Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About inventsekar
inventsekar
Super Champion
Member since:
06-19-2015
09-07-2021
Community Statistics
| Posts | 1263 |
| Solutions | 149 |
| Karma Given | 1676 |
| Karma Received | 322 |
| Member Since | 06-19-2015 |
Activity Feed
- Posted Re: Dashboard Single Value Panels on Dashboards & Visualizations. 09-07-2021 06:12 AM
- Got Karma for Re: Regex for multiline. 08-27-2021 02:44 AM
- Got Karma for Re: PLEASE READ BEFORE POSTING FEEDBACK. 08-19-2021 12:37 PM
- Got Karma for Sekar, the splunker!. 08-19-2021 12:35 PM
- Got Karma for Re: Need some help on rex command - User agent. 08-12-2021 10:21 AM
- Got Karma for Re: PLEASE READ BEFORE POSTING FEEDBACK. 08-11-2021 11:28 AM
- Got Karma for Re: Dashboard loading time for first time is high. 07-21-2021 04:05 AM
- Posted Re: How do I Identify anomalous changes in event counts across critical hosts and sources in Splunk & ES? on Splunk Enterprise. 07-15-2021 08:22 PM
- Posted Re: S3 indexes.conf issues on Splunk Enterprise. 07-15-2021 10:22 AM
- Posted Re: alert when directory or subdirectory does not have file that created today on Splunk Search. 07-15-2021 09:46 AM
- Tagged Re: alert when directory or subdirectory does not have file that created today on Splunk Search. 07-15-2021 09:46 AM
- Posted Re: Network Availability Report on Monitoring Splunk. 07-15-2021 09:38 AM
- Posted Re: Timechart future dates on Dashboards & Visualizations. 07-15-2021 09:30 AM
- Posted Re: I need complete this query find the top 5 viewed products referred by a domain. on Splunk Search. 07-15-2021 09:11 AM
- Posted Re: Timechart future dates on Dashboards & Visualizations. 07-15-2021 08:45 AM
- Got Karma for Re: I need complete this query find the top 5 viewed products referred by a domain.. 07-13-2021 08:50 PM
- Posted Re: Splunk users getting logged out repeatedly while they are actively using dashboard on Splunk User Behavior Analytics. 07-11-2021 05:58 AM
- Posted Re: I need complete this query find the top 5 viewed products referred by a domain. on Splunk Search. 07-11-2021 05:56 AM
- Got Karma for Re: Splunk users getting logged out repeatedly while they are actively using dashboard. 07-09-2021 05:58 AM
- Got Karma for Re: Show hosts that stop reporting logs. 07-07-2021 01:30 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 2 | |||
| 0 |
09-07-2021
06:12 AM
Please check this post: https://community.splunk.com/t5/Splunk-Search/How-do-you-fix-the-font-size-of-each-single-value-display-panel/m-p/383063
... View more
07-15-2021
08:22 PM
Hi @SamHTexas .. critical hosts and sources - may we know this list is a small one with few hosts and sources or a large list? for example, if you got only less than 5 / 10 hosts, we can use simple SPL query.. if the list is big, then 1) you should create a CSV file - host or source - number of logs today - date of today 2) then create alert on that CSV file and create email alerts the basic idea: just the reverse of idea of host stops sending logs: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-determine-when-a-host-stops-sending-logs-to-splunk-expeditiously.html (if a host sent more than 1million logs in last 24 hrs, create an email notification)
... View more
07-15-2021
10:22 AM
Hi @anuragschandra ... https://docs.splunk.com/Documentation/Splunk/8.2.1/admin/Indexesconf#indexes.conf.example ### This example demonstrates how to configure a volume that points to
### S3-based remote storage and indexes that use this volume. The setting
### "storageType=remote" indicates that this is a remote-storage volume.
### The "remotePath" parameter associates the index with that volume
### and configures a top-level location for uploading buckets.
[volume:s3]
storageType = remote
path = s3://remote_volume
remote.s3.bucket_name = example-s3-bucket
remote.s3.access_key = S3_ACCESS_KEY
remote.s3.secret_key = S3_SECRET_KEY also pls check this https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/ConfigureremotestoreforSmartStore also this page has got some good details on indexes.conf for S3:ac https://blog.arcusdata.io/how-to-set-up-splunk-smart-store-in-aws
... View more
07-15-2021
09:46 AM
Hi @indeed_2000 How can I trigger this with Splunk: every day check that path and whenever one server not copy backup files, Splunk alert me you should write a simple query like index=main host=hostname | stats count and save it as alert.. on the alert, add a condition that if the count is "zero"(the hostname has not sent backup files), then send you an email notification.
... View more
- Tags:
- alerts
07-15-2021
09:38 AM
Hi @Vaishnavi_sahil ..may i know if this info/log is already loaded to splunk or not.. if not yet, then, i think thats an excel file, right.. so, please save it as a CSV file and then upload that data to splunk. once you loaded to splunk, then splunk query will be easy. for example (if you update us the field names, then query will be formulated): index=nnm_logs | table Node_Name Node_Availability
... View more
07-15-2021
09:30 AM
| eval latest = if(1626908400 < 0, now(), 1626908400) <some logic is wrong in calculating the latest.. "1626908400 < 0" will always fail and it latest will always be assigned "1626908400" > the earliest and latest are not added to the search command.. once you add that, the timechart will work fine i think. please check the latest calculation and update us back, thanks.
... View more
07-15-2021
09:11 AM
Sure @EdwinOssa , no problems.. i appreciate your questions and wish you best of luck for your splunk learnings .. (sorry for the late reply) 1) the " chart avg(percent)" is missing a "by" field.. generally "chart avg(time_spent) by referer_domain" Please check the search reference document for chart command syntax and examples: https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Chart#Basic_examples 2) the time_spent field is not available on the logs i think(i am not sure of the last number that appears on these logs.. that may be the time_spent, but i am not sure) 3) referer_domain is just 4 on these logs. so something missing on your requirement. Please let us know more details.
... View more
07-15-2021
08:45 AM
Hi @_Mauro_Costa_ .. timechart will work fine for future dates, though empty of logs: index="test_index" earliest=-2h@h latest=+d@d |timechart span=30m count by host
... View more
07-11-2021
05:58 AM
Hi @Jugabanhi not sure of this issue.. only Splunk Support can help us on these situations. could you please follow up with Splunk Support and after your issue got resolved, maybe you could update your solution here, for future reference. thanks.
... View more
07-11-2021
05:56 AM
1 Karma
Hi @EdwinOssa your query is perfect one.. the field "productName" is not available. only "ProductId" is available. so, you could run: index=main sourcetype=acc* action=view [search sourcetype=acc* status=200 action=view | top limit=5 referer_domain | table referer_domain] | stats count,values(productId),distinct_count(productId) by referer_domain
... View more
07-04-2021
01:23 AM
@HattrickNZ if you are having a 9 digit epoch means, thats timestamp value is a very old timestamp(before Sun Sep 9 01:46:39 2001 UTC)(but ideally it should work fine, something wrong.. pls provide us your search query) Question Will UNIX's epoch time change from 9 to 10 digits affect Gentran? (SCI8237) Answer No. epoch time is how time is kept track of internally in UNIX. It's seconds, counting upward from January 1st, 1970. This number hit 1 million (1,000,000) in March of 1973, and will hit one billion (1,000,000,000) on Sun Sep 9 01:46:39 2001 UTC. This change, from a number which can be represented in 9 decimal digits to a 10-digit number, is not expected to cause any problems for UNIX systems. The reason is that this value is not stored as decimal digits. Instead, it is stored as an integer value (a 32-bit binary variable) which can be used safely until the year 2038, when the epoch date goes back to 0. The uses in UNIX of a decimal format for the "seconds time" value are primarily in portable file formats, such as tar, cpio, and ar. These formats have always supported at least eleven decimal (or octal in some cases) digits, easily handling UNIX's one-billionth "birthday". https://www.ibm.com/support/pages/will-unixs-epoch-time-change-9-10-digits-affect-gentran-sci8237-sterling-gentranserver-unix
... View more
07-02-2021
08:41 PM
1 Karma
Hi @splunkcol https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-determine-when-a-host-stops-sending-logs-to-splunk-expeditiously.html Check this Splunk Search Query: | tstats latest(_time) as latest where index=main earliest=-24h by host
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
... View more
07-02-2021
05:35 PM
1 Karma
Hi @Jugabanhi more details needed please.. - is this a new install? - are there any new upgrades recently? - the users authentication, is it LDAP? to troubleshoot further... There are three timeout settings: The splunkweb session timeout. The splunkd session timeout. The browser session timeout. If, for some reason, you need to set the timeouts for splunkweb and splunkd to different values, you can do so by editing their underlying configuration files, web.conf ( tools.sessions.timeout setting) and server.conf ( sessionTimeout setting). For example: $SPLUNK_HOME/etc/system/local/server.conf - [general] sessionTimeout = 3h $SPLUNK_HOME/etc/system/local/web.conf - [settings] tools.sessions.timeout = 180 - Could you please try to find out your splunk's splunkweb timeout and splunkd timeout(you said splunkweb timeout as 60mins,.. is splunkd timeout also same, pls doublecheck that) - pls check with system admins and find out the browsers timeout these values will help us analyze the problem further. https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Configureusertimeouts Best Regards, Sekar
... View more
07-02-2021
12:25 AM
1 Karma
Hi,.. may i know if you faced this issue or users reported this issue to you? (at times the users exaggerate the small issues). please check the users login/logout times index=_internal file=login OR file=logout
... View more
07-02-2021
12:15 AM
Hi, splunkd sourcetype works fine:
earliest=-30d index=_internal sourcetype=splunkd user="*" action=login OR action=logoff | table user status action reason message sourcetype=splunk_web_service --- not available nowadays. I think its removed or merged with splunkd.
... View more
06-02-2021
08:27 AM
For reference of the new learners of crontab,... Minute ---- hour ------ day of month(1-31) ---- month(1-12) ---- day of week(0-6)
0 0 1 1,4,7,10 *
min----hr----day--- Jan,Apr,Jul,Oct---anydayOftheWeek
... View more
06-02-2021
08:12 AM
Hi @jip31 ... the if condition was wrong.. pls try this.. (i ran without the inputlookup, when you run it with the inputlookup, it should just be fine i think) | tstats count where (index=agd-*) by host index
| stats dc(index) as "Number of index" by host
| appendpipe
[| stats count as countKO
| where countKO = 0 ]
| eval countKO=if(countK0="No host in index", "countKO=0", countKO)
| table countKO if this resolves your query, pls accept it as answer.. upvote would be appreciated. thanks.
... View more
05-18-2021
05:30 AM
Hi @richgalloway / Hi All.. the above rest query returns around 25 searches, i ran all of them, all are running fine.. no errors they give(on the gui, as well as on job inspector),.. 1) on the internal logs, i see this error around 12 times per hour, (6 times at the hour, 6 times at the 30min).. so, just after it appears on the internal log, i login to the search head linux box, on the dispatch directory, when i search for the search logs for this error, the correct search query which caused this log into the internal logs not showing up.. find ./ -type f -exec grep -H '/86400)' {} \; find ./ -name search.log -exec grep -H '/86400)' {} \; 2. apart from search queries, is there anything else which might cause this errors in the internal logs?! (any field extractions, ..etc)
... View more
05-14-2021
11:46 AM
Hi All, On the internal logs i see this eval command error - ERROR EvalCommand - Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*)/86400)'. but it does not provide more details like which search query / search report / alert caused this error msg. searched about this, but no luck. could someone provide some suggestions please. thanks..
... View more
Labels
- Labels:
-
eval
04-05-2021
02:50 AM
Hi @prettysunshinez ... We can have a full panel as hidden. We can not hide one or two columns alone(as per my knowledge). Even if there are some ways to hide the column, how can you implement drilldown on that panel which is hidden?!?!.. If you explain your situation more clearly, there should be some other ways to solve this issue.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-07-2021
09:44 AM
|
Karma given to
