Activity Feed
- Karma Re: Splunk server doesn't send emails for gcusello. 06-05-2020 12:49 AM
- Karma Re: How to rename column values when making a chart for HeinzWaescher. 06-05-2020 12:48 AM
- Posted Re: How to bundle two timecharts that are split by the same field on Dashboards & Visualizations. 01-27-2018 04:34 PM
- Posted Re: "Bad allocation" error while searching on Dashboards & Visualizations. 11-21-2017 12:25 PM
- Posted Re: "Bad allocation" error while searching on Dashboards & Visualizations. 11-17-2017 02:33 PM
- Posted "Bad allocation" error while searching on Dashboards & Visualizations. 11-14-2017 02:53 PM
- Posted Re: Splunk server doesn't send emails on Alerting. 08-28-2017 06:19 AM
- Posted Splunk server doesn't send emails on Alerting. 08-27-2017 03:34 AM
- Posted Re: Problem with using tabs in dashboard on Dashboards & Visualizations. 04-27-2017 12:10 PM
- Posted Problem with using tabs in dashboard on Dashboards & Visualizations. 04-25-2017 03:53 AM
01-27-2018
04:34 PM
Any luck with this? I'm in a similar situation right now
11-21-2017
12:25 PM
OK. For most of my dashboards, the settings I've changed did the work. But still, for some of the dashboards that contain lots of panels, the error is still there.
These are the changes I've made in the limits.conf:
[Search]
Search_process_mode = auto
Enable_memory_tracker = true
Search_process_memory_usage_percentage_threshold = 80
[Concurrency]
Batch_search_max_pipeline = 2
The changes did make most of the dashboards' searches better. I've tried tweaking the values to make all of my dashboards better, but it didn't work.
11-17-2017
02:33 PM
Found out that about 80% of the memory Splunk consumed on my machine was used for REST input. When I disabled all my REST requests, the "bad allocation" error was gone, meaning it was after all a memory problem. The problem was that even though my server is pretty strong, Splunk is only using about 50% of its memory. 60% tops. I modified some values in the limits.conf file, and now it looks like my Splunk server is using much more of the memory, so even with the REST input no bad allocation errors are returned.
11-14-2017
02:53 PM
Hi,
Lately I'm facing a big problem with my Splunk searcher. A lot of my dashboard queries fail almost immediately after they start to run, with a "Bad allocation" error. I found one question in this forum about the same problem, and the answer was to add more RAM. I've done it, but it didn't seem to work.
So here are some details:
I'm using 1 indexer server, that is also used as searcher. The server is indexing about 150g per day.
Windows server 2012
14 processors
14 ram
500g storage (350 used, about 10 indexes)
Splunk 6.2
Whenever I run any dashboard (even Splunk's default dashboards) I'm facing a "bad allocation" error.
When I tried reading the search.log I found that the searches failed in less than a second, and that there are at least four different sets of error logs. The most common one is this (took only the part that contains errors):
[Info] Database directory manager::bucket - use booomfilter = true
[Error] stmgr -dir='D:.....\db\hot_v1_5761' st_query failed rc=-2 warm_rc=[0,0] query [1510686487,1510688868,[ AND myfield sourcetype::maingws ]] is_exact=false
Info batchsearch - recategorizing myapp~5760~xxxxx~xxxxx~xxxxx~xxxxx~xxxxx as non-restartable for responsiveness.
These log lines are then printed several times, each time with a different db directory, and then the search is shut down, and the final log is the "bad allocation".
I checked the server resources when running the dashboard and the RAM looked fine (about 60%), the CPU peaked from 30% to 100% for a few moments and then returned to normal, but the network and disk I/O looked really bad (both were at about 100% for a few minutes).
Do you have any idea how to overcome this problem? What more can I check?
Would you recommend to split my data to another disk to decrease diskIO usage?
If I use a search head instead of using my indexer for searching, would it solve this?
Thanks
08-28-2017
06:19 AM
Hi, the email configurations were fine, but it turns out the problem was with the SMTP that blocked my requests.
I found that using the telnet command, as you suggested.
Thank you!
08-27-2017
03:34 AM
Hi,
I have a problem - my Splunk server isn't sending any alert emails.
Here are some details:
I have 2 Splunk servers. Both use Splunk 6.2, and both run on Windows Server 2012.
There is no cluster between them, but both are supposed to be the same.
Now that's the fun part - one of the servers is sending mails, and the other one is not.
I have searched the python log using this search:
index=_internal source=*python.log*
and I found this error message:
"Sendmail:348 - (421, '4.3.2 service not available, closing transmission channel') while sending mail to ...."
Google suggested that the SMTP server is blocking the server's request, but I can't understand why. Both servers are requesting the same SMTP server using the same default port, both are sending email to the same mail address, both servers are in the same domain.
The only thing I can think of - maybe the domain user that runs Splunk is different? Is there any way to check this?
Do you have any ideas how to solve this problem? There are some important alerts that I'm missing every day because of this.
Thanks!
04-27-2017
12:10 PM
Yeah, sorry about that.
Doesn't matter now. I found that the problem was in the tabs.js file.
I don't know how, but when I copied the entire file from the example app to my app, a ">" was missing from the file. Took me a while to find the problem, but after it was fixed the tabs are working perfectly.
04-25-2017
03:53 AM
Hi there.
I have two simple dashboards that show pretty similar charts. I would like to combine both of the dashboards into one dashboard with tabs. One tab for each dashboard.
I know this is achievable with sideview utils, but right now I don't have the time nor the knowledge to learn how to use it. I'm trying to keep it simple. I have found this blog post: https://www.splunk.com/blog/2015/03/30/making-a-dashboard-with-tabs-and-searches-that-run-when-clicked/
I've done everything as written. It looked promising since the tabs are there, but nothing happens when I click on them. It looks like the attribute "data-elements" doesn't recognize any change I make to it.
Has anyone run into this problem before? Do you have another simple way to use tabs?
Thanks
04-17-2017
03:33 AM
Hi bagarwal.
I haven't tried this myself, but I found this answer, and it looks perfect for you:
https://answers.splunk.com/answers/24861/width-adjustable-table.html
If the accepted answer does not work for you, try the last comment on the page:
... | rex field=longfield max_match=0 "(?.{0,50})"
04-16-2017
12:25 PM
Hi, thanks for commenting.
For some reason, I had a problem using the props.conf and transforms.conf.
Both files were configured to use a working regex (your regex was great, I just had to tweak it so it would work on a JSON), yet it didn't extract the fields.
In the Splunk web page, under the fields extraction manager, I saw both of the fields I tried to extract, yet when I searched they weren't extracted.
I also tried to create an extraction using the "add field extraction" in the Splunk web page, which worked - well, not exactly. Instead of extracting all of the key values, it only extracted the first value.
Because of a deadline I was forced to try a fast and simple solution - I'm using rex on every search. It's not ideal, but it's working.
I still need to bar chart/column chart the two fields, but I'll try to do this on my own.
Thanks for your help! I really appreciate that!
04-10-2017
01:43 PM
I'll try and I will update. In the meantime- thanks for commenting!
04-10-2017
08:02 AM
I want to create a basic line chart; it will only be used to see the count of every name.
I'm not sure how to extract fields so I guess not
04-10-2017
07:22 AM
Hi there, I am using Splunk's REST API Modular Input to input data from Apache Solr.
Once a day a facet query is sent to Solr, and Solr returns a JSON that is indexed to Splunk.
The JSON contains a list of key-value pairs; the key is a name, and the value is a count of how many times this name is found in Solr.
The log looks like this:
"123" , "987" , "234" , "876" , "345" , "765"
What I need to do is build a timechart based on the value.
The truth is - I'm pretty lost. I searched and saw a lot of answers that suggested using regex, but I'm not sure how to use it in this case, and how to use this to build this chart.
Any help will be appreciated. Thanks
04-01-2017
06:30 AM
Try using appendcols:
... | timechart span=1d avg(eventDuration) by project | appendcols [ search ... | timechart span=1d avg(eventDuration) as TotalAverage ]