Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About strive
strive
Influencer
Member since:
10-06-2012
06-05-2020
Community Statistics
| Posts | 545 |
| Solutions | 74 |
| Karma Given | 50 |
| Karma Received | 345 |
| Member Since | 10-06-2012 |
Activity Feed
- Got Karma for Difference between last(X) and latest(X). 3 weeks ago
- Got Karma for Re: how to limit percent results to 2 decimal places. 06-10-2024 04:04 AM
- Got Karma for Re: Splunk searches unit test automation. 12-13-2023 01:04 AM
- Got Karma for How to remove the View Dashboard link from PDF report emails?. 11-19-2023 12:26 AM
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 11-12-2021 08:36 AM
- Got Karma for Re: Hardware recommendation for high log volume splunk deployments. 07-29-2021 05:53 AM
- Got Karma for Hardware recommendation for high log volume Splunk deployments to optimize performance and provide indexer replication?. 07-29-2021 05:53 AM
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 12-15-2020 12:17 AM
- Got Karma for Re: How to remove duplicate values of a field inside of a row/column?. 08-28-2020 06:01 AM
- Got Karma for Re: How to convert epoch time to human readable format in search query?. 08-11-2020 10:35 AM
- Got Karma for Splunk license warnings are based on type=Usage or type=RollOverSummary?. 06-26-2020 08:09 AM
- Karma Re: Stop concurrent scheduled summary update in clustered env for somesoni2. 06-05-2020 12:49 AM
- Got Karma for Re: Clarify where pass4symmkey is used to authenticate client connections. 06-05-2020 12:49 AM
- Got Karma for Re: REST endpoint: data/indexes-extended - Why is total_raw_size is bigger than total_size. 06-05-2020 12:49 AM
- Got Karma for Re: REST endpoint: data/indexes-extended - Why is total_raw_size is bigger than total_size. 06-05-2020 12:49 AM
- Got Karma for Re: REST endpoint: data/indexes-extended - Why is total_raw_size is bigger than total_size. 06-05-2020 12:49 AM
- Got Karma for Re: Peers doesn't come back live after the restart signal from Master. Why?. 06-05-2020 12:49 AM
- Got Karma for Re: Calculate the percentage of a given date_hour. 06-05-2020 12:49 AM
- Karma Re: How do i query for those results occurred before 9 AM today? for acharlieh. 06-05-2020 12:48 AM
- Karma Re: How to monitor newly written log lines from a log file whose modtime is older than 12 hours? for somesoni2. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 4 | |||
| 0 |
12-10-2018
01:51 AM
Splunk has accepted that it is a bug and they will fix it.
... View more
11-30-2018
11:06 AM
Hi,
We extensively use splunklib.client and service.jobs to create jobs, retrieve jobs and iter over, and set ttl. All these things were working fine in Splunk 6.4.5 & Python SDK 1.6.2.
In Splunk 7.0.7 & Python SDK 1.6.2, the service.jobs.iter(search=query) and job.set_ttl are not working. More details below.
We post search jobs along with custom parameters. Later we retrieve the jobs matching some custom parameters.
For example: If custom.notify_method="email", custom.notify_server="my mail server" are our custom parameters
query='custom.notify_method="email" AND custom.notify_server="my mail server"'
service.jobs.iter(search=query)
returns nothing.
for job in service.jobs:
job.set_ttl(60)
The ttl and eai:acl.ttl are set to 60. After 60 seconds, the ttl value becomes 0 but the eai:acl.ttl value remains as 60.
The job never expires and it stays for 7 days.
Why the jobs are not getting deleted after 60 seconds even though the ttl value has been updated to 0?
Both the above mentioned issues are in Splunk 7.0.7 & Python SDK 1.6.2 . But they were working as intended in 6.4.5 and SDK 1.6.2
Any pointers to solve these issues.
Thanks,
Strive
... View more
11-23-2018
05:49 AM
Hi,
The custom fields set in search/jobs POST are not returned in search/jobs GET . In earlier versions of splunk the custom fields were returned. However they are missing in 7.0.7
As per documentation http://docs.splunk.com/Documentation/Splunk/7.0.7/RESTREF/RESTsearch#search.2Fjobs , the custom fields should be available in GET.
Is this a bug?
Note: in Splunk 7.0.7, the custom fields are returned only for search/jobs/<search-id> end point.
Thanks,
Strive
... View more
08-16-2018
04:34 AM
The daily scheduled searches are going to be affected because of this. Is there any workaround for this for daily scheduled searches.
Whats happening is:
The daily scheduled search reruns automatically for all the days from the beginning till DST start date and thus creating duplicate summary data. This is because splunk is not able to resolved the time modifier snapped to day.
Any workarounds for this would be highly appreciated.
Meanwhile a case has been raised with Splunk to look into this issue.
... View more
08-12-2018
08:03 AM
Thank you. Looks like the pre-built dashboards where -0d@d has been used should be changed to handle previous day case.
It will be better if Splunk changes the error message. From end user perspective he/she is right when they pick Yesterday option from Time Range Picker presets. That time users will be lost if SPlunk just displays a error message like this: 'latest_time must be greater than earliest_time'.
... View more
08-12-2018
06:34 AM
If that is the case then the dashboards should show empty bucket from 00:00:00 to 01:00:00 since the time 00:00:00 doesn't exist. But that is not the case. The dashboards show values for that particular hour.
... View more
07-04-2018
04:08 AM
Try this
https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html
... View more
05-03-2018
02:04 AM
I dug deeper and found a way of making it work. I just concentrated on this portion of error - " error:0906D06C:PEM routines:PEM_read_bio:no start line".
Combining the cert and key into one file solved the issue.
The link that helped me with this is: https://snippets.aktagon.com/snippets/543-how-to-fix-pem-read-bio-no-start-line-error-nginx-error
... View more
04-24-2018
07:46 PM
Even i have seen this behavior. You need not add the attributes sslKeysPassword and password to server.conf and inputs.conf respectively. Without you entering these attributes, splunk adds them.
See my other post: https://answers.splunk.com/answers/643307/why-is-the-ssl-connection-between-forwarder-and-in.html
In my case:
a. in server.conf, i did not even have [sslConfig] stanza. Splunk adds that and underneath sslKeysPassword attribute also.
b. In inputs.conf, i had [SSL] stanza but not password attribute. During restart splunk adds password attribute.
... View more
04-24-2018
01:05 AM
Hi,
In the SSL/TLS world, it is not mandatory to have passwords for the private key. However, in case of Splunk, the SSL connection between forwarder and indexer fails when password less certificates are used.
After a bit of debugging, I found that Splunk adds password attribute to the [SSL] stanza of inputs.conf. I have a inputs.conf in /opt/splunk/etc/system/local/ directory. I haven't specified password (since the certificates that I am using are password less). Upon Splunk restart, it adds the password attribute with some hashed value. Due to this I am getting error as: ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
Splunk adding password attribute to inputs.conf is a bug or is it intended behavior? If it is intended behavior, then how to stop Splunk from editing files in /opt/splunk/etc/system/local/ directory?
Regards,
Strive
... View more
03-20-2018
11:31 PM
Modified Search:
index = xyz
| stats count avg(time_taken) by cs_uri_stem, host
| eval Silo = case(1==1 AND (host=server1 OR host=server3), "Silo1", 1==1 AND (host=server2 OR host=server3), "Silo2", true(), "NULL")
| eval avg(time_taken)=round('avg(time_taken)',2)
| table cs_uri_stem count avg(time_taken) Silo
Tested similar search locally and works
index=XYZ | stats count avg(bytes) by column1 | eval Silo = case(1==1 AND column1="CACHE_MISS", "Silo1", 1==1 AND (column1="CACHE_MEM_HIT" OR column1="CACHE_REVALIDATED_MEM_HIT"), "Silo2", true(), "NULL")
... View more
03-20-2018
04:33 PM
Was Splunk restarted when the search was running?
... View more
03-20-2018
04:27 PM
http://docs.splunk.com/Documentation/Splunk/7.0.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2Fdispatch
... View more
03-20-2018
08:48 AM
It works for us. For us in our pivot interface the default is -48h
We are using Splunk 6.4.5
... View more
03-20-2018
08:35 AM
Try this
index = xyz
| stats count avg(time_taken) by cs_uri_stem, host
| eval Silo = case(1==1 AND (host=server1 OR host=server3), "Silo1", 1==1 AND (host=server2 OR host=server3), "Silo2", true(), "NULL")
| eval avg(time_taken)=round('avg(time_taken)',2)
| table cs_uri_stem count avg(time_taken) Silo
... View more
03-20-2018
08:34 AM
Try this
index = xyz
| stats count avg(time_taken) by cs_uri_stem, host
| eval Silo = case(1==1 AND (host=server1 OR host=server3), "Silo1", 1==1 AND (host=server2 OR host=server3), "Silo2", "NULL")
| eval avg(time_taken)=round('avg(time_taken)',2)
| table cs_uri_stem count avg(time_taken) Silo
... View more
03-20-2018
08:20 AM
OR you can also take the search like this for 3rd panel
index="file1" type=input" | stats count as Count1 by _time | join _time type=left [index="file2" type="output" | stats count as Count2 by _time] | eval Field3=case((Count1-Count2)=5,"GOOD","WARNING") | fields Field3
... View more
03-20-2018
08:19 AM
Are you sure that Count1-Count2=5 then Good else WARNING?
... View more
03-20-2018
08:18 AM
You can have base search and refer that in other panels. Something like this
<query>
index="file1" type=input" | stats count as Count1 by _time | join _time type=left [index="file2" type="output" | stats count as Count2 by _time]
</query>
<earliest>0</earliest>
<latest></latest>
<panel>
<chart>
<title>Panel 1</title>
<search base="base_search">
<query>| fields Count1</query>
<earliest>0</earliest>
<latest></latest>
</search>
<panel>
<chart>
<title>Panel 2</title>
<search base="base_search">
<query>| fields Count2</query>
<earliest>0</earliest>
<latest></latest>
</search>
<panel>
<chart>
<title>Panel 3</title>
<search base="base_search">
<query>| eval Field3=case((Count1-Count2)=5,"GOOD","WARNING") | fields Field3</query>
<earliest>0</earliest>
<latest></latest>
</search>
... View more
03-19-2018
11:56 PM
1 Karma
There are two ways:
Option1: Include date_year also in stats and then join them.
Something like: index=_internal | stats count by date_month date_year | eval Month=date_month." ".date_year | fields Month count
Option 2: Assuming that your data is properly indexed with timestamp, do eval on _time field.
Something like: index=_internal | eval Month=strftime(_time, "%Y %m") | stats count by Month
... View more
03-19-2018
11:45 PM
How much data you have?
What is your HW configuration?
Dont you have other filter conditions available?
... View more
03-19-2018
11:37 PM
I have alert action to log it as event. All the tokens mentioned there are available when we log event.
Some of them are not available when we are using it as command in custom alert action.
My guess is, the job has to be complete i suppose to have all the tokens available.
This is my sample log event and it works perfectly fine
app=$app$ alert_name=$name$ severity=$alert.severity$ owner=$owner$ triggered_time=$trigger_time$ value=$result.fieldname$ job_earliest_time=$job.earliestTime$ job_latest_time=$job.latestTime$ job_run_duration=$job.runDuration$
... View more
03-09-2018
05:38 PM
Try this
[general_default]
default_namespace = launcher
appOrder = search
default_earliest_time = -48h
default_latest_time = now
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
Karma given to
| User | Karma Count |
|---|---|
| 13 | |
| 1 | |
| 12 | |
| 2 | |
| 1 |
