setting it
frozenTimePeriodInSecs = 15552000
maxDataSize = auto_high_volume
repFactor=auto Also, any other key = pair should be added. There are 18 indexers deployed each with a 16T of size. frozenTimePeriodInSecs has been met, but data is not being moved/deleted. what configuration/details am I missing here? I needed data gone!
... View more
- Tags:
- indexer
Labels
- Labels:
-
indexer
-
indexer clustering
03-12-2024
03:54 PM
Hello, how can I ensure the data being sent to cool_index is rolled to cold when the data is 120 days old? The config I'll use [cool_index]
homePath = volume:hotwarm/cool_index/db
coldPath = volume:cold/cool_index/colddb
thawedPath = $SPLUNK_DB/cool_index/thaweddb
frozenTimePeriodInSecs = 10368000 #120 day retention
maxTotalDataSizeMB = 60000
maxDataSize=auto
repFactor=auto am I missing something?
... View more
Labels
- Labels:
-
indexer
02-28-2024
01:24 PM
@victor_menezes can you expand a little more on this: AFAIK maxWarmDBCount doesn't affect the rollover of data (but it can be storage hungry so be careful with that), it is something the frozenTimePeriodInSecs do instead Yes, I am using maxTotalDataSizeMB in each of the indexes. They all have their specific size.
... View more
02-27-2024
04:36 PM
Currently, each of my indexes is set to a specific and own frozenTimePeriodInSecs, but I am noticing they are not rolling over to cold when the frozenTimePeriodInSecs value is set. Data Age (keeps growing) vs Frozen Age (stays as what it is set in frozenTimePeriodInSecs) maxWarmDBCount is set to: maxWarmDBCount = 4294967295 Does this effect? If the value is changed, would data roll to cold?
... View more
Labels
- Labels:
-
indexer
-
indexer clustering
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-10-2024
06:21 PM
|
