Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About iparitosh
iparitosh
Path Finder
Member since:
11-29-2017
06-05-2020
Community Statistics
| Posts | 21 |
| Solutions | 0 |
| Karma Given | 10 |
| Karma Received | 1 |
| Member Since | 11-29-2017 |
Activity Feed
- Got Karma for Re: How to find all Dashboards, Reports and Alerts related to a specific index ?. 09-24-2020 03:07 PM
- Karma Re: Why same search query shows two different results when executed via different apps? (No Macros used.) for broberg. 06-05-2020 12:50 AM
- Karma Re: Where are Source type definitions stored in Distributed environment? for skalliger. 06-05-2020 12:50 AM
- Karma Re: Where is the default value of time_before_close property defined in splunk? for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: How to troubleshoot blocked queues that are preventing data from being indexed? for ltrand. 06-05-2020 12:47 AM
- Karma Using multiple REGEX for extracting a single field for splunker12er. 06-05-2020 12:47 AM
- Karma Why is Restrict Search Terms not working for dflodstrom. 06-05-2020 12:47 AM
- Karma What is the best way to design/define roles? for chris. 06-05-2020 12:46 AM
- Karma Re: What is the best way to design/define roles? for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Size limit for an event? for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: What variables can you use in email subject? for johnebgood. 06-05-2020 12:45 AM
- Posted How do I configure Universal forwarder to send only internal logs and discard rest of the data? on Getting Data In. 04-20-2020 10:38 PM
- Tagged How do I configure Universal forwarder to send only internal logs and discard rest of the data? on Getting Data In. 04-20-2020 10:38 PM
- Tagged How do I configure Universal forwarder to send only internal logs and discard rest of the data? on Getting Data In. 04-20-2020 10:38 PM
- Posted How to Disable SSL Validation in Gitlab Add-on? on All Apps and Add-ons. 03-31-2020 11:47 AM
- Tagged How to Disable SSL Validation in Gitlab Add-on? on All Apps and Add-ons. 03-31-2020 11:47 AM
- Tagged How to Disable SSL Validation in Gitlab Add-on? on All Apps and Add-ons. 03-31-2020 11:47 AM
- Tagged How to Disable SSL Validation in Gitlab Add-on? on All Apps and Add-ons. 03-31-2020 11:47 AM
- Posted License Utilization from a Disabled Index when collecting data using HEC on All Apps and Add-ons. 02-12-2020 10:05 PM
- Tagged License Utilization from a Disabled Index when collecting data using HEC on All Apps and Add-ons. 02-12-2020 10:05 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-20-2020
10:38 PM
About our architecture -
All of our UFs send data to one UF. We call it Intermediate Universal Forwarder. (IUF)
IUF receives data and forwards it to splunkcloud.
IUF is our gateway to splunkcloud.
Goal-
I am building a Disaster Recovery component of this IUF.
When there is No DR Scenario in place, IUF needs to send only _internal logs to splunkcloud but when there is DR Scenario, it needs to send all logs to splunkcloud.
This way I will be able to track the UF status on all DR nodes as well and won't consume license from them when there is no DR Scenario in place.
If I can figure out how to send only _internal logs to splunk, I could bundle this configuration into a DR-Control app into the IUF.
How do I configure a UF to send only _internal logs (Both it's own and forwarded to it by other UFs) to it's default outputs.conf location (which in our case is splunkcloud) and discard all other data to null queue?
... View more
03-31-2020
11:47 AM
I am facing following error while trying to collect logs from gitlab add on. Can anyone help me disable it. Changing the verify=True to False tor Http request function in base_modinput.py did not help as suggested on other similar question on this issue.
2020-03-31 11:33:18,582 ERROR pid=793 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/get_events.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/input_module_get_events.py", line 166, in collect_events
headers=headers)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/modinput_wrapper/base_modinput.py", line 476, in send_http_request
proxy_uri=self._get_proxy_uri() if use_proxy else None)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/splunk_aoblib/rest_helper.py", line 43, in send_http_request
return self.http_session.request(method, url, **requests_args)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)
... View more
02-12-2020
10:05 PM
Why splunk counts data sent via HEC as consumed license even when destination index is disabled?
I am observing similar behavior in our Pord, Dev and POC environments.
... View more
What is the front end technology being used by splunk to render web pages and forms?
I want to modify the default value applied by alert expiration field in new alert creation form. By default it’s 24 hours. Is there a way in configs or some XML files which can be modified to change this to 7 days?
I also want the default privacy selection to be shared in app instead of private.
... View more
08-27-2019
08:13 PM
What’s the name of your two sourectypes ?
Where have you deployed them? SH or forwarder?
... View more
07-06-2019
06:03 PM
We are on splunkcloud, when I create a sourcetypes with LINEBREAKER setting via splunk UI, does it stored at SH or the INDEXER.
... View more
07-06-2019
06:00 PM
What do you mean by “first full value of splunk”?
... View more
07-03-2019
11:41 PM
Thank you for sharing the document. I have one doubt.
Most of my sourcetypes are defined at search head via splunk web UI. They use LINE_BREAKER attributes like - BREAK_ONLY_BEFORE, LINE _BREAKER etc.
When I make changes into any of these attributes, I can see changes in events breaking within few minutes.
Now, these LINE BREAKING key:value pairs needs to be utilised by indexer before the events are indexed.
How is it that I make a change on Splunk Web UI and it get's reflected in event processing while the changes should have been made at indexer level. Any idea how it works in backend?
... View more
07-03-2019
09:40 PM
Where are Source type definitions stored in Distributed environment? and How to manage them?
For example -
When I create a sourcetype using Splunk Web - I am assuming that they are being stored at Search Heads and later somehow migrated to indexers. I can edit them via splunk web UI directly. But Web UI won't show any source types defined in my indexers.
If I want to achieve selective parsing (ex: index only WARN logs), then since event processing occurs at indexer, I will have to define this sourcetype at indexers. And these change won't be visible to me at all since indexers are not accessible via splunk web. ( I am using splunkcloud) This is a major pain point in improving data quality since the sourcetype configuration is not all all visible to us.
What is the best practise, how do i manage my source types especially in case of splunkcloud. Is there any way to keep sourcetypes on indexers and Search Heads synchronised?
... View more
07-01-2019
12:47 PM
Thank you. Field extraction was not shared across all apps.
... View more
06-27-2019
10:41 PM
Exact same query when run via search app returns 0 Statistics but shows correct stats when run via cloud monitoring app.
I am not using any macros here.
What could be the issue here?
Query [Time range: Yesterday]:
(search_id!="rsa_" action=search host= host=sh*.splunkcloud.com index=audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin)
| eval user=if((user == "n/a"),null(),user), search_type=case(match(search_id,"^SummaryDirector"),"summarization",match(savedsearch_name,"^ACCELERATE"),"acceleration",match(search_id,"^((rt_)?scheduler_|alertsmanager_)"),"scheduled",match(search_id,"\d{10}\.\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"), search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name)
| stats min(_time) as _time, values(user) as user, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host
| search (host=* search="" user="")
| where ((search_type = "scheduled") AND isnotnull(search))
| eval earliest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiStartTime,"%ZERO_TIME%"),"-",true(),apiStartTime), latest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiEndTime,"%ZERO_TIME%"),"-",true(),apiEndTime), _time=strftime('_time',"%m/%d/%Y %H:%M:%S %z")
| stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id
| where (total_run_time >= 0)
| sort - total_run_time
| fields search, total_run_time, _time, earliest, latest, search_type, user
| eventstats count max(total_run_time) as max_run_time sum(total_run_time) as total_run_time_2 by search user
| sort 0 - total_run_time
| dedup search user
| fields search, max_run_time, _time, , earliest, latest, search_type, user, total_run_time_2 count
| rename _time as "Search Start", earliest as "Earliest Time", host as Host, latest as "Latest Time", search as "Report/Alert Name", search_id as SID, search_type as Type, max_run_time as "Max Runtime (seconds)", total_run_time_2 as "Total Runtime (seconds)", user as User, count as "Execution Count" | head
Screenshots:
... View more
06-03-2019
03:48 AM
What else can I do in order to reduce the latency in indexing for below case-
Facing large latency in indexing events for a brief period of time, every day.
I have a single source file, which logs about 0.5 Mb of data per 5 minutes. However, the same source file adds about 5000 MB data within a span of 15 minutes, only once per day.
The issue occurs due to splunk forwarder is not being able to process all 5000 MB of data within 15 minutes. I am observing few queue blocks Warning and our parsing queue is clogged (Filled greater than 90%) for almost an hour.
What have I tried already?
Increased thruhput from 256KBps to 1024 KBps.
This did help a little bit but still facing large latency issue. Meanwhile my throughput is maxed out during the duration of this issue. Not sure how much more can I increase this limit.
Added two pipelines to process events on forwarder.
This does not help as each sourcefile can be processed with a single pipeline only. A source does not load balance between multiple pipelines when processing events.
I have collected few time charts into dashboard to troubleshoot it further, attached below is the same.
About time charts in below image -
Timechart 1: Latency in events
Timechart 2: Sum of Size of events { len(_raw) }
Timechart 3: Sum of Size of events by _indextime instead of _time (Shows the size of events that were indexed during a period)
Timechart 4: Queue Fill Percentage
Timechart 5: Queue blocked count per 5 minutes
Timechart 6: Pipeline processors CPU Usage
Timechart 7: Throughput (KBps)
... View more
05-20-2019
02:07 PM
Thank you for your response. I am reading more about it to check if it cam solve my problem.
... View more
05-16-2019
12:05 PM
My bad it should be
... | stats list(field_name)... by ID
Edited my answer.
... View more
05-16-2019
11:40 AM
Try this.
index=* "message.Origin"=blabla source="something "
| eventstats count(eval('logger' ="test1")) as "example",
count(eval(logger ="test2”)) as "example2" by ID
| stats List(field1) as field1 List(field2) as field2... List(fieldN) as fieldN max(example) max(example2) by ID
... View more
05-16-2019
11:13 AM
Post event stats you can filter events with | search logger=“test1”
... View more
05-16-2019
10:42 AM
1 Karma
I don't have access to splunk right now but I can help with the algorithm-
Use ---> | rest splunk-rest-api-endpoint-for-savedsearches and |rest splunk-rest-api-endpoint-for-views commands to get details of all dashbaord and saved searches (reports and alerts) in a table format.
use fields command to narrow down the required fields which also include the search query
use regex commands to check for the use of index in the query.
use stats command to build a report of dashboards, reports and alerts by each index.
Hope it helps!
... View more
05-16-2019
10:27 AM
I have market data feed indexing into splunk.
The logs look like following -
Security: "HDFC", FIELDS: {"PRICE", "ASK", "HIGH"}, receivedTime: <time-string>
Security "YESBANK", FIELDS= {"PRICE", "HIGH"}, receivedTime: <time-string>
Security: "HDFC", FIELDS: {"ASK", "HIGH"}, receivedTime: <time-string>
Security: "HDFC", FIELDS: {"PRICE"}, receivedTime: <time-string>
Security: a single value filed
FIELDS: a multi value field
receivedTime: sting, can be different from _time
There are close to 5000 Securities log in daily.
It's about 10 GB of license usage per day. So it's a large number of events.
We want to calculate the SECUIRTY:FIELD pairs that are logging less frequency than their usual input frequency.
so, for a SECURITY:FIELD pair -
diff_time = recievedTime (previous) - receivedTime (current)
this diff time varies from each SECURITY:FIELD pair from other. Some log in every second, others log in only once a day.
The challenge is to come up with an alert/alerts that dynamically calculates the optimum frequency (diff_time) for each SECURITY:FIELD pair and then compares it with it's current value.
Now let's say we assume that an optimum frequency will be the average of last 7 frequency of inputs of same SECURITY:FIELD pair.
In order calculate this value I will have to run the query for last 7 days (cause some log only once a day), and with large amount of data and use of mvexpand command, this is not viable.
How do you suggest I achieve this goal? Please suggest an algorithm for it.
I can't use a lookup table cause of it's size issue. A large burst of input data will bring down whole splunk if lookup table grows wildly.
... View more
05-16-2019
12:48 AM
I could not find this property under $SPLUNK_HOME$/system/default/inputs.conf
time_before_close =
* The amount of time, in seconds, that the file monitor must wait for
modifications before closing a file after reaching an End-of-File
(EOF) marker.
* Tells the input not to close files that have been updated in the
past 'time_before_close' seconds.
* Default: 3.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
