About bizza

bizza · ‎06-12-2015

English version, I used localedef to force C and UTF8 before trying the upgrade. I still don't know what was the issue and this make me a little uncomfortable... RHEL7 works at the first try. strace wasn't helpful to find the root cause and ldd show me that shared libraries was linked correctly, so I think this is just a bug.

bizza · ‎06-12-2015

Upgrading RHEL and rebooting solve the issue, but I'd like to understand the error.

bizza · ‎06-12-2015

Hi, I have some troubles deploying Splunk_TA_stream on universal forwarders. Indexer using the same TA works fine, and I was able to get stream data. Once I put the TA in the deployment server, and client correctly download and install it, just after the splunkforwarder deamon restart I found this in the logs: 06-12-2015 15:34:34.623 +0200 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd" terminate called after throwing an instance of 'std::runtime_error' 06-12-2015 15:34:34.623 +0200 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd" what(): locale::facet::_S_create_c_locale name not valid Splunk run as a root, I tried chown'ing files and binaries to splunk:splunk, but the issue persist. Operating system is RHEL 6.6 x86_64, SELinux disabled. I had the same issue on the indexer on my first installation, and I solved it just deploying the app using the web interface uploader, and upgrading RHEL (yum update -y), but I don't know if this is related. Any hints? Ciao Marco

bizza · ‎10-23-2014

UP I tried to setup items_count=1 in alert_actions.conf under [rss] stanza, as specified in .spec file, items_count = <number> * Number of saved RSS feeds. * Cannot be more than maxresults (in the global settings). * Defaults to 30. but I still found 30 items. Any hint? Ciao

bizza · ‎07-17-2014

thanks martin, i solved just parsing the csv with a perl script.

bizza · ‎07-16-2014

Hi Martin, thank for your answer. I need to extract from results some fields and use they as a parameter for the third party script. Something like the host, the username for example. Do you know if it's possible? regards

bizza · ‎07-16-2014

Hi, we are setting up some alerts based on a vendor script to automatically populate an Event Management Console. The problem is that we need to extract some informations (=fileds) from Splunk raw data included in the alert to pass it as a parameter to the script itself, so we will be able to pupulate correctly the Event management console. Example syntax: custom_bin.sh -n @event.management.console:port -b host_extracted_from_splunk_data -u user_extracted_from_splunk_data where: custom_bin.sh is our third party script -n @event.management.console:port is the event management console fqdn:port -b host_extracted_from_splunk_data is the host field indexed by splunk present in the specific record we need to extract to -u user_extracted_from_splunk_data is the user filed extracted ... like the host field Any hint on how we can achieve it? Regards

bizza · ‎06-05-2014

mkv solved my issue. Now I'll works on new props/transforms regex, but now splunk splits records correctly. ciao

bizza · ‎06-05-2014

Yes, problem was MAX_TIMESTAMP_LOOKAHEAD. Thanks for your help guys ciao

bizza · ‎05-28-2014

Yes, True first and then False. I tried a non-matching truncate regexp too.

bizza · ‎05-28-2014

Hi, I configured dbconnect as tail-input on a Oracle database. My problem is when I found a record with a multiline cell, usually when a SQL query is stored inside the cell. Splunk split that record: there is a way to avoid it? For example: field1 | field2 | field3 ID | TIMESTAMP | SELECT * FROM TABLE; works fine. field1 | field2 | field3 ID | TIMESTAMP | SELECT * FROM TABLE WHERE someoption blablabla; Got me 2 events, and the second one is "WHERE someoption blablabla;" , without any interesting fields, so it cannot be correlated correctly to any other fields. Any hints? Regards

bizza · ‎05-05-2014

Yes, I added the --Y --m ecc only to show where timestamp fields are. Ignore it and you'll have the original log line.

bizza · ‎05-05-2014

The problem is that timestamp is splitted on every lines. For example: 204023600511105443000 20140422--Y2014--m04--d180000000005.0600000000000041096125031ABDCE 81234567 ABDCE F & C 10024 ABDCE F & C 45399700123456789000000000.104023600582105443000 386511186636492--H15--M36PSBP every line has 300 characters(digits), fields are position-sensitive. I added --Y, --m, --d, --H and --M just before timestamp fields. I believe that a custom datetime.xml is my only option.

bizza · ‎05-05-2014

You only need to monitor the directory path, incoming files will be processed and indexed as soon as they'll copied on it. To manage the alert I suggest you to setup a script, (if -e in bash, for example), as a scripted input or to write some output to a file, and manage alerts using that file. regards

bizza · ‎05-05-2014

I tried to configure a custom datetime.xml (for my first time) as follow: <datetime> <define name="csdate" extract="year, month, day, hour, minute"> <text><![CDATA[[\s\S]{40}(\d{4})(\d{2})(\d{2})[\s\S]{206}(\d{2})(\d{2})]]></text> </define> <timePatterns> <use name="csdate"/> </timePatterns> <datePatterns> <use name="csdate"/> </datePatterns> </datetime> Regex match exactly year, mont, day, hour and minute. In props.conf I added DATETIME_CONFIG = /etc/system/local/datetime.xml SHOULD_LINEMERGE = FALSE TIME_FORMAT = %Y%m%d%H%M Any ideas why data are not indexed with resulting timestamp? I tried to split in 2 regex, for timePatterns and datePatterns match, but the result is still the same. Or do you suggest a different way to achieve timestamp override at index time? Regards

bizza · ‎04-30-2014

sourcetype="mysourcetype" | eval ts=date.time | eval _time = strptime(ts, "%Y%m%d%H%M") | timechart count by my_field works great! thanks

bizza · ‎04-30-2014

I just need to graph data using ts (from eval) as timestamp

bizza · ‎04-30-2014

Yep, I restarted Splunk after that. Using table command I see correctly date and time fields, and in the left column too, but I'm not able to use it as timestamp in my searches

bizza · ‎04-30-2014

I put in my props.conf, in the right sourcetype: EXTRACT-extract_time = your_regex And I searched sourcetype = mysourcetype | eval ts=date.time If it is supposed to work it don't. What I'm missing?

bizza · ‎04-30-2014

Just an example, with 1 instead of orig digit and A instead of char, white space are actually the same. Extracted timestamp shoud be 201404300833 in %Y%m&d%H%M format 1111111111 1.20140430AAA111 11AAAA AAAAA AA11111111111110833111A AAAAAAAAA 111111111 AAAAAAAA1111111

bizza · ‎04-30-2014

Hi all, I'm trying to extract the timestamp from a crappy unstructured logs. Every event is one line with 300 character/digits, and field are in fixed position (example: from 1 to 10 means hostname, from 11 to 12 means status, and so on). I need to compose my timestamp merging 2 different fields: from position 15 to 20 and from position 60 to 66. Any hints? Regards

bizza · ‎10-22-2013

I used the JMS app, and it works great. Thanks for your suggestions bizza

bizza · ‎10-03-2013

something like this inputs.conf [monitor:///path/to/file.csv] sourcetype = yoursourcetype disabled = 0 props.conf [sourcetype::yoursourcetype] CHECK__FOR _HEADER=TRUE SHOULD _LINEMERGE = false TRANSFORM-transformfile = transf_csv transforms.conf [transf_csv] DELIMS="," FIELDS="field1", "field2", "field3", "field4", "fieldN"

bizza · ‎10-03-2013

Hi gjohnson, why you are not putting that csv in inputs.conf, defining a TRANSFORM in props.conf, defining a field DELIM on your transforms.conf and the assign the right field to the different column? ciao

bizza · ‎10-03-2013

Hi all, I need to collect data from a IBM Websphere MQ where mainframe write messages. I read something on internet and on splunk answer, and I talked with some people that already achieve it, but I found 2 different scenario. The first one is well explained here: http://blogs.splunk.com/2013/04/11/splunking-websphere-mq-queues-and-topics/ The second one, that people I talked about actually are using, is write a custom python script that use a IBM MQ client to write messages from MQ to a file, and Splunk use that file as input. Which one is the most stable solutions? Or there is any other way to do it? Regards

Posts	39
Solutions	0
Karma Given	21
Karma Received	9
Member Since	‎04-26-2011

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Why am I getting error "locale::facet::_S_create_c...

Scripted Alert to third party event managemet

DBConnect - Problem with multiline cells

Manually configure timestamp at index time from cu...

Timestamp splitted in log files

Websphere MQ from mainframe

Indexes tiering age-based (not depend from size)

Monitor cisco router interfaces- Is syslog enough ...

Rewrite hostname don't work

Remove section from windows 2008r2 security log

Re: Why am I getting error "locale::facet::_S_crea...

Re: Why am I getting error "locale::facet::_S_crea...

Why am I getting error "locale::facet::_S_create_c...

Re: Limit number of alerts in RSS

Re: Scripted Alert to third party event managemet

Re: Scripted Alert to third party event managemet

Scripted Alert to third party event managemet

Re: DBConnect - Problem with multiline cells

Re: Manually configure timestamp at index time fro...

Re: DBConnect - Problem with multiline cells

DBConnect - Problem with multiline cells

Re: Manually configure timestamp at index time fro...

Re: Manually configure timestamp at index time fro...

Re: Get Status of File arrived in folder or not.

Manually configure timestamp at index time from cu...

Re: Timestamp splitted in log files

Re: Timestamp splitted in log files

Re: Timestamp splitted in log files

Re: Timestamp splitted in log files

Re: Timestamp splitted in log files

Timestamp splitted in log files

Re: Websphere MQ from mainframe

Re: Field Extraction

Re: Field Extraction

Websphere MQ from mainframe