About texascj

texascj · ‎10-09-2024

I am, admittedly, quite new to Splunk...but the requirement as posted is just a picture. Are you asking if Splunk is capable of providing dashboards for each of the categories and what those search queries would look like? Or do you already have that and you just want to use DS to create that clickable picture to display the associated dashboards? Just wondering...

texascj · ‎09-19-2024

Update While this works : | inputlookup servers | dedup host | sort host | table host host The issue I have here is I need to use the token to shrink the returned list. As noted above, this DOES NOT work: | inputlookup servers where environment = $token$ | dedup host | sort host | table host host ...this returns NOTHING and I've spent several hours going bald trying to figure this out. Then I found it. The issue is the WHERE clause. Apparently, you cannot do an inputlookup to return 1 field while doing the comparision on another field. Who knew? So if the query is returning both the host AND the environment...then it works. What I ended up with is: | inputlook servers | table host, environment | where environment = "$token$" | fields - environment ...and now it's happy. Thanks to all as I wouldn't haven't this far w/o getting the answers to my stupid questions! 🙂

texascj · ‎09-18-2024

texascj · ‎09-18-2024

Finally got what I wanted. | inputlookup servers | dedup host | sort host | table host host ...this gives me the delineated list of servers that are individually selectable. Now I need to add my parameter tokens to trim the list down based on the first 3 LOVs. Thanks all!

texascj · ‎09-18-2024

Okay...almost there. Adding the "as host" evidently forces the column / field name to read as "host" which must match the property setting of the UI. Simple enough. However, the query is returning a string rather than several strings. So, my expected result for the field would be to see Server001 Server004 Server007 ...but what I get is Server001Server004Server007 Is it possible to get these to be individual choices?

texascj · ‎09-18-2024

Okay, if I understand the two of you correctly then I'm in a pickle...not a fan of swimming in the brine so to speak. There was no "architecting" or "engineering" or "questioning" involved so I suspect the Splunk Admin presumed we knew what we wanted. I walked into this cold and after the fact w/ a "make it work" directive. Keep in mind, two weeks ago I could spell "Splunk" but had never used it. I find it quite complicated. Soooooooo, if I were to start over what would be the needed requirement one must address w/ respect to having the index(es) built? From the above I can see we should have addressed : 1. Data Retention period by Dev/Test/Prod 2. Access restrictions (if any) by the same 3. What are you wanting to measure? (implies "knowing" the data) 4. Age / staleness of data allowed 5. Volume size of the ingested logs per server that are used to build the index(es) Would there happen to be a "best practice" approach that should be used, or should have been used, regarding the initial build of the environment? Thanks all!

texascj · ‎09-18-2024

At the moment the query reads as : | inputlookup my_servers | stats values(host) Obviously there is no token at the moment to restrict the list so I should get a rather long list of servers to select from. The source for the XML frame or block is <input type="multiselect" token="SERVERS"> <label>SERVERS</label> <search> <query> | inputlookup servers | stats values(host)</query> </search> <fieldForLabel>host</fieldForLabel> <fieldForValue>host</fieldForValue> <delimiter> </delimiter> </input>

texascj · ‎09-17-2024

That is how I understood it should work. However, when I create the list input and go to the Dynamic Option and create the query...it returns nothing...it just says "Populating" so I know the query ran. If I click on the link to run the query in a search window, I can see results.

texascj · ‎09-17-2024

Well....I suppose "best-practice" would have been a better tag. Go figure...

texascj · ‎09-17-2024

Imagine, if you will, table view lookup that has been setup to pull the Host name, the environment (Dev/Test/Prod) and the Server type (Database, Web App, SSO, etc...) and the application the server supports. I have 4 Input field LOVs setup. 1. Enclave...lets me choose Dev / Test / Prod, those are the only 3 options and the token name is "enclave" 2. Type...shows Database, Web App, SSO, Other ... again those are the only options, token name is "type" 3. Application...say HR, Payroll, Order Entry and HealthCare ... again, 4 options, token name is "app" 4. This should be a DYNAMIC LOV that shows only the servers in the table view lookup that meet the condition set by the first 3 LOVs. ...example Enclave set to Dev, Type set to Web App, Application set to HR. My table view clearly shows there are 2 web app server names so the 4th LOV should show Server003, Server007, All. The token would then be set based on the choice (003 or 007) and if "All" were picked the token would be Server003, Server007. This would drive the panel searches. Is this possible? I can get the 4th LOV to run but it doesn't give me a list.

texascj · ‎09-17-2024

I have about 100 servers. These are a mix of different Oracle servers, Databases, Web Apps Servers, Data Warehouse servers, SSO Servers and OBIEE servers. Of these, there is also the standard Dev/Test/Prod environments and this is all supporting 5 different development / sustainment projects. A request was made to our Splunk Admin in the form of the Server name and all of the log files our engineer could think of at the time. It appears the Splunk Admin just crammed everything into a single index. Literally hundreds of log files as each server appeared to have 10-15 log files identified. Given the servers do different things, the request didn't necessarily have the same log files identified for every server. I would have "expected" the request would have been vetted to answer "What do you really need?" rather than "HERE YOU GO!" Maybe I've done Software Development too long, it could be me. Anyway, was this the right way to go? Would it have made more sense to have 1 index for the Database Servers, 1 index for the Web App Servers, 1 index for the Data Warehouse, etc...? Or, perhaps 1 index for the Production assets and 1 for Test and 1 for Dev? There doesn't appear to be a "best practice" that I can find...and what I have is ONE FREAKING HUGE index. If you read this far, thanks. If you have a cogent answer that makes sense to me, even better!

texascj · ‎09-09-2024

This is much more helpful. Running: index=<name> | fieldsummary Gives me 2.4 million+ events and 261 Statistics. I presume then the 261 would be the sum total of disparate fields available to any of my queries. Should that be true then I need only investigate each one to see what the heck they are and figure out if they are of any use. Not a small task, but I know more now than I did 30 minutes ago. 😕

texascj · ‎09-09-2024

TY 4 that...when I run that first command it returns just north of 2.5 million events and 17 statistics. So I see bandwidth, cpu, df, df_metric, exec, interfaces, iostat, lsof, netstat, openPorts, package, protocol, ps, top, uptime, vmstat, and who. For all of these, the sourcetype = source with one exception. Exec is broken out to 3 .sh files in a splunkforwarder folder structure. I do not know if this is correct or not. For instance, I discovered there is a fields link within Settings and I can get to Field Alisases, trim the list to "oracle" and I see stuff reporting from Oracle Audit, Oracle Database, Oracle Listener, Oracle Instance, Oracle Session, Oracle SysPerf, etc... My understanding is the Splunk Index (this is a file?) is used by Splunk in searching for Keywords (are these fields?). Thus, if the index contains ONLY the source / sourcetype information, then I'm gold and I simply need to define what those 17 stats are actually from/ for. However, I also know that cannot be true as I can search on a Host=<something> which is not in that list. I do hope that makes sense.

texascj · ‎09-09-2024

My apologies for such a noob question. I literally got dropped into a Splunk environment and I know little to nothing about it. I have an index (foo as an example) and I'm told it's based on Oracle audit logs. However, the index was built for us by the Admin and all I get is blank looks when I asked what exactly is IN the index. So my question is...how can I interrogate the index to find out what is in it? I ran across these commands : | metadata type=sourcetypes index="foo" | metadata type=hosts index="foo" This is a start, so now I have some sourcetype "keywords" (is that right?) and I can see some hosts. But I suspect that's just the tip of the iceberg as it were given the index itself is pretty darn big. I'm an Oracle guy and if I wanted to get familiar w/ an Oracle structure I would start w/ looking at the table structures, note the fields in all the tables, get a diagram if one was available. I don't have that option here. I don't have the rights to "manage" the index or even create my own. So I have an index and no real clue as to what is in it...

Posts	14
Solutions	1
Karma Given	3
Karma Received	0
Member Since	‎09-09-2024

Online Status	Offline
Date Last Visited	‎10-09-2024 10:11 AM

Classic Dashboard Input Dynamic Options

Indexes and Server types

How to document what is present in the index

Re: Need to create a Software Stack dasboard in Sp...

Re: Classic Dashboard Input Dynamic Options

Re: Classic Dashboard Input Dynamic Options

Re: Classic Dashboard Input Dynamic Options

Re: Classic Dashboard Input Dynamic Options

Re: Indexes and Server types

Re: Classic Dashboard Input Dynamic Options

Re: Classic Dashboard Input Dynamic Options

Re: Indexes and Server types

Classic Dashboard Input Dynamic Options

Indexes and Server types

Re: How to document what is present in the index

Re: How to document what is present in the index

How to document what is present in the index

Are you a member of the Splunk Community?