Activity Feed
- Karma Re: How to use server.conf delivered to a series of UFs with mix of FQDM and short hostnames Linux 8.2.9? for scelikok. 02-13-2023 07:06 AM
- Posted How to use server.conf delivered to a series of UFs with mix of FQDM and short hostnames Linux 8.2.9? on Installation. 02-08-2023 09:00 AM
- Karma Re: Difference between outputlookup and outputcsv for alacercogitatus. 11-22-2022 02:19 PM
- Posted Is metadata/local.meta deployed by the shc deployer? on Deployment Architecture. 10-25-2022 05:18 AM
- Posted Re: How to deploy and configure the Monitoring of Java Virtual Machines for JMX app in a search head clustering environm on All Apps and Add-ons. 07-28-2022 02:49 PM
- Karma Re: Indexer Cluster and Search Head Cluster with Datamodel Acceleration for mikaelbje. 07-20-2022 09:18 AM
- Karma Re: Uniqueness Requirement of Deployment Client Names? for nickhills. 12-13-2020 02:36 PM
- Karma Re: How to change password using CLI in splunk for adonio. 12-10-2020 02:01 PM
- Karma Re: http event collector truncates event to 10,000 characters for livehybrid. 11-24-2020 01:46 PM
- Posted Re: Splunk App for *nix - all dashboards show "no results found", but definitely ingesting from UF on All Apps and Add-ons. 07-23-2020 06:34 AM
- Got Karma for Linux monitoring ps.sh for cpu usage > 100% is normalized to 0. 06-05-2020 12:49 AM
- Posted Linux monitoring ps.sh for cpu usage > 100% is normalized to 0 on All Apps and Add-ons. 08-08-2018 11:06 AM
- Tagged Linux monitoring ps.sh for cpu usage > 100% is normalized to 0 on All Apps and Add-ons. 08-08-2018 11:06 AM
- Posted Re: Jenkins data indexing into Splunk, dashboards all blank on All Apps and Add-ons. 07-03-2018 10:37 AM
- Posted Re: Include an environmental variable in search results or as part of an alert email subject on Reporting. 06-12-2017 07:33 AM
- Posted Re: Include an environmental variable in search results or as part of an alert email subject on Reporting. 06-08-2017 12:56 PM
- Posted Include an environmental variable in search results or as part of an alert email subject on Reporting. 06-06-2017 04:10 PM
- Tagged Include an environmental variable in search results or as part of an alert email subject on Reporting. 06-06-2017 04:10 PM
Topics I've Started
02-08-2023 09:00 AM
Good day All!
UF version 8.2.9 on a series of Linux machines.
I've an application containing local/server.conf deploying to a series of Linux machines.
The machines have a mixed configuration of short and fqdn as the hostname. For consistency, want to use the short name.
Each instance environment contains a variable called HOST_EXTERNAL which is the short name.
The documentation states:
* Can contain environment variables.
* After any environment variables are expanded, the server name
(if not an IPv6 address) can only contain letters, numbers, underscores,
dots, and dashes. The server name must start with a letter, number, or an
underscore.
ERROR: serverName must start with a letter, number, or underscore. You have: $HOST_EXTERNAL
ServerName is only set in the apps/app-name/local and system/default/server.conf.
system/default/server.conf:serverName=$HOSTNAME
app-name/local/server.conf:serverName = $HOST_EXTERNAL
Googling doesn't produce any examples of using an environment variable other than $HOSTNAME. What am I missing on attempting to use $HOST_EXTERNAL as serverName in server.conf?
Thoughts?
Labels: app, Linux, universal forwarder
10-25-2022 05:18 AM
Made changes to search/metadata/local.meta that need to be deployed to search heads.
search/local/app.conf contains:
[shclustering]
deployer_push_mode = local_only
When I stage/send from the shc deployer, after a rolling restart on the sh captain search/metadata/local.meta remains the same as before the push. Does the SHC deploy metadata/local.meta?
Splunk Enterprise 8.2.3 running on Redhat Linux. 8 Node Search Head Cluster. Permission changes made to
From:
[]
access = read : [ * ], write : [ admin, power ]
export = system
version = 8.2.3.2
modtime = 1666399466.315512000
To:
[]
access = read : [ admin, number_of_roles_here, user, user_ad_user ], write : [ admin, power ]
owner = admin
export = none
version = 8.2.3.2
modtime = 1666381189.171483000
Labels: deployer, search head clustering
07-28-2022 02:49 PM
Any new information on this? Moving the Splunk Add-on for Java Management Extensions from a single search head to a cluster. Very low confidence it'll work.
07-23-2020 06:34 AM
Recently had the same issue. In my case the forwarders were sending results to the main index instead of os index. I had to add index = os to ALL the inputs in inputs.conf deployed on the UF:
apps/Splunk_TA_nix/local/inputs.conf
################################################
############### Event Inputs ###################
################################################
[script://./bin/vmstat.sh]
interval = 60
disabled = false
index = os
[script://./bin/iostat.sh]
interval = 60
disabled = false
index = os
[script://./bin/nfsiostat.sh]
interval = 60
disabled = false
index = os
Then verified the index in Settings/Your Data. You'll need to have an account with admin to "save" changes. I restarted my search head and forwarders after the changes to verify. If using a deployment server, make the UF changes in the Splunk_TA_nix deployment app.
Splunk 7.5.2
UF 7.3.1+
Splunk_TA_nix 8.1.0
Splunk App for Unix 6.0.0
08-08-2018 11:06 AM
1 Karma
I've the Splunk_TA_nix add-on installed to monitor Linux systems (all VMs). Researching a recent server issue there's a process running at %500 CPU usage. This is only possible because it's a VM.
What I've noticed is sourcetype=top collects the CPU usage correctly however sourcetype=ps normalizes the CPU usage with a condition if the usage is under 0 or over 100, usage is set to 0.
From ps.sh:
NORMALIZE='(NR>1) {if ($4<0 || $4>100) $4=0; if ($6<0 || $6>100) $6=0}'
In this case it's a java container, to figure out which container, I need to look at the ARGS which is collected by ps, not top. So now instead of just using results from ps, need to combine both top and ps to see the history on CPU usage.
Is there a reason for fixing the CPU usages when greater than 100 to 0?
07-03-2018 10:37 AM
Was this resolved? I'm running into the same issues.
I've a heavy forwarder collecting the events, forwarding to two load balanced indexers.
The events are indexed however not parsed as json in the search head. Only the basic fields are shown.
Search head and Indexers are v.6.5.2 - Yes they've been restarted after installing. The props.conf is on the indexers.
This query returns no results
index=jenkins_statistics (host="sea1l1esbfb01" ) event_tag=job_event (type=started OR type=completed) | dedup host build_url sortby -_time | eval job_result=if(type="started", "INPROGRESS", job_result) | timechart count by job_result
However this query does
index=jenkins_statistics (host="sea1l1esbfb01" ) | spath | search event_tag=job_event (type=started OR type=completed) | dedup host build_url sortby -_time | eval job_result=if(type="started", "INPROGRESS", job_result) | timechart count by job_result
eval DVA_ENV=[ |rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server as splunk_server OUTPUT deployment_environment | **eval DVA_ENV="\"".deployment_environment."\""** | return $DVA_ENV ]
Found how to make it work.
Thanks!
Good suggestion!
The below statement works when I execute just:
|rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server as splunk_server OUTPUT deployment_environment AS DVA_ENV
the lookup works as expected.
Created a macro called get_deploy_env using
eval DVA_ENV=[ |rest/services/authentication/users splunk_server=local | dedup splunk_server | table splunk_server | lookup splunk_server_info server as splunk_server OUTPUT deployment_environment AS DVA_ENV | return $DVA_ENV]
However when the macro is included in a search the value for DVA_ENV is not returned:
index=myidx | `get_deploy_env splunk_server` | table host splunk_server DVA_ENV
Splunk version 6.5.3
Building a series of alerts in a Development system that include sending an email.
Part of the subject line needs to include the current environment, such as Dev, Test, Prod. My goal is to use a variable for the environment value so the code can move between Dev, Test and Prod without modification.
On the search-head in etc/splunk-launch.conf I included:
DVA_ENV=Dev
(restarted the search-head)
splunk envvars shows the environment settings.
However I've not found the syntax to either include an environment variable in the search results and/or use it in an alert email subject.
Is it possible to access an environment variable? If so, what's the syntax?
Is there a better way to approach this problem?