Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About blbr123
blbr123
Path Finder
Member since:
03-16-2021
09-25-2024
Community Statistics
| Posts | 74 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 03-16-2021 |
Activity Feed
- Posted Re: How to edit my inputs.conf to blacklist a directory? on Getting Data In. 09-25-2024 04:55 AM
- Posted Re: props and transforms not working on Getting Data In. 05-08-2024 11:44 PM
- Posted Re: props and transforms not working on Getting Data In. 05-08-2024 11:08 PM
- Posted Re: props and transforms not working on Getting Data In. 05-08-2024 11:03 PM
- Posted props and transforms not working on Getting Data In. 05-08-2024 08:32 PM
- Posted Re: Events Formatting on Getting Data In. 11-29-2023 02:48 AM
- Posted Events Formatting on Getting Data In. 11-28-2023 09:31 AM
- Posted Re: scripted input not working on Getting Data In. 11-28-2023 03:14 AM
- Posted Re: scripted input not working on Getting Data In. 11-19-2023 08:04 PM
- Posted Re: scripted input not working on Getting Data In. 11-17-2023 06:50 AM
- Posted scripted input not working on Getting Data In. 11-17-2023 03:17 AM
- Posted Re: Database Monitoring on Monitoring Splunk. 03-09-2023 12:11 AM
- Posted Monitoring Database to see if it's running and send an alert? on Monitoring Splunk. 03-08-2023 10:43 PM
- Posted Re: Log monitoring on Getting Data In. 03-03-2023 03:32 AM
- Posted Re: Log monitoring on Getting Data In. 03-03-2023 03:31 AM
- Posted Can I monitor a log from Aug 2022 if I installed a UF in Feb 2023? on Getting Data In. 03-03-2023 02:39 AM
- Got Karma for Re: cant see the indexes i created in search results. 11-26-2022 06:00 PM
- Posted Re: cant see the indexes i created in search results on Getting Data In. 11-26-2022 12:49 PM
- Posted Re: Unable to see Logs first week of every month on Getting Data In. 09-23-2022 04:03 AM
- Posted Re: Unable to see Logs first week of every month on Getting Data In. 09-23-2022 03:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-25-2024
04:55 AM
Hi @dwaddle , May I know where do we need to run this? Can you please share some sample output?
... View more
05-08-2024
11:44 PM
Tested in splunk , only when I add (?ms) in front of regex it matches. But when I check this entire regex in the regex tool it does not match (?ms)^#Date.+\n#Fields.+ and I am not sure if we add (?ms) in transforms will work or not?
... View more
05-08-2024
11:03 PM
Yes I have checked in regex looks good. There are no other HF's before.
... View more
05-08-2024
08:32 PM
Hi All, My props and transforms is not working. Kept the props and transforms in the Heavy Forwarder. can anyone please assist. I want to drop the below lines from ingesting into Splunk but its not working. #Date: 2024-05-03 00:00:01 #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https props: [mysourcetype] TRANSFORMS-drop_header= drop_header Transforms: [drop_header] REGEX = ^#Date.+\n#Fields.+ DEST_KEY = queue FORMAT = nullQueue
... View more
Labels
11-29-2023
02:48 AM
I tried the props settings you suggested but still same issue. ###### BEGIN STATUS ##### is coming as a separate event. #LAST UPDATE : Wed, 29 Nov 2023 10:39:57 +0000 GlobalStatus.status=OK , this is also coming as a separate event Both these events should come under one event.
... View more
11-28-2023
09:31 AM
Hi All, I have a scripted input which gets Data from a URL and send it to Splunk. But now I have issue with event Formatting, Actual website data I am ingesting is as shown below: ##### BEGIN STATUS ##### #LAST UPDATE : Tue, 28 Nov 2023 11:00:16 +0000 Abcstatus.status=ok Abcstatus.lastupdate=17xxxxxxxx555 ### ServiceStatus ### xxxxx xxxxxx xxxx ### SystemStatus ### XXXX' XXXX ### xyxStatus ### XXX XXX XXX . . . . So on.... But in splunk below lines are coming as a seperate events instead of being part of one complete event: ##### FIRST STATUS ##### - is coming as seperate event Abcstatus.status=ok - this is also coming as a separate event Below all events coming as one event which is correct and the above two lines should also be part of this one event: Abcstatus.lastupdate=17xxxxxxxx555 ### ServiceStatus ### xxxxx xxxxxx xxxx ### SystemStatus ### . . . So on.... ##### END STATUS ##### Below is my props: DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE=TRUE
BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5}
MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5}
TIME_PREFIX=^#\w+\s\w+\w+\s:\s
MAX_TIMESTAMP_LOOKAHEAD=200 Can you please help me with the issue?
... View more
Labels
11-28-2023
03:14 AM
My script name was access-abc.sh , I just removed hyphen and renamed it to accessabc.sh and that fixed the issue and able to see the Data in Splunk.
But now I have issue with event Formatting, Actual website data I am ingesting is shown below:
##### BEGIN STATUS #####
#LAST UPDATE : Tue, 28 Nov 2023 11:00:16 +0000
Abcstatus.status=ok
Abcstatus.lastupdate=17xxxxxxxx555
### ServiceStatus ###
xxxxx
xxxxxx
xxxx
### SystemStatus ###
XXXX'
XXXX
### xyxStatus ###
XXX
XXX
XXX
.
.
.
.
So on....
But in splunk below lines are coming as a seperate events instead of being part of one complete event:
##### FIRST STATUS ##### - is coming as seperate event
Abcstatus.status=ok - this is also coming as a separate event
Below all events coming as one event which is correct and the above two lines should also be part of this one event:
Abcstatus.lastupdate=17xxxxxxxx555
### ServiceStatus ###
xxxxx
xxxxxx
xxxx
### SystemStatus ###
.
.
.
So on....
##### END STATUS #####
Below is my props:
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE=TRUE
BREAK_ONLY_AFTER = ^#{5}\s{6}END\sSTATUS\s{6}\#{5}
MUST_NOT_BREAK_AFTER=\#{5}\s{5}BEGIN\sSTATUS\s{5}\#{5}
TIME_PREFIX=^#\w+\s\w+\w+\s:\s
MAX_TIMESTAMP_LOOKAHEAD=200
Can you please help me with the issue?
... View more
11-19-2023
08:04 PM
Hi @richgalloway I have changed the stanza to script from monitor but still unable to see any data in splunk? Is there anything else I have to check?
... View more
11-17-2023
06:50 AM
I did not understand the difference between the two stanzas can you please explain
... View more
11-17-2023
03:17 AM
Hi All, I have a requirement to Onboard Data from a website like http://1.1.1.1:1234/status/v2 and its a vendor managed API url so Application team cannot use the HEC Token option. so I have prepared the script to get the Data and tested it Locally and the script works as expected. I have created a forwarder app with bin folder and kept the script in that and pushed the App to one of our Integration Forwarder but unable to get any data in Splunk. I have tested the connectivity between our IF and the URL and its successful( Did a Curl to that URL and able to see the URL content) I have checked firewall and permissions , all seems to be ok but still I am unable to get data in splunk. Also I checked internal index but don't find anything there. Can someone guide me what else I need to check in order to get this fixed. Below is my inputs: [monitor://./bin/abc.sh] index=xyz disabled=false interval = 500 sourcetype=script:abc source=abc.sh I have also created props as below: [script:abc DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = true
... View more
Labels
- Labels:
-
indexer
-
inputs.conf
-
modular input
-
monitor
03-08-2023
10:43 PM
Hi All,
I have a requirement to Monitor whether the Database is running or down and send an alert
and this should be monitored at OS level and the Database is running in the Linux OS
Can anyone help me please how to achieve this?
... View more
Labels
- Labels:
-
splunkd
03-03-2023
03:32 AM
In the first condition how can splunk check months old logs I didn't understand the second condition can you please explain clearly what does limits have to do with reading old logs?
... View more
03-03-2023
03:31 AM
In the first condition how can splunk check months old logs I didn't understand the second condition can you please explain clearly what does limits have to do with reading old logs?
... View more
03-03-2023
02:39 AM
Hi All
I have one query with regards to Log Monitoring
Let's say I want to monitor abc.log and the last Updated date of the Log File is Aug 2022 or Sep 2022 and I install the UF in the Log server in Feb 2023 and create inputs monitoring for abc.log
Does splunk monitor the old data which is already there in the Log file from Aug or Sep 2022 and show the Logs in Splunk?
... View more
11-26-2022
12:49 PM
1 Karma
Check if that index is associated to any splunk role if yes check if you have access to that role then you can see that index while you search may be One more to check is there any data sent to that index
... View more
09-23-2022
04:03 AM
In the internal logs it gives error " parsing configuration stanza"
... View more
09-23-2022
03:55 AM
@isoutamo I have tried the configs but still same issue Please find the props
... View more
09-19-2022
07:29 AM
Thanks for the Response @isoutamo The first number in the timestamp 1/09/2022, 2/09/2022 is day and the second number is month shall I use DATETIME_CONFIG as NONE or CURRENT? and DATETIME_CONFIG=NONE Does exactly what, if you can explain this that would be great! 🙂
... View more
09-19-2022
06:10 AM
Hello All
I got a requirement to Upload Logs to Splunk
Out of 5 Hosts 3 are Linux and other 2 are windows
The Logs getting picked by Splunk but for Linux but for windows Unable to see Logs from 1st to 9th of every month
The timestamp for windows server is 1/09/2022, 2/09/2022 and so on till 9/09/2022
%d in props need date to be two digit but here it is just one digit hence the logs are not getting picked
so tried below props for windows with %e:
TIME_FORMAT=%e/%m/%Y %H:%M:%S
We apply props using sourcetype in general as it was not working tried props with source but still same issue
By the way in our infrastructure props are kept in heavy forwarder and are applied at index time
Can anyone help on this please?
... View more
- Tags:
- Getting Data In
Labels
- Labels:
-
inputs.conf
-
props.conf
-
transforms.conf
08-03-2022
01:31 PM
Is the issue fixed?
... View more
06-24-2022
01:24 AM
Hi All,
I got a request to monitor a log files in splunk.
below are the log file name pattern:
abc_uat_cpe_220614.log
abc_dev_cpe_220615.log
abc_train_cpe_220616.log and so on..
I have configured inputs lik shown below:
[monitor:///usr/local/bsl_export/abc_*_cpe_*.log]
index=abdxj
sourcetype=bsl_export:cpe
disabled = 0
But i am not getting any logs in splunk checked all the things mentioned below:
Splunk service is running
spunk user had read access
Firewall connections are all good
has latest logs files with enough size to read
Restarted the splunk service still same issue,
Checked _internal logs under log_level=WARN i see below message:
AutoloadBalancedConnectstrategy - Cooked connection to ip timed out
But connection is fine as i have checked it already.
When i run the below command it gives output as "hangup"
splunk list inputstatus
props is as below:
###########
JIRA link
###########
[bsl_export:cpe]
############
Can anyone please help me on this?
... View more
- Tags:
- Getting Data In
Labels
06-24-2022
12:44 AM
Hi All,
I have a set of folders which are created by the job which runs in the backend and the names of the folders keep changing automatically
looks something like below:
hs21dsb:hs54:bsds:hasn542sbsb
hshs21:nansh2225:haan53333
and so on..
i want to monitor just the latest folder which is created newly in the list and ignore rest of all folders.
how to achieve this in monitor stanza?
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-25-2024
08:37 AM
|
