×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
MartinLenggenha
Explorer
Member since: ‎06-20-2017
‎01-11-2024
Community Statistics
Posts 4
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎06-20-2017
Activity Feed
View All

Re: SonicWall Analytics: Why is the size of this l...

by in All Apps and Add-ons
‎12-27-2017 02:12 AM
‎12-27-2017 02:12 AM
Many thanks for the answer. The maintenance of files within a splunk app doesn't seem the right thing to do since you will have to deal with documentation, handover and other operational questions to let everyone know.. I have tried to handle same within the dsa app and wrote two little queries using inputlookup and outputlookup, saved them as reports and configured a monthly schedule. The first query takes the content of the sonicwall_http_session_id.csv file and outputs the same into sonicwall_http_session_id.bak.csv | inputlookup sonicwall_http_session_id.csv | outputlookup sonicwall_http_session_id.bak.csv The second query then reads the file sonicwall_http_session_id.csv, keeps the first 15'000'000 entries (about what we have for a month) and writes the content into same file again. | inputlookup sonicwall_http_session_id.csv | head 15000000 | outputlookup sonicwall_http_session_id.csv With this setup, we retain the information of this file for 2 months in the system. Optionally, you can replace the .bak. from first query with todays date and keep the rotated files on the filesystem as long as you like. Both reports are scheduled to run once a month where second is setup to run 15 minutes after the first one. This setup has done fine for us so far. Any better idea to deal with this issue is most welcome. Currently we do above rotation with the *session_id.csv only because it's the fastest growing. But a more 'standardized' way of doing it would be more favorable. ... View more

SonicWall Analytics: Why is the size of this looku...

by in All Apps and Add-ons
‎08-25-2017 05:07 AM
‎08-25-2017 05:07 AM
Hi, I can see in the savedsearch [http session id lookup] from Dell SonicWall Analytics App 1867 where the executed query looks every 60 minutes for the sessionID's that have bstrong texteen logged and matches them against the existing ones already present in the lookup file sonicwall_http_session_id.csv, appends the new one and stores everything again. index=sonicwall tid=257 app_name="General HTTPS" OR app_name="General HTTP" OR app_name="HTTP" | inputlookup sonicwall_http_session_id.csv append=t | dedup session_id | fields session_id, src_ip, dest_ip, app_name | fields - _* | outputlookup sonicwall_http_session_id.csv This ended up in having a very large lookup file with currently more than 4GB size and over 70 million records in it. Running the above search takes more than 15 minutes currently and the memory consumption is significant during this time. Anyone facing same? Or is there a recommendation around to avoid having this file growing without any limitation? Many thanks, Martin ... View more

Re: How to update many KV Store records from resul...

by in Getting Data In
‎06-28-2017 01:34 AM
1 Karma
‎06-28-2017 01:34 AM
1 Karma
Hello, I would like to update you on this question and propose a solution that I have just setup and tested. since I could not figure out how to update only two columns with the result of a search including a large number of rows, I have decided to split the KV Store into two tables. One with the "fields_list" for the new TicketID's including _key TS and Status (collection = ticket_status), and a second KV Store containing the latest update where I would feed the results from the updating Splunk search (collection = ticket_update_status). These two tables can be included in a search using inputlookup and the duration calculated where required. Here is the new config: collections.conf [ticket_status] [ticket_update_status] transforms.conf [ticket_lookup] external_type = kvstore collection = ticket_status fields_list = _key TS Status [ticket_update_lookup] external_type = kvstore collection = ticket_update_status fields_list = _key TS Status The _new and _mod is now not necessary anymore since we have the two tables separately. This does make the writing of the queries simpler too. To update the ticket_status KV Store table for new created tickets now looks like this: index=test... | eval _key = TicketID | table _key TS Status | outputlookup ticket_lookup append=true And the update with latest status after tickets are modified goes into the ticket_update_lookup KV Store table: index=test... | eval _key = TicketID | table _key TS Status | outputlookup ticket_update_lookup append=true For querying the two tables with lookup and calculate the ticket duration based on the two TS values: | inputlookup ticket_lookup | inputlookup append=t ticket_update_lookup | eval TicketID = _key | stats dc(Status) as check min(TS) as min_ts max(TS) as max_ts by TicketID | eval ticket_duration=(max_ts-min_ts)/60 | where check>1 | table TicketID check ticket_duration ... View more

How to update many KV Store records from results o...

by in Getting Data In
‎06-27-2017 08:17 AM
‎06-27-2017 08:17 AM
Hi Ninjas, I have been playing with KV Store and am wondering if anyone of you has updated table with multiple results from a search. The background is a data feed from ticketing application where I get an event into index when a new ticket gets generated. After every update, I receive another event with the updates made. In order to provide statistics of how many tickets are created for a particular date/time, how long a ticket has been idle and how Long it took from creation until closed, I would need to store the creation time into a static table and update it with a savedsearch periodically. I tried it with as little fields as possible. My transforms.conf Looks like: [ticket_lookup] external_type = kvstore collection = ticket_status fields_list = _key TS_new Status_new TS_mod Status_mod The _key is mapped to TicketID when I load the initial data (saved search) The initial data saved search fills the fields _key, TS_new, Status_new index=test... | eval _key = TicketID | table _key TS_new Status_new | outputlookup ticket_lookup append=true This updates the table just well. Now I would like to modify the table with data for TS_mod and Status_mod. For that I would run a query that would search and filter all the TicketID's and the *mod data. But just running the below, would overwrite the _new data which is not my intention. index=test... | eval _key = TicketID | table _key TS_mod Status_mod | outputlookup ticket_lookup append=true The _new data can be several months old, running a query that far in history, I would like to avoid. Also there could be several updates to *_mod until final closed status is reached. We only would write the latest status when saved search is run. Could anyone point me into a direction how I could arrange the query to update the KV Store without deleting the original *_new entries? Many thanks! Martin ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-11-2024 12:17 PM
Karma from
View All
Karma given to
View All