Activity Feed
- Karma Re: Unsuccessful in installing Splunk on Windows 2003 server for BunnyHop. 06-05-2020 12:45 AM
- Karma Re: Unsuccessful in installing Splunk on Windows 2003 server for Voltaire. 06-05-2020 12:45 AM
- Got Karma for Backup and restore of Splunk??. 06-05-2020 12:45 AM
- Got Karma for Capability to assign to user role to view and add data inputs. 06-05-2020 12:45 AM
- Got Karma for Capability to assign to user role to view and add data inputs. 06-05-2020 12:45 AM
- Got Karma for Capability to assign to user role to view and add data inputs. 06-05-2020 12:45 AM
- Got Karma for Splunk for F5 Data Input method. 06-05-2020 12:45 AM
- Got Karma for Splunk for F5 Data Input method. 06-05-2020 12:45 AM
- Got Karma for Custom Alert condition search to report on indexed volume. 06-05-2020 12:45 AM
- Got Karma for Custom Alert condition search to report on indexed volume. 06-05-2020 12:45 AM
- Got Karma for Custom Alert condition search to report on indexed volume. 06-05-2020 12:45 AM
- Got Karma for Re: Discard Windows Events and keep the rest. 06-05-2020 12:45 AM
- Posted Re: *nix possible bug in rlog.sh script on All Apps and Add-ons. 04-04-2011 03:27 AM
- Posted Re: daily indexed volume search does not report all hosts on Reporting. 09-09-2010 05:33 AM
- Posted daily indexed volume search does not report all hosts on Reporting. 09-07-2010 09:53 AM
- Tagged daily indexed volume search does not report all hosts on Reporting. 09-07-2010 09:53 AM
- Tagged daily indexed volume search does not report all hosts on Reporting. 09-07-2010 09:53 AM
- Tagged daily indexed volume search does not report all hosts on Reporting. 09-07-2010 09:53 AM
- Posted Re: splunk forwarder license on Getting Data In. 07-12-2010 03:03 AM
- Posted Re: oracle data input causing errors log in splunkd? on All Apps and Add-ons. 07-12-2010 02:57 AM
04-04-2011 03:27 AM
I'm having the same issue on RHEL 4. Does anyone, or Splunk support, have an alternative solution?
09-09-2010 05:33 AM
In this case, can you please advise on a search command that will generate a list of all hosts and their indexed volume on a daily basis?
I am trying to create a report to monitor the indexed volume like this:
hosts   sum(MB)
-----   -------
A       10.5
B       9.5
..
..
Total   20
09-07-2010 09:53 AM
Hi,
I've noticed that when using the search command below to generate daily indexed volume, it doesn't display all the hosts that are still sending data to our Splunk indexer.
index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput"
| eval MB=kb/1024
| chart sum(MB) by series
| rename series AS "Host(s)"
| sort sum(MB)
| addcoltotals col=t
| fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)
For example, it listed only 10 hosts out of the 15 hosts which I had.
But when I do a normal search on the missing hosts, I am able to see their current latest events.
07-12-2010 03:03 AM
Thanks. This is a concern initially because if we deploy a large number of forwarders, each with a different expiration and violations, then we may have some problem tracking them.
07-12-2010 02:57 AM
Adding DATETIME_CONFIG = current in props.conf solves it.
07-09-2010 06:44 AM
Hi,
I'd like to quickly check on how the Splunk forwarder license works...
The forwarder license type is displayed as Enterprise?
The forwarder has a license level of 1MB?
In that case our forwarder already has some violations... what if it exceeds 3/5 violations?
It has an expiration date and days remaining, so after it expires how do we obtain the new forwarder license?
07-09-2010 06:23 AM
Thanks Ed. The same issue still persists...
I tried enable boot-start and it ended with the following message:
...
pywintypes.com_error: (-2147023838, 'The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.', None, None)
Regarding permissions, domain admin has the highest privileges, so that shouldn't be an issue?
07-05-2010 08:42 AM
1 Karma
Not sure of anything yet, but I have tried shifting the configuration to the forwarder itself now, as mine seems to be a heavy forwarder.
Found this link to be useful:
Where do I configure my Splunk settings?
Seems OK, but I am monitoring it. If it works, it solves my problem of filtering out event codes on one server but not another as well.
07-05-2010 04:09 AM
Hi,
I had installed Splunk on serverA and serverB and configured both as forwarders to forward Windows event logs to the Splunk indexer.
I would like to filter out certain events (e.g. 540) and I tried doing this on the Splunk indexer itself:
/opt/splunk/etc/system/local/props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull
/opt/splunk/etc/system/local/transforms.conf
[setnull]
REGEX = (?m)^EventCode=540
DEST_KEY = queue
FORMAT = nullQueue
Apparently it still doesn't work; after doing a search the events are still shown:
host="serverA" EventCode=540
1) How do I filter out event code 540? Should it be done on the forwarder itself or on the Splunk indexer?
2) How do I filter out event code 540 only on serverA and not serverB?
Thanks.
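Added example, not an answer from the thread: how I would write the null-queue filter so it applies to serverA only. Two things matter. First, a transform with DEST_KEY = queue runs where the event is parsed: a heavy forwarder parses its own events, so the stanzas have to live in that forwarder's props.conf and transforms.conf, and a copy on the indexer never sees those events (a light forwarder does not parse, so for it the indexer-side copy is the one that applies). Second, props.conf accepts [host::<name>] stanzas as well as sourcetype stanzas, which is how the filter is scoped to one host. The stanza name setnull_540 and the \s*$ anchoring are my additions; without the anchor, a regex ending in 540 also matches codes such as 5400. The instance that holds the change needs a restart before it takes effect.

```ini
# props.conf on the instance that parses serverA's events
# (the heavy forwarder on serverA, or the indexer if serverA runs a light forwarder)
[host::serverA]
TRANSFORMS-null = setnull_540

# transforms.conf on the same instance
[setnull_540]
# (?m) lets ^ and $ match at line boundaries inside the multi-line event;
# \s*$ keeps 5400, 5401, ... from matching by accident.
REGEX = (?m)^EventCode=540\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

serverB has no [host::serverB] stanza, so its EventCode=540 events are indexed as before. A quick check after the restart is the same search as in the post, host="serverA" EventCode=540, which should return nothing new once the filter is in place.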
07-05-2010 03:49 AM
No idea how to solve it... not able to restart the production server now; I'll probably have to schedule it.
Anyway, the suggestions are useful in troubleshooting installation issues as well.
06-30-2010 01:54 AM
May I know what this does?
c:\program files\splunk\bin\splunk.exe enable boot-start
Does it try to re-install the services?
06-28-2010 03:35 AM
I am scheduling this search (Daily Indexed Volume):
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)
but it seems to be generating the following errors:
in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.
in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.
Any idea?
06-25-2010 06:25 AM
I am facing the same problem...
I am using domain admin to install Splunk on both domain controllers running Win2k3.
During installation I checked the user as "local system user" to install.
Any ideas?
06-25-2010 06:23 AM
Additional info: I am using domain admin to install Splunk on both domain controllers running Win2k3.
During installation I checked the user as "local system user" to install.
06-25-2010 06:18 AM
Some updates:
I am scheduling this search (Daily Indexed Volume) now:
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)
but it seems to be generating the following errors:
in splunkd.log:
06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.
in scheduler.log:
06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.
Any idea?
06-25-2010 06:10 AM
Thanks.
The line:
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
is referring to one of my scheduled searches...
That aside, I'm still receiving Oracle logs at the TCP port using the script, on and off. However, I noticed that during certain periods of the day there are 0 events recorded in Splunk. This period is usually from 12pm noon till 12 midnight.
I've checked the actual Oracle logs and there are events during this time. Oracle doesn't seem to have any errors as well. Any idea?
06-24-2010 04:16 PM
Hi,
I have tried to install Splunk on Windows Server 2003 and the following error occurs for splunkd and splunkweb:
Service Manager failed to open service: 'Splunkd; error = 1060
splunkd and splunkweb are not listed in services.msc
However, I tried installing on another Win2k3 server with the same settings and it works...
Please advise...
06-24-2010 06:33 AM
Hi,
I am trying to receive Oracle logs on the Splunk server using the dbipoll script.
However, splunkd.log has the following errors since the script is scheduled to run every 60 secs, although there are still some events coming in from the Oracle server:
06-24-2010 14:15:56.011 INFO TcpInputProc - Connection in raw mode from IP=1.2.3.4
06-24-2010 14:15:58.980 INFO TcpInputProc - Hostname=1.2.3.4 closed connection
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
06-24-2010 14:16:25.517 ERROR stats - The argument '>' is invalid.
06-24-2010 14:16:55.836 INFO TcpInputProc - Connection in raw mode from IP=1.2.3.4
06-24-2010 14:16:58.944 INFO TcpInputProc - Hostname=1.2.3.4 closed connection
I suspect the error lies in the script, but I'm not sure about it, as I can't seem to find anything wrong with it yet. Or could it be some other issue?
06-24-2010 06:01 AM
Hi, I have created a new question here:
http://answers.splunk.com/questions/3976/custom-alert-condition-search-to-report-on-indexed-volume
Thanks.
06-24-2010 02:53 AM
I tried to send in logs from Firepass on UDP 514 but don't seem to receive any yet.
Hi,
I have scheduled a search to report on the total daily indexed volume for all our servers.
I would like to create a custom alert condition search to specify that I only want to receive an email notification if the total indexed volume hits a certain percentage of the license limit, say e.g. 350MB out of 500MB? 80% out of 100%...
Tags: alerts
06-23-2010 10:40 AM
2 Karma
Hi,
I have just installed the SplunkForF5 app. I would like to check on the methods to configure data input for it.
Tags: f5, Splunk for F5
06-23-2010 10:10 AM
Thanks for the tip. It works fine and I got it to display the total volume. Can you advise further on the custom alert condition search to specify that I only want to receive an email if the total indexed volume hits 70% of the license limit?
06-22-2010 02:19 AM
I have tried restarting the Splunk services but it's still the same...
Nope... no specific error as well...
06-21-2010 08:18 AM
Hi,
Currently I have a Splunk server receiving logs from a few servers.
I would like to do a search that is scheduled on a daily basis which will report on the total indexed volume for all servers in a day.
This command looks good, but it lists individual servers and their indexed size:
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | sort sum(MB)
Thanks
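The "Daily Indexed Volume" search that runs through this thread, the 10-of-15-hosts symptom, and the percent-of-license alert condition all come down to the same aggregation over metrics.log, so here it is as one added, stand-alone Python example (mine, not code from the thread or from Splunk). It parses a constructed sample of per_host_thruput lines, sums kb per series and converts to MB, appends the total row the way chart ... | sort | addcoltotals does, and evaluates the alert condition as "total >= fraction of license". The missing_hosts helper exists because per_host_thruput only records the busiest series each interval (limits.conf [metrics] maxseries, default 10): a quiet host drops out of this report even though its events are indexed, which is exactly why a plain search on the missing host still shows events. Host names, kb values and timestamps in the sample are invented; the license size and 0.7 threshold come from the posts above.

```python
import re
from collections import defaultdict

# Constructed sample of metrics.log per_host_thruput lines (not real data).
# Hosts outside the busiest maxseries for an interval are simply not written,
# which is why quiet hosts vanish from a report built only on this group.
SAMPLE_METRICS_LOG = """\
06-25-2010 10:04:27.285 INFO  Metrics - group=per_host_thruput, series="serverA", kbps=170.67, eps=3.1, kb=5120, ev=93, avg_age=0.5, max_age=2
06-25-2010 10:04:27.285 INFO  Metrics - group=per_host_thruput, series="serverB", kbps=68.27, eps=1.7, kb=2048, ev=51, avg_age=0.4, max_age=1
06-25-2010 10:04:27.285 INFO  Metrics - group=per_sourcetype_thruput, series="WinEventLog:Security", kbps=238.93, eps=4.8, kb=7168, ev=144, avg_age=0.5, max_age=2
06-25-2010 10:04:58.290 INFO  Metrics - group=per_host_thruput, series="serverA", kbps=102.40, eps=3.0, kb=3072, ev=90, avg_age=0.5, max_age=2
06-25-2010 10:04:58.290 INFO  Metrics - group=per_host_thruput, series="serverC", kbps=17.07, eps=0.6, kb=512, ev=18, avg_age=0.6, max_age=3
"""

# Same label the thread's fillnull puts on the total row.
TOTAL_LABEL = "[ Total Indexed Volume ] last 24 hours"

# ", kb=" (not "kbps=") is the per-interval byte count in KB for the series.
_PER_HOST = re.compile(
    r'group=per_host_thruput, series="(?P<series>[^"]+)".*?, kb=(?P<kb>[0-9.]+)'
)


def parse_per_host_thruput(text):
    """Sum kb per series over per_host_thruput lines only; other groups
    (per_sourcetype_thruput, ...) are ignored, like group="per_host_thruput"."""
    kb_by_host = defaultdict(float)
    for line in text.splitlines():
        m = _PER_HOST.search(line)
        if m:
            kb_by_host[m.group("series")] += float(m.group("kb"))
    return dict(kb_by_host)


def indexed_volume_report(kb_by_host):
    """Rows of (host, MB) sorted ascending by MB with a total row appended,
    mirroring eval MB=kb/1024 | chart sum(MB) by series | sort sum(MB) | addcoltotals."""
    rows = sorted(
        ((host, round(kb / 1024, 2)) for host, kb in kb_by_host.items()),
        key=lambda row: row[1],
    )
    rows.append((TOTAL_LABEL, round(sum(mb for _, mb in rows), 2)))
    return rows


def missing_hosts(expected_hosts, kb_by_host):
    """Hosts you expect to be forwarding that never appeared as a
    per_host_thruput series: the 10-of-15 symptom from the thread."""
    return sorted(set(expected_hosts) - set(kb_by_host))


def alert_condition(total_mb, license_mb, fraction):
    """True when the day's total reaches the given fraction of the license
    limit, e.g. fraction=0.7 of a 500 MB license fires at 350 MB."""
    return total_mb >= license_mb * fraction


if __name__ == "__main__":
    kb = parse_per_host_thruput(SAMPLE_METRICS_LOG)
    report = indexed_volume_report(kb)
    for host, mb in report:
        print(f"{host:40s} {mb:8.2f}")
    # serverD is an invented host that forwards but fell outside maxseries.
    print("missing:", missing_hosts(["serverA", "serverB", "serverC", "serverD"], kb))
    total_mb = report[-1][1]
    print("alert:", alert_condition(total_mb, license_mb=500, fraction=0.7))
```

If the expected host list is long, feed it from the inventory you already trust (a deployment server client list, or a tstats/metadata host count over the indexes the forwarders write to) rather than from metrics.log itself, since metrics.log is the source that is undercounting. Raising maxseries in limits.conf [metrics] on the indexer makes the report itself more complete at the cost of more _internal volume.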