Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mjm295
mjm295
Path Finder
Member since:
09-25-2012
06-11-2020
Community Statistics
| Posts | 39 |
| Solutions | 2 |
| Karma Given | 27 |
| Karma Received | 2 |
| Member Since | 09-25-2012 |
Activity Feed
- Posted do not index events using props/transforms regex help on Getting Data In. 06-11-2020 06:39 PM
- Tagged do not index events using props/transforms regex help on Getting Data In. 06-11-2020 06:39 PM
- Tagged do not index events using props/transforms regex help on Getting Data In. 06-11-2020 06:39 PM
- Karma Re: How can I delete search data result incoming within 5 minutes? for adonio. 06-05-2020 12:51 AM
- Karma Re: Bad Request for url: https://management.azure.com for jaxjohnny2000. 06-05-2020 12:50 AM
- Karma Re: Bad Request for url: https://management.azure.com for chrisyounger. 06-05-2020 12:50 AM
- Karma IBM Storage Data in Splunk for ips_mandar. 06-05-2020 12:50 AM
- Got Karma for 1 out of 2 indexer has high RAM utilisation. 06-05-2020 12:50 AM
- Karma Re: duplicate in dates for stats when using predict for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: SA-ldapsearch for Windows App - Need to turn off SSL for gcusello. 06-05-2020 12:49 AM
- Got Karma for Re: duplicate in dates for stats when using predict. 06-05-2020 12:49 AM
- Karma Re: stacked bar chart with my data- is it possible? for DMohn. 06-05-2020 12:48 AM
- Karma Re: Where and when do we use summariesonly=t with datamodel? for esix_splunk. 06-05-2020 12:47 AM
- Karma Re: Why can't I find the place to create an alert? for ChrisG. 06-05-2020 12:47 AM
- Karma Re: Splunk Answers' e-mail not Syncing for vhallan_splunk. 06-05-2020 12:47 AM
- Karma Re: Splunk App for AWS Billing: Why is a single entry of raw data showing 2 results (count=2 and 200%)? for woodcock. 06-05-2020 12:47 AM
- Karma Re: Splunk App for AWS Billing: Why is a single entry of raw data showing 2 results (count=2 and 200%)? for woodcock. 06-05-2020 12:47 AM
- Karma Re: How do I put my search string in a dashboard panel with a colon in the field name? for richgalloway. 06-05-2020 12:47 AM
- Karma Re: AWS Billing App - index aws-bill not getting populated for monkee. 06-05-2020 12:46 AM
- Karma Re: Rex mode=sed diff between replace and substitute for dwaddle. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-11-2020
06:39 PM
Hi A recent agent install across our infrastructure has created a flood in the proxy logs of blocked messages which is blowing out our license. Until there is a proper fix I need to stop ingesting events related to 1 URL. I think I just need help with the REGEX part. Log are dropped to a syslog server running a heavy forwarder, then we run a monitor on that log file. Inputs.conf [monitor:///remotesyslogs/mgmt-austaiaecho00*/*.log]
disabled = false
index = star_proxy
sourcetype = cisco:wsa:squid props.conf [cisco:wsa:squid]
TRANSFORMS-screen=eliminate-screenconnect transforms.conf [eliminate-screenconnect]
REGEX = ?.=screenconnect
DEST_KEYi = queue
FORMAT = nullQueue Example event from log file: 2020-06-12T04:04:55+10:00 mgmt-austaiaecho005.casino.internal accesslogs_splunk: Info: 1591898695.320 0 10.10.216.100 TCP_DENIED/407 0 CONNECT tunnel://screenconnect.techmedia.com.au:8080/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> - - "12/Jun/2020:04:04:55 +1000" - Basically for next 4 weeks I need to drop all events with screenconnect.techmedia.com.au Thanks Mark
... View more
Labels
- Labels:
-
heavy forwarder
05-24-2020
11:37 PM
FINAL UPDATE FROM ME - this was caused by Microsoft graphing add-on had some credential errors (copied/deployed form another forwarder by mistake) removing this app and its all working again as expected.
... View more
05-13-2020
11:05 PM
Seems this may be a python issue
Works awesome on older boxes running 2.6.x
Does not work on boxes only running python 2.7.x
... View more
05-06-2020
10:25 PM
Im having this issue in several apps - but they are fresh installs (no local dir created yet)
... View more
05-01-2020
12:22 AM
tried again on different servers to try and work this out.
So 2 different Linux servers failed (Red Hat 6 and Red Hat 7)
1 Linux worked (AMZN Linux v1) - as in can get to proxy config and inputs pages
1 Windows worked
Wierd.
... View more
04-29-2020
06:07 PM
Smiilar here - looking at an upgrade from Red Hat 7 and Splunk 7 - to Red Hat 8 and Splunk 8, only just started looking at it though.
... View more
04-29-2020
05:59 PM
Hi
We installed a new heavy forwarder, splunk v7.3.5 on Red Hat 7.7
added mimecase app v3.1.5
Splunk runs as user "splunk"
All files under /opt/splunk are owned byt that user.
Also double cheked /opt/splunk/etc/apps/TA-mimecast-for-splunk and below are all splunk:splunk
When I navigate to the mimecast app, the page loads as expected.
https://server.name:8000/en-US/app/TA-mimecast-for-splunk/mc_home
When I click Configuarion it loads the 3 sub tabs (Proxy/Logging/Caching) with proxy selected, but its just a never ending loeading icon under there.
Logging and Caching sub tabs load OK and making changes where updates the conf files in the local dir as expeted.
Going back to the proxy tab - again results in the never ending loading message.
Similarly The main inputs tab
https://server.name:8000/en-US/app/TA-mimecast-for-splunk/inputs
just give the never ending loading issue.
Other tabls seem to load OK and display some things.
Any ideas?
Thanks
Mark
... View more
07-09-2019
02:18 AM
Also looking at this - have a DS5100 and DS3500 and want to get performance data in to Splunk. not found anything yet. Have you?
... View more
11-11-2018
06:56 PM
indexes.conf for the bucket:
[app_logs]
homePath = $SPLUNK_DB/app_logs/db
coldPath = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb
frozenTimePeriodInSecs = 31557600
disabled = 0
... View more
11-11-2018
06:43 PM
1 Karma
After out upgrade from 6.5 to 7.2 1 of 2 indexers has high ram utilisation. We are running Enterprise Security too.
Health Status from the search head is showing a yellow for splunkd - data forwarding (I assume to that indexer?)
Health status on that indexer is showing a Red for buckets.
The percentage of small of buckets created (60) over the last hour is very high and exceeded the red thresholds (50) for index=app_logs, and possibly more indexes, on this indexer
So I'm not sure why its creating lots of small buckets - is this related to how we setup inputs?
... View more
01-03-2018
10:13 PM
Actually its all working now. as long as its saved with it unticked and the test worked, then I can drop out to the normal splunk search and run "|ldapsearch etc"
Its only when you go back in to the config that it automatically adds the SSL tick, so im not going back in there again now its working.
... View more
01-03-2018
09:28 PM
Same issue here. tried turning it off from both Web interface AND the ldap.conf.
But its always turned back on when I go back in.
... View more
11-06-2017
04:19 PM
Hi
Im currently working through the blog posts, we have the azure management stuff working. And whould get to the Email metat data later this week. I think this is what you are looking for:
https://www.splunk.com/blog/2017/10/05/splunking-microsoft-cloud-data-part-3.html
Regards
Mark
... View more
09-19-2017
11:14 PM
| eval DATE=if('high(future)' > "3.9", _time, null()) | search DATE!=null() | head 1 | fields _time | eval mytime=strftime(_time, "%Y %m %d") | table mytime
That worked - any better options?
... View more
09-19-2017
11:12 PM
Hi
I have search for a dashboard which produces a graph and does predictions, I want to display the date when we expect a certain threshold to be crossed. I have added some smarts to the search so it now ends with
| eval DATE=if('high(future)' > "3.9", _time, null()) | search DATE!=null() | head 1 | fields _time
This gives me the date I require but in a stats table. How can I display it bigger such as a single value panel?
Thanks
Mark
... View more
08-18-2017
04:39 AM
AH nailed it
| stats sum(PricePerYr) as "Compute OPEX (US$/yr)", sum(totalPerYr) as "Total OPEX", count as "Instance Count" by Service | eval Avg_total_cost_per_instance=('Total OPEX' / 'Instance Count' )
Simple
... View more
08-18-2017
04:33 AM
his was my thoughs:
| stats sum(PricePerYr) as "Compute OPEX (US$/yr)", sum(totalPerYr) as "Total OPEX inc Ancillaries(storage, backup etc)", count as "Instance Count", eval Avg_total_cost_per_instance=("Total OPEX inc Ancillaries(storage, backup etc)" / "Instance Count" ) as Avg_total_cost_per_instance by Service
... View more
08-18-2017
04:29 AM
Thanks, i've been trying similar - and we are getting:
Error in 'stats' command: The output field 'Instance Count' cannot have the same name as a group-by field.
... View more
08-18-2017
03:23 AM
I have this query to create a stats table:
index=star_aws sourcetype=aws:ec2 State=running | dedup InstanceID | rename InstanceSize as Instance_Type
| eval Operating_System = case(match(OS,"RHE.+"), "RHEL", match(OS,"win.+"), "Windows", match(OS,"Win.+"), "Windows", 1=1, "Linux")
| fields InstanceID Instance_Type OS Operating_System Service StarName
| join type=left max=1 Instance_Type Operating_System [ | inputlookup aws_price.csv ]
| eval PricePerYr=round(PricePerYr,2)
| eval totalPerYr=(PricePerYr * 1.5)
| stats sum(PricePerYr) as "Compute OPEX (US$/yr)", sum(totalPerYr) as "Total OPEX inc Ancillaries(storage, backup etc)", count as "Instance Count", by Service
Stats table output is in the attached screen shot
How can I add a 5th column showing Average total cost per instance?
IE Column 4 divided by column 5?
Instances are different sizes/costs
Thanks
Mark
... View more
08-16-2017
08:21 PM
1 Karma
Thanks Dal, looking much tidier now. Just for completeness my final query is:
index="linux_capacity" source=cpu CPU=all host=ip-10-134*
| eval PctUsed = 100 - pctIdle
| timechart avg(PctUsed) as PercentUsed span=1h
| eval PercentUsed=round(PercentUsed,2)
| predict "PercentUsed" as futures algorithm=LLP future_timespan=960 lower90=low upper90=high
| eval futures=round(futures,2)
| eval high(futures)=if(_time<=now(), null(), 'high(futures)' )
| eval low(futures)=if(_time<=now(), null(), 'low(futures)' )
| eval low(futures)=if( 'low(futures)' < 0, 0, 'low(futures)' )
| streamstats current=f max(_time) as priorbesttime
| where _time > priorbesttime
| fields - priorbesttime
... View more
08-16-2017
05:03 PM
Thanks for the "Null" clarification.
... View more
08-16-2017
04:49 PM
its 6.5.1 to be exact.
... View more
08-16-2017
05:27 AM
Version 6.5 here.
... View more
08-15-2017
09:54 PM
I have this query to predict CPU usage, looking at real data for last 90 days and predicting ahead 60 days.
index="linux_capacity" source=cpu CPU=all host=ip-10-134* | eval PctUsed = 100 - pctIdle
| timechart avg(PctUsed) as PercentUsed
| predict "PercentUsed" as futures algorithm=LLP future_timespan=60
| eval upper95(futures)=if(_time<=now(), Null, 'upper95(futures)' )
| eval lower95(futures)=if(_time<=now(), Null, 'lower95(futures)' )
Looking at the stats (results) the 10 days from today backwards get duplicated. Today is 16th August. Here is the snip of the stats:
2017-08-02 10.345810 11.2606080643
2017-08-03 8.371493 11.6832498048
2017-08-04 8.287087 10.2299365809
2017-08-05 12.312134 12.2315872649
2017-08-06 11.367797 10.9899627817
2017-08-07 17.745977 14.2295366964
2017-08-08 10.109057 10.1245616922
2017-08-09 17.496496 14.0287175836
2017-08-10 8.339878 11.2479039882
2017-08-11 8.737030 10.0940590718
2017-08-12 8.032037 9.39042740568
2017-08-13 7.555324 9.33242169748
2017-08-14 9.514418 11.8174795236
2017-08-15 8.862755 8.98957755123
2017-08-16 8.136355 11.4131114138
2017-08-06 11.2479039882
2017-08-07 10.0940590718
2017-08-08 9.39042740568
2017-08-09 9.33242169748
2017-08-10 11.8174795236
2017-08-11 8.98957755123
2017-08-12 11.4131114138
2017-08-13 11.2479039882
2017-08-14 10.0940590718
2017-08-15 9.39042740568
2017-08-16 9.33242169748
2017-08-17 11.8174795236 4.01416734251 19.6207917047
2017-08-18 8.98957755123 -0.453621346862 18.4327764493
2017-08-19 11.4131114138 1.74019160299 21.0860312246
2017-08-20 11.2479039882 0.874637979426 21.6211699969
2017-08-21 10.0940590718 4.39114905157 15.796969092
2017-08-22 9.39042740568 -4.25403965674 23.0348944681
So the real Data stops on 2017-08-17
BUT then the predicted data start again from 2017-08--6
Before the 95th percentiles kick on the 2nd time we cross 2017-08-17
What could be casuing this? It makes the graphe I am creating look messy.
Thanks
Mark
... View more
04-12-2017
08:08 PM
Thanks, managed to make that work.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-11-2020
08:10 PM
|
Karma given to
