Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About neltonk
neltonk
Path Finder
Member since:
08-18-2017
06-05-2020
Community Statistics
| Posts | 34 |
| Solutions | 1 |
| Karma Given | 6 |
| Karma Received | 6 |
| Member Since | 08-18-2017 |
Activity Feed
- Karma Re: How to change _time data for whrg. 06-05-2020 12:50 AM
- Karma Re: Using Universal forwarder to send data from files in a folder to Splunk Enterprise for mayurr98. 06-05-2020 12:49 AM
- Karma Re: Extract value for host field from log file path using the parameter host_regex in inputs.conf for gcusello. 06-05-2020 12:49 AM
- Karma Re: What are the steps to remove data from an indexer cluster? for adonio. 06-05-2020 12:49 AM
- Karma Re: In a Splunk cluster, is it good practice to have indexer peers to be as search peers? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Where to perform field extraction in Splunk cluster for FrankVl. 06-05-2020 12:49 AM
- Got Karma for Can I configure universal forwarder to listen to a TCP port?. 06-05-2020 12:49 AM
- Got Karma for Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data. 06-05-2020 12:49 AM
- Got Karma for Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data. 06-05-2020 12:49 AM
- Got Karma for Re: Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data. 06-05-2020 12:49 AM
- Got Karma for App created in Master and deployed to indexers not visible in searchhead. 06-05-2020 12:49 AM
- Got Karma for Where to perform field extraction in Splunk cluster. 06-05-2020 12:49 AM
- Posted Re: How to change _time data on All Apps and Add-ons. 12-18-2018 02:39 AM
- Posted Re: How to change _time data on All Apps and Add-ons. 12-17-2018 09:11 AM
- Posted Re: How to change _time data on All Apps and Add-ons. 12-17-2018 04:51 AM
- Posted Re: Users who are logged in right now on Splunk Search. 10-12-2018 03:04 AM
- Posted Re: Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data on All Apps and Add-ons. 08-14-2018 01:51 AM
- Posted Re: Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data on All Apps and Add-ons. 08-09-2018 05:46 PM
- Posted Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data on All Apps and Add-ons. 08-08-2018 10:03 PM
- Tagged Using Splunk DB Connect to join splunk index to a table in sql server and fetch relevant data on All Apps and Add-ons. 08-08-2018 10:03 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-17-2018
09:11 AM
Hi,
I have tried to apply this in non-prod before applying in PROD. I have few questions... Please help.
As shown in the image, the rule is being applied to the first row with the headers, how to ignore the rule for the first row?
The date is being picked up however, it is adding 1 hour to the time. Now sure what is wrong here...
Thanks a lot for your help.
Best regards,
Nelton
... View more
12-17-2018
04:51 AM
Hi
Thanks for your response.
We are absolutely new to Splunk, please help...
We have a 5 node splunk cluster - 3 indexers, 1 master and 1 search head. We have ingested the data from meinberg clocks as illustrated above by my colleague. The data is exactly as represented above, nothing is masked.
The data is updated at source once a day and splunk is picking up the _time value as the splunk ingestion time. We want to change this to pick the time in the last column.
Do we need to delete the existing data in Splunk for this change.
The inputs.conf for universal forwarder is :
[monitor://\\ldn\dfs01\PTPLogs\DomainTime\MeinbergClocks]
host_regex = Clocks\(\w+).mrs
disabled = false
sourcetype = clocktimesynclogs
index = indexclocktimesynclogs
Should we add your suggested config to the end of the inputs.conf:
DATETIME_CONFIG =
1. NO_BINARY_CHECK = true
2. SHOULD_LINEMERGE = false
3. TIME_FORMAT = %Y%m%d/%H:%M:%S/%Z
4. TIME_PREFIX = ([^\s]+\s+){9}
5. category = Custom
6. pulldown_type = true
Thanks a lot for your help.
Best regards,
Nelton
... View more
10-12-2018
03:04 AM
index=_audit NOT user="n/a" NOT user="splunk-system-user" NOT "schedulernobody_search" | stats max(timestamp) by user
... View more
08-14-2018
01:51 AM
1 Karma
fixed the query myself...
index=indexwintimesynclogs NOT (ServerName=UAT OR ServerName=DEV)|eval ServerName=replace(ServerName, ".+?(\/)",""), offset=Delta|where (offset>0.0001 OR offset<-0.0001) | stats max(offset) as offset, count(offset) as violations by ServerName, TimeSource|sort -offset
| dbxlookup connection="CMDB" query="SELECT upper([T0].[COMPUTERNAME]) As 'Server',
[T0].AD_DOMAINNAME,
[T0].[COMPUTERENVIRONMENT] As 'Environnement',
[T0].[OSNAME] As 'OS',
[T0].[Id_location] AS 'Location',
[T2].[APPLICATIONNAME] As 'ApplicationName',
[T2].[APPLICATIONCODE] As 'ApplicationCode',
[T2].ID_MANAGEMENTTEAM As 'Management team (Application)'
FROM [Publishing].[dbo].INFRASTRUCTURE_Server AS T0 with (nolock)
JOIN [Publishing].[dbo].GENERAL_Relations AS T1 with (nolock) ON T0.ID_SERVER = T1.ID_PARENT AND T1.CIT_PARENT = 'Server' AND LINKTYPE = 'CST_APP2SRV'
JOIN [Publishing].[dbo].APPLICATION_Application AS T2 with (nolock) ON T2.ID_APPLICATION = T1.ID_CHILD AND T1.CIT_CHILD = 'Application'
LEFT JOIN [Publishing].[dbo].ORGANIZATION_BusinessLine AS T3 with (nolock) ON T2.ID_BUSINESSLINE_OWNER = T3.ID_BUSINESSLINE
WHERE T0.AM_ASSIGNMENT='0' and T0.COMPUTERENVIRONMENT = 'PROD' and T1.CRSTATE = 'In Service'" Server as ServerName OUTPUT OS AS OS, ApplicationName AS Application
... View more
08-09-2018
05:46 PM
Please assist... I am unable to setup a Lookup using DBConnect? Is DBConnect Lookup the solution for my requirement?
... View more
08-08-2018
10:03 PM
2 Karma
Hi,
I am new to SPL and Splunk. I use the following query to find PTP violations per server
index=indexwintimesynclogs|eval offset=Delta|where offset>0.0001 and like(ServerName,"%PRD%") | stats max(offset) as offset, count(offset) as violations by ServerName, TimeSource|sort -offset
Now I want to join the results of this query to the CMDB database and get the OS and Application details for each server reported by the above query.
What I have done so far?
- I have wrote the SQL query that is required to fetch data from CMDB
- Installed the App DB Connect and configured connection to CMDB
- Tested the connectivity and DB query -> Splunk DB Connect->Data Lab -> SQL Explorer
- I tried using dbxlookup to join:
index=indexwintimesynclogs|eval offset=Delta|where offset>0.0001 and like(ServerName,"%PRD%") | stats max(offset) as offset, count(offset) as violations by ServerName, TimeSource|sort -offset
| dbxlookup connection="CMDB" query="SELECT [T0].[COMPUTERNAME] As 'Server',
[T0].AD_DOMAINNAME,
[T0].[COMPUTERENVIRONMENT] As 'Environnement',
[T0].[OSNAME] As 'OS',
[T0].[Id_location] AS 'Location',
[T2].[APPLICATIONNAME] As 'ApplicationName',
[T2].[APPLICATIONCODE] As 'ApplicationCode',
[T2].ID_MANAGEMENTTEAM As 'Management team (Application)'
FROM [Publishing].[dbo].INFRASTRUCTURE_Server AS T0
JOIN [Publishing].[dbo].GENERAL_Relations AS T1 ON T0.ID_SERVER = T1.ID_PARENT AND T1.CIT_PARENT = 'Server' AND LINKTYPE = 'CST_APP2SRV'
JOIN [Publishing].[dbo].APPLICATION_Application AS T2 ON T2.ID_APPLICATION = T1.ID_CHILD AND T1.CIT_CHILD = 'Application'
LEFT JOIN [Publishing].[dbo].ORGANIZATION_BusinessLine AS T3 ON T2.ID_BUSINESSLINE_OWNER = T3.ID_BUSINESSLINE
WHERE T0.AM_ASSIGNMENT='0' and T0.COMPUTERENVIRONMENT = 'PROD' and T1.CRSTATE = 'In Service' ORDER BY T0.COMPUTERNAME" Server as ServerName OUTPUT OS AS OS, ApplicationName AS ApplicationIt does not work...
I tried creating a lookup under - Splunk DB Connect->Data Lab->Lookups
The query gets stuck at the first step - "Set Reference Search"
index=indexwintimesynclogs|eval offset=Delta|where offset>0.0001 and like(ServerName,"%PRD%") | stats max(offset) as offset, count(offset) as violations by ServerName, TimeSource|sort -offset
Search hangs with message - No fields found, forget to run the search?
Please help me...
... View more
07-31-2018
10:47 PM
Thanks a lot... That worked
... View more
07-31-2018
05:06 PM
Hi,
I am new to Splunk, could you please help?
I have a Splunk cluster - 1 Master(also the license master), 3 node indexer cluster, 1 search head. I want to delete data in a specific index
Could you please verify if the following steps are correct to delete event data?
On the Master Node : put cluster in maintenance mode
stop indexers - splunk stop on each indexer
remove data using the command splunk clean eventdate -index xyz - where do I run this command - on each indexer node ?
start indexers - splunk start on each indexer
On Master Node : disable Maintenance node
... View more
07-31-2018
05:03 PM
New to splunk please help...
I have a splunk cluster - 1 Master(also the license master), 3 node indexer cluster, 1 search head. I want to delete data in a specifi index
Could you please verify if the following steps are correct to delete event data?
On the Master Node : put cluster in maintenance mode
stop indexers - splunk stop on each indexer
remove data using the command splunk clean eventdate -index xyz - where do I run this command - on each indexer node ?
start indexers - splunk start on each indexer
On Master Node : disable Maintenance node
... View more
07-20-2018
03:32 AM
And when done on indexer, will I be using the splunk web to do this or should this be done using props.conf.
Thanks,Nelton
... View more
07-20-2018
03:31 AM
Thanks a lot for your quick response... if I have to override the host field, do I have to do the field extraction on each indexer? Please let me know.
... View more
07-20-2018
03:14 AM
1 Karma
Hi, I am new to Splunk. I have built a splunk cluster (3 indexers, 1 master(also the license master), 1 search head).
I have deployed universal forwarders to all the servers using ansible and I am getting the data that I require. However I am not sure where do I now extract fields - in the indexers or search head?
Please advice...
Thanks,
Nelton
... View more
07-05-2018
08:00 AM
This i done... when i click Distributed Environment -> Indexer clustering on the search head. I see the node listed as Search Head. The Cluster Master is listed under the section Clusters searched.
... View more
07-05-2018
07:46 AM
Hi I have created a splunk cluster with the following configuration:
1 * Master (also the licensing master) - indexing turned off
3 * Inders peers
1 * Standalone search head - index turned off
I have created a basic configuration bundle - a folder for myapp1 under in master-apps on the master node:
$SPLUNK_HOME/etc/master-apps/
_cluster/
default/
local/
/ indexes.conf
I validated the bundle and on success applied to cluster. This created the index and app on the indexers. I have uploaded some data into the index. It is all green on the cluster dashboard but I cannot see the indexes on the searchhead. What should be done to view the indexes on the searchead. I am new to Splunk, have been asked to provision a splunk cluster... Please help.
Thanks,
Nelton
... View more
07-05-2018
04:35 AM
And also I have disabled indexing on my search head, but the packaged app file will have the indexes.conf; will this be ignored?
... View more
07-05-2018
02:39 AM
Thanks a lot for your reply. If I package the app folder under master-apps on the master node. But this folder only has the indexes.conf and not the app.conf. is that ok?
... View more
07-05-2018
02:36 AM
Thanks a lot for all your patient replies
It is standalone implementation. I only configured the clustering for indexers according to splunk documentation. I have packaged the app folder from the indexer node and deployed to the SH but this only has app.conf . I restarted splunk on SH and the app is visible.
Is this correct?
or should I package the app folder under master-apps on the master node(as Woodcock suggested). But this folder only has the indexes.conf and not the app.conf
... View more
07-04-2018
08:49 AM
How can I deploy the app that I created manually with an index to the standalone search head? is it possible that the app and the associated indexes be visible to the user on the search head? I am a bit confused after reading about deployer component of splunk. Should I be packaging the app to deploy to search head or use the deployer?
... View more
07-04-2018
08:19 AM
Hi Giuseppe,
Thanks for the quick reply. How can I deploy the app that I created manually to the standalone search head? Will the app and the associated indexes be visible to the user on the search head?
regards,
Nelton
... View more
07-04-2018
07:42 AM
1 Karma
Hi, I have recently installed a Splunk cluster. My configuration is supposed to be 1 Master(also the licensing master) , 3 indexer peers, *1 search head : indexing turned off *. I have created a basic configuration bundle - a folder for myapp1 under in master-apps on the master node:
$SPLUNK_HOME/etc/master-apps/
_cluster/
default/
local/
/
indexes.conf
validated the bundle and on success applied to cluster. This created the index and app on the indexers. I had to make the app visible on the indexers however I don't see the app on the search head. How do I make sure the app is visible to users who will only login to the search head. is there another procedure for this? Please help.
Thanks,
Nelton
... View more
06-20-2018
09:28 PM
Thanks a lot for the quick response. I can now proceed with the next steps...
... View more
06-20-2018
09:26 PM
Thanks a lot for the quick response
... View more
06-20-2018
11:05 AM
Hi, I have just installed a Splunk cluster. My configuration is supposed to be 1 Master(also the licensing master) , 3 peers, 1 search head.
However after installation in the cluster dashboard on the master, I see two search heads.
In the search heads tab in the clustering dashboard of the master, I see two search heads listed. I dont see any option to remove the master node.
The master node has automatically assigned it self as search head? is this correct? if no, how do I correct this situation?
The Search Head dashboard, I see the cluster Master listed correctly. Under Search peers in Distributed Search, I see the 3 indexer peers listed as search peers. the master node is not listed as search peer. It does not reflect the master node dashboard. is it a good practice to have indexer peers to be as search peers? I am confused here and need some help.
I am new to splunk and have not attended the clustering training yet, so please I need help.
... View more
02-07-2018
03:19 AM
I am working with clock sync log files. The top 3 lines have the ip address -> MAC address mapping... The rest of the lines have the offset and sync-delay details of each host with the MAC address. (format shown below). Is it possible to extract the ip address from the first three lines and map it to each log entry in my offset report.
{ "node": {"port-id": "000f:53ff:fe59:f640.1", "domain": 3, "address": "10.0.0.1" } }
{ "node": {"port-id": "000f:53ff:fe59:f720.1", "domain": 1, "address": "10.0.0.2" } }
{ "node": {"port-id": "000f:53ff:fe59:f620.2", "domain": 0, "address": "10.0.0.3" } }
{ "rx-event": {"monitor-seq-id": 0, "monitor-timestamp": "2018-01-02 03:24:08.454728", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18218, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863478.454504073 } }
{ "rx-event": {"monitor-seq-id": 1, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18219, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863479.454501525 } }
{ "rx-event": {"monitor-seq-id": 2, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18220, "offset-from-master": -11.000000, "mean-path-delay": 1771.000000, "sync-ingress-timestamp": 1514863480.454500265 } }
{ "rx-event": {"monitor-seq-id": 3, "monitor-timestamp": "2018-01-02 03:24:08.454730", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18221, "offset-from-master": -13.000000, "mean-path-delay": 1773.000000, "sync-ingress-timestamp": 1514863481.454496428 } }
{ "rx-event": {"monitor-seq-id": 4, "monitor-timestamp": "2018-01-02 03:24:08.454731", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18222, "offset-from-master": 20.000000, "mean-path-delay": 1781.000000, "sync-ingress-timestamp": 1514863482.454495132 } }
{ "rx-event": {"monitor-seq-id": 5, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18223, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863483.454491258 } }
{ "rx-event": {"monitor-seq-id": 6, "monitor-timestamp": "2018-01-02 03:24:08.454732", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18224, "offset-from-master": 13.500000, "mean-path-delay": 1774.500000, "sync-ingress-timestamp": 1514863484.454488702 } }
{ "rx-event": {"monitor-seq-id": 7, "monitor-timestamp": "2018-01-02 03:24:08.454733", "node": "000f:53ff:fe59:f640.1", "parent-port": "ec46:70ff:fe00:be6d.1", "sync-seq": 18225, "offset-from-master": 15.500000, "mean-path-delay": 1767.500000, "sync-ingress-timestamp": 1514863485.454487436 } }
{ "rx-event": {"monitor-seq-id": 8, "monitor-timestamp": "2018-01-02 03:24:08.788909", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47448, "offset-from-master": 26.500000, "mean-path-delay": 1894.500000, "sync-ingress-timestamp": 1514863478.788863443 } }
{ "rx-event": {"monitor-seq-id": 9, "monitor-timestamp": "2018-01-02 03:24:08.788910", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47449, "offset-from-master": 9.000000, "mean-path-delay": 1897.000000, "sync-ingress-timestamp": 1514863479.788860880 } }
{ "rx-event": {"monitor-seq-id": 10, "monitor-timestamp": "2018-01-02 03:24:08.788911", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47450, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863480.788858317 } }
{ "rx-event": {"monitor-seq-id": 11, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47451, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863481.788857043 } }
{ "rx-event": {"monitor-seq-id": 12, "monitor-timestamp": "2018-01-02 03:24:08.788912", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47452, "offset-from-master": 8.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863482.788853191 } }
{ "rx-event": {"monitor-seq-id": 13, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47453, "offset-from-master": -1.000000, "mean-path-delay": 1896.000000, "sync-ingress-timestamp": 1514863483.788851917 } }
{ "rx-event": {"monitor-seq-id": 14, "monitor-timestamp": "2018-01-02 03:24:08.788913", "node": "000f:53ff:fe59:f720.1", "parent-port": "ec46:70ff:fe00:be68.1", "sync-seq": 47454, "offset-from-master": -3.500000, "mean-path-delay": 1893.500000, "sync-ingress-timestamp": 1514863484.788848072 } }
I am new to Splunk and regex... please help.
... View more
