Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jayannah
jayannah
Builder
Member since:
03-29-2013
05-11-2021
Community Statistics
| Posts | 131 |
| Solutions | 21 |
| Karma Given | 35 |
| Karma Received | 89 |
| Member Since | 03-29-2013 |
Activity Feed
- Got Karma for Re: how many clients can one deployment server manage?. 03-09-2021 02:03 AM
- Karma Re: How can i change the permissions of dynamically created Tags through REST API ? for kartik13. 06-05-2020 12:48 AM
- Karma how to mask data in data model? for viswanathsd. 06-05-2020 12:47 AM
- Karma Search for event field that can 'potentially' contain NULL values for kenth213. 06-05-2020 12:47 AM
- Karma Re: Why is the "map" command not working in dashboard and the corresponding panel displays "Waiting for inputs"? for wpreston. 06-05-2020 12:47 AM
- Karma Re: Should we have Splunk deployment server and cluster master on the same instance? Recommendations please! for mahamed_splunk. 06-05-2020 12:47 AM
- Karma Re: rex expression without resorting to mode=sed for somesoni2. 06-05-2020 12:47 AM
- Karma Re: EventStats count Function for tom_frotscher. 06-05-2020 12:47 AM
- Karma Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"? for mwilson788. 06-05-2020 12:47 AM
- Karma Re: Unable to view the field created using rex for richgalloway. 06-05-2020 12:47 AM
- Karma Re: Search Head Clustering - Deployer can't contact license master for dflodstrom. 06-05-2020 12:47 AM
- Karma Re: Why am I getting different results between these 2 searches? for MuS. 06-05-2020 12:47 AM
- Karma Re: Splunk query filtering on lookup table csv for Ayn. 06-05-2020 12:47 AM
- Karma Re: When to use prestats command in tstats and its uses? for pedromvieira. 06-05-2020 12:47 AM
- Karma Re: Calculate a value based on multiple events for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Why are larger events are truncated (10000 bytes)? for yannK. 06-05-2020 12:47 AM
- Karma Using Splunk DB Connect 2 in a search head cluster, should database inputs originally set on the deployer be set to disabled or enabled? for sim_tcr. 06-05-2020 12:47 AM
- Karma Re: What is tstats and why is so much faster than stats? for ppablo. 06-05-2020 12:47 AM
- Karma Re: How to include an app name as a part of the search query? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: can multiple sourcetypes stanza's in a props.conf - point to one single report extract (see below) for lguinn2. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 5 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 |
12-17-2017
02:32 PM
Yes, you can do in multiple ways
Configure logstash send the data over to Splunk using tcp output plugin and create tcp input on Splunk
On logstash use http output plugin to send to Splunk
Config logstash to write the events to log file and have Splunk forwards to read and send to Splunk indexes
... View more
04-04-2016
06:03 PM
Hi
You will find answers for your queries in the below URLs..
https://answers.splunk.com/answers/345286/change-tag-permission-via-rest-api-curl.html
https://answers.splunk.com/answers/13189/setting-tag-values-through-rest-api.html
Also, if you want to change permission of any other object, check the below URL for details & examples.
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTUM/RESTusing#Access_Control_List
... View more
02-01-2016
10:26 AM
In my current project, the deployment server is able to handle 5000+ clients in AWS .. But we face lot of slowness while adding new server class, clients etc. Otherwise, its fine. We are planning to deploy more deployment servers to handle 1000 clients per Deployment server.
In the enterprise infra, the deployment server is able to handle ~800 clients without any issues and no slowness aswell.
CPU load is always < 1 .. And the poll interval set to 300 seconds
[default]
phoneHomeIntervalInSecs=300
... View more
02-01-2016
10:23 AM
1 Karma
In my current project, the deployment server is able to handle 5000+ clients in AWS .. But we face lot of slowness while adding new server class, clients etc. Otherwise, its fine. We are planning to deploy more deployment servers to handle 1000 clients per Deployment server.
In the enterprise infra, the deployment server is able to handle ~800 clients without any issues and no slowness aswell.
CPU load is always < 1 .. And the poll interval set to 300 seconds
[default]
phoneHomeIntervalInSecs=300
... View more
12-18-2015
01:59 PM
You disable at App level instead of individual inputs.
If we leave it disabled - next time when there is a need to set up a new input, before pushing the new input to search heads, we have to enable all previous inputs, else all the previous inputs go to disabled state on search heads.
I was able to delete the inputs successfully.
does any one have issues deleing an existing input created on the DB Connect 2 app from the GUI?
... View more
12-18-2015
01:31 PM
As long as the load/job of Deployment Server & cluster Master instance is less, its fine to have all in 3 in one. Offcourse having them in separate instances better incase if there's going to be more Forwarders or Indexers planned for near future which will increase the load on Deployment Server and Cluster Master.
... View more
05-08-2015
10:27 AM
Editor's note: 2014 below. 2016 version here: https://www.splunk.com/pdfs/technical-briefs/splunk-deploying-vmware-tech-brief.pdf
Check out this URL..
https://www.splunk.com/web_assets/pdfs/secure/Splunk_and_VMware_VMs_Tech_Brief.pdf
... View more
04-08-2015
09:07 AM
Thanks for the response.
I agree with you for schedule search ttl.
But, in my case I can see the jobs in dispatch directory which are older than 2-4 days even though those are scheduled to run for every 1 min or 2 min.
Also, I see the jobs id older than 2-4 days exists in dispatch dir for the searches ran manually .
I checked the splunkd.log file, there is no information about failure in deleteing these jobs.
So I'm wondering whether the dispatcher is trying to delete or not.
... View more
04-08-2015
06:03 AM
3 Karma
I see the error "Too many search jobs found in the dispatch directory error" many time. I know to clean the directory using clean-dispatch command and I could see lots of answers on how to clean the dispatch directory.
But I couldn't find the answer why the old jobs are not getting deleted.
I could see the many jobs older than 1 day. We have not changed any default settings job's ttl. The issue is also not consistent.
Any root cause why the jobs older than 1 day are not deleted? I think the jobs were suppose to delete for 10m.
... View more
02-10-2015
08:58 PM
If your requirement is to send alert if there are no event received on particular index from particular sources, then you can use the following search command
| metadata type=hosts index=myindex
Above command returns the list of hosts sending data to the index "myindex" and when was the last event received. If the last event received timestamp is 15 min earlier to the current time, then you can create the alert.
Hope this information is useful.
... View more
02-03-2015
07:24 AM
Just change the regex and try
[cisco_wsa_pacfile_drop]
REGEX = pacfile-splunk
DEST_KEY = queue
FORMAT = nullQueue
... View more
02-02-2015
02:56 PM
You know the country code is always 1 (if present)
1?(?<ph_num>\d{10}) ==> This should return 10 digit irrespective whether country code 1 is prefix or not.
\d*(?<ph_num>\d{10}) ==> This return last 10 digits from phone number irrespective of whether the country code is 1 or 22 or 100 or not prefixed.
... View more
02-02-2015
02:51 PM
4 Karma
You need put configuration similar to below in props.conf against the sourcetype
props.conf
[sourcetype]
SHOULD_LINEMERGE=TRUE
BREAK_ONLY_BEFORE = Entering:
TIME_FORMAT = %Y-%m-%d %H:%M:%S %3N
MAX_TIMESTAMP_LOOKAHEAD = 500
TIME_PREFIX = StartTime:
Note: I have not tested it and it should work fine.
The above configure merges the multi lines event into single line and break the individual event at "Entering:"
... View more
01-30-2015
06:18 AM
@the_wolverine - tscollect information are stored in Indexers.
... View more
01-29-2015
09:13 PM
1 Karma
If namespace is provided, the tsidx files are written to a directory of that name under the main tsidxstats directory (that is, within $SPLUNK_DB/tsidxstats). These namespaces can be written to multiple times to add new data. If namespace is not provided, the files are written to a directory within the job directory of that search, and will live as long as the job does. This namespace location is also configurable in indexes.conf, with the attribute tsidxStatsHomePath.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Tscollect
... View more
01-29-2015
07:47 PM
I dont think you can put such condition in rex itself. But you can do with fillnull.
E.g:
To fill all fields those doesn't value with "nil"
index=aaaa | rex *************** | fillnull value=nil
To fill field1 & field2 value with "nil" when value for these fields not present
index=aaaa | rex *************** | fillnull value=nil field1 field2
Hope this helps.
... View more
01-29-2015
04:20 PM
useother=null will not club the hosts into OTHERS
Basically you need 3 values in the table, i,e _time, count, and stats for each host. So, you want all hosts name as row and not as column. Update the query in the main answer..
Regarding your original question, you can add columns using eval, eventstats, streamstats..etc
... View more
01-29-2015
04:13 PM
Need more clarification... your query, sample output and what you want pass would help us to provide the answer correctly.
... View more
01-29-2015
04:04 PM
3 Karma
Your join syntax is incorrect
it should be
... | join eventid [search index=ap...... ]
So finally your query looks like:
index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" |rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid | join eventid [search index=app_sec_prod sourcetype="mcafee:emailgateway:file" host="portal4.visa.com" "Quarantined by Content Filtering" | rex "(?i)^(?:[^\|]*\|){2}(?P[^\|]+)" | fields eventid ]
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-11-2021
04:26 PM
|
Karma from
