Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About naydenk
naydenk
Path Finder
Member since:
01-03-2012
06-05-2020
Community Statistics
| Posts | 32 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 7 |
| Member Since | 01-03-2012 |
Activity Feed
- Karma Re: Timechart of two perf counters values' product for bmacias84. 06-05-2020 12:46 AM
- Karma Re: Reporting on or displaying local PerfMon data for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: Field Extraction in Message field of Windows Event Log for kristian_kolb. 06-05-2020 12:46 AM
- Karma Re: How to subtract 30 minutes from now() using eval for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Upgrading from 4.3.3 to 4.3.4 for sowings. 06-05-2020 12:46 AM
- Karma Re: Percentile Implementation for steveyz. 06-05-2020 12:46 AM
- Karma Re: Indexing and extracting fields from IIS 7.5 logs for richnavis. 06-05-2020 12:46 AM
- Got Karma for Using rex to extract one or two character digit from string. 06-05-2020 12:46 AM
- Got Karma for IIS logs and timezone. 06-05-2020 12:46 AM
- Got Karma for Universal Forwarder queue size. 06-05-2020 12:46 AM
- Got Karma for Re: Universal Forwarder queue size. 06-05-2020 12:46 AM
- Got Karma for UniversalForwarder fails to connect with "No connection could be made because the target machine actively refused it". 06-05-2020 12:46 AM
- Got Karma for UniversalForwarder fails to connect with "No connection could be made because the target machine actively refused it". 06-05-2020 12:46 AM
- Got Karma for UniversalForwarder fails to connect with "No connection could be made because the target machine actively refused it". 06-05-2020 12:46 AM
- Karma Re: index and alert on any host by total count for David. 06-05-2020 12:45 AM
- Karma Re: Updating Splunk instances for Genti. 06-05-2020 12:45 AM
- Posted Re: IIS Logs & WebIntelligence on Getting Data In. 01-14-2013 05:55 AM
- Posted Re: IIS Logs & WebIntelligence on Getting Data In. 01-10-2013 12:38 PM
- Posted Re: Timechart of two perf counters values' product on Splunk Search. 11-16-2012 12:36 PM
- Posted Re: Timechart of two perf counters values' product on Splunk Search. 11-16-2012 12:12 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 3 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 |
01-14-2013
05:55 AM
I am not familiar with that app, so I can't say for sure... The summary index may get fed by something you have to enable in the app configuration. If you see the data from your logs get into the index called webintelligence (do a simple search 'index=webintelligence' for the past 24 hours or whatever you think is good to see data), then your data is flowing into Splunk OK. The app may have special filters and queries that expect data certain way - you can either look at its configs and try to see what it expects, post them here or maybe contact Splunk Support, depending on your comfort level.
... View more
01-10-2013
12:38 PM
The only difference with mine is that in my props.conf on the indexer, I have these two set (differently than yours):
CHECK_FOR_HEADER = False
TZ = UTC
I also have this entry in the props.conf on the client UF, but I think it is not needed/used:
[source::(?i)...\\inetpub\\logs\\u*.log]
... View more
11-16-2012
12:36 PM
That was perfect! The self join was definitely necessary. And thank you for breaking it down - it helps understand how to build it myself next time (taught me how to fish... 🙂 )
... View more
11-16-2012
12:12 PM
I had tried that too, without success.
I just tried removing the last piped command (| timechart max(FailureRatio) by host) and changing the fields command to "fields _time, host, QueriesTotal, QueryFailureTimeout, FailureRatio" - it looks like the calculation may not be working because (I am theorizing) it is trying to do the calculation between values logged at the same exact _time. Since the counters will very rarely have the same timestamp, the calculation fails. If this theory is correct, how do I get it to do the division using numbers from the same minute?
... View more
11-16-2012
11:08 AM
Hello
I need some help with the following scenario:
I am collecting two perf counters, CounterA and CounterB, from multiple hosts. I want to be able to timechart the following:
Ratio = CounterA / CounterB * 100
per host. I tried this:
index=perfmon object="Core DataAccess" instance="_total" counter="Query Failures - Timeout" | eval QueryFailureTimeout=Value | appendpipe [search index=perfmon object="Core DataAccess" counter="Queries" | eval QueriesTotal=Value] | eval FailureRatio=(QueryFailureTimeout/QueriesTotal*100) | fields _time, host, FailureRatio | timechart max(FailureRatio) by host
but it does not seem to work - it looks like the FalureRatio is not getting calculated...
Thank you in advance!
... View more
11-09-2012
01:30 PM
OK, I will try typeperf and post back. Thanks!
... View more
11-09-2012
01:29 PM
one last thing, when the CUF connections get dropped from ESTABLISHED to CLOSE_WAIT the splunkd.log has these:
11-09-2012 16:09:59.416 -0500 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
11-09-2012 16:11:09.547 -0500 INFO TailingProcessor - ...continuing.
11-09-2012 16:11:19.565 -0500 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
I will keep digging and post back any resolution.
... View more
11-09-2012
01:27 PM
vCPUs - the Ready counter was at ~150ms with 4 vCPUs. I dropped the CPUs to 2, which dropped it to ~50ms (so I guess an approx 25ms improvement). Then I isolated the box onto its own host - a beefy box (2 physical 12-core CPUs, 96 GB RAM). Being the single guest on the host the Ready counter dropped to ~30ms. Not sure if this is a good value. The other IUF (handling 600 CUFs) shows a Ready value of 45 with 4 vCPUs, so it id definitely a little better, but I dont think that would explain it.
I am still leaning toward something with either splunkd config or TCP tunning needed due to the latency
... View more
11-09-2012
01:20 PM
Thanks bmacias84, these are definitely helpful suggestions. Here is what I have done so far:
Port exchaustion - I don't think this is the case - at any given time I have less than 1000 ports used, between ESTABLISHED, CLOSE_WAIT and TIME_WAIT states. The server is supposed to get ~300 clients connecting to it, which fail over to the remote IUF, and that one handles the total ~600 without issues (and as I mentioned both UFs are identically built). I will have to look into your TCB/SYN attack suggestions a little further.
I will continue in the next comment...
... View more
11-09-2012
07:56 AM
Yes, it is a VM and it is Windows 2008 R2 Enterprise SP1, 8GB RAM 4 vCPUs. It is the exact same config as the IUF in the datacenter closer to the indexer, by the way (and that IUF is not showing issues).
The CUFs are setup to LB between the two IUFs (initially I had them only pointing to the closer one). Total count between the two datacenters is approx 500, split evenly between the two.
... View more
11-09-2012
07:19 AM
Nothing has been changed on the intermediary UFs, all default settings.
The IUF that is having the issue is in a remote datacenter, ~70 ms away from the indexer. It did not used to have the issue when it was just a few (<50) client UFs forwarding to it. It could be the latency, because the IUF that is in the same datacenter as the indexer does not exhibit this behavior, but... But there has to be a way around this - I can't imagine I am the only person forwarding splunk data across WANs...
... View more
11-09-2012
07:03 AM
I have a case open with Splunk Support. They are trying to figure it out. I will post my findings and their reponse as soon as I get anything good.
... View more
10-31-2012
12:00 PM
Thank you! Now that I see it, it makes sense... 🙂 I am relatively new to regex and it looks like I still need to learn some key concepts, including how it is used in splunk. Your answer helped clear some things up, in addition to working perfectly, thank you!
... View more
10-31-2012
09:06 AM
1 Karma
Hello
I am trying to extract some digits from a string and I can't seem to get the regex to work. Here is an example of my strings:
ABC-F1KLMNOP7
ABC-F12KLMNOP8
ABC-F2KLMNOP55
ABC-F14KLMNOP66
I want to be able to extract the 1 or 2 digits, depending on whether there is a single digit or 2, starting at the 6th character (in effect pulling just the 6th, or 6th and 7th). In the strings above, I would expect my rex to match 1, 12, 2 and 14.
What I tried is this:
rex field=host .(?<Farm>(\d{1}))
rex field=host .(?<Farm>(\d{2}))
rex field=host .(?<Farm>(\d{1,2}))
The first one works, but returns only the first character (resulting in 1,1,2,1, in the above example) - this is expected. The second works, but returns a value consisting of 2 digits, missing the ones that have a single digit (resulting in 12, 14 in the above example) - this is also expected. The last rex does not work at all - this is not expected. If I understand correctly, {1,2} means the \d should be matched one or two times. Apparently I am wrong...
I suppose I could also do it with a regex matching the 6th and/or 7th character, but that seems like it would be more complex, and not exactly 'ideal'.
... View more
- Tags:
- rex
10-30-2012
01:48 PM
OK, I added the files to the .\Splunk\etc\system\local directory of the indexer/search head and it is working! I wish I had asked this earlier... 🙂 Thank you!
... View more
10-30-2012
12:58 PM
That makes sense... 🙂 Which directory should I place them in?
... View more
10-30-2012
12:51 PM
To clarify the path of the logs in my above post - it is:
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default
... View more
10-30-2012
12:49 PM
Hello
I am having a difficult time getting Splunk to recognize fields from my IIS 7.5 logs. I know that there are many, many posts in splunk-base regarding this - I have looked through many of them and tried the suggested answers in at least 8-10 different posts. None of them have worked for me, eventhough I don't have a custom config - just a standard IIS server with logging enabled and default fields selected. The files get indexed, but the fields are not recognized (i.e. I cannot simply search for "time-taken > 50" within the data indexed from these logs)
Here is my full config:
Splunk versions:
Client UF: 4.3.3
Intermediary UF: 4.3.3
Indexer: 4.3.4
Client UF sends data to intermediary UF, which sends it to the indexer.
My config current config (and last attempt to make this work) on the Client UF is:
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\inputs.conf
[monitor://C:\inetpub\logs]
disabled = false
followTail = 0
sourcetype = iisw3c
index = testindex
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\props.conf
[iisw3c]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iisw3cfields = iisw3cfields
TRANSFORMS-removecomments = removecomments
C:\Program Files\SplunkUniversalForwarder\etc\apps\app_A\default\transforms.conf
[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue
[iisw3cfields]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken
What I am doing wrong?
Thanks in advance!
... View more
10-02-2012
12:56 PM
1 Karma
Thank you MuS! It turns out the queue referred to as "splunktcpin" in the metrics.log is actually the splunk listener on port 9997, defined by .\etc\system\local\inputs.conf with this stanza
[splunktcp://9997]
queueSize = 10MB #<-- this is my change
The other one I had issues with, parsingQueue (which alacercogitatus helped me with), is defined in a different conf file - .\etc\system\local\server.conf, with:
[queue=parsingQueue]
maxSize = 30MB #<-- this is my change
A little confusing... 😞
Thank you both!
... View more
10-02-2012
04:50 AM
3 Karma
Hello
I have multiple client UFs sending to an intermediary UF, which then forwards to an indexer. Sporadically, the client UFs will log the messages below:
10-02-2012 07:31:58.403 -0400 WARN TcpOutputProc - Cooked connection to ip=10.x.y.60:9997 timed out
10-02-2012 07:32:28.389 -0400 WARN TcpOutputProc - Cooked connection to ip=10.x.y.60:9997 timed out
10-02-2012 07:32:39.389 -0400 WARN TcpOutputFd - Connect to 10.x.y.60:9997 failed. No connection could be made because the target machine actively refused it.
10-02-2012 07:32:39.389 -0400 ERROR TcpOutputFd - Connection to host=10.x.y.60:9997 failed
10-02-2012 07:32:39.389 -0400 WARN TcpOutputProc - Applying quarantine to idx=10.x.y.60:9997 numberOfFailures=2
Also, when I check the port, the intermediary UF is indeed NOT listening (as seen from the client UF side):
c:\Program Files\SplunkUniversalForwarder\bin>portqry -n 10.x.y.60 -e 9997 -i
Querying target system called:
10.x.y.60
TCP port 9997 (unknown service): NOT LISTENING
A couple of seconds later, the same command will show it LISTENING. In addition, the client UF and intermediary UF are on the same LAN, so latency between them is <1ms.
At the same time, the intermediary UF logs this:
10-02-2012 07:32:26.235 -0400 WARN PipelineInputChannel - channel "source::C:\Logs\BI-msg.txt20120915|host::MYHOST2|BI-msg-2|remoteport::64024" ended without a done-key
10-02-2012 07:32:33.735 -0400 WARN PipelineInputChannel - channel "source::C:\Logs\AppLog.txt|host::MYHOST1|AppLog|remoteport::62340" ended without a done-key
10-02-2012 07:32:33.735 -0400 WARN PipelineInputChannel - channel "source::C:\Logs\AppLog.txt.4|host::MYHOST1|AppLog|remoteport::62340" ended without a done-key
10-02-2012 07:32:51.736 -0400 WARN PipelineInputChannel - channel "source::C:\Logs\AppLog.txt|host::MYHOST1|AppLog|remoteport::62339" ended without a done-key
and splunkd on the intermediary has not crashed. The metrics.log file on the intermediary UF does not show blocked queues either.
Some of the data Splunk is supposed to index on the client is not making it to the indexer, I am guessing because of all this flapping... Any ideas why this is?
... View more
09-29-2012
01:13 PM
Thank you alacercogitatus - parsingQueue seems to have done the trick for that queue (I guess in the metrics.log the case is not correct). The only other one that I see still getting blocked relatively frequently is the splunktcpin, which also does not seem to get affected by the global [queue] stanza. I tried splunkTcpIn - that does not seem to be it. Any suggestions on what the case for this one would be? I can't seem to find documentation on that (other than all lower case)
... View more
09-29-2012
03:52 AM
1 Karma
Hello
I have a Universal Forwarder that acts as an intermediary forwarder between about 200 other UFs and the Indexer. Data from the client UFs gets delayed or not sent at all and digging through the logs, I noticed this:
On the client UF:
09-29-2012 05:42:07.620 -0400 WARN TcpOutputFd - Connect to 10.xx.xx.60:9997 failed. No connection could be made because the target machine actively refused it.
09-29-2012 05:42:07.620 -0400 ERROR TcpOutputFd - Connection to host=10.xx.xx.60:9997 failed
09-29-2012 05:42:07.620 -0400 WARN TcpOutputProc - Applying quarantine to idx=10.xx.xx.60:9997 numberOfFailures=52
On the intermediary UF:
splunkd.log:
09-29-2012 06:35:48.722 -0400 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
09-29-2012 06:35:49.504 -0400 INFO TailingProcessor - ...continuing.
metrics.log:
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=fschangemanager_queue, max_size_kb=5120, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=indexqueue, max_size_kb=10240, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=nullqueue, max_size_kb=10240, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=512, current_size_kb=511, current_size=409, largest_size=445, smallest_size=163
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=splunktcpin, max_size_kb=500, current_size_kb=423, current_size=218, largest_size=442, smallest_size=152
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=tcpin_queue, max_size_kb=10240, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
09-29-2012 06:27:24.509 -0400 INFO Metrics - group=queue, name=winparsing, max_size_kb=10240, current_size_kb=0, current_size=0, largest_size=1, smallest_size=0
I already updated the etc\system\local\server.conf on the intermediary UF adding this:
[queue]
maxSize = 10MB
[queue=parsingqueue]
maxSize = 10MB
[queue=splunktcpin]
maxSize = 10MB
however, as you can see from the log, those two queues are the only ones that seem to not get affected, showing max_size_kb to be 500-512 KB, instead of the 10 MB I set. Any idea why? Or am I not even on the right track?
... View more
09-02-2012
08:59 AM
Thanks yannK. I see the role (can_delete) but I also have a user, 'delete_admin', that has the role 'can_delete'. It sounds like it may be something that was created during install? If that is the case, my guess would be it has a default password of some sort, which would be a good idea to reset. Any ideas?
... View more
09-01-2012
08:35 AM
What is the default password for delete_admin? Is it safe to reset it from the admin interface?
... View more
