×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
warrenpage
Explorer
Member since: ‎07-06-2010
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 1
Karma Received 3
Member Since ‎07-06-2010
Activity Feed
View All

Re: Saved search alert sending results in csv even...

by in Reporting
‎07-18-2013 07:24 PM
‎07-18-2013 07:24 PM
Fixed this by adding action.email.inline = 1 to the saved search. Guessing old saved searches from previous versions didn't have this set. [AAATest] action.email = 1 action.email.inline = 1 action.email.sendresults = 1 action.email.to = fred.bloggs@workdammit.com.au ... View more

Re: How do I turn off debug in btool.

by in Monitoring Splunk
‎07-07-2013 03:28 AM
‎07-07-2013 03:28 AM
I removed all the *debug*cfg files from the splunk etc directory, restarted splunk and this seemed to do the trick for me. ... View more

Re: Break Log file with header and details into ev...

by in Getting Data In
‎04-28-2011 06:38 PM
‎04-28-2011 06:38 PM
Thanks I suspected as much. I think I will just need to run the file through awk first to create full detail records like time=xxxxxx databasename=yyyyyyy tablename=table1 rowsread=1111 time=xxxxxx databasename=yyyyyyy tablename=table2 rowsread=2222 In the meantime just doing without the header fields and marking the details as events separately. ... View more

Break Log file with header and details into events

by in Getting Data In
‎04-26-2011 06:11 PM
‎04-26-2011 06:11 PM
I have a log file that looks generally like this Header data time=xxxxxx databasename=yyyyyyy numberortables=xx Detail tablename=table1 rowsread=1111 Detail tablename=table2 rowsread=2222 I know I could break events on each detail record. However is there a way to configure my props.conf file so it pushes/collect the Data from the header into the detail events somehow? This is so I could do a search on say databasename=xxx and tablename=yyy? ... View more

Re: In a Distributed Search environment, how do I ...

by in Splunk Search
‎04-04-2011 10:56 AM
‎04-04-2011 10:56 AM
thanks that answers my question ... View more

In a Distributed Search environment, how do I rest...

by in Splunk Search
‎04-01-2011 03:04 AM
1 Karma
‎04-01-2011 03:04 AM
1 Karma
I have a main centralized splunk index server with logs for 50+ hosts. I have a secondary Splunk instance for a smaller application where it logs its own data. I would like to set the smaller instance up as a search head to the centralized server so it can see a small subset of data on the central server which is isolated to one index. How do I restrict what the search head sees on the search peer, or can it see everything? Note - not talking about restricting the search which is topic of another question but the access to ensure they don't see other data at all. ... View more

Re: Does splunk list monitor accurately reflect fi...

by in Getting Data In
‎07-08-2010 02:20 AM
‎07-08-2010 02:20 AM
Thanks for that. I did find that using the wild card wasn't the smartest thing as the splunkd process used a bunch of CPU - I assume scanning the file system for file matches repeatedly. It would be nice to separate the polling for files to monitor (say only poll for new file every 5,10,60 etc. minutes) versus polling the files themselves. splunk add monitor '/var/mqm/qmgrs/*/errors/AMQERR01.LOG' -follow-only True Anyway I switched and ran this instead ls /var/mqm/qmgrs/*/errors/AMQERR01.LOG | xargs -i -t bin/splunk add monitor {} -follow-only True which adds each found file separately. Cpu dropped dramatically. I will just script to it to run that daily to pick up any new files. ... View more

Does splunk list monitor accurately reflect files ...

by in Getting Data In
‎07-06-2010 05:01 AM
2 Karma
‎07-06-2010 05:01 AM
2 Karma
When I run command bin/splunk add monitor '/var/mqm/qmgrs/*/errors/AMQERR01.LOG' -follow-only True to monitor specific log file under several directories e.g. $ ls /var/mqm/qmgrs/*/errors/AMQERR01.LOG /var/mqm/qmgrs/QM1/errors/AMQERR01.LOG /var/mqm/qmgrs/QM2/errors/AMQERR01.LOG /var/mqm/qmgrs/QM3/errors/AMQERR01.LOG bin/splunk list monitor returns the following /var/mqm/qmgrs/*/errors/AMQERR01.LOG /var/mqm/qmgrs/@SYSTEM /var/mqm/qmgrs/QM1 /var/mqm/qmgrs/QM1/@app /var/mqm/qmgrs/QM1/@app/esem /var/mqm/qmgrs/QM1/@app/esem/uateai07 /var/mqm/qmgrs/QM1/@app/isem /var/mqm/qmgrs/QM1/@app/isem/uateai07 /var/mqm/qmgrs/QM1/@app/msem /var/mqm/qmgrs/QM1/@app/msem/uateai07 /var/mqm/qmgrs/QM1/@app/shmem .. another 4000 subdirectories However despite what list monitor says - I do see the error files I am looking for in Splunk Is this a bug? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All
Karma given to
View All