Activity Feed
- Posted Re: Properties/Arguments in Endpoint URL for REST Modular Input on Splunk Enterprise. 09-27-2017 10:19 PM
- Posted Re: How to send DBX Input results on HF to external (remote) index/indexer on All Apps and Add-ons. 09-27-2017 09:59 PM
- Posted Properties/Arguments in Endpoint URL for REST Modular Input on Splunk Enterprise. 09-27-2017 09:55 PM
- Tagged Properties/Arguments in Endpoint URL for REST Modular Input on Splunk Enterprise. 09-27-2017 09:55 PM
- Posted Re: How to send DBX Input results on HF to external (remote) index/indexer on All Apps and Add-ons. 05-15-2017 09:03 PM
- Posted How to send DBX Input results on HF to external (remote) index/indexer on All Apps and Add-ons. 05-03-2017 08:37 PM
- Tagged How to send DBX Input results on HF to external (remote) index/indexer on All Apps and Add-ons. 05-03-2017 08:37 PM
- Tagged How to send DBX Input results on HF to external (remote) index/indexer on All Apps and Add-ons. 05-03-2017 08:37 PM
- Posted Re: How do you get around the subsearch limitation when defining events? on Splunk Search. 03-12-2017 10:34 PM
- Posted How do you get around the subsearch limitation when defining events? on Splunk Search. 03-12-2017 10:08 PM
- Tagged How do you get around the subsearch limitation when defining events? on Splunk Search. 03-12-2017 10:08 PM
- Posted Re: Parsing fields from json logs on Getting Data In. 10-26-2016 09:50 PM
- Posted Re: Parsing fields from json logs on Getting Data In. 10-26-2016 09:10 PM
- Posted Re: Parsing fields from json logs on Getting Data In. 10-26-2016 08:10 PM
- Posted Re: Parsing fields from json logs on Getting Data In. 10-26-2016 08:09 PM
- Posted Re: Parsing fields from json logs on Getting Data In. 10-20-2016 11:01 PM
- Posted Parsing fields from json logs on Getting Data In. 10-20-2016 08:42 PM
- Tagged Parsing fields from json logs on Getting Data In. 10-20-2016 08:42 PM
- Tagged Parsing fields from json logs on Getting Data In. 10-20-2016 08:42 PM
- Posted Re: Including event count in legend of timechart on Dashboards & Visualizations. 10-17-2016 03:49 PM
09-27-2017
10:19 PM
BTW, we are running v6.6.3 of Splunk Enterprise.
... View more
09-27-2017
09:59 PM
It seems unless you add the index manually by editing the config file, only local indexes are listed in the configuration dropdown.
i.e. the dropdown doesn't let you manually type in an index name that only exists on a remote indexer.
... View more
09-27-2017
09:55 PM
Hi Splunkers.
I'm trying to set up a REST input to bring back output from an API.
These are the parameters used to form the API Endpoint URL. i.e.
https://<my_api_base_endpoint>/<1st_parameter>/<authtype>/token?api-version=<api_version>;
In the above example I need to provide the above parameters to build the entire endpoint URL both before and after the "?" etc as opposed to hard-coding them in the endpoint URL field in the setup screen.
The config screen in Splunk web config for the REST input provides an area for URL arguments and HTTP Header properties but nothing used in either of these two areas seems to get substituted into the actual URL that Splunk calls when it tries to contact the endpoint.
Any advice on where these parameters go so they can flesh out the endpoint URL when it's called?
Note that the initial call to the API is a POST to get an access token with all subsequent calls being a GET.
Finally, in case it's relevant to answering the question, this input will be running on an HF.
Cheers and thanks in advance.
... View more
05-15-2017
09:03 PM
Have done some further digging.
I've been able to manually get some test data from this HF to the indexers via the "add data" option from the HF's web console (so I know the general forwarding config on the HF is correct)
I see this test data when I run a query from the SH but can't get any data produced by the DB Connector itself to arrive at the forwarders.
For those people running a DB Connector on an HF with distributed indexers, what did you have to do to the results of the DB input to make it to the indexers?
... View more
05-03-2017
08:37 PM
Hi Splunkers.
We currently have a distributed/clustered setup with separate Indexers and HFs.
One of the HFs has the DB Connector installed on it.
This is currently working in so far as we are able to successfully produce results from a configured DB Input.
We are trying to get this HF to forward DB query results to a remote indexer. i.e. we are not storing any data locally on the HF.
All the HFs (including the one with the DB Connector) have the same forwarder config pointing to the indexers.
Despite this we can't get this HF to forward the output from the DB input to the Indexers.
I notice when configuring the DB Input in the DBX, the source, sourcetype and index dropdowns are populated with local options but let you supply your own values for these.
Note:
The index we have configured for the DB input exists on the remote indexers.
The config screen does however display the following message when providing the index name in the config:
The index does not exist in this instance. Please create the index or make sure the index exists in other Splunk instances.
The forwarding config for this HF points to the indexers. It's the same forwarding config running on our other HFs which is working correctly.
Is there anything else we need to do to get this DBX instance successfully forwarding to the remote indexers?
Thanks.
... View more
03-12-2017
10:34 PM
BTW, using Splunk v6.2.6
... View more
03-12-2017
10:08 PM
Hi Splunkers.
I am retrieving a field from JSON log file using rex, table and spath.
Although this runs fine as a standard query, I'm not able to turn this into an eventtype due to the restriction on subsearches when defining an event type's query.
Here's my query:
index=my_index "lane" | rex "^(?:[^ \n]* ){7}(?P<my_data>.+)" | table my_data | spath input=my_data | fields lane
I am trying to create an event type of "lane" from this but of course cannot due to the subquery limitation.
I'm sure there is a way around this limitation but I've not been able to find it.
I don't seem to have found any similar post on here either.
How does one get the output of this into an eventtype??
Thanks.
... View more
- Tags:
- splunk-enterprise
10-26-2016
09:50 PM
Sorry about the confusion.
The trailing backslash is NOT coming in with the data.
This was only displayed when I viewed the output in table mode.
The table mode was escaping the quotes with a backslash.
Viewing it in raw mode shows the field(s) to be quote delimited (only).
... View more
10-26-2016
09:10 PM
Have been comparing results of original and full search that gokadroid supplied.
Still get the following error when using the smaller of the two searches. i.e. to get just the message field.
Error in 'rex' command: Encountered the following error while compiling the regex '.*action\":\"(?<action>[^\]+)': Regex: missing terminating ] for character class.
The actual query itself does contain [^\] in it.
It's only the error message that Splunk returns that has the single backslash in it.
i.e. "[^\]"
... View more
10-26-2016
08:10 PM
Unfortunately Masa, that is the way the data is being presented.
We don't have the opportunity to modify the source to exclude the extra characters.
... View more
10-26-2016
08:09 PM
Thanks gokadroid.
I'll put this down to a copy and paste snafu.
The forum is removing the second backslash and needs an additional one used to escape the first one.
Will have a bit of a play with your revised search string.
... View more
10-20-2016
11:01 PM
Just tried that.
I seem to get the following error:
Error in 'rex' command: Encountered the following error while compiling the regex '.*action\":\"(?<action>[^\]+)': Regex: missing terminating ] for character class
Will post some samples of the action field (need to remove identifying data from them first).
... View more
10-20-2016
08:42 PM
Hi Splunkers.
I'm attempting to search based on fields in a JSON log file
For example I am trying to search based on the "action" field from the following (sample) JSON event:
{"message":"{\"action\":\"USER_PROFILEACTION\"}","requestfrom":"source","responsestatus":"403","username":"user@name.com","station":"/level1/profile","resource":"/level1/profile","responsetime":275,"starttime":1476061950172,"finishtime":1476061950447}
I've attempted to use spath and also a rex pipe but have had no luck.
(i.e. here: https://answers.splunk.com/answers/418995/how-to-extract-fields-from-json-which-is-stored-in.html)
In this example it contains "USER_PROFILEACTION".
Also note that the string in the action field also contains a trailing backslash at the end of the string.
Preferably I'd like to strip this in the process.
Any attempts I've made end up converting the field that the raw JSON log is stored in into a multivalue field, with a second copy of the JSON log.
Thanks in advance.
... View more
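As an added example (not code from the original post, and not SPL): the same extraction done in Python over the event shape shown above, to make explicit why the two approaches attempted in the thread behave as they do. The "message" field holds a JSON document encoded as a string inside the outer JSON document, so it has to be decoded twice; and a regex over the raw text has to exclude both the quote and the backslash from its character class. Writing the class as `[^\]+` escapes the closing bracket instead of the backslash, which is exactly the "missing terminating ]" error reported later in the thread. The sample events are constructed for this example (the second one deliberately carries a real trailing backslash inside the action value, to show the extraction still returns only the action name).

```python
import json
import re
from typing import Optional

# Constructed sample events for this example. The first has the shape of the
# event in the post; the second is a constructed variant whose inner "action"
# value genuinely ends in a backslash.
SAMPLE_EVENT = (
    r'{"message":"{\"action\":\"USER_PROFILEACTION\"}","requestfrom":"source",'
    r'"responsestatus":"403","username":"user@name.com","station":"/level1/profile",'
    r'"resource":"/level1/profile","responsetime":275,"starttime":1476061950172,'
    r'"finishtime":1476061950447}'
)
SAMPLE_EVENT_TRAILING_BACKSLASH = (
    r'{"message":"{\"action\":\"USER_PROFILEACTION\\\\\"}","requestfrom":"source",'
    r'"responsestatus":"403"}'
)

# Regex over the raw event text. Each literal backslash in the data is written
# as \\ in the pattern, and the character class excludes both the quote and the
# backslash so it stops at the end of the value. A class written as [^\]+ would
# escape the bracket and never terminate.
ACTION_RE = re.compile(r'\\"action\\":\\"(?P<action>[^"\\]+)')


def extract_action_regex(raw_event: str) -> Optional[str]:
    """Pull the action value straight out of the raw text without decoding JSON."""
    match = ACTION_RE.search(raw_event)
    return match.group("action") if match else None


def extract_action_json(raw_event: str) -> Optional[str]:
    """Decode the outer event, then decode the JSON string stored in "message".

    Returns None if either layer is not valid JSON or lacks the expected key.
    """
    try:
        outer = json.loads(raw_event)
        inner = json.loads(outer["message"])
        action = inner["action"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None
    # A backslash that really is part of the value survives json.loads;
    # strip it, since the post asks for that.
    return action.rstrip("\\")


if __name__ == "__main__":
    for event in (SAMPLE_EVENT, SAMPLE_EVENT_TRAILING_BACKSLASH):
        print(extract_action_json(event), extract_action_regex(event))
```

Both functions return `USER_PROFILEACTION` for both sample events. The double decode is the equivalent of running spath on the raw event and then spath again with `input=message`; the regex form is what a rex extraction has to look like once the escaping is right, bearing in mind that the SPL string quoting adds its own layer of backslash escaping on top of the regex syntax shown here.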
10-17-2016
03:49 PM
Got it.
Using "sourcetype" in the query was converting the value label into "_json".
Replacing sourcetype in alemarzu's query above with my_fieldname did the trick.
Thanks folks.
... View more
10-16-2016
10:59 PM
Thanks alemarzu.
I gave that a go.
I get a single entry in the legend of "VALUE_json" with a total of all events found.
(There should be three values in the legend)
I tried it again and replaced "eval my_fieldname=sourcetype" with "eval my_fieldname=my_fieldname".
I now get the three values listed in the legend but beside each is the same event count, i.e. the total event count across all three values.
... View more
10-16-2016
05:57 PM
Hi Splunkers.
I'm trying to get event counts for timechart values displayed in the legend.
i.e. In the legend I want to display the event count, in addition to each value.
I am trying to include the count due to a couple of values on the timechart hiding others, having a much higher record count in comparison to the rest.
I am already doing something similar for a pie chart:
[query] | stats count by my_fieldname | eval my_fieldname=my_fieldname.", ".count
(...with the eval command appending the count to the value displayed in the legend)
I don't seem to be able to get this working for a timechart. If I do the following, I end up with only one value appearing in the legend as "NULL"
[query] | eval my_fieldname=my_fieldname.", ".count | timechart count by responsestatus
I'm pretty sure this has to be manipulated before the timechart as there don't seem to be any timechart options to include the record count.
... View more
- Tags:
- splunk-enterprise
10-13-2016
05:22 PM
Found the issue.
There were two different apps running, one with the directory in upper case, the other with it in lower case.
Application 1 : $SPLUNK_HOME/etc/apps/appdir
Application 2 : $SPLUNK_HOME/etc/apps/APPDIR
Despite the SearchHead running on Linux (i.e. a case-sensitive filesystem), App 1 seemed to only be looking in the Upper-case directory for the one .html file (every other file for Application 1 was read from the correct directory).
Moving Application 1 into a directory with a completely different name fixed it.
i.e. one that was not identical to Application 2's directory if ignoring case-sensitivity.
Not sure if it is a bug in Splunk but certainly a subtle problem to isolate given it only seemed to happen for the one file.
Did a quick search and didn't see anything about Splunk being case-insensitive when looking for files.
... View more
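As an added example (not from the original post): a small check for app directories under $SPLUNK_HOME/etc/apps whose names differ only in case, which is the situation described above. Whether or not Splunk's lookup of appserver/static files is case-insensitive, two apps with such names are worth flagging before a symptom like the one above has to be isolated by hand. The directory listing in the block is constructed for the example; `find_app_dir_collisions` does the same over a real path.

```python
import os
from collections import defaultdict
from typing import Dict, Iterable, List


def find_case_collisions(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group names that are identical when compared case-insensitively.

    Returns a mapping from the lower-cased name to the sorted list of original
    spellings, only for names that have more than one spelling.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in names:
        groups[name.lower()].append(name)
    return {key: sorted(vals) for key, vals in groups.items() if len(vals) > 1}


def find_app_dir_collisions(apps_dir: str) -> Dict[str, List[str]]:
    """Scan a directory (e.g. $SPLUNK_HOME/etc/apps) for case-colliding subdirectories."""
    entries = [
        entry
        for entry in os.listdir(apps_dir)
        if os.path.isdir(os.path.join(apps_dir, entry))
    ]
    return find_case_collisions(entries)


# Constructed sample listing reproducing the situation in the post, plus a
# second collision to show that all groups are reported.
SAMPLE_APP_DIRS = ["appdir", "APPDIR", "search", "launcher", "Search"]


if __name__ == "__main__":
    apps_dir = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "etc", "apps")
    listing = find_app_dir_collisions(apps_dir) if os.path.isdir(apps_dir) else find_case_collisions(SAMPLE_APP_DIRS)
    for key, spellings in sorted(listing.items()):
        print(f"{key}: {', '.join(spellings)}")
```

Run on a search head it prints one line per colliding name; an empty result means every app directory is unique even when case is ignored.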
10-06-2016
05:35 PM
Thanks somesoni2. Worked like a treat.
... View more
10-05-2016
08:53 PM
I'm trying to get a pie chart to display percentages of total results as well as the number of events for each eventtype reported.
(i.e. have the percentage and the event count for each segment of the pie chart displayed.)
I can get the percentage displayed using this:
<option name="charting.chart.showPercent">true</option>
I don't see an equivalent option for displaying the event count however.
The only answer I could find was from a couple of years ago
(https://answers.splunk.com/answers/203082/pie-chart-legend-show-as-a-separate-element.html)
(Not exactly what I was looking for but would be a starting point)
It suggests running a second copy of the query and outputting the event count to another table in the same panel:
(sample query)
<panel>
  <chart>
    <searchString>sourcetype=access_* status=200 action=purchase | top categoryId</searchString>
    <earliestTime>0</earliestTime>
    <latestTime/>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
  <table>
    <searchString>sourcetype=access_* status=200 action=purchase | top categoryId</searchString>
  </table>
</panel>
The issue with this is that it doubles the length of time it takes to generate the panel.
The query itself can take up to 20 seconds or so, which means waiting 40 seconds for the sake of getting the event count.
Is there a charting option similar to charting.chart.showPercent which can do this to avoid running the second query?
... View more
- Tags:
- splunk-enterprise
10-05-2016
07:37 PM
I've been trying to do this myself.
Is there any way to do this so that the second instance of the query (or the table itself) uses the results already obtained by the first one (as opposed to running the query in full a second time)?
In my instance, the original query can take up to 20 seconds to run (depending on time range selected).
I'd prefer not to double the run time of the panel simply to show the number of records (which have obviously been generated previously upon execution of the first instance of the query).
... View more
10-04-2016
03:51 PM
Ended up merging the text and the image within the one .html file in order to get this working.
It would have been preferable to have the image rendered from a separate HTML file from the text, to allow for similar dashboards.
(i.e. same text, different image).
... View more
10-04-2016
03:47 PM
Hi bshuler.
I've used the Sideview/Freshmaker apps to refresh the views and navs etc.
This should be the equivalent of your first command above.
I've also already tried restarting Splunk on the SH on which the apps are running.
None of these seemed to resolve the problem.
If I move the App A's .html file back into the {App A}/appserver/static from the equivalent location for App B, the dashboard complains that it can't find the .html file.
If I move it back into App B's appserver/static directory the dashboard from App A then displays correctly.
This would confirm that App A is definitely looking for the .html file in App B's /appserver/static directory.
... View more
10-03-2016
11:04 PM
Hi Splunkers.
If an application running on a SH is set to not share its objects with other apps, is there any reason an app can reference a .html file with the same name from another application?
For example.
Application "A" has a view that references a .html file called App_html_file.html.
This is located in $SPLUNK_HOME/etc/apps/App_A/appserver/static/ and is displayed with the following view:
<dashboard>
  <label>Welcome to Application A</label>
  <row>
    <panel>
      <html src="App_html_file.html"/>
    </panel>
  </row>
</dashboard>
Application "B" has a view that references the same .html filename but in its own directory.
i.e. in $SPLUNK_HOME/etc/apps/App_B/appserver/static/ (with a file called App_html_file.html).
It is displayed with the following view:
<dashboard>
  <label>Welcome to Application B</label>
  <row>
    <panel>
      <html src="App_html_file.html"/>
    </panel>
  </row>
</dashboard>
Note that although both .html filenames are the same they have different content and are each in the appserver/static directory of their respective app.
I would expect these to operate independently of each other.
( I have permissions set on each app to not share objects with other apps)
What I am seeing however, is when the content of App B's html file is changed, the content displayed in Application A changes.
If I move App B's .html file out of the way, App A complains that it can no longer find its .html file.
Why is App A displaying .html files from App B and not looking within its own appserver/static directory?
I need App A and App B to have .html files that can be displayed (and edited) independently of each other.
I have used the Freshmaker app to refresh the views and have also restarted Splunk on the SH these apps are running on but still have the same symptoms.
Thanks.
... View more
09-29-2016
06:26 PM
This puts the image in a panel of its own below the panel the .html file is being rendered in.
(Appearing the same as it does now).
I think the img needs to be in the same html tag as the Welcome.html.
... View more
09-29-2016
03:57 PM
Hi Splunkers.
I'm attempting to create a dashboard as a landing page (essentially a simple panel with a separate navbar at the top).
The page needs to display text from a .html file on the left with an image (in the same panel) right-aligned.
These need to appear in the one panel.
i.e. the text on the left hand side of the panel and the image on the right.
The image is appearing on the RHS but is underneath the last of the text, and in a second panel.
I'd like to avoid using any CSS for such a simple display requirement but can't for the life of me get this to work.
A sample of the code is below.
I suspect I need to get the .html and the image within the same tag (as opposed to an inline one) but when I attempt to do so I get missing tag errors when the page renders in Splunk.
Thanks in advance.
<dashboard>
  <label>Application Landing Page</label>
  <row>
    <panel id="main">
      <html src="Welcome.html" style="text-align: center;"/>
      <html>
        <img src="/static/app/app_name/app_image.png" align="right" />
      </html>
    </panel>
  </row>
</dashboard>
... View more