×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
cgnoel
Explorer
Member since: ‎10-24-2012
‎06-05-2020
Community Statistics
Posts 12
Solutions 1
Karma Given 1
Karma Received 0
Member Since ‎10-24-2012
Activity Feed
View All

Re: Timed out while waiting for splunkd daemon to ...

by in Monitoring Splunk
‎02-26-2013 06:48 AM
‎02-26-2013 06:48 AM
I disabled all of the indexes and brought them back online one at a time. ... View more

Re: is it possible to use wildcards, and OR condit...

by in Getting Data In
‎12-14-2012 06:03 AM
1 Karma
‎12-14-2012 06:03 AM
1 Karma
Why do you need to make sure its not preceeded with :: ? ... View more

Re: suppression of event content

by in Getting Data In
‎12-03-2012 11:52 AM
‎12-03-2012 11:52 AM
And you would need to make sure that the role could only use the dashboard(s) that you built. One way to do this is to also create an App and add the dashboard(s) to it. Then set the user role to start in that App - and set all the permissions for all the Apps so that the user can't access anything but the App you created. ... View more

Re: nullQueue transformation behavior in a multili...

by in Getting Data In
‎11-30-2012 03:02 PM
1 Karma
‎11-30-2012 03:02 PM
1 Karma
Easy to define a field for this. In props.conf: [yoursourcetypehere] EXTRACT-e42=(?<first_char>.) In your search: yoursearchhere AND first_char!="#" ... View more

Re: nullQueue difficulty

by in Getting Data In
‎11-28-2012 05:29 PM
2 Karma
‎11-28-2012 05:29 PM
2 Karma
I think the problem may be this (I am doing some guessing here): You are monitoring a directory and have Splunk doing automatic sourcetyping - which is appropriate. I expect that nothing has overriden this setting. When Splunk can't figure out a sourcetype for an input because there is insufficient data, it defaults the sourcetype to "somename-too_small". Your configuration specifies that all data of this sourcetype is to be ignored. But there isn't really any data that has been assigned this sourcetype - it's an artifact of Splunk's parsing. I think it should work anyway, but it doesn't seem to. I don't think you will find any help with btool because of this. BUT - I think there are better ways to solve this problem. Assigning data to the null queue is relatively inefficient and should be a last resort anyway. Here are some other ideas 1 - If you don't want any data from this file, blacklist it in the inputs. Find the input that is collecting the directory where this file lives, and put in a blacklist entry for the name of the file. More info about blacklisting an input 2 - If you want the data, but just don't want it to show up as "somename-too_small", override the sourcetype name in props.conf More info on overriding the automatic sourcetype ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All