Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About eallanjr
eallanjr
Explorer
Member since:
01-11-2012
06-05-2020
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 4 |
| Member Since | 01-11-2012 |
Activity Feed
- Got Karma for Re: searching for linux audit events?. 08-14-2020 06:23 AM
- Got Karma for Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder?. 06-05-2020 12:47 AM
- Got Karma for Re: Reliability of Cisco eStreamer App. 06-05-2020 12:47 AM
- Got Karma for Re: tiered deployment server says deployment apps aren't installing. 06-05-2020 12:46 AM
- Karma Re: Tiered Deployment Servers, is it possible? for gr. 06-05-2020 12:45 AM
- Posted Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder? on Getting Data In. 04-27-2015 07:33 AM
- Tagged Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder? on Getting Data In. 04-27-2015 07:33 AM
- Tagged Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder? on Getting Data In. 04-27-2015 07:33 AM
- Tagged Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder? on Getting Data In. 04-27-2015 07:33 AM
- Tagged Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder? on Getting Data In. 04-27-2015 07:33 AM
- Tagged Why is a monitored file behaving like a batch file on a Splunk 6.2.1 Universal forwarder? on Getting Data In. 04-27-2015 07:33 AM
- Posted Re: How to prevent search head from searching peer by default? on Deployment Architecture. 08-18-2014 12:53 PM
- Posted Re: Reliability of Cisco eStreamer App on All Apps and Add-ons. 08-18-2014 12:35 PM
- Posted How to prevent search head from searching peer by default? on Deployment Architecture. 08-18-2014 12:06 PM
- Tagged How to prevent search head from searching peer by default? on Deployment Architecture. 08-18-2014 12:06 PM
- Tagged How to prevent search head from searching peer by default? on Deployment Architecture. 08-18-2014 12:06 PM
- Tagged How to prevent search head from searching peer by default? on Deployment Architecture. 08-18-2014 12:06 PM
- Posted Re: searching for linux audit events? on Splunk Search. 02-28-2014 08:50 AM
- Posted Re: tiered deployment server says deployment apps aren't installing on Deployment Architecture. 02-26-2013 11:45 AM
- Posted Re: cisco asa firewall logs on Getting Data In. 06-21-2012 08:22 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 |
04-27-2015
07:33 AM
1 Karma
I have a monitored file input for a .tsv file that gets updated via a SQL query every hour. However, the data is only showing up in the index periodically (haven't been able to determine the frequency, but it isn't hourly like it should be). If I restart the forwarder I see the TailingProcessor add a watch, but the file subsequently gets handled by the BatchReader as shown in the log snippet below. For other files inputs using the [monitor://...] stanza I don't see any log entries related to the BatchReader, any ideas why this one is being treated any differently? Universal forwarder is version 6.2.1.
# grep metrics5.tsv /opt/splunkforwarder/var/log/splunk/splunkd.log
04-27-2015 09:46:13.653 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///data/log/hadoop_job_metrics/metrics5.tsv.
04-27-2015 09:46:13.653 -0400 INFO TailingProcessor - Adding watch on path: /data/log/hadoop_job_metrics/metrics5.tsv.
04-27-2015 09:46:13.660 -0400 INFO BatchReader - Removed from queue file='/data/log/hadoop_job_metrics/metrics5.tsv'.
04-27-2015 10:01:47.734 -0400 INFO BatchReader - Removed from queue file='/data/log/hadoop_job_metrics/metrics5.tsv'.
The API also indicates it is being read in batch mode:
https://localhost:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus
/data/log/hadoop_job_metrics/metrics5.tsv
file position 23783042
file size 23783042
percent 100.00
type done reading (batch)
inputs.conf:
[monitor:///data/log/hadoop_job_metrics/metrics5.tsv]
disabled = false
sourcetype = hadoop_job_metrics_v2
index = main
crcSalt = <SOURCE>
props.conf:
[hadoop_job_metrics_v2]
FIELD_DELIMITER = tab
FIELD_NAMES = JOB_ID,JOB_STATUS,JOB_FAILED_MAP_ATTEMPTS,JOB_FAILED_REDUCE_ATTEMPTS,JOB_FILE_BYTES_WRITTEN,JOB_FINISHED_MAP_TASKS,JOB_FINISHED_REDUCE_TASKS,JOB_PRIORITY,JOB_TOTAL_LAUNCHED_MAPS,JOB_TOTAL_LAUNCED_REDUCES,JOB_CPU_MILLISECONDS,MAP_CPU_MILLISECONDS,RED_CPU_MILLISECONDS,JOB_MAPRFS_BYTES_READ,MAP_MAPRFS_BYTES_READ,RED_MAPRFS_BYTES_READ,JOB_MAPRFS_BYTES_WRITTEN,MAP_MAPRFS_BYTES_WRITTEN,RED_MAPRFS_BYTES_WRITTEN,JOB_PHYSICAL_MEMORY_BYTES,MAP_PHYSICAL_MEMORY_BYTES,RED_PHYSICAL_MEMORY_BYTES,JOB_VIRTUAL_MEMORY_BYTES,MAP_VIRTUAL_MEMORY_BYTES,RED_VIRTUAL_MEMORY_BYTES,JOB_NAME,PARENT_JOB_ID,USER_SUBMITTED,TIME_SUBMITTED,TIME_STARTED,TIME_FINISHED,CLUSTER_ID,CREATED
HEADER_FIELD_DELIMITER = tab
INDEXED_EXTRACTIONS = tsv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = CREATED
category = Structured
description = Tab-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
... View more
08-18-2014
12:53 PM
I suppose that could work if I create a user with that restriction and run my searches as that user... not quite the solution I'm hoping for though.
... View more
08-18-2014
12:35 PM
1 Karma
We use the eStreamer app in our deployment with very few issues. The only thing I've noticed is that occasionally when the Splunk daemon is restarted, events stop showing up in the app even though it still has a status of "Running". (To fix this usually I'll just disable/re-enable the eStreamer client in the app's GUI, and if necessary, manually run the estreamer_client.pl script in the app's bin directory.
No separate licensing is needed.
Don't let the fact that an app is community-supported deter you. There are some very good apps out there that aren't officially supported by Splunk and work just fine.
... View more
08-18-2014
12:06 PM
When setting up a distributed search peer, is it possible to NOT search the peer unless specified in the search string?
I have two zones (A & B), each with their own search head. The search head in A can search both A and B, whereas the search head in B can search zone B only (this works fine). However, I'd like A to only search A unless I specify "splunk_server=zone_b", that way I don't need to edit previous searches, dashboards, alerts I've written for zone A to include "splunk_server=zone_a".
I didn't see anything in distsearch.conf that looked like it would help, nor anything in the role definitions. Any guidance here? Thanks!
... View more
02-28-2014
08:50 AM
1 Karma
In my experience the most useful fields for doing transactions are msg, auid and ses. But there's way too much data coming in to run transaction on everything (slow!), so I created a subsearch which will pick out the msg IDs I'm interested in, search those and then run transactions. After that I'll table a subset of the fields make it easier to look at.
Here's an example that looks for a user SCP'ing a file and the arguments passed to the scp command:
sourcetype=auditd [search sourcetype=auditd syscall=execve exe=/usr/bin/scp | table msg] | transaction msg | table _time, auid, exe, a0, a1, a2, a3
... View more
02-26-2013
11:45 AM
1 Karma
Answering my own question, found the solution in a different thread (finally!)
http://splunk-base.splunk.com/answers/10500/tiered-deployment-servers-is-it-possible
The implementation of targetRepositoryLocation is buggy (I've since upgraded from 4.3.1 to 5.0.1, problem still exists), so the apps never properly deploy to the second tier deployment server, causing the tier 2 deployment clients to constantly download and install an app with a different checksum, even though the deployment app hasn't changed. I implemented the workaround in the thread above and it seems to work fine now.
... View more
06-21-2012
08:22 AM
Agreed - we also send to a centralized syslog server running a heavy forwarder. This allows us to do per-event filtering, since our network admins want to keep way more firewall logs than we actually wanted to index in Splunk (or have the licensing for!)
... View more
06-11-2012
06:12 PM
I have a Linux host that is both a deployment server and deployment client in a tiered deployment server configuration. For all of the apps that I am installing into the $SPLUNK_HOME/etc/deployment-apps directory (received from the primary deployment server using the targetRepositoryLocation parameter) I constantly receive messages in my splunkd log like the following:
06-11-2012 20:49:11.832 -0400 WARN DeployedApplication - Installing app: uf_win_dev to location: /opt/splunk/etc/deployment-apps/uf_win_dev
06-11-2012 20:49:11.882 -0400 ERROR DeployedApplication - Failed to install app : /opt/splunk/etc/deployment-apps/uf_win_dev. Application does not exist: uf_win_dev
06-11-2012 20:49:11.882 -0400 WARN DeployedServerClass - There was a problem installing app: uf_win_dev for server class: t2-ds
The uf_win_dev app folder gets written to $SPLUNK_HOME/etc/deployment-apps as expected, but constantly gets overwritten every time this host phones home to the primary deployment server and Splunk tries to reinstall the app because it thinks its failing each time. Any ideas what might be happening here? I tried changing some of the log output to DEBUG but didn't see any additional messages relating to it not being able to locate the application.
All Splunk instances in my environment are 4.3.1.
... View more
