Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bpitts2
bpitts2
Path Finder
Member since:
04-25-2015
03-14-2021
Community Statistics
| Posts | 24 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 5 |
| Member Since | 04-25-2015 |
Activity Feed
- Karma Re: Is Splunk supported on Kubernetes for mattymo. 06-05-2020 12:49 AM
- Karma Re: How to expand macros in a Splunk search? for inventsekar. 06-05-2020 12:48 AM
- Karma Audit Default Admin Creds? for muebel. 06-05-2020 12:48 AM
- Karma NOT a question: There is a small bug in the health checks for 6.5.0 Monitoring Console and this is how to resolve it. for lycollicott. 06-05-2020 12:48 AM
- Karma Re: NOT a question: There is a small bug in the health checks for 6.5.0 Monitoring Console and this is how to resolve it. for lycollicott. 06-05-2020 12:48 AM
- Karma Re: How Do I Blacklist a specific file. for inventsekar. 06-05-2020 12:48 AM
- Karma Re: How to control splunk logs splunkd_stderr.log & splunkd-utility.log filling up disk space for anantdeshpande. 06-05-2020 12:48 AM
- Got Karma for Why doesn't the new 50gb Dev License support being a remote master?. 06-05-2020 12:48 AM
- Got Karma for Re: How Do I Blacklist a specific file.. 06-05-2020 12:48 AM
- Karma Re: Newbie Question: How do you search multiple log types at the same time. for treinke. 06-05-2020 12:47 AM
- Karma Re: Splunk App for Stream: Why are we seeing constant growth of memory usage by the streamfwd.exe process? for vshcherbakov_sp. 06-05-2020 12:47 AM
- Karma Re: Average sessions per hour for woodcock. 06-05-2020 12:47 AM
- Karma Re: How to troubleshoot serverclass.conf error "Attribute unsupported by UI: stanza=serverClass:PerfmonManage...reason='2+ distinct values at this level'"? for dgrubb_splunk. 06-05-2020 12:47 AM
- Karma Re: Why are my search peers showing a status of "duplicate license"? for fairje. 06-05-2020 12:47 AM
- Karma Why is the Windows perfmon data in Splunk for percentage processor time different from the performance counter value on the server? for shreyasathavale. 06-05-2020 12:47 AM
- Got Karma for How to deploy and configure the Splunk App for Stream in an environment with heavy forwarders?. 06-05-2020 12:47 AM
- Got Karma for Splunk App for Stream: Why are we seeing constant growth of memory usage by the streamfwd.exe process?. 06-05-2020 12:47 AM
- Karma Re: How to Reset the Admin password? for matt. 06-05-2020 12:45 AM
- Got Karma for Re: How to Reset the Admin password?. 06-05-2020 12:45 AM
- Posted Re: Why doesn't the new 50gb Dev License support being a remote master? on Installation. 11-03-2016 09:35 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
11-03-2016
09:35 AM
Bah, shame on me for not reading the FAQ.
Thanks!
... View more
11-03-2016
08:08 AM
I totally understand that. However, there's also a new watermark applied to every page when you're using the Dev/Test license, not to mention that usage telemetry is sent back to Splunk.
We don't really surpass our old 10gb dev license very frequently, but I was looking forward to using the 50gb license to bring in a few chatty logs so that we can work on moving forward with implementing them into our production system.
Thanks,
Bpitts2
... View more
11-03-2016
07:54 AM
1 Karma
Hello,
I have a distributed dev environment that matches very closely to our production environment. This is a very typical best practice no matter what software you're dealing with. I was shocked to find that the new 50Gb development license does not support being a remote license master for a distributed search environment.
I guess I'll have to renew my 10gb dev license and use that instead.
I'm really looking for an answer to whether this was intentional, or if a mistake has been made with the way the new licenses are issued.
Regards, BPitts2
... View more
Labels
- Labels:
-
license
10-19-2016
06:20 AM
Good to know, thanks!
... View more
10-19-2016
06:19 AM
I downvoted this post because this is a completely irrelevant answer.
... View more
10-19-2016
06:09 AM
Hello,
From my understanding, you would configure a database output in DB Connect v2, then reference that output when you use the search command.
dbxoutput output=<string>
Creating an Output:
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Createandmanagedatabaseoutputs
Using the DB Connect v2 Search Commands:
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Commands
... View more
10-19-2016
06:00 AM
Hello,
As you mentioned most logs can be controlled from /etc/log.cfg, however there are some logs such as splunkd_stderr.log that are effectively "hard coded" and cannot be changed. However, it was suggested that you could use a symbolic link to move the files to your preferred location.
Reference:
https://answers.splunk.com/answers/9879/possible-to-move-splunks-log-folder-splunk-home-var-log-splunk.html
Best Regards,
BPitts2
... View more
10-19-2016
05:56 AM
Hello,
I believe that Splunk Cloud Instances can only install approved applications. Please see the following document for more info: http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/GetSplunkCloudapps
Best Regards,
BPitts2
... View more
10-18-2016
06:12 AM
1 Karma
As long as you don't want ANY of the "voipcall_wcas1.cdr." files you could just add "voipcall_wcas1.cdr.*" to the blacklist.
Apparently, I cant submit this as an answer because I have less than 40 rep points.
... View more
10-18-2016
06:08 AM
Review the splunkd logs from the forwarder hosting the event collector. I found issues with JSON line breaking that was preventing mine from working correctly.
... View more
10-18-2016
06:06 AM
1 Karma
Yes, you need to rename the file and then restart the splunk service.
... View more
01-13-2016
09:48 AM
Usage Instructions
Get started with Splunk Web:
In your EC2 Management Console, find your instance running Splunk Enterprise.
Copy its public IP.
Paste the public IP into a new browser tab (do not hit enter yet).
Append :8000 to the end of the IP.
Hit enter.
Log into Splunk with the following credentials:
username: admin
password: {the instance id of the instance just created}
... View more
01-13-2016
09:11 AM
I know this is old, but I was hoping you may have found an answer. I'm also observing different returned values in splunk than what is in perfmon local to the server.
... View more
11-23-2015
01:50 PM
Hello All,
I'm working on a new query for one of our SIP (VoIP) dashboards. In the SIP world, each call has a unique call ID called the SIP Call ID. Due to the way that our fail-over devices work, we'll see 'phantom' calls on our back-up server because the phones consistently try to register to the backup device.
I'm able to filter the majority of these messages by simply excluding the word "REGISTER" in my current search. However, there are still some false-positive results because of the response messages that are returned by the fail-over device. Both the SIP Call ID and message type are extracted as their own fields.
I would like to build a query that if it finds an event with the message type "REGISTER", it would then exclude all messages with the associated SIP Call IDs.
So far I've managed this:
index=sbc_pci "sipmsg.log" sipmessage="REGISTER" | stats values(call_id) as badcallid | mvexpand badcallid
Which has given me a nice list of the sip call IDs that I want to exclude. I just need some help understanding how I pipe this to a sub search as a "NOT".
Perhaps something like:
index=sbc_pci "sipmsg.log" sipmessage="REGISTER" | stats values(call_id) as badcallid | mvexpand badcallid | search index=sbc_pci "sipmsg.log" NOT badcallid
So close, but I'm not able to connect all the dots.
Thanks!
... View more
11-16-2015
11:03 AM
Ah, btool, I thought that might be the right direction. I'll take a look. Thanks!
... View more
11-16-2015
10:54 AM
Hello all,
This morning I logged into our deployment server and found a message that the forwarder manager screen was in 'read only' mode because some of our serverclass.conf settings were not supported.
Ok, not a big deal, right? I figured I would just browse the config, find the error and correct it.
The error message that was thrown is below:
11-16-2015 12:08:18.789 -0500 WARN DS_DC_Common - Attribute unsupported by UI: stanza=serverClass:PerfmonManage property=restartSplunkd reason='2+ distinct values at this level'
Well, the problem is that my D:\Program Files\Splunk\etc\system\local\serverclass.conf doesn't contain any stanza named "serverClass:PerfmonManage"
Is there an easy way to figure out where Splunk has picked up "serverClass:PerfmonManage", maybe in another conf that I'm not thinking of?
Thanks,
BPitts2
... View more
10-16-2015
10:04 AM
Will do, thanks!
... View more
10-16-2015
09:31 AM
1 Karma
Hello all!
We've started to roll out the Splunk App for Stream to a few of our production servers. I've been watching the streamfwd.exe process' memory usage, and it just keeps growing. After leaving it run all night it was at 3.1GB this morning.
We're on Splunk 6.3 with the latest Splunk_TA_Stream (as far as I'm aware). We're only pulling SIP traffic.
I'll likely end up opening a support ticket, but wanted to ask here first if anyone else has seen this before.
Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-14-2021
10:33 PM
|
Karma from
Karma given to
