×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Stan
New Member
Member since: ‎08-04-2010
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-04-2010
Activity Feed
View All

How to invoke Splunk daemon to parse newly added f...

by in Getting Data In
‎09-21-2010 10:22 PM
‎09-21-2010 10:22 PM
Since I usually turned of splunkd service on my local machine and only turn it back on when I need to do some log search. Chances that when I turn the daemon back on, I will have some more files that needs to be indexed right away for search. Is there any way can make Splunk daemon do this? There may be 2 cases: index a file in an already under tracked folder. index a random file that's not under tracking folder. Thanks. ... View more

Re: How to extract field with it's value enclosed ...

by in Splunk Search
‎08-12-2010 12:24 AM
‎08-12-2010 12:24 AM
The other question is there're so many props.conf files in splunk folder. Which one should I modify. And which section and what key should I add in? eg. [SECTION NAME] KEY = ^[[^]]+]\s+-\s*([\w ]+).+[\s*([^\s]+)\s*] ... View more

Re: How to extract field with it's value enclosed ...

by in Splunk Search
‎08-12-2010 12:19 AM
‎08-12-2010 12:19 AM
Thanks for the awesome solution. But I am too new to get this work. I tried to search with '"Remain Queue" > 10 | rex "^[[^]]+]\s+-\s*(? [\w ]+).+[\s*(? [^\s]+)\s*]" but no luck. Even remove double quotes from Remain Queue still doesn't work. Why? ... View more

How to extract field with it's value enclosed by s...

by in Splunk Search
‎08-04-2010 01:33 AM
‎08-04-2010 01:33 AM
When parsing some customized log, the format it's like below [timestamps] field name [value] [00:46:38] - Remain Queue [ 0 ] [00:46:38] - Remain Queue [ 2 ] The only search term works for me is "Remain Queue" NOT 0 . I've tried "Remain Queue">0 but no luck. How can I search/sort the remain queue count? How to train splurk to know Remain Queue is a field? Further more, I've got another log entry looks like below. Is it possible to parse it if I want key-value pair become Connect=93? [00:46:38] - Connect [ 330931 / 330838 ] [ 93 ] Thanks. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM