08-10-2020
09:17 AM
@isoutamo thanks for your response. We follow most of these guidelines, if not all. The guidelines are a generic framework and do not address my problem. We encourage our SMEs to provide props.conf during the onboarding process, but I can't enforce it. We try to reward them by fast-tracking the onboarding process. There are only a handful of them who provide us props upfront, but this is not sufficient to keep up with the demand. I am looking for a more self-service onboarding approach by the SMEs, with us as admins doing governance on the data and keeping a check on the license and hardware.
08-08-2020
10:41 AM
I would like to hear from other admins on how they are keeping up with the high demand of data onboarding requests into their Splunk instance in large organizations. We are battling with more than 300 requests per month to onboard data into Splunk, as every application in the organization wants to utilize Splunk for monitoring, and the demand only keeps increasing. Most of these are custom application logs. The biggest bottleneck is defining props (LINE_BREAKER, timestamp settings, etc.) for the source types by having to manually analyze each individual log. Other parts of the onboarding (inputs.conf, indexes.conf, etc.) can be easily automated for seamless onboarding, but not props. Leaving source types on Splunk defaults without defining props is not an option, as we have seen some serious performance issues on indexers. I would like to hear from Splunk if there is a strategic direction in this regard to make admins' lives easier with respect to onboarding, and from other admins who might have dealt with a similar situation and overcome it in creative ways. Regards, Pradeep
Tags: data, onboarding
Labels: props.conf, sourcetype
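The props bottleneck described in the post above is the one part of onboarding that can be partly automated: a script that reads a log sample submitted by the SME, proposes the line-breaking and timestamp settings, and refuses outright when the sample does not fit, so that nothing lands on Splunk's default parsing by accident. The following is an added example written for this page; it is not code from the thread or from Splunk. The timestamp table, the heuristics for TIME_PREFIX, the sourcetype names and the sample log lines are all constructed assumptions.

```python
# Propose a props.conf stanza from a log sample (added example, not Splunk code).
# Assumes one timestamp at or near each event's start; continuation lines carry none.
import re
from collections import Counter

# (regex, Splunk TIME_FORMAT) pairs, most specific first; %3N is Splunk's millisecond
# directive. Assumption: this table covers the formats seen locally; extend it.
TIMESTAMP_CANDIDATES = [
    # 2024-06-03T16:52:11.123+0000  ISO 8601, milliseconds, numeric offset
    (r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}", "%Y-%m-%dT%H:%M:%S.%3N%z"),
    # 2024-06-03 16:52:11,123       log4j / logback default
    (r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}", "%Y-%m-%d %H:%M:%S,%3N"),
    # 03/Jun/2024:16:52:11 +0000    Apache / NCSA access log
    (r"\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}", "%d/%b/%Y:%H:%M:%S %z"),
    # Jun  3 16:52:11               BSD syslog header (no year)
    (r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}", "%b %d %H:%M:%S"),
]

# Constructed samples (not real logs) for the demo and checks.
SAMPLE_LOG4J = """\
2024-06-03 16:52:11,123 ERROR [main] Failed to open connection
java.net.ConnectException: Connection refused
    at java.base/sun.nio.ch.Net.connect(Net.java:579)
2024-06-03 16:52:12,004 INFO  [main] Retrying in 5s
"""
SAMPLE_APACHE = """\
10.0.0.5 - - [03/Jun/2024:16:52:11 +0000] "GET /login HTTP/1.1" 200 512
192.168.1.9 - - [03/Jun/2024:16:52:13 +0000] "POST /login HTTP/1.1" 401 87
"""

def rx_escape(text):
    """Escape regex metacharacters only, so spaces stay readable in props.conf."""
    return re.sub(r"([\\.^$*+?{}\[\]|()])", r"\\\1", text)

def common_suffix(strings):
    """Longest string that every member of `strings` ends with."""
    s = min(strings, key=len)
    while s and not all(x.endswith(s) for x in strings):
        s = s[1:]
    return s

def find_timestamp(line):
    """Earliest candidate timestamp in `line` as (start, end, regex, fmt), else None."""
    best = None
    for pattern, fmt in TIMESTAMP_CANDIDATES:
        m = re.search(pattern, line)
        if m and (best is None or m.start() < best[0]):
            best = (m.start(), m.end(), pattern, fmt)
    return best

def propose_props(sample, min_coverage=0.9):
    """Return props.conf settings as a dict; raise ValueError when the sample is not
    explained, so it goes back to the SME instead of landing on Splunk's defaults."""
    stamped, unstamped = [], 0
    for line in filter(str.strip, sample.splitlines()):
        found = find_timestamp(line)
        if found is None:
            unstamped += 1  # continuation line of a multi-line event
        else:
            start, end, pattern, fmt = found
            stamped.append((line[:start], end - start, pattern, fmt))
    if not stamped:
        raise ValueError("no recognised timestamp in sample")
    (pattern, fmt), n = Counter((s[2], s[3]) for s in stamped).most_common(1)[0]
    if n / len(stamped) < min_coverage:
        raise ValueError(f"mixed timestamp formats; dominant one covers {n}/{len(stamped)} lines")
    chosen = [s for s in stamped if s[2] == pattern]
    prefixes = [s[0] for s in chosen]
    suffix = common_suffix(prefixes)                # fixed text right before the timestamp
    anchored = all(p == suffix for p in prefixes)   # ...with nothing variable before it
    ts_len = max(s[1] for s in chosen)
    props = {"TIME_FORMAT": fmt, "TRUNCATE": "10000"}
    # MAX_TIMESTAMP_LOOKAHEAD counts from the end of the TIME_PREFIX match (or from the
    # event start when no prefix is set); keep a small margin either way.
    if suffix:
        props["TIME_PREFIX"] = ("^" if anchored else "") + rx_escape(suffix)
        props["MAX_TIMESTAMP_LOOKAHEAD"] = str(ts_len + 4)
    else:
        props["MAX_TIMESTAMP_LOOKAHEAD"] = str(max(map(len, prefixes)) + ts_len + 4)
    if unstamped == 0:
        # One event per line: cheapest breaking, no line-merging pass at all.
        props["SHOULD_LINEMERGE"] = "false"
        props["LINE_BREAKER"] = r"([\r\n]+)"
    elif anchored:
        # Multi-line events with a fixed head: break only where the next timestamp starts.
        props["SHOULD_LINEMERGE"] = "false"
        props["LINE_BREAKER"] = r"([\r\n]+)(?=" + rx_escape(suffix) + pattern + ")"
    else:
        # Variable text before the timestamp: fall back to the line-merging pipeline.
        props["SHOULD_LINEMERGE"] = "true"
        props["BREAK_ONLY_BEFORE"] = rx_escape(suffix) + pattern
    return props

def render_stanza(sourcetype, props):
    """Format as a props.conf stanza with sorted keys, so diffs in review stay stable."""
    return "\n".join([f"[{sourcetype}]"] + [f"{k} = {props[k]}" for k in sorted(props)])

if __name__ == "__main__":
    print(render_stanza("acme:app:log4j", propose_props(SAMPLE_LOG4J)))
    print(render_stanza("acme:web:access", propose_props(SAMPLE_APACHE)))
```

The output is a starting point for the admin review, not a finished stanza: the log4j sample yields a lookahead LINE_BREAKER that glues stack traces to the preceding event with SHOULD_LINEMERGE=false, while the access-log sample gets an unanchored TIME_PREFIX because the client address varies before the bracket. The refusal path (mixed formats, no recognised timestamp) is the governance hook: a request that fails it is bounced back to the SME with the error text rather than onboarded on defaults.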
06-14-2020
05:17 PM
When you say start, do you mean trying to access the Splunk web URL in a browser? If so, make sure you add the :8000 port after your hostname. To see if Splunk is actually running, go to the bin directory under Splunk and run splunk status.
05-29-2020
02:14 PM
Good to know. In my case the lookup gets appended every day with new records, so I guess it's not an option for me.
05-28-2020
09:09 PM
Hi @PavelP, can you provide any pointers for using gzipped CSV files?
05-28-2020
08:45 PM
Hi @jkat54, the lookup is auto-generated on a daily basis from a search, and new records are added every day. Having to push the app to the search heads and indexers would be a manual process every day.
05-18-2020
06:29 PM
I blacklist lookups from bundle replication by size in distsearch.conf as below:
[replicationSettings]
excludeReplicatedLookupSize = 2
I now have a requirement to bypass the above condition for a specific lookup that is greater than 2 MB. Is there a way I can craft the whitelist to take precedence just for the lookup that I need? The reason I need this as part of the bundle is that I use this lookup as an automatic lookup and it is growing in size.
Labels: lookup
02-07-2020
08:59 AM
Can you please provide more details on the code changes to achieve this?
05-05-2019
08:23 AM
Hi @Flynt Any update on general availability for this? If not, I am interested in the unpublished version that has encryption and supports multiple instances.
09-13-2018
01:30 PM
Do the log files have data in them to forward?
Cross-check the path for any typos.
08-30-2018
08:35 AM
Start from here:
index=_internal sourcetype=web_access CLIENT_URL=*XabAB_TBBBBB_Dashboard* | stats values(USER) by CLIENT_URL
08-21-2018
09:34 AM
Anything in splunkd.log for failed authentication?
08-21-2018
09:30 AM
Did you try reloading auth, or restarting the Splunk instance?
If you have groupBaseFilter defined, ensure the new group falls under those filters.
08-21-2018
08:58 AM
Did you try encoding using > or <? Use them without spaces.
08-21-2018
08:57 AM
Use the search below and then export:
index=my_index source=my_source | table _raw
08-21-2018
07:04 AM
Are your fields 15MinEarly and Now working? Try: | table 15MinEarly Now
08-20-2018
01:22 PM
Use . for concatenation of strings:
| eval 15MinEarly=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S")
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " .15MinEarly ." - ".Now
08-20-2018
01:12 PM
Yes, only search heads.
08-17-2018
08:27 AM
There is no retention for lookups. The lookup will stay until someone deletes it or overwrites it.
08-16-2018
12:17 PM
DB Connect does not allow you to run scheduled inputs and outputs on a search head cluster from DB Connect 3.x.x. If you want to perform the scheduled tasks, you must run them on a heavy forwarder.
http://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Distributeddeployment
08-16-2018
10:04 AM
Two suggestions:
If you have a non-prod Splunk instance, you should test there rather than in your production instance: non-prod servers sending data to a non-prod Splunk instance to test your configs.
If you absolutely have to test in prod in a throwaway index, you should probably clear the fishbucket on the forwarders every time you change from the test index to the real index. https://www.splunk.com/blog/2008/08/14/what-is-this-fishbucket-thing.html
08-14-2018
08:19 PM
Verify the time range you are searching. Search for a larger time range.
| rest /services/data/indexes | search title="test_index"
See if this gives you results; the splunk_server field will tell you where the results are coming from.
08-13-2018
08:59 AM
The first all-time search you can probably run manually; thereafter, you should choose earliest and latest with a little bit of padding. latest=now is not a good practice, as you are not accounting for the delay in the raw data. You can do something like earliest=-8m@m latest=-3m@m so that you account for 180 seconds of delay, depending on how busy your indexers and forwarders are.
08-08-2018
11:56 AM
You can use a chart overlay to create a secondary y-axis.
Details here - http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchTutorial/Chartoverlays
08-07-2018
08:18 AM
Take a look at this answer:
https://answers.splunk.com/answers/53205/daily-license-usage-by-host.html