Activity Feed
- Karma Re: one search multiple chart for tfletcher_splun. 06-05-2020 12:46 AM
- Karma Re: thaw archive license implications? for gkanapathy. 06-05-2020 12:46 AM
- Got Karma for Limit REST concurrent searches for a user/role?. 06-05-2020 12:46 AM
- Got Karma for Re: enabling deployment monitor. 06-05-2020 12:46 AM
- Got Karma for Re: enabling deployment monitor. 06-05-2020 12:46 AM
- Got Karma for Re: enabling deployment monitor. 06-05-2020 12:46 AM
- Got Karma for Sourcetype aliasing. 06-05-2020 12:45 AM
- Got Karma for count rex output within one line?. 06-05-2020 12:45 AM
- Posted Re: 2 search heads for same indexers - No load balancing , No Search head pooling on Splunk Search. 04-14-2014 08:32 AM
- Posted Re: splunk-perfmon.exe exited with code -1 on Getting Data In. 02-24-2014 01:01 PM
- Posted Re: one search multiple chart on Splunk Search. 02-05-2013 02:09 PM
- Posted Re: one search multiple chart on Splunk Search. 02-05-2013 01:06 PM
- Posted one search multiple chart on Splunk Search. 02-04-2013 12:51 PM
- Tagged one search multiple chart on Splunk Search. 02-04-2013 12:51 PM
- Posted Re: splunk "searches and reports" list more owners? on Splunk Search. 10-17-2012 07:03 AM
- Posted splunk "searches and reports" list more owners? on Splunk Search. 10-16-2012 02:06 PM
- Tagged splunk "searches and reports" list more owners? on Splunk Search. 10-16-2012 02:06 PM
- Tagged splunk "searches and reports" list more owners? on Splunk Search. 10-16-2012 02:06 PM
- Posted Re: have to add wildcard to end of field value to search.. strange... on Splunk Search. 07-16-2012 12:45 PM
- Posted Re: have to add wildcard to end of field value to search.. strange... on Splunk Search. 07-16-2012 12:45 PM
04-14-2014
08:32 AM
When I try this I get "duplicate license" on the search peers page.
02-05-2013
02:09 PM
That works very well, I just opened the xml file in vi and replaced it. It didn't like using the UI view for that. Thanks a lot!
02-05-2013
01:06 PM
well, when I put that in the editor, now I can't find the view? Should I not have edited the existing view? I guess I will try making a new one? btw, this is 4.3.5 if that matters
02-04-2013
12:51 PM
trying to consolidate (only run search once). I see some examples but without my dropdown feeding the search. Can anyone help?
<?xml version='1.0' encoding='utf-8'?>
<form>
<label>ManagedServiceRuns</label>
<fieldset>
<input type="dropdown" token="thisclient">
<label>client</label>
<populatingSavedSearch fieldForValue="client" fieldForLabel="client">clientlistForJobs</populatingSavedSearch>
</input>
<!-- Add default TimePicker -->
<input type="time" />
</fieldset>
<row>
<chart>
<searchTemplate>sourcetype=jobinfo client="$thisclient$" | fields JobDurationSecs, jobName | timechart max(JobDurationSecs)</searchTemplate>
<title>ManagedServiceMaxTime Chart</title>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.legend.showMarkers">true</option>
</chart>
</row>
<row>
<chart>
<searchTemplate>sourcetype=jobinfo client="$thisclient$" | fields positionsAttempted |timechart max(positionsAttempted)</searchTemplate>
<title>ManagedServiceRuns Positions Attempted Chart</title>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.legend.showMarkers">true</option>
</chart>
</row>
<row>
<chart>
<searchTemplate>sourcetype=jobinfo client="$thisclient$" | fields averageReportsSize |timechart max(averageReportsSize)</searchTemplate>
<title>ManagedServiceRuns Averrage ReportSizeChart</title>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.legend.showMarkers">true</option>
</chart>
</row>
</form>
- Tags:
- multiple
10-17-2012
07:03 AM
way more than 50.
07-16-2012
12:45 PM
put this in two comments for length 🙂
then I have this in props.conf:
REPORT-frameworkparts = framework-parts,framework-threadname-parts,rmdirect-structuredlog,rmdirect-structuredlog-props,rm-framework-event-type
[threadname]
INDEXED=true
INDEXED_VALUE=false
07-16-2012
12:45 PM
that's interesting, so I tried indexed_value=false, didn't fix it. The fields.conf spec indicates this is only applicable for an index=false, which this field is indexed=true.
here's the deal, I have a transform (in transforms.conf of this app).
[framework-parts]
FORMAT = $0 loglevel::"$1" threadname::"$2" logger::"$3" user::"$4" rmrealm::"$5" processid::"$6" messageid::"$7"
REGEX = ([A-Z]+)\s+[(.?)]\s+(.?)\s+((.?@(.?)|.?))\s+((.?))\s+((.*?))
07-16-2012
10:23 AM
I have a field defined in a transform. The field appears to work fine in a chart, whatever, but to put it in a field I have to put fieldfoo="value*", even though the value has no characters (not even a space, I checked, after the "e" in this case).
To make it even weirder, there is an alias to this field (for backward compatibility for some old searches), and that one works fine....
- Tags:
- searching
- transforms
05-22-2012
06:44 AM
we are going to port data from an old splunk cluster (we are migrating data centers).
I'm assuming thawing archives doesn't count to your license?
05-11-2012
10:31 AM
the rest API was great, that provided good clues.. had to do with overlapping monitor stanzas. in old environment, server had separate folders, move to new one, I changed all monitor stanzas to the same folder, but apparently only one whitelist applied!
Changed to a (x.log|y.log) etc, whitelist and one stanza...
05-08-2012
02:41 PM
I think web mangled... I had the "." characters escaped, btw
05-08-2012
02:35 PM
I have a log structure like so:
/opt/data/logs/tomcat/foo or /opt/data/logs/tomcat/bar
the logs themselves are something like log1.out.2012-05-01, etc.
I've tried several monitor stanzas like:
[monitor:///opt/data/logs/tomcat/.../*]
whitelist: foo\.out\.*
or
[monitor:///opt/data/logs/tomcat/.../foo\.out\.*]
but nothing is picking up these logs...
- Tags:
- inputs.conf
- monitor
03-30-2012
12:03 PM
if you don't care about the data, you can run a clean all and essentially start from scratch.
12-01-2011
01:02 PM
well, there is a wrinkle here. Our new data center is all VMs. No local disk at all. It's surprisingly fast. I think rather than have two vms, I will just get one larger one. In a DR situation, we can bring up the VM in a new data center, and that can be scripted/automated.
11-30-2011
01:36 PM
so there's no way to make this automatic?
ug... i wonder how I notice the start of queuing? I guess I have to set up an alert...
11-30-2011
12:04 PM
done. http://splunk-base.splunk.com/answers/35354/totally-redundant-2-node-cluster
11-30-2011
12:03 PM
How to accomplish?
Right now, I have two indexers with distributed search, but they each have separate indexes, so if a node goes down, I am missing half my data.
I have a fast network share, so putting the indexes there isn't a problem, but I can't have both indexers write to the same index..
Could I have them each write to a separate index, but search across both? Wouldn't I get the same results twice?
Should one be an indexer, but the other a "fall back" indexer?
How to accomplish total redundancy? I can run web on both and put a load balancer in front no problem.
NOTE: The "forward to the other one for indexing as well" seems to imply I need to double my license. Not an option.
11-30-2011
11:38 AM
OK, I'm trying to understand this. I have two indexers, with only one running web, but doing distributed search.
so right now, this has no redundancy. I need to be able to search all logs even if one goes down, although I understand that performance will be reduced.
How do I accomplish this?
10-31-2011
01:23 PM
We have a compatibility app which keeps our old sourcetypes and field names. Can we point REST calls to this app?
- Tags:
- rest
10-19-2011
12:58 PM
3 Karma
I'll answer my own question. This turned out to be permissioning on the files/directories inside the apps/SplunkDeploymentMonitor. just do a chmod -R u+w SplunkDeploymentMonitor/
10-19-2011
12:17 PM
when I try to enable this app i get:
Error occurred attempting to enable SplunkDeploymentMonitor: In handler 'localapps': Cannot update application info: /nobody/SplunkDeploymentMonitor/app/install/state = enabled: Data could not be written: /nobody/SplunkDeploymentMonitor/app/install/state: enabled.
09-27-2011
08:11 AM
1 Karma
I have a user that wants REST access. Can I limit the number of concurrent searches for a user so I can be confident rogue code doesn't kill my splunk search?
- Tags:
- limits.conf
- rest
09-14-2011
02:20 PM
looking at:
http://www.splunk.com/support/forum:SplunkGeneral/2684
it looks like maybe this isn't doable with extracted fields?