Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About raj_mpl
raj_mpl
Path Finder
Member since:
01-12-2018
2 weeks ago
Community Statistics
| Posts | 91 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 01-12-2018 |
Activity Feed
- Posted Lookup based dashboard in another SHC where the Lookup file is not there on Dashboards & Visualizations. 2 weeks ago
- Posted O365 logs stopped indexing on All Apps and Add-ons. 06-11-2020 03:02 AM
- Got Karma for Re: How do you get the value from a tabular event for alerting?. 06-05-2020 12:50 AM
- Got Karma for Re: How do you get the value from a tabular event for alerting?. 06-05-2020 12:50 AM
- Posted Re: Table time field using transaction on Splunk Search. 10-18-2019 02:27 AM
- Posted Re: Splunk DB Connect: How to send database search output to Splunk and build a dashboard with the result set? on All Apps and Add-ons. 07-08-2019 05:25 AM
- Posted Re: Splunk DB Connect: How to send database search output to Splunk and build a dashboard with the result set? on All Apps and Add-ons. 06-25-2019 10:15 PM
- Posted Re: Splunk DB Connect: How to send database search output to Splunk and build a dashboard with the result set? on All Apps and Add-ons. 06-25-2019 05:26 AM
- Posted Splunk DB Connect: How to send database search output to Splunk and build a dashboard with the result set? on All Apps and Add-ons. 06-24-2019 10:16 PM
- Tagged Splunk DB Connect: How to send database search output to Splunk and build a dashboard with the result set? on All Apps and Add-ons. 06-24-2019 10:16 PM
- Tagged Splunk DB Connect: How to send database search output to Splunk and build a dashboard with the result set? on All Apps and Add-ons. 06-24-2019 10:16 PM
- Posted splunk alert subject - [EXTERNAL] splunk alert failed on Reporting. 05-16-2019 09:45 PM
- Tagged splunk alert subject - [EXTERNAL] splunk alert failed on Reporting. 05-16-2019 09:45 PM
- Posted How to place splunk lookup table data output to a remote server? on Splunk Search. 04-29-2019 02:58 AM
- Posted Re: What happens when we restart universal forwarder as root user ? on Getting Data In. 04-26-2019 02:49 AM
- Posted Re: What happens when we restart universal forwarder as root user ? on Getting Data In. 04-26-2019 02:42 AM
- Posted What happens when we restart universal forwarder as root user ? on Getting Data In. 04-26-2019 02:34 AM
- Posted Re: Log data of a particular sourcetype from one of the forwarder is missing in splunk on Getting Data In. 04-26-2019 02:29 AM
- Posted Re: Log data of a particular sourcetype from one of the forwarder is missing in splunk on Getting Data In. 04-25-2019 02:03 AM
- Posted Log data of a particular sourcetype from one of the forwarder is missing in splunk on Getting Data In. 04-24-2019 10:26 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
Hi All, I have created a dashboard which was entirely built on dynamic lookup files in a clustered environment. It basically shows the statistics content and required values of the lookup file in different panels based on the requirement. Now the requirement is to create the same dashboard in another cluster environment where the lookup files were not exist (we are not authorized to upload the necessary lookup files in this SHC). How to accomplish this? Thanks in advance 🙂
... View more
06-11-2020
03:02 AM
Hi There , I can see the internal logs error message as below 2020-06-06 09:00:23,441 ERROR pid=2 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 500 Server Error: Internal Server Error for url: https: *********** Can someone guide me in fixing the issue so that the logs resume Thanks in Advance
... View more
- Tags:
- o365
Labels
- Labels:
-
other
10-18-2019
02:27 AM
The time of the first event in the transaction is assigned to _time for the entire transaction. The transaction command automatically assigns a duration field to each transaction. You can eval the end time to be _time + duration.
... your search and transaction | eval First_Event_Time=_time|Table ........
... View more
07-08-2019
05:25 AM
I go with scripted input as of now . Could you please help me about the configuration files .
I have the Query with me now . If I place that query in a script , after a successful run of that script ,output will be redirected to a separate file .
Now how to keep my config files in forwarder , at a time executing the script as well as reading the output file.
New to scripted inputs. Thanks
... View more
06-25-2019
10:15 PM
Yes @amitm05 , search queries using |dbquery has to be processed by splunk only but the data for processing will be in database .
I am thinking to develop a script for running the query on database and will keep it as scripted input with a interval=20m like that . Will it work ?
... View more
06-25-2019
05:26 AM
Hi @amitm05 ,
Could you just elaborate the procedure number 3 . And more over I had scheduled some of the database search queries using |dbquery command in splunk . So any kind of database related search query is ultimately processed by splunk only right?
Please correct me in this.
Thanks 🙂
... View more
06-24-2019
10:16 PM
Hi all,
My requirement is, I have to build a Dashboard by using a database search output.
I have a complex SQL search with 100+ lines logic in it having complex logic in it.
When I tried to run through Splunk which is another network, Faced problems with Java Bridge server (Status as loading or stopped). And the search job status will be displayed as parsing
Due to which other database cron jobs were stopped.
By restarting Search Head I am able to see Java Bridge server status a s running again.
Now is there any possibility to build a dashboard with the output of complex SQL search without running it through Splunk?
We are using Splunk dbconnect app 1.1.4 version.
Thanks 🙂
... View more
05-16-2019
09:45 PM
Hi All,
We used to get splunk alerts with a subject line defined as splunk alert : $name$
From 2 days onwards , Subject line included a string called [EXTERNAL] in all the Splunk alerts . Ex
[EXTERNAL] Splunk Alert : Failure Alert . Unwanted string [EXTERNAL] was added to all the subject lines
Why this [EXTERNAL] string is being adding to the splunk alerts ?
How to avoid that?
Thanks
... View more
- Tags:
04-29-2019
02:58 AM
Hi All,
I had configured an alert with trigger action as Output results to lookup with replace option .
Since the alert will run every 1 hour , a .csv will get generated with the results right.
Now are there any ways to send that particular lookup file to an external location means to an external remote server location ?
Thanks in advance .
... View more
04-26-2019
02:49 AM
Ok @FrankVl , Thanks for your quick response
Thank you 🙂
... View more
04-26-2019
02:42 AM
Will that work ? And The missing log from a particular source will start indexing again if I restart the splunk UF as splunk user.
And what the thing called fish bucket .bat files in this scenario?
... View more
04-26-2019
02:34 AM
Hi All,
So , What happens when I restart universal forwarder as root user on Linux . And Previously if done so what needs to be done if anything goes wrong
I am missing one of the log file on a particular host , but remaining logs from different sources are working fine from the same host
So restarted UF as root user ,but didn't worked
Any help ?
Thanks
... View more
04-26-2019
02:29 AM
What happens if we restart the splunk forwarder with a root user ?
... View more
04-25-2019
02:03 AM
Yes , Other sources are also sending the data to same Index
[monitor:///user/sysem.log]
index=bal
sourcetype=mri
And for the same index different log from different sources are coming
... View more
04-24-2019
10:26 PM
Hi All,
In UF installed server ,we have monitor stanza to read the .log file from a particular source named it as one of the sourcetype.
I used to get the log feed upto 7 days . But suddenly it stopped and not able to see any log feed from that particular sourcetype only
But I am getting the different types of log files nearly from 8 sources from the same UF installed server to indexer
I had rebooted the UF but no luck . By running splunk btool command I can see the monitor stanza for the missing sourcetype in inputs.conf along with others
Please guide me on this
Thanks
... View more
04-18-2019
02:34 AM
Hi all,
Splunk is not sending alert emails to one of the group distribution list . But at the same time it is sending the emails to other group distribution list and all the individual email ids in that alert DL list
what could be the problem here
Thanks
... View more
- Tags:
- splunkalert
04-11-2019
10:30 PM
@akarunkumar321 , You can try the below query and let me know
index=ccp source=service1.log earliest=-4h latest=now() | rex field=_raw "trackingId\":\s\"(?[\w-]+)\"" | table ProducerTrackingID |join type=outer ProducerTrackingID [search index=service2.log earliest=-4h latest=now() | rex field=_raw "trackingId\":\s\"(?[\w-]+)\""|rename ConsumerTrackingID as ProducerTrackingID]|search NOT source=service1.log
... View more
04-11-2019
10:18 PM
@akarunkumar321 can you try splunk joins here
... View more
04-09-2019
12:18 AM
... | rex "(?<STATUS>good|bad)" will help you
... View more
03-25-2019
10:07 PM
Hi All, I found the solution for this , Will take a chance to update the answer here
Firstly I had written the regex to extract the multiple values of MID's and TID's from the raw logs
sourcetype=mysourcetype TID MID | rex max_match=50 "<MID>(?P<mid_extracted>[^\<]+)"|rex max_match=50 "TID\=\"(?P<tid_extracted>[^\"]+)" |table mid_extracted , tid_extracted
Now to split the multiple values in a singe event used > MVEXPAND and finally performed the join with the externally uploaded lookup file .Lookup table contains 2 columns . one is MID Values/TID Values second one is Status .Under MID Values/Tid Values columns we have all the values to be checked and in second column all the values were written as MATCHED
The final query having join condition is as below
sourcetype=mysourcetype TID MID |rex max_match=50 "TID\=\"(?P<tid_extracted>[^\"]+)" |mvexpand tid_extracted |table tid_extracted |join type=left tid_extracted [| inputlookup tid_test.csv]
Now If any value in Splunk extracted output matches the value in Lookup file , The status field value displays as MATCHED
else
displays empty value
Note: In lookup file the column heading should be exactly as splunk output field heading means tid_extraced should be same
... View more
