Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MasterOogway
MasterOogway
Communicator
Member since:
05-07-2010
06-05-2020
Community Statistics
| Posts | 86 |
| Solutions | 0 |
| Karma Given | 13 |
| Karma Received | 28 |
| Member Since | 05-07-2010 |
Activity Feed
- Got Karma for Re: My Search Is Faster the Second and "X" times I run it. Does Splunk Hold Data In Memory or Cache It? Or is it a Disk Thing?. 06-05-2020 12:51 AM
- Got Karma for Re: My Search Is Faster the Second and "X" times I run it. Does Splunk Hold Data In Memory or Cache It? Or is it a Disk Thing?. 06-05-2020 12:51 AM
- Got Karma for My Search Is Faster the Second and "X" times I run it. Does Splunk Hold Data In Memory or Cache It? Or is it a Disk Thing?. 06-05-2020 12:51 AM
- Got Karma for My Search Is Faster the Second and "X" times I run it. Does Splunk Hold Data In Memory or Cache It? Or is it a Disk Thing?. 06-05-2020 12:51 AM
- Got Karma for My Search Is Faster the Second and "X" times I run it. Does Splunk Hold Data In Memory or Cache It? Or is it a Disk Thing?. 06-05-2020 12:51 AM
- Karma Re: How do I get a count of applications deployed to forwarders? for harsmarvania57. 06-05-2020 12:50 AM
- Karma Re: How do I get a count of applications deployed to forwarders? for gcusello. 06-05-2020 12:50 AM
- Karma Re: Is there a way to search which heavy forwarder sent a log to the indexer? for jlanders. 06-05-2020 12:47 AM
- Karma Re: Multiple REX from single search for richgalloway. 06-05-2020 12:46 AM
- Karma Re: What would cause the dm_backfill_factory.py to run? for dart. 06-05-2020 12:46 AM
- Karma Re: Install Windows Deployment Client WITHOUT DEPLOYMENT_SERVER flag. Can it work?? for dmaislin_splunk. 06-05-2020 12:46 AM
- Karma Re: Run "splunk test" in Windows command line for myli12. 06-05-2020 12:46 AM
- Karma Re: One client Server needs access to two separate Deployment Servers - Is it possible? for yannK. 06-05-2020 12:46 AM
- Karma Re: SoS : "server to query" pulldown not listing search peers for hexx. 06-05-2020 12:46 AM
- Karma Re: chart the history of daily runs of a single-value search result for Damien_Dallimor. 06-05-2020 12:46 AM
- Got Karma for Re: Can I put splunk installation on NAS?. 06-05-2020 12:46 AM
- Got Karma for Re: Can I put splunk installation on NAS?. 06-05-2020 12:46 AM
- Got Karma for Re: Can I put splunk installation on NAS?. 06-05-2020 12:46 AM
- Got Karma for Re: Can I put splunk installation on NAS?. 06-05-2020 12:46 AM
- Got Karma for Re: Can I put splunk installation on NAS?. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 |
03-03-2020
06:57 AM
Excellent! Runs straight out without any changes.
This gives you a table view listing each server, OS, Apps installed, and what Serverclass they belong to.
Not sure if it's possible, but it doesn't take into account if any server is 'Blacklist' in an App. THAT would be nice to know too.
Already saved it as a Report. Thank you.
... View more
03-03-2020
06:50 AM
@harsmarvania57 - spot on search. Saweeet!
Run this on your Deployment Server.
I substituted the last lines 'hostname' and dropped in 'applications' and got a count of servers that have downloaded the Apps.
... View more
01-14-2020
10:09 AM
No. It didn't take zero time to execute.
First/Original run: 6,273,099 events in 142.291 seconds
Second run: 6,273,099 events in 56.79 seconds.
... View more
01-14-2020
10:06 AM
Using the exact same time range: earliest=1/14/2019:00:00:00 latest=01/13/2020:24:00:00
From your note, I would be seeing the effect of the OS caching tsidx files from the onPRem cluster.
... View more
01-14-2020
09:21 AM
1 Karma
Which it is/was. Identical search run repeatedly produced different execution times.
... View more
01-14-2020
09:15 AM
Unfortunately, I'm unable to upload an image from my desktop to share.
It's ok. With the answers, I understand.
... View more
01-14-2020
08:29 AM
@martin_mueller
This also helps complete my question. Your link to the dashboard caching mechanism will help others as well. You too get an 'Accept', but I can only give out one. But in my heart you deserve one.
... View more
01-14-2020
08:27 AM
1 Karma
Thanks, @wmyersas
That's what I was looking to confirm. Appreciate your guidance and sharing the link for others to read up on.
... View more
01-13-2020
06:53 AM
3 Karma
When I ran a search spanning an entire year it took 241 seconds. If I immediately rerun the search the time plummets to ~60 seconds. Why? Is this a Splunk or Disk optimization?
Background: hot/warm sit on fast disk. coldlib resides on not as fast, bigger disk.
Regardless of the search I run, when the data is polled the first time it's always a slower reply. When the I rerun the same exact search over the same exact disks the times drop considerably. Who's responsible? (who can I thank?) Splunk or Disks....and is it that easy, or is it more complex? I understand that searching back onto colddb disks will require a slower retrieval vs. warm/hotdb. The question is more of a lower level, backend one. But one I want to share with my user base when I advise them how to tune their searches and what will happen when they rerun the search.
I've looked through a lot of the Answers and on Splunk's site but can't really find the answer. This group is outstanding, so I'm leaning on you. Any insight is appreciated.
pstein
... View more
Labels
- Labels:
-
search performance
09-06-2012
12:38 PM
I disabled the script in the ../local/inputs.conf file.
... View more
09-06-2012
12:33 PM
1 Karma
Found it in the inputs.conf
[script:///emat/splunk/etc/apps/SplunkDeploymentMonitor/bin/scripted_inputs/dm_backfill_factory.py]
disabled = false
interval = 15
passAuth = admin
Turning to disabled = true
... View more
09-06-2012
12:31 PM
I am trying to find a way to disable the script but haven't found a way yet.
I disabled the dm_backfill.conf - disabled=1 but that failed.
33d22d46-a353-4972-9682-3cf55625e013]
dedup = 0
earliest = 1340776800.0
latest = 1341986400.0
maxjobs = 1
namespace = SplunkDeploymentMonitor
reverse = 1
saved_search = All indexers - regenerator
seed = 1342017493.05
status = 2
totaljobs = None
disabled = 1
....followed by a restart of Splunk, but it is still running. I want to have the Deployment Monitor running, just not this script, so I need to leave this enabled in the app.conf. Nothing to turn it off in the UI.
Any other thoughts on turning this script off short of uninstalling and reinstalling?
... View more
09-06-2012
12:11 PM
I have been seeing terrible search time results of late and found Splunk to be running
SplunkDeploymentMonitor/bin/scripted_inputs/dm_backfill_factory.py
Continuously which in turn chews up resources. When comparing this installation against a "like" install the other install does not run this Python script. What is the reason this might be running? I am looking for a good reason to turn it off without interrupting anything else within Splunk.
So far I have come up empty on what is causing it to run.
Thoughts?
... View more
- Tags:
- how-to
08-22-2012
10:44 AM
...more data has come out after my initial posting. It turns out our Asset Management tool is supplying the hosts for the LOOKUP Table in "short names" while the syslog is being indexed as FQDN AND short names. When the lookup table tries to match a FQDN it fails and produces an "unknown" status. Once I figure out how to strip off FQDN to short names my searches should be successful.
... View more
08-15-2012
08:38 AM
I have an issue with mixed hostnames being defined as FQDN and Shortnames when indexed from syslog on port 514. I require all hostnames to be Short. I am trying to define a transforms (or another method) to take only the shortname from the HOST field but have stumbled on how this is accomplished given the hostname is defined NOT from within the event string, but from the forwarding host. So there is nothing to build a Transforms around/against.
Is there a simple method to define a shortname (and not at seach time) as the data is indexed from syslog?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma given to
