Activity Feed
- Karma Re: How can I run this query more efficiently without using so many join commands? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Override hostname to FQDN in etc/system/local/inputs.conf on Windows Forwarder v6.5. 06-05-2020 12:48 AM
- Posted Re: Override hostname to FQDN in etc/system/local/inputs.conf on Windows Forwarder v6.5 on Getting Data In. 10-08-2016 12:21 PM
- Posted Override hostname to FQDN in etc/system/local/inputs.conf on Windows Forwarder v6.5 on Getting Data In. 10-08-2016 09:04 AM
- Tagged Override hostname to FQDN in etc/system/local/inputs.conf on Windows Forwarder v6.5 on Getting Data In. 10-08-2016 09:04 AM
- Posted Re: How can I run this query more efficiently without using so many join commands? on Splunk Search. 08-24-2016 08:35 AM
- Posted How can I run this query more efficiently without using so many join commands? on Splunk Search. 08-24-2016 05:48 AM
- Tagged How can I run this query more efficiently without using so many join commands? on Splunk Search. 08-24-2016 05:48 AM
- Posted Re: Will IMAP Mailbox work for Splunk 6.2? on All Apps and Add-ons. 01-14-2015 02:32 AM
- Posted Will IMAP Mailbox work for Splunk 6.2? on All Apps and Add-ons. 01-11-2015 02:28 PM
- Tagged Will IMAP Mailbox work for Splunk 6.2? on All Apps and Add-ons. 01-11-2015 02:28 PM
10-08-2016 12:21 PM
Thanks rjthibod, but I know that if I change the inputs.conf on each forwarder, it fixes the issue. If I have to do this manually it's going to take a long time to log in to each and every server to make the change.
How can I accomplish this from the Splunk server without making changes directly on the forwarder?
10-08-2016 09:04 AM
2 Karma
Hello,
I need to set Windows forwarders to use the FQDN as the hostname across all inputs, as I have duplicate hostnames in my environment. I've tried changing everything in a Splunk deployment app, but the only thing that seems to work is if I manually correct the entry in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf from hostname to FQDN.
From:
```
[default]
host = svr-vCenter
```
To:
```
[default]
host = svr-vCenter.domain.local
```
The changes that I've made in the deployment app have meant that the splunkd.log reports the name correctly:
```
10-08-2016 16:46:59.063 +0100 INFO ServerConfig - Host name option is "fullyqualifiedname".
10-08-2016 16:46:59.063 +0100 INFO ServerConfig - My hostname is "svr-vCenter.domain.local".
```
But anything sent to the Splunk indexer shows up as the shortname and the FQDN gets ignored unless I change the file above.
Is there any way I can automatically set this during install or afterwards in Splunk other than manually changing the contents of the file? What am I missing as this is driving me nuts!
Thanks,
Andy
- Tags:
- splunk-enterprise
08-24-2016 08:35 AM
Wow that's amazing!!!! So much quicker and I get all the info I needed.
Thanks very much, our OpsTeam will salute you! 🙂
08-24-2016 05:48 AM
Hello,
I'm running the following query to combine data from two different sources and to create a table for our AppAssure monitoring:
```
host="AppAssure1" source="WinEventLog:AppAssureMonitoring" EventCode=350
| fields ServerName AgentStatus Version LatestSnapshot IsPaused LatestSnapshotStatus RepositoryName
| dedup ServerName
| rename RepositoryName AS LocalRepositoryName
| join type=outer ServerName
    [search host="AppAssure2" source="WinEventLog:AppAssureMonitoring" EventCode=150
    | fields ServerName ReplicatedStatus ReplicatedTimeStamp
    | dedup ServerName]
| join type=outer ServerName
    [search host="AppAssure1" source="WinEventLog:AppAssureMonitoring" EventCode=250
    | fields ServerName ExportedTimeStamp ExportedStatus
    | dedup ServerName
    | rename ExportedTimeStamp AS LocalExportedTimeStamp
    | rename ExportedStatus AS LocalExportedStatus]
| join type=outer ServerName
    [search host="AppAssure2" source="WinEventLog:AppAssureMonitoring" EventCode=250
    | fields ServerName ExportedTimeStamp ExportedStatus
    | dedup ServerName
    | rename ExportedTimeStamp AS ReplicaExportedTimeStamp
    | rename ExportedStatus AS ReplicaExportedStatus]
```
I'm aware that it's horribly inefficient, but can't see a way to get the same result without using the join command as I also need to rename the fields as I go etc. I have to run this query on multiple tables on the same dashboard and as you can imagine it takes quite a while to load.
Can anyone clever point me in the right direction of where to go from here?
Thanks,
Andy
- Tags:
- splunk-enterprise
01-14-2015 02:32 AM
Thanks Adauria, I managed to get it installed via this method but it wouldn't work.
Eventually, I found that I needed to add the following line at the end of Splunk\etc\apps\IMAPmailbox\default\restmap.conf:
```
handleractions=create,edit,list,remove,enable,disable,_reload
```
I then deleted the generated imap.conf file and copied the one from default, edited it and put my server details in, edited inputs.conf to enable the section for Windows and added the complete Splunk path in and it worked fine. 🙂
01-11-2015 02:28 PM
Hello,
I can't see how to install IMAP Mailbox in 6.2, presumably because it hasn't been marked as compatible with this version. Any chance I can force install it somehow..?
Thanks,
Andy
- Tags:
- 6.2
- IMAP Mailbox