cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
brettw10
Explorer
Member since: ‎11-21-2011
‎06-05-2020
Community Statistics
Posts 9
Solutions 1
Karma Given 0
Karma Received 3
Member Since ‎11-21-2011
Activity Feed
View All

Re: Universal Forwarder buffering during Indexer o...

by in Getting Data In
‎08-28-2013 06:10 PM
‎08-28-2013 06:10 PM
If you use useACK=true in outputs.conf you can configure the buffer as you need. useACK is used to verify that data sent to the indexer is received by the indexer. If the forwarder does not get an ACK, the the forwarder will resend the data when the indexer comes back on-line. You will need to configure the buffer to suit your needs, because when the buffer is full, then the forwarder will stop and wait - so you would loose logs that have both not been buffered and rotated. The problem with useACK=true is that if the ACK message is lost (from the indexer to the forwarder) then the forwarder will resend the event, which will result in a duplicate of an event. Note: Everytime the forwarder resends the event it will record a 'possible duplication of event' entry in the splunkd log. ... View more

Re: multikv extraction fails when table contains e...

by in All Apps and Add-ons
‎08-03-2015 03:29 AM
‎08-03-2015 03:29 AM
Hi Is there any workaround in multikv.conf, column with missing values are being assigned values from next header with values.. Subsystem/Job User Number User Type Pool Pty CPU Int Rsp AuxIO CPU% Function Status Threads JDENET_K ONEWORLD 01267 ONEWORLD BCI 8 20 15884.2 1 1.9 jvmStart DEQW 33 QSRVERR QUSER 00129 ONEWORLD PJ 2 20 18277.8 3832 .9 CNDW 1 Int & Rsp are blank & get values of AuxIO & CPU% respectively ... View more

Re: streamstats sum() by not functioning as expec...

by SplunkTrust in Splunk Search
‎05-06-2015 05:27 PM
‎05-06-2015 05:27 PM
I would get out of multivalue-land for this, even if you go back into multivalue fields at the end. For example: sourcetype="syslog-stats" | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed If you need to fold it back up the way it was at the end, then do this: sourcetype="syslog-stats" | streamstats count as rowId | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed | stats values(*) as * by rowId ... View more

Re: Extracting multiple occurrences of a field fro...

by in Getting Data In
‎02-25-2013 04:36 PM
‎02-25-2013 04:36 PM
Hi, It actually turns out that I had forgotten to set the right sourcetype in props.conf. Here is the correct props.conf: [syslog] KV_MODE = auto REPORT-syslog_host = syslog-ng_host REPORT-syslog_host_drops = syslog-ng_drops Rgds, Brett. ... View more

Re: Fronting indexer with load balancer for HA in ...

by in Deployment Architecture
‎04-17-2012 10:18 PM
‎04-17-2012 10:18 PM
Hey gkanapathy, Thanks for the response.I guess that I have two options for the server-side SSL connection then: 1.Import the load balancer's default key into the indexer as the trusted key; or 2.Load the search head's key into the load balancer (server side SSL config) and the indexer, so that the LB can present this to the indexer on behalf of the search head. Which approach would be considered "best practice"? Rgds, Brett. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All