About jldebell

jldebell · ‎05-13-2015

The information is in docs. splunk show shcluster-status -auth username:password http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCdeploymentoverview#4._Initialize_cluster_members

jldebell · ‎05-13-2015

I can't find the documentation about locating the captain, but I need to do a rolling restart. The docs mention it has to be initiated from the captain. Please advise. Thanks, Jennifer

jldebell · ‎05-03-2015

Sorry for the confusion, let me clarify. If your access level only allows a search for 30 days, you won't be able to see the "All Time" results. The "All Time" results would fall out of the range for the 30 day period. Hope that helps.

jldebell · ‎04-30-2015

Just a guess, but do you have permission to search the time range?

jldebell · ‎04-30-2015

Thanks for the information. If i am reading this correctly, I need to add the host details in to decipher the difference between the logs? The host details and the source are the same in both instances. It is only the log content that makes it different.

jldebell · ‎04-28-2015

Adding a wildcard to see if it will work. whitelist.0 = ***/var/opt/specific/to/sample2

jldebell · ‎04-28-2015

I have one file that I need to pull two sourcetypes from. Here are the details: i created two independent inputs.conf files. inputs.conf [monitor:///var/log/audit/audit.log] index=sample sourcetype=sample1 inputs.conf [monitor:///var/log/audit/audit.log] index=sample sourcetype=sample2 My serverclass.conf file is set up with two stanzas: [serverClass:sample1] whitelist.0 = /var/opt/specific/to/sample1* machineTypesFilter = linux* restartSplunkd = true [serverClass:sample1:app:sample1] [serverClass:sample2] whitelist.0 = /var/opt/specific/to/sample2* machineTypesFilter = linux* restartSplunkd = true [serverClass:sample2:app:sample2] I am using the whitelist to identify key information within the log. The data is coming through with both whitelist details, but it is defaulting to only one sourcetype. My whitelist also contains host information which is also shared. The only thing that separates the sourcetypes is the /var/opt/specific/to/sample* details. I don't think host details matter, so I left these details in. Do I need to add an AND statement in there? [serverClass:sample1] whitelist.0 = /var/opt/specific/to/sample1* AND whitelist.1 = host machineTypesFilter = linux* restartSplunkd = true [serverClass:sample1:app:sample1] Or is there something else that i should consider? Thanks, Jennifer

jldebell · ‎04-08-2015

The files were not able to reload because there was a TIME_FORMAT error associated. I was able to get the formatting corrected and reload the files. The error message was over a week old, but it was the root cause. I have included the link to the other question associated in case others encounter something similar. http://answers.splunk.com/answers/224111/how-do-i-properly-describe-non-standard-datetime-f.html#answer-224256 Thanks again for everyone's assistance.

jldebell · ‎04-08-2015

Thank you for asking. I didn't think of that. The ip addresses are private, so GeoIP/IPLocation won't work.

jldebell · ‎04-08-2015

We need to create a report that lists all devices and servers reporting into Splunk. We want to have the report broken out by country. We don't have an internal cross-reference to identify servers to countries. I was using this search based on other Answer questions. index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost|stats count by hostname, sourceHost, fwdType, guid, os, arch I tried to plug in the geoip/iplocation searches to see if we could obtain the location of our servers. I wasn't able to get results. Please advise if you have suggestions. Thanks! Jenn

jldebell · ‎04-02-2015

Thanks for the information. We are testing both options to see which will work best for our situation. Thank you!

jldebell · ‎04-02-2015

Thanks for the information. This was helpful. i can't accept the answer because it is a reply unfortunately.

jldebell · ‎03-31-2015

I am working with application data that has the same exact format across several applications. The sourcetypes are based on application names. We have a couple of fields that we need to extract. I have a props.conf built, but we want to have a one props.conf to control these settings across the applications. How can I tie the sourcetypes to the one props.conf file? thanks, Jenn

jldebell · ‎03-30-2015

Thanks again for your help! This got us closer to solving the problem.

jldebell · ‎03-30-2015

Here is the solution that worked for us: [sourcetype] TIME_FORMAT = %y%j|%H%M%S TIME_PREFIX=\w{2}\| TZ=UTC MAX_TIMESTAMP_LOOKAHEAD=12 disabled = false NO_BINARY_CHECK = true Thanks again for your help!

jldebell · ‎03-27-2015

I am working with a | delimited field log. The second column is the jdate and the third column appears to be a epoch time. The julian date is formatted as year, day of the year... 15 = 2015 and 085 = 3/26/15. I am guessing the time is formatted as hh:mm:ss. field1|15085|232038| field1|15085|231633| field1|15085|203812| field1|15085|203812| props.conf is defined as the following: FIELD_DELIMITER = | FIELD_NAMES = type,jdate,time,..... TIMESTAMP_FIELDS = jdate,time TIME_FORMAT = %Y%m%d %H%M%S The data is indexing into Splunk and then it will stop for a couple of days and restart. Looking at _internal index, the following error message is populated: A possible timestamp match (Fri Jan 4 05:24:39 2008) is outside of the acceptable time window. I know the time stamp format is off, but I am not sure how to adjust it. Looking for suggestions if anyone else experienced this. Thanks, Jenn

jldebell · ‎03-17-2015

I tried the string, but I am getting a file path not recognized. I am in the server, drilled down to the splunkprivatedb and then added the string. The first path was the splunkprivatebd and the second was the path to the file. I was able to tab and have it pull the information (auto-fill function in Unix). Which I would expect that if I tab and it auto-fills that the path exists. I am guessing it is a user error and I played around based on documentation, but I am not catching it. In the server: logged in as Splunk. navigate to the /opt/splunk/var/lib/splunk/fishbucket/splunkprivatedb/ folder add the following details: ./splunk cmd btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunkprivatedb/ --file /opt/splunk/F1/F2/text_file.TXT --reset Error message: -bash: ./splunk: No such file or directory I am going to search on error messages related to the command and see if i can find anything. Please keep me posted if you see anything I missed. Thanks, Jenn

jldebell · ‎03-16-2015

Thanks for the reference. i was reading about the one shot and fish bucket clean up. I will see if this will work. Thanks!

jldebell · ‎03-16-2015

If I understand correctly, this will clean out the file so then I can re-index it. It won't impact other files since I am specifying which to look for. I will try this.

jldebell · ‎03-16-2015

I altered the start of the file. I added a space initially, but it didn't work. It would not let me save it stating there were no changes. I then added | (pipes). The file updated, but did not index.

Posts	29
Solutions	3
Karma Given	0
Karma Received	14
Member Since	‎08-27-2014

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

How do I locate the captain on a search head clust...

How do I get multiple sourcetypes from one source?

How do I create a report that lists all servers an...

Is it possible to have multiple sourcetypes point ...

How do I properly describe non-standard date/time ...

How do you reload a file?

What is the best way to combine 3+ fields?

How to troubleshoot read "denied" permissions on m...

Why is the scheduled dashboard PDF attaching "_clo...

Are there any resources that explain in detail how...

Re: How do I locate the captain on a search head c...

How do I locate the captain on a search head clust...

Re: Events don't show up in Search when the time r...

Re: Events don't show up in Search when the time r...

Re: How do I get multiple sourcetypes from one sou...

Re: How do I get multiple sourcetypes from one sou...

How do I get multiple sourcetypes from one source?

Re: How do you reload a file?

Re: How do I create a report that lists all server...

How do I create a report that lists all servers an...

Re: Is it possible to have multiple sourcetypes po...

Re: Is it possible to have multiple sourcetypes po...

Is it possible to have multiple sourcetypes point ...

Re: How do I properly describe non-standard date/t...

Re: How do I properly describe non-standard date/t...

How do I properly describe non-standard date/time ...

Re: How do you reload a file?

Re: How do you reload a file?

Re: How do you reload a file?

Re: How do you reload a file?