Activity Feed
- Posted Re: Why are we getting "error getting attributes of path "C:\pagefile.sys":..." on one set of Splunk forwarders? on Getting Data In. 02-05-2019 12:31 PM
- Posted Re: How do you visualize Cisco UCS data using the Splunk Add-on for Cisco UCS? on All Apps and Add-ons. 08-21-2015 04:21 PM
02-05-2019
12:31 PM
1 Karma
The poster's question is clearly asking about Windows. The Linux commands you've posted in your answer are not relevant to the question.
08-21-2015
04:21 PM
The add-on only comes with prebuilt dashboard panels.
1. Create a new dashboard.
2. Add a panel. The "Add Panel" dialog box slides in from the right side of the screen.
3. Search for "Cisco UCS" in the Add Panel dialog box, or expand the "Add Prebuild Panel" section. You will then see the UCS visualizations.
08-06-2015
03:21 PM
Thanks, but I already looked at those and they didn't help.
08-06-2015
03:05 PM
I want to view what Splunk sees as the running config for my universal forwarder. I read on http://blogs.splunk.com/2012/10/02/tips-and-tricks-for-the-new-guy/ that I can run ./splunk cmd btool list but that shows me the help page. The blog also says that the command takes a config file parameter, but I don't know what the options are for the config files. Besides, I want to see all of the config info, not just one piece.
How do I tell Splunk to show me all of the config?
05-19-2015
12:55 PM
Interesting. It works for answers, but not for the question. When I clicked the button to submit the original question, I briefly saw something like "gt;" appear where the greater than symbol was. Maybe there's some javascript that's trying to sanitize the input and it's clobbering the greater than symbol.
05-19-2015
12:51 PM
Another test.
Blockquote
05-19-2015
08:50 AM
Dear Splunk,
When typing a question on this site, the editor says I can blockquote by using a greater than symbol before the text. In fact, there's a button for it in the editor's toolbar.
> This text should be blockquoted.
I can see the blockquoted text in my editing preview. However, when I post the question the blockquoted part is no longer blockquoted. Instead, the greater than symbols are displayed.
It'd be great if you could fix this bug.
- Tags:
- bug
05-19-2015
08:46 AM
I have some input stanzas that look like this:
[monitor:///opt/app/master_proc*/logs/*]
[monitor:///opt/app/backup_proc*/logs/*]
[monitor:///opt/app/simulator*/logs/*]
All three of those inputs are going to a "qa" index. There are log files in other directories in the same location which I want to send to a "development" index.
I was reading http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories and saw a paragraph that said,
> "Monitor inputs may overlap. So long as the stanza names are different, Splunk Enterprise treats them as independent stanzas and files matching the most specific stanza will be treated in accordance with its settings."
Does that mean I can add a stanza after the ones above that looks like this:
[monitor:///opt/app/*/logs/*]
And it will match any files that do not match the ones above? My understanding from the documentation is that it will since it's less specific than the other three.
- Tags:
- inputs
12-12-2014
02:32 PM
@smolcj, the app named Infa-Session is the one generating those queries. Disable the app to stop the searches.
09-25-2014
06:33 PM
1 Karma
Is anyone successfully using the "Splunk for F5 Networks" app on Splunk 6.1? If so, would you be kind enough to share how to set it up?
I've installed this app on my search head and my forwarder. My network administrator configured the F5 according to the instructions in the app and has the syslog data forwarding to my Splunk forwarder. I can see the log files in the F5 index in Splunk. However, nothing appears in the "Splunk for F5 Networks" dashboards when I open it.
My knowledge of Splunk is limited. I only see a sourcetype of syslog in my F5 index. It looks like the app is expecting a sourcetype of syslog and then transforms it to one of F5:AFM:Syslog, F5:iRule:WebAccess, or F5:LTM:Syslog. Is this correct? If so, do I need a heavy forwarder for such a transformation to occur?
I'm unsure of how I would debug this problem. I would appreciate any guidance.
- Tags:
- F5 Networks - LTM
09-24-2014
10:59 PM
What version of rsyslog are you using?
09-20-2014
04:42 PM
3 Karma
There's been a recent change to the site to display accepted answers with green text on green background. I'm finding that color scheme very hard to read. Could you change it back to black text on white background?
- Tags:
- answers-site
09-14-2014
12:04 PM
Thanks. Adding limit=0 to the timechart command produced exactly the result I was looking for.
09-12-2014
12:03 PM
Splunk 6.1's license usage reporting will let me view my license usage by index for the last 30 days, but the graph only shows 10 indexes. The rest are presumably in the entry titled "OTHER". How do I get a report that lists all of my indexes? I opened the search for the graph and viewed it in the Statistics tab, but I still have a column called "OTHER".
Here's the search that I'm using. I don't see where it's combining indexes into "OTHER".
index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
| fields - "stack size"
- Tags:
- license-usage
09-11-2014
03:03 PM
@jconger, so if I understand correctly, when using a stanza like that described in tollops' question above, I can safely omit the source line since I am explicitly specifying the sourcetype. Is that correct? If so, I believe that will fix tollops' problem since source and host_segment don't work together in this instance.
09-11-2014
01:51 PM
@jconger, what's the purpose of setting source = cisco:asa in the stanza?
05-18-2014
01:13 PM
Anyone here got some recommendations for forwarding Windows event logs to Splunk without installing the Splunk forwarder software? Is there a good tool to send Windows event logs as syslog events? Our other servers and devices send their syslog data to dedicated Splunk forwarder servers. That works great so my company wants to do the same with our Windows servers.
Before anyone asks: The universal forwarder started eating up 6GB+ RAM out of 8GB on our domain controllers. It's not the first time, so it's gone and it's not coming back. So please no responses telling me to install the splunk forwarder software on the Windows servers.
Thanks.
- Tags:
- tag
04-08-2014
04:38 PM
Duplicate of http://answers.splunk.com/answers/37891/can-deployment-server-upgrade-universal-forwarders-yet
04-08-2014
03:56 PM
1 Karma
It looks like you are using the free license for Splunk since I don't see your login name in the top of the Splunk window. Splunk's free license limits some features and it's possible that the app is trying to use those features and throwing the error when it can't access them.
I didn't see anything in the app's release notes about limitations when using the free license. You might want to email support@splunk.com and ask them if they know why their app isn't working on your server. It looks like a bug with the add-on to me.
04-08-2014
03:15 PM
In what way is it preventing you from using the app? What error message do you see?
04-08-2014
03:12 PM
Splunk DB Connect supports Postgres. See here: http://answers.splunk.com/answers/54210/connect-to-postgresql-database/54213