Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kaufmanm
kaufmanm
Communicator
Member since:
03-01-2012
06-05-2020
Community Statistics
| Posts | 41 |
| Solutions | 12 |
| Karma Given | 8 |
| Karma Received | 19 |
| Member Since | 03-01-2012 |
Activity Feed
- Got Karma for Re: Hardware recommendation for high log volume splunk deployments. 07-29-2021 05:53 AM
- Got Karma for Re: Trying to get the first 10 events based on sourcetype. 06-21-2021 12:23 PM
- Karma Re: Sharing search with custom field extraction for skoelpin. 06-05-2020 12:48 AM
- Karma Re: Prebuilt dashboards for Splunk Add-on for Cisco UCS for rpille_splunk. 06-05-2020 12:48 AM
- Karma Is it possible to use AWS tags for scheduled searches? for lnx11. 06-05-2020 12:48 AM
- Karma Re: Is it possible to run an indexer cluster with varying amounts of storage capacity and have it be workable? for s2_splunk. 06-05-2020 12:48 AM
- Karma Re: Is it possible to run an indexer cluster with varying amounts of storage capacity and have it be workable? for sdvorak_splunk. 06-05-2020 12:48 AM
- Got Karma for Re: Is it possible to use AWS tags for scheduled searches?. 06-05-2020 12:48 AM
- Got Karma for Sharing search with custom field extraction. 06-05-2020 12:48 AM
- Karma Re: Splunk stopped indexing file for briang67. 06-05-2020 12:46 AM
- Karma Re: Can you install the AWS ELB app on Splunk Enterprise or Cloud? for khourihan_splun. 06-05-2020 12:46 AM
- Karma Splunk 6 - Customize Search App Views for lguinn2. 06-05-2020 12:46 AM
- Got Karma for Re: forwarders constantly running. 06-05-2020 12:46 AM
- Got Karma for Re: How Can I Trigger An Alert NOT On The Hour (ie 3:30pm). 06-05-2020 12:46 AM
- Got Karma for Re: How Can I Trigger An Alert NOT On The Hour (ie 3:30pm). 06-05-2020 12:46 AM
- Got Karma for Re: Does someone have a lookup table for user agent strings (browser, os, versions, ect.) that they can share?. 06-05-2020 12:46 AM
- Got Karma for Re: Does someone have a lookup table for user agent strings (browser, os, versions, ect.) that they can share?. 06-05-2020 12:46 AM
- Got Karma for Re: forwarders constantly running. 06-05-2020 12:46 AM
- Got Karma for Re: Trying to get the first 10 events based on sourcetype. 06-05-2020 12:46 AM
- Got Karma for Re: Deployment client not getting all matching deployment apps. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
03-22-2017
08:53 AM
Thanks for the response! Makes sense, we kicked the can down the road by expanding our on-prem for now, what you wrote out there will likely have to be the approach in the months leading up to getting booted from our datacenters.
... View more
03-13-2017
10:46 AM
Appreciate the response. The next step for us once we double the storage is to move into AWS. Can we span a site in a multisite cluster between our datacenter and an AWS availability zone? e.g. We have three indexers in DC1, three indexers in DC2 in a multisite cluster where DC1 is a site and DC2 is a site. Can we add three indexers in AWS AZ1 and add them to the DC1 site within the multisite cluster, and the same for the other side? What kind of network bandwidth between the DC and AWS would that require, assuming most of 500 GB/day is generated in DC1 today? Then we could gradually add more indexers to AZ1 as we retire indexers in DC1 until we're fully in AWS?
... View more
03-13-2017
10:45 AM
Thanks, the next step for us once we double the storage is to move into AWS. Can we span a site in a multisite cluster between our datacenter and an AWS availability zone? e.g. We have three indexers in DC1, three indexers in DC2 in a multisite cluster where DC1 is a site and DC2 is a site. Can we add three indexers in AWS AZ1 and add them to the DC1 site within the multisite cluster, and the same for the other side? What kind of network bandwidth between the DC and AWS would that require, assuming most of 500 GB/day is generated in DC1 today? Then we could gradually add more indexers to AZ1 as we retire indexers in DC1 until we're fully in AWS?
... View more
03-13-2017
09:53 AM
We have an on premises Splunk infrastructure with indexers that have 9 TB of usable storage in a cluster. We are moving from 6 months retention to 1 year retention and need to double our storage. Is it possible to run a cluster with varying amounts of storage in our indexers and make use of it?
e.g. We could add new indexers with 30 TB of usable storage, but would the cluster be able to use any of the 21 TB beyond what we're using on the existing indexers? It's basically just cold storage of data older than six months. Any documentation that specifies whether or not this works?
... View more
02-28-2017
05:04 AM
hostname and owner were example tags from my environment. In the source=ec2_instances data you will have to see what tags you have available to you or set some more in AWS in order to make a join happen.
... View more
02-27-2017
07:04 AM
1 Karma
The aws:description sourcetype is from a configured input in the Splunk TA for AWS. Either you are not collecting the data/the input is not configured or you are not searching against the correct index. Try adding index=* to the subsearch, e.g. index=* sourcetype="aws:description" . Otherwise look into configuring the description input here: http://docs.splunk.com/Documentation/AddOns/released/AWS/DescriptionInput
... View more
02-13-2017
11:21 AM
Yes, it is possible. You will need to join data from your log with the tagging data output from source=ec2_instances. So if the hostname was both in the host field of your log and in a tag of the EC2 instance labeled hostname, you could do something like:
source="/var/log/messages" ERROR | eval tags.hostname = host | join type=left tags.hostname [search sourcetype="aws:description" source=*ec2_instances* earliest=-60m | fields tags.hostname tags.owner]
Then you will have your ERROR message with the tags.owner field you need to escalate the alert. You could pass the event to a script that knows how to process that field appropriately or do a lookup to find the e-mail address. Left join since when the join fails you probably still want to proceed with a default escalation.
... View more
08-03-2016
01:45 PM
Just frustrating there's a readwrite_all_objects capability but somehow there is no read_all_objects capability.
... View more
08-03-2016
01:20 PM
Would there be a way for me to get access to a user's private field extractions without admin_all_objects?
... View more
08-03-2016
08:00 AM
1 Karma
I have a user that wants to give me a search with references to a number of custom field extractions local to his profile.
e.g. index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s
Well I have access to the same index, I can't see the results of the search since I don't know how the custom field extraction is defining SLA or Cisco_Host for example. Both he and I are minimally privileged users so I can't look at anything about his profile, is there any easy way for him to convert his search into something not reliant on any custom field extractions? i.e. He runs a search expander and then is able to send me this search so I can see his results:
e.g. index=cisco | rex field=_raw "SLA: (?\d\d\d)" | rex field=_raw "Cisco Host: (?.*) " | search SLA="191" | transaction Cisco_Host maxspan=1800s
Or do I need to get him to send me all his custom field extractions and maintain a separate copy on my account? These are probably just quick hack extractions that could change and probably aren't going to be shared globally or on any app.
... View more
03-21-2016
01:54 PM
Thanks, just upgraded from 6.1 for this app so wasn't familiar with this.
... View more
03-21-2016
01:38 PM
The overview mentions “prebuilt” dashboards, but I see none. Do these actually exist somewhere and how do I get to them? We are collecting data.
“After the Splunk platform indexes the events, you can analyze the data using the prebuilt dashboard panels included with the add-on”
... View more
08-21-2014
11:24 AM
Is it possible that ones that aren't getting indexed are identical to ones in other directories that are getting indexed? Splunk could see it as a duplicate file and skip indexing. Out of the box, Splunk isn't great at handling this sort of work.
You could try looking into adding crcSalt = <SOURCE> to your stanza, but it depends on your use cases.
... View more
05-22-2014
08:32 AM
This is great, I was thinking about going through and doing the same thing, thanks for sharing.
... View more
04-20-2014
08:54 PM
I don't know that this will work if you need to use the lookup on the search nodes, but I think it's your best bet, so I'd try it out and see what happens. On the search head, edit distsearch.conf and add the below stanza:
[replicationBlacklist]
large_lookup = name_of_lookup_file.csv
Then restart Splunk on the search head and see if the searches you need still work.
Source: Splunk docs
... View more
04-17-2014
07:25 AM
4 Karma
You can use the dedup command to only keep 10 of each sourcetype, returning the full events:
* | dedup 10 sourcetype
... View more
04-15-2014
02:37 PM
The transaction command can group these events together into one event based on a common field:
| transaction T | table T S demoval anotherdemo lastdemo
Then you can create a table with rows that have the common T values alongside the S, demoval, anotherdemo, and lastdemo values there were previously part of separate events.
http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Transaction
... View more
03-26-2014
06:24 AM
After talking to our technical account manager, this is the solution we came up with, it works very well:
We run a scheduled search every five minutes on the search head, that gets the complete list of deployment clients from our deployment server (replace deploymentsever with the host name of your deployment server, or use local if it's the same as your search head) and then stores them in a static lookup file.
| rest /services/deployment/server/clients count=0 splunk_server=deploymentserver | fields hostname name | rename name as clientName | outputlookup clientNames.csv
Then we add the below stanzas to props.conf and transforms.conf so all messages get their clientName looked up based on their host:
props.conf:
[host::*]
LOOKUP-client = clientLookup hostname AS host OUTPUT clientName
transforms.conf:
[clientLookup]
filename = clientNames.csv
And now, we can simply type clientName=new_web_app into the Search app, and all of our logs from that app will come up. Works great, and haven't seen any noticeable performance hit from the extra lookups.
... View more
03-25-2014
01:26 PM
Yes, it would be simple and if you look at the script the case for Trident 4.0 is already handled. The key thing is the script goes through the mapping and returns the first match. So put this sort of match at the top of the list, that way the Trident user agents will match that instead of the generic IE7 match that can be further down the list.
... View more
