Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vikas_gopal
vikas_gopal
Builder
Member since:
12-03-2013
09-14-2022
Community Statistics
| Posts | 239 |
| Solutions | 20 |
| Karma Given | 56 |
| Karma Received | 36 |
| Member Since | 12-03-2013 |
Activity Feed
- Posted Re: Splunkd crashed with memory allocation error on Getting Data In. 09-14-2022 02:18 PM
- Posted How do I prevent Splunkd crashing with memory allocation error? on Getting Data In. 09-14-2022 01:39 PM
- Posted Re: trigger alert if host is missing reporting based on lookup tabel for source=WinEventLog:Security on Alerting. 07-21-2022 11:56 AM
- Posted How to trigger alert if host is missing reporting based on lookup tabel for source=WinEventLog:Security? on Alerting. 07-21-2022 11:28 AM
- Got Karma for Re: trigger alert if license utilization by an index is increased by 50GB comparing to last day. 10-02-2021 05:19 AM
- Posted Re: trigger alert if license utilization by an index is increased by 50GB comparing to last day on Alerting. 10-01-2021 05:51 PM
- Posted trigger alert if license utilization by an index is increased by 50GB comparing to last day on Alerting. 10-01-2021 03:50 PM
- Posted Re: Microsoft Azure Add-on for Splunk - Not loading on All Apps and Add-ons. 05-18-2021 11:25 AM
- Posted Re: Microsoft Azure Add-on for Splunk - Not loading on All Apps and Add-ons. 05-17-2021 08:58 PM
- Got Karma for Splunk App for Web Analytics data model acceleration is not completing. 04-01-2021 06:41 AM
- Posted Re: grouping events based on start and end on Splunk Search. 02-15-2021 03:30 PM
- Karma Re: How to join and get stats from same index? for anmolpatel. 06-05-2020 12:51 AM
- Karma Re: I am setting up parallel Splunk environment of my existing setup what is best approach for data backup? for jkat54. 06-05-2020 12:51 AM
- Got Karma for How to join and get stats from same index?. 06-05-2020 12:51 AM
- Got Karma for Re: How to get original sourcetype name for a notable events ?. 06-05-2020 12:50 AM
- Got Karma for Re: How to get original sourcetype name for a notable events ?. 06-05-2020 12:50 AM
- Got Karma for Re: How to get original sourcetype name for a notable events ?. 06-05-2020 12:50 AM
- Got Karma for Re: Dashboards not populating when website monitor on heavy forwarders. 06-05-2020 12:50 AM
- Karma Re: How to use props and transform.conf in splunk for jkat54. 06-05-2020 12:48 AM
- Karma Re: How to hide single value panel based on a drop-down condition? for niketn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-14-2022
02:18 PM
I will file it but wanted check with the community is anyone else is also facing the same issue ?
... View more
09-14-2022
01:39 PM
Hello Splunk ES experts ,
My Splunkd is crashing frequently with below error in crash logs
C++ exception: exception_addr=0x7ff2c2c3c620 typeinfo=0x556c38241c48, name=St9bad_alloc Exception indicates memory allocation failure
This started after ES app installation . I have checked with free command I have plenty of memory on the system 32GB and 16 CPU
total used free shared buff/cache available Mem: 32750180 1764936 19979208 17744 11006036 31040488 Swap: 4169724 0 4169724
Below are my ulimit settings
splunk soft nofile 65535 splunk hard nofile 65535 splunk soft nproc 65535 splunk hard nproc 65535
Any suggestions please
... View more
- Tags:
- splunk ES
Labels
- Labels:
-
Linux
07-21-2022
11:56 AM
Thank you so much , logic works .
... View more
07-21-2022
11:28 AM
Hi Experts,
I want to trigger an alert when a particular host for source=WinEventLog:Security is not reporting to splunk from last 1 hour. I have a list of 30 critical hosts and for those I have created a csv lookup as shown below
DC_Machines.csv
host source abc WinEventLog:Security bcd WinEventLog:Security xyz WinEventLog:Security
What I have achieved so far
| inputlookup DC_Machines.csv | join type=left host [metadata type=hosts index=os_windows index=os_windows_dc ] | fillnull recentTime | where recentTime < relative_time(now(), "-1h") | fields host,recentTime,source
above gave me a host from lookup table which is not reporting at all(fine) but how about those hosts which are reporting except source=WinEventLog:Security
What I want above query should only return those host which is missing only one source=WinEventLog:Security
My approach might be completely wrong or may be I am missing on something .I tried to add filter on source which is not working in above logic.
Any suggestions please .
Thank you in advance
... View more
Labels
- Labels:
-
alert condition
10-01-2021
05:51 PM
1 Karma
Well I have achieved this with below search query , hope this will help someone Run this from LM index=_internal sourcetype=splunkd source=*license_usage.log type=usage earliest=-2d@d latest=@d | eval day=if(_time>relative_time(now(),"-1d@d"),"Yesterday","Day_Before_Yesterday") | chart sum(b) as usage by idx day | eval Yesterday=round(Yesterday/1024/1024/1024,2) | eval Day_Before_Yesterday=round(Day_Before_Yesterday/1024/1024/1024,2) | eval diff=round((Yesterday-Day_Before_Yesterday),2)|where diff>20
... View more
10-01-2021
03:50 PM
HI Experts , I want to rigger an alert based on below scenario 1) Get license utilization in GB for yesterday and day before yesterday . 2) Show difference in GB and if the difference is increased by 40GB then trigger an alert Something like below , I want to trigger alert only for line 2 that is for database index_name yesterday day_before_yesterday diff application 20GB 10GB 10GB database 30GB 70GB 40GB security 40GB 20GB 20GB
... View more
Labels
- Labels:
-
alert condition
05-18-2021
11:25 AM
If this was helpful please mark this as complete and accept the answer
... View more
05-17-2021
08:58 PM
Well There could be multiple reasons 1) If you have upgraded this app directly from 2.1.1 to 3.1.1 then as per doc for this app you will definitely see issues and there are no clear answer and explanation why . 2) Microsoft vendor generally cause a lock generated if an incorrect credentials is keyed in. I would recommend to remove below files from local directory but take a backup before and then restart splunkd inputs.conf ta_ms_aad_settings.conf ta_ms_aad_account.conf passwords.conf 3) If you upgraded Splunk to 8.x old app will not work because of incompatibility of the app with 7.x . You will see below error. Unable to initialize modular input "azure_virtual_network" defined in the app "TA-MS-AAD": Introspecting scheme=azure_virtual_network: script running failed (exited with code 1).. The frustrating part is this app is not supported by splunk and even now you cannot download older versions as it says "This version has not passed Splunk AppInspect." If option 2 is not helping then the only option we are left with install fresh app 3.1.1and create inputs again with correct passwords . 4) Last but not the least Event hub input is deprecated in the new release , though it is still working but it is not a reliable option as doc says it is deprecated . If you have event hub inputs then better user "Splunk add-on for Microsoft cloud service" Hope this helps
... View more
02-15-2021
03:30 PM
One way is with transaction sourcetype="csv" |transaction jobid startswith=eval(Messge_text="processstart") endswith=eval(Messge_text="processends") |eval duration= tostring(duration,"duration") |table Orginaldate,jobid,Messge_text,duration Because we know transaction command is a little expansive command so we can use fields as well to only focus on respective fields sourcetype="csv" |fields Orginaldate,jobid,Messge_text|transaction jobid startswith=eval(Messge_text="processstart") endswith=eval(Messge_text="processends") |eval duration= tostring(duration,"duration") |table Orginaldate,jobid,Messge_text,duration In case you are extracting message from a fields as a new field then you can use below sourcetype="csv" |rex field=Messge_text "(?<actual_message>processstart)" |rex field=Messge_text "(?<actual_message>processends)"|transaction jobid |eval duration= tostring(duration,"duration") |sort Orginaldate|table Orginaldate,actual_message,jobid,duration
... View more
05-10-2020
05:49 PM
1 Karma
HI Experts,
I am sure someone must have faced this issue with
Web Analytics 2.2.1 Splunk 7.2.5 (SHC, Index Cluster
as I have seen similar posts but no concrete Answer . I am aware that when we install this app we will get Web data model.Because i already have CIM so I have cloned this data model and named it "Web Analytics" . I can see the data as it is properly tagged (tag=web), this gives me the results as expected. I have accelerated this data model for summary range 1 day. Till 99.98% it completed in 30 min but then it stuck for like 48 hours now , as shown below . I tried rebuilding it still same status
MODEL
Datasets
3 Events, 1 Search Event Edit
Permissions
Shared Globally. Owned by nobody. Edit
ACCELERATION
Rebuild Update Edit
Status
99.98% Completed
Access Count
0. Last Access: -
Size on Disk
1.91 GB
Summary Range
86400 second(s)
Buckets
1006
Updated
5/10/20 7:04:00.000 PM"
I do not know if because of this dashboards like (Analytics Center,Audience,Acquisition,Behavior Overview) are blank . Couple of other observations Below query does not produce any results as Web.eventtype=pageview produce no results
| tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=`datamodel` WHERE Web.site="*" Web.eventtype=pageview GROUPBY Web.http_session,Web.ua_mobile
_time span=1d | timechart span=1d dc(Web.http_session) by Web.ua_mobile | rename Web.ua_mobile AS "Mobile Device " | fields - VALUE
I have also checked Document link in the app itself and can see below
Web Server Log Data check (tag=web | head 5) check completed
Website Configuration check --table is showing results
Lookup check --(Sessions,Pages) ---check completed
Data Model Acceleration check --98.99%
Any help will be highly appreciated.
| tstats summariesonly=t prestats=t count FROM datamodel=WebAnalytics --> Produce no Result | tstats count FROM datamodel=WebAnalytics --> Produced results
VG
... View more
Labels
- Labels:
-
data model
-
summary indexing
05-07-2020
01:49 PM
Thanks for the answer Rich,
Here I have one concer , Where this app go I mean i know this will be on SH but on which cloud instance on Europe or USA splunk Cloud . Or you are saying I need to setup on prim SH like a hybrid SH and then Install this app there and it will pull details from both the Cloud instances ?
... View more
05-07-2020
01:04 PM
yeah something similar , see customer is asking how both cloud setups can be seen from single pane of glass . But we know from Splunk prespective this mean common SH which can search both the Cloud instances indexers and prepare common dashboards .
... View more
05-07-2020
12:21 PM
It is pure play Splunk Cloud managed by Splunk . The only thing that I can manage is HF,UF , DS etc and both are not connected as of now . That is what the requirement is to show both on common SH layer.
... View more
05-07-2020
11:59 AM
Hi Experts,
I have 2 Splunk cloud setup one for Europe and other is for USA . How can I give a common layer (SH) in this case ?
Regards
VG
... View more
- Tags:
- cloud
- hybrid-search
05-07-2020
06:51 AM
Worked like Charm the mistake I was doing was is values(date) . That did a trick . Thanks
... View more
05-06-2020
08:51 PM
1 Karma
Hi Experts,
I have data set like below from same index but from different sourcetype, common field on which I can join is aapid, app_id. I want to only show those app id which take more than 20 min time for approval .
Sourcetye=created
date,status,appid
18/Oct/2018 05:05:02,created,1234
18/Oct/2018 05:06:02,created,12345
18/Oct/2018 05:07:02,created,123456
Sourcetye=approved
date,status,app_id
18/Oct/2018 05:25:02,approved,1234
18/Oct/2018 05:40:02,approved,12345
On the above sample data set I am expacting a table like below.
Appid,Created time , Approved time ,totoal_time
12345,18/Oct/2018 05:06:02,18/Oct/2018 05:40:02,34min
Regards
VG
... View more
03-04-2020
12:37 PM
Never mind Got the answer on splunk Doc
Delete an app from the peer nodes
To delete an app that you previously distributed to the peers, remove its directory from the configuration bundle. When you next push the bundle, the app will be deleted from each peer.
... View more
03-04-2020
12:35 PM
Hi Experts ,
I have pushed a props.conf to all the indexers from CM using "splunk apply cluster-bundle" command . Now i want to delete this app on all the peer nods via CM only so that it gets deleted from all indexers in one shot . Can i achieve this because I do not think so rollback option works because I do not have any previou version for this app .
If I push blank props, for same sourcetype will that work ? Not sure
Regards
Vg
... View more
03-03-2020
04:21 PM
Thank you for the quick response but the only concern is via DS how I can manage this as a single stenza . That is why I was planing to use host_segment . So does this mean I have to create sepparate app per host ?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-14-2022
07:53 PM
|
Karma given to
