Activity Feed
- Got Karma for Universal Forwarder buffering during Indexer outage?. 06-05-2020 12:46 AM
- Got Karma for multikv extraction fails when table contains empty fields. 06-05-2020 12:46 AM
- Posted Universal Forwarder buffering during Indexer outage? on Getting Data In. 08-28-2013 05:16 PM
- Tagged Universal Forwarder buffering during Indexer outage? on Getting Data In. 08-28-2013 05:16 PM
- Posted Re: multikv extraction fails when table contains empty fields on All Apps and Add-ons. 07-17-2013 06:44 PM
- Posted Re: multikv extraction fails when table contains empty fields on All Apps and Add-ons. 07-17-2013 06:43 PM
- Posted multikv extraction fails when table contains empty fields on All Apps and Add-ons. 07-16-2013 11:43 PM
- Tagged multikv extraction fails when table contains empty fields on All Apps and Add-ons. 07-16-2013 11:43 PM
- Posted streamstats sum() by not functioning as expected on Splunk Search. 07-04-2013 09:12 PM
- Tagged streamstats sum() by not functioning as expected on Splunk Search. 07-04-2013 09:12 PM
- Posted Re: Extracting multiple occurrences of a field from a syslog-ng statistics message. on Getting Data In. 02-25-2013 04:36 PM
- Posted Extracting multiple occurrences of a field from a syslog-ng statistics message. on Getting Data In. 02-24-2013 07:01 PM
- Tagged Extracting multiple occurrences of a field from a syslog-ng statistics message. on Getting Data In. 02-24-2013 07:01 PM
08-28-2013 06:10 PM
If you use useACK=true in outputs.conf you can configure the buffer as you need.
useACK is used to verify that data sent to the indexer is received by the indexer. If the forwarder does not get an ACK, the forwarder will resend the data when the indexer comes back on-line. You will need to configure the buffer to suit your needs, because when the buffer is full, then the forwarder will stop and wait - so you would lose logs that have both not been buffered and rotated.
The problem with useACK=true is that if the ACK message is lost (from the indexer to the forwarder) then the forwarder will resend the event, which will result in a duplicate of an event. Note: Every time the forwarder resends the event it will record a 'possible duplication of event' entry in the splunkd log.
08-03-2015 03:29 AM
Hi
Is there any workaround in multikv.conf? Columns with missing values are being assigned values from the next header with values.
Subsystem/Job User Number User Type Pool Pty CPU Int Rsp AuxIO CPU% Function Status Threads
JDENET_K ONEWORLD 01267 ONEWORLD BCI 8 20 15884.2 1 1.9 jvmStart DEQW 33
QSRVERR QUSER 00129 ONEWORLD PJ 2 20 18277.8 3832 .9 CNDW 1
Int & Rsp are blank & get the values of AuxIO & CPU% respectively.
05-06-2015 05:27 PM
I would get out of multivalue-land for this, even if you go back into multivalue fields at the end.
For example:
sourcetype="syslog-stats" | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
If you need to fold it back up the way it was at the end, then do this:
sourcetype="syslog-stats" | streamstats count as rowId | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed | stats values(*) as * by rowId
02-25-2013 04:36 PM
Hi,
It actually turns out that I had forgotten to set the right sourcetype in props.conf. Here is the correct props.conf:
[syslog]
KV_MODE = auto
REPORT-syslog_host = syslog-ng_host
REPORT-syslog_host_drops = syslog-ng_drops
Rgds,
Brett.
04-17-2012 10:18 PM
Hey gkanapathy,
Thanks for the response. I guess that I have two options for the server-side SSL connection then:
1. Import the load balancer's default key into the indexer as the trusted key; or
2. Load the search head's key into the load balancer (server side SSL config) and the indexer, so that the LB can present this to the indexer on behalf of the search head.
Which approach would be considered "best practice"?
Rgds,
Brett.