cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kenmcgarrahan
Explorer
Member since: ‎02-04-2014
‎06-05-2020
Community Statistics
Posts 8
Solutions 1
Karma Given 1
Karma Received 6
Member Since ‎02-04-2014
Activity Feed
View All

Re: JSON Data Query

by in Getting Data In
‎04-07-2020 08:09 AM
‎04-07-2020 08:09 AM
@cblanton - We did not pursue the props.conf/transforms.conf referenced below. To be brutally honest, I had completely forgotten about this query. Either the need/requirement for it was re-stated or it was no longer relevant. ... View more

Re: JSON Data Query

by in Getting Data In
‎04-25-2018 08:25 AM
‎04-25-2018 08:25 AM
Ideally, we'd end up with a table where each event was a row, with each 'label' value a named column whose value is the 'answer' value. With apologies for the formatting, something like: Id username Work Order Work Order Date Order Time Completion Date 987654321 some.user 12345 04/01/2018 15:17:00 04/01/2018 987654322 other.user 12346 04/01/2018 16:00:00 04/03/2018 The JSON 'data' array is a list of attributes which varies in content across events. Being able to report and filter results off those attributes is the target. ... View more

JSON Data Query

by in Getting Data In
‎04-24-2018 12:58 PM
1 Karma
‎04-24-2018 12:58 PM
1 Karma
We are ingesting JSON data similar to the following: { "Id":"987654321", "data":[ { "answer":"12345", "label":"Work Order" }, { "answer":"04/01/2018", "label":"Work Order Date" }, { "answer":"15:17:00", "label":"Order Time" }, . . (more answer/label elements) . ], "username":"some.user" } Entirely possible we're missing it in the spath and related JSON processing documentation, but we're unable to determine how to format a search query which allows use of the "label" value as the left-hand side and the "answer" value as the right-hand side of a query (e.g., "Work Order Date"="04/01/2018"). The JSON array contains additional answer/label pairs with other date values, so specifying something like 'data{}.answer="04/01/2018"' is insufficient, as it matches any event where that date appears as any 'answer' value. Any suggestions? ... View more

Re: How to configure DBX Connect and Search Head P...

by in Deployment Architecture
‎07-24-2014 08:34 AM
1 Karma
‎07-24-2014 08:34 AM
1 Karma
Problem was ultimately traced to a firewall issue which prevented the DB connection. Splunk support helpfully pointed out that setting 'validate' to 'False' in dbx/bin/dbx_shpinst.py allows bypassing of DB check to validate successful creation of distributed.conf. ... View more

How to configure DBX Connect and Search Head Pooli...

by in Deployment Architecture
‎07-01-2014 12:51 PM
1 Karma
‎07-01-2014 12:51 PM
1 Karma
Attempting to configure DBX in a distributed configuration following the guidance at: http://docs.splunk.com/Documentation/DBX/1.1.4/DeployDBX/Setupsearchheadpooling Attempting to execute the dbx_shpinst.py script against any DB entry yields the same error: /apps/splunk/bin/splunk cmd python /${shared-volume}/etc/apps/dbx/bin/dbx_shpinst.py search-head:8089 --user admin --db my_db_name splunk password: database password: No handlers could be found for logger "splunk.rest" Could not validate password Splunk is 6.0.1. DBX is V1.1.4. Any guidance on resolving this error? ... View more

Search Head Pool and Clustering

by in Deployment Architecture
‎04-29-2014 04:03 PM
3 Karma
‎04-29-2014 04:03 PM
3 Karma
Are cluster configuration and search head pooling compatible? In other words, can one configure a master node that references a search head pool? The "Managing Indexes and Clusters" document implies it is possible: If you want to use some of the more advanced features of distributed search, such as search head pooling or mounted bundles, you must edit distsearch.conf on the search head. For detailed information on search heads, including instructions on how to do advanced configuration, read the Distributed Search manual. That chapter focuses on non-clustered environments, but it also provides correct information for configuring advanced features on clustered search heads. However, the Distributed Search document makes no reference to that configuration. Does this imply that the master node configuration will reference the search heads in the pool individually, and that the search heads participation in the "pool" is governed by their individual configuration? ... View more

Re: Splunk DB Connect and reverse proxy

by in Getting Data In
‎02-24-2014 10:21 AM
‎02-24-2014 10:21 AM
No valid support contract (yet), so opening a support case isn't possible. When production licenses are procured, I can add the support case. ... View more

Splunk DB Connect and reverse proxy

by in Getting Data In
‎02-24-2014 04:03 AM
‎02-24-2014 04:03 AM
Running Splunk (in trial mode) behind a reverse proxy (wiki.splunk.com/Community:SplunkBehindAProxy) and have a problem with the DB Connect app not using the configured context root for selected actions. In ${SPLUNK_HOME}/system/local/web.conf: [settings] root_endpoint = /splunkv tools.proxy.on = True In the DB Connect configuration in the web console, the URL associated with the 'Database Connections in Splunk Manager' button lacks the '/splunkv'/ context. A 'hover' over indicates the URL is '//myhost/manager/dbx/dbx/databases', an invalid context which displays a 404 error when clicked. Manually correcting the URL to include the 'splunkv' context ('//myhost/splunkv/manager/dbx/dbx/databases') displays the page correctly and allows interaction with the DB Connect configuration. Is there a corresponding DB Connect proxy setting which corrects this error? Is there a general solution which ensures adherence to the root_endpoint value in web.conf? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
Karma given to
View All