cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kevintelford
Path Finder
Member since: ‎05-05-2010
‎06-05-2020
Community Statistics
Posts 38
Solutions 3
Karma Given 10
Karma Received 28
Member Since ‎05-05-2010
Activity Feed
Topics I've Started
View All

LMStackMgr - resetting slave warnings for master s...

by in Installation
‎10-28-2011 06:42 AM
1 Karma
‎10-28-2011 06:42 AM
1 Karma
I was looking at my splunkd.log file and noticed that this line was being written to the log file once per second. What is the cause of this? I assume it's not normal behavior. Also every few seconds I see a message about "LMSlaveInfo - Detected that masterTimeFromSlave < lastRolloverTime, meaning that the master has already rolled over. Ignoring slave persisted usage." Splunk4Life! ... View more

Re: Reassign (or keep) variable in eval's IF state...

by in Splunk Search
‎07-29-2011 10:51 AM
‎07-29-2011 10:51 AM
Cool deal, too bad it doesn't work with if as well, but this will do just fine. Thanks! ... View more

Reassign (or keep) variable in eval's IF statement

by in Splunk Search
‎07-29-2011 10:03 AM
2 Karma
‎07-29-2011 10:03 AM
2 Karma
I have two variables and based on one would like to possible change the value of the other: .. | eval a="foo" | eval b="some value" | eval a=if(match(b, "kittens"), "bar", a) So if b contains 'kittens' make a's value equal 'bar', otherwise keep it 'foo'. Is this possible? As it stands now a only ever has a value when b contains 'kittens'. Thanks, Kevin ... View more

oneshot POST message body

by in Getting Data In
‎07-14-2011 11:09 AM
2 Karma
‎07-14-2011 11:09 AM
2 Karma
Is there a way to specify parameters in a POST to the oneshot endpoint? I can successfully add files - curl -k -u admin:changeme -d 'name=/path/to/my/file' https://localhost:8089/services/data/input/oneshot But I am not able to add any other optional parameters such as host, index, etc. I've also tried doing a JSON POST with no luck. Anytime I add additional parameters it complains about not having a regular file. Thanks, Kevin ... View more

Re: Change/disable 4.2 Help link

by in Splunk Search
‎04-12-2011 02:42 PM
‎04-12-2011 02:42 PM
Thank you much. ... View more

Change/disable 4.2 Help link

by in Splunk Search
‎04-11-2011 04:02 PM
4 Karma
‎04-11-2011 04:02 PM
4 Karma
We're using Splunk on a network that is cordoned off from the interwebs. Is there a way that we could either disable or change the url that the ?Help link points to for all apps? Thanks, Kevin ... View more

Re: Re-send data with universal forwarder?

by in Getting Data In
‎04-07-2011 03:51 PM
‎04-07-2011 03:51 PM
Submitted: Case # 57213 ... View more

Re: Changes in timechart useother functionality in...

by in Splunk Search
‎04-07-2011 03:29 PM
‎04-07-2011 03:29 PM
Thank you Stephen 🙂 useother=f used to work, just not sure if it was intended to do what I wanted. Either way, limit=100 works perfectly, thank you sir. ... View more

Re-send data with universal forwarder?

by in Getting Data In
‎04-06-2011 08:31 PM
4 Karma
‎04-06-2011 08:31 PM
4 Karma
When using a lightweight-forwarder we were able to clean the fishbucket (eventdata) so that we could re-forward data. Trying this on the new universal forwarder yields the message "ERROR: Cleaning eventdata is not supported on this version." Is there a new way to do this? Thanks, Kevin ... View more

Changes in timechart useother functionality in 4.2...

by in Splunk Search
‎04-06-2011 08:21 PM
‎04-06-2011 08:21 PM
We used to have a dashboard driven by a simple query that would show a value per hour for all of our index servers. * | timechart span=1h count by splunk_server useother=f Before we upgraded to 4.2 this would work as we had come to expect it, but now it only shows the top 10 servers. If we drop useother=f it will then show an "other" column along with the top 10, but we want all splunk_server values. Is there a new way to do this? Thanks, Kevin ... View more

Re: Filtering queries by large lookup

by in Splunk Search
‎03-30-2011 06:40 PM
‎03-30-2011 06:40 PM
GO TEAM NOVII!! ... View more

Re: What is the impact of an instance forwarding t...

by in Getting Data In
‎03-29-2011 06:12 PM
‎03-29-2011 06:12 PM
This can now be accomplished by installing the Splunk universal forwarder along side Splunk itself. The only change to the forwarder that is required is the splunkd port it binds to. To do this add a web.conf to $SPLUNK_FORWARDER_HOME/ect/system/local/ that says [settings] mgmtHostPort = <SERVERIP:newPort> Boom. Boots upside yo head. ... View more

Re: Filtering queries by large lookup

by in Splunk Search
‎03-21-2011 05:38 PM
‎03-21-2011 05:38 PM
So I've become a liar. 2 issues. In a distributed setup, it will not work unless the lookup is on the search head. Is there a way to tell it to look locally? When I did put this file on the search head I got the error "Error in 'UnifiedSearch': Unable to parse 'The specified file is too large..." ... View more

Re: Filtering queries by large lookup

by in Splunk Search
‎03-21-2011 04:57 PM
‎03-21-2011 04:57 PM
Did I ever tell you you're my hero? You're everything, everything I wish I could be. Thanks dude, works swell! ... View more

Filtering queries by large lookup

by in Splunk Search
‎03-21-2011 02:57 PM
1 Karma
‎03-21-2011 02:57 PM
1 Karma
I have a large lookup full of bad domains. The lookup is simply a domain name per line. I would like to search through a section of logs and return events where the bad domain exists. My domain list looks like baddomain baddomain1.com baddomain2.com ... And the query I'm attempting to write looks like index=myindex | append [ inputlookup domains.csv | fields baddomain ] | where domain=baddomain | ... If I run just the inputlookup portion of the query I'm seeing my results, but they do not seem to be getting appended. Thanks, Kevin ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
Karma given to