Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About harald_leitl
harald_leitl
Path Finder
Member since:
02-20-2012
a month ago
Community Statistics
| Posts | 20 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 5 |
| Member Since | 02-20-2012 |
Activity Feed
- Karma Re: Is there a way to count the series of consecutive identical events that are interrupted by another event? for woodcock. a month ago
- Got Karma for Is there a way to count the series of consecutive identical events that are interrupted by another event?. a month ago
- Got Karma for Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2?. a month ago
- Got Karma for Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2?. a month ago
- Got Karma for Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2?. a month ago
- Got Karma for Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2?. a month ago
- Karma Re: Multiple Roles inherited from LDAP Group Memberships for dominiquevocat. a month ago
- Karma Re: colddb on NFS for martin_mueller. a month ago
- Karma Re: colddb on NFS for jodros. a month ago
- Posted Re: Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 05-13-2016 01:10 AM
- Posted Re: Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 05-13-2016 01:07 AM
- Posted Re: Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 04-27-2016 12:34 AM
- Posted Re: Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 04-27-2016 12:28 AM
- Posted Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 04-26-2016 11:54 PM
- Tagged Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 04-26-2016 11:54 PM
- Tagged Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 04-26-2016 11:54 PM
- Tagged Is there a way to count the series of consecutive identical events that are interrupted by another event? on Splunk Search. 04-26-2016 11:54 PM
- Posted Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2? on Getting Data In. 01-20-2015 11:12 PM
- Tagged Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2? on Getting Data In. 01-20-2015 11:12 PM
- Tagged Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2? on Getting Data In. 01-20-2015 11:12 PM
05-13-2016
01:10 AM
Sorry for the late answer.
Here is the solution for version 6.2.4:
|autoregress Event | eval sameAsNext=if(Event=Event_p1,1,0) | streamstats current=t count(eval(sameAsNext=0)) AS sessionID | eventstats count AS inArowCount BY sessionID | search sameAsNext=0 | fields Event inArowCount
... View more
05-13-2016
01:07 AM
I'm using 6.2.4, unfortunately the reset_before available in that version.
... View more
04-27-2016
12:34 AM
as I said I don't want to count the events like:
count(A)|count(B)
5 | 6
what I want is to count the series of identical events that are interrupted by an other event. as described above.
I want a result like:
consecutive Event | count
A | 2
B | 3
A | 1
B | 2
A | 2
B | 1
... View more
04-27-2016
12:28 AM
i'm sorry, but that's not what i'm looking for. I want a result like that:
consecutive Event | count
A | 2 --> first series A seq#1+seq#2 = 2
B | 3 --> first series B seq#3+seq#4+seq#5 = 3
A | 1 --> 2nd series A seq#6 = 1
B | 2 --> 2nd series B seq#7+seq#8 = 2
A | 2 --> 3rd series A seq#9+seq#10=2
B | 1 --> 3rd series B seq#11 = 1
... View more
04-26-2016
11:54 PM
1 Karma
Hello,
Is there a way to count the series of consecutive identical events that are interrupted by another event?
Something like that:
data:
seq#;Event
1;A
2;A
3;B
4;B
5;B
6;A
7;B
8;B
9;A
10;A
11;B
the result should look like:
consecutive Event | count
A | 2
B | 3
A | 1
B | 2
A | 2
B | 1
thx
... View more
01-20-2015
11:12 PM
4 Karma
Hello,
I'm using splunk universal forwarder version 6.1.2 on Windows Servers to index EventLogs. The Events are indexed (indexer version 6.1.2), however the message field contains following message:
Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
In the Event Viewer on the Windows Server the message field is displayed correctly. I couldn't identify a specific EventID nor Server version, it happens on win server 2003 and also 2008r2. However it seems to happen mostly in Security and Application Log.
If found an article that describes the problem, however it addressed a bug in 4.3.x
http://answers.splunk.com/answers/66436/splunk-could-not-get-the-description-for-this-event-4-3-2-universal-forwarder-server-2008-r2.html
Any ideas or suggestions? Could it be the same bug?
thanks!
... View more
08-08-2014
04:33 AM
Hi,
is it possible to use satellite view in xml "map" element?
thanks!
... View more
05-26-2014
01:32 PM
my bad, was a typo in my question. i do have %d.%m.%y %H:%M:%S configured in my props.conf.
I also tried your TIME_PREFIX regex, didn't work. Somehow Splunk always recognizes the date as date and time as I described above. any other idea? thanks.
... View more
05-26-2014
06:17 AM
Hi,
I have a problem with extracting the timestamp from an csv file.
Somehow Splunk recognizes the DATE as Date and Time.
Here is a sample of my CSV Log file:
123456;textA;08.03.10 07:54:43;textB;textC;textD
Here is the result I get from the search:
08.03.10 08:03:10,000
123456;textA;08.03.10 07:54:43;textB;textC;textD
As you can see date and time is the same.
Here is what I expect to see:
08.03.10 07:54:43,000
123456;textA;08.03.10 07:54:43;textB;textC;textD
My props.conf:
[myCSVsourcetype]
TRANSFORMS-null=setnull
TIME_FORMAT = %d.%m.%y %%H:%M:%S
TIME_PREFIX = ^\d+\;\S+\;
My transforms.conf: (to remove header)
[setnull]
REGEX = ^(.*\n){1}
DEST_KEY = queue
FORMAT = nullQueue
what am I doing wrong?
why does splunk not recognize the time from the log?
using Splunk 6.0.2.
CSV file is created and moved to an indexing directory once a day.
Thanks!
... View more
09-03-2013
02:06 AM
Hi,
Is it possible that multiple indexers (same index) use the same shared NFS directory for colddb?
For example:
indexer1:
indexes.conf
[indexA]
...
coldPath = /NFS/indexA/colddb
...
indexer2:
[indexA]
...
coldPath = /NFS/indexA/colddb
...
OR should it look like:
indexer1:
indexes.conf
[indexA]
...
coldPath = /NFS/indexer1/indexA/colddb
...
indexer2:
[indexA]
...
coldPath = /NFS/indexer2/indexA/colddb
...
thx
... View more
11-30-2012
07:06 AM
The problem was caused by a search filter set on role 'A' in authorize.conf.
here is the solution:
http://splunk-base.splunk.com/answers/57026/multiple-roles-inherited-from-ldap-group-memberships
thx
... View more
11-28-2012
08:02 AM
As explained above, role 'A' is allowed to search through index1;index2;index3 and role 'B' is allowed to search through index2;index4;index5.
I thought, if I assign both roles the user would be capable of searching through index1;index2;index3;index4 and index5.
my search to verify the result:
index=*
The result I got:
Only events from index1;index2;index3 were included in the result.
The result I was looking for:
events from index1;index2;index3;index4 and index5 are shown
... View more
11-28-2012
08:02 AM
I don't think I have a problem with authentication and ldap.
In splunk manager I see that both splunk roles are assigned to the user.
However, it seems the user only gets capabilities of role 'A'.
... View more
11-28-2012
02:17 AM
Hi,
I got following behavior.
An ldap user is member of two roles. (role A = ldap groupA & role B = ldap groupB)
role A has properties set to srchIndexesAllowed = index1;index2;index3
role B has properties set to srchIndexesAllowed = index2;index4;index5
When searching for index=* the user only sees indexes from role A (index1;index2;index3).
In Splunk manager the user has both roles assigned.
What am I doing wrong?
we are currently running on 4.3.3.
thx,
harry
... View more
08-30-2012
01:28 AM
just chanced permissions - unfortunately still the same behavior.
... View more
07-16-2012
05:54 AM
Hi,
Just updated my search heads to 4.3 and now I get following message when trying to create new roles in Splunk manager.
There was an error retrieving the configuration, can not process this page.
You do not have permission to access the configuration for this page.
No difference between LDAP user (with admin privilege) and local Admin user, both receive the same error.
my /opt/splunk/etc/apps/search/metadata/default.meta shows:
....
*[manager/authentication_roles]
access = read : [ admin ], write : [ admin ]*
...
that should be okay.
Any suggestion?
thanks,
harry
... View more
- Tags:
- permissions
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
