Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About 0YAoNnmRmKDg
0YAoNnmRmKDg
Path Finder
Member since:
09-18-2014
09-12-2023
Community Statistics
| Posts | 25 |
| Solutions | 1 |
| Karma Given | 60 |
| Karma Received | 10 |
| Member Since | 09-18-2014 |
Activity Feed
- Got Karma for Re: After configuring the HTTP Event Collector, why am I receiving a "Server is busy" error?. 04-16-2021 03:20 PM
- Karma Re: Is it possible to override a base search <earliest> and <latest> fields? for to4kawa. 11-08-2020 02:17 PM
- Posted Re: Why won't the Splunk Add-on Builder load? on All Apps and Add-ons. 09-29-2020 11:52 PM
- Karma Re: Why won't the Splunk Add-on Builder load? for scadaman. 09-29-2020 11:51 PM
- Karma Re: How to improve universal forwarder performance for MuS. 06-05-2020 12:50 AM
- Karma Re: What's the order of operations for upgrading Splunk Enterprise? for jmulcaster_splu. 06-05-2020 12:50 AM
- Karma Re: host in metadata but has no logs for MuS. 06-05-2020 12:50 AM
- Karma Re: Why is the KV Store Process Failing After Upgrade from 7.1.3 to 7.2.0? for dauren_akilbeko. 06-05-2020 12:50 AM
- Karma Re: Will there be any changes to licenses when we upgrade from 7.0 to 7.1.2? for livehybrid. 06-05-2020 12:49 AM
- Karma Re: Splunk 7.0.0 on Mac failing to run for mattymo. 06-05-2020 12:49 AM
- Karma How can I search to show which browser and browser version users are using? for marshaljoel83. 06-05-2020 12:49 AM
- Karma Re: How can I find hosts from a CSV that are and aren't returning events to Splunk? for micahkemp. 06-05-2020 12:49 AM
- Karma Re: Can props.conf and transforms.conf be created in the Deployment Server GUI to push to indexers? for MuS. 06-05-2020 12:49 AM
- Karma Re: What are the best practices for uploading CSV files in merging fields from more than two sources? for MuS. 06-05-2020 12:49 AM
- Karma Re: What is the best practice for mounting the archiving paths? for MuS. 06-05-2020 12:49 AM
- Karma Re: How do you display columns with an inner join? for MuS. 06-05-2020 12:49 AM
- Karma Re: How to find .conf files on a splunk interface which is only accessible via a URL? for MuS. 06-05-2020 12:49 AM
- Karma Re: How to convert an IP address to lat and long and to use the Missile Map? for MuS. 06-05-2020 12:49 AM
- Karma Re: How to assign value to a field which is not present in some of the events and compare that value with other values from other events where that field is present? for MuS. 06-05-2020 12:49 AM
- Karma Re: After upgrade to 7.1: Bug - Dashboard Chart - drawn pixels stayed incorrectly in old positions even after the Y-axis scale has changed for MuS. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-29-2020
11:52 PM
Fixed it for me too - odd issue. ran this search index=_internal component=AuthorizationManager and created the missing roles with no capabilites and the page loaded straight away Thanks!
... View more
05-25-2020
07:33 PM
Hi,
I had this quirk too, its specific to Splunk cloud free trials (15 days).... even though HEC shows as disabled in the UI it will work
also use the endpoint similar too.... https://prd-p-h00lm.splunkcloud.com:8088/services/collector
That should get you there
... View more
04-30-2020
08:56 PM
Hi Phil,
Is there anything in the internal index working?
index=_internal | timechart count by host have any results for example?
also to check HEC is working you can follow some steps here to test with curl
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/HTTPEventCollectortokenmanagement
specifically
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/HTTPEventCollectortokenmanagement#Send_an_event_to_HEC
curl -k "https://mysplunkserver.example.com:8088/services/collector" \
-H "Authorization: Splunk CF179AE4-3C99-45F5-A7CC-3284AA91CF67" \
-d '{"event": "Hello, world!", "sourcetype": "manual"}'
... View more
10-03-2018
11:47 PM
Awesome, thank you too! - fixed
10/4/18
7:44:27.882 PM
2018-10-04T06:44:27.882Z I CONTROL [initandlisten] MongoDB starting : pid=4329 port=8191 dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo 64-bit host=splunk
host = splunk
index = _internal
source = /opt/splunk/var/log/splunk/mongod.log
sourcetype = mongod
10/4/18
6:15:55.506 PM
2018-10-04T05:15:55.506Z F CONTROL [initandlisten] ** IMPORTANT: UPGRADE PROBLEM: The data files need to be fully upgraded to version 3.4 before attempting an upgrade to 3.6; see http://dochub.mongodb.org/core/3.6-upgrade-fcv for more details.
host = splunk
index = _internal
source = /opt/splunk/var/log/splunk/mongod.log
sourcetype = mongod
10/4/18
6:15:22.876 PM
2018-10-04T05:15:22.876Z I CONTROL [initandlisten] MongoDB starting : pid=18818 port=8191 dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo 64-bit host=splunk
host = splunk
index = _internal
source = /opt/splunk/var/log/splunk/mongod.log
sourcetype = mongod
10/4/18
6:08:03.372 PM
2018-10-04T05:08:03.372Z F CONTROL [initandlisten] ** IMPORTANT: UPGRADE PROBLEM: The data files need to be fully upgraded to version 3.4 before attempting an upgrade to 3.6; see http://dochub.mongodb.org/core/3.6-upgrade-fcv for more details.
host = splunk
index = _internal
source = /opt/splunk/var/log/splunk/mongod.log
sourcetype = mongod
10/4/18
6:08:01.914 PM
2018-10-04T05:08:01.914Z I CONTROL [initandlisten] MongoDB starting : pid=11974 port=8191 dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo 64-bit host=splunk
host = splunk
index = _internal
source = /opt/splunk/var/log/splunk/mongod.log
sourcetype = mongod
... View more
10-01-2018
03:38 AM
There is a "Drive Smart details" dashboard that gets a subset of the smart data - it may show in there as errors. Do you have a specific case you are looking for? they may also show as CAM errors in the default syslog
Thanks
... View more
06-27-2018
01:46 PM
1 Karma
maybe share your inputs.conf
here is how to specify the index from the docs as MuS suggested
index = <string>
* Sets the index to store events from this input.
* Primarily used to specify the index to store events coming in via this input
stanza.
* Detail: Sets the index key's initial value. The key is used when selecting an
index to store the events.
* Defaults to "main" (or whatever you have set as your default index).
also check your default role permissions for default indexs searched or go for a good old 15 minute search of
index=*
to check all indexes
... View more
06-12-2018
05:17 PM
1 Karma
this just took me 2 hours to resolve! thank you for posting back - what an odd behavior!
... View more
03-07-2017
04:19 PM
1 Karma
For future me, I thought i'd post the actual answer - after some amazing help, its actually very simple.....
to make a KPI to track errors....
make your search to filter results
index=main error* fail*
then in the "Threshold Field" to use
_time
and then set the "Service/Aggregate Calculation" to be "Count"
also remember to click the "Apply Adaptive Thresholding" button to apply the template chosen and job done!
... View more
04-10-2016
07:28 PM
Hi,
Just to confirm there are no lookups built into the freenas app, so likely from another app.
Let me know if you do find it linked though!
Cheers
... View more
03-01-2016
06:33 PM
check
the powershell execution policy on the w7 machine
is the deployment server running windows? if show check file permissions
try another simple inputs.conf to monitor a file on the desktop (or similar) to check the deployment and client funtionality
search index=_internal error host=myw7machine ` to check for app deployment issues
as a start....
... View more
03-01-2016
06:23 PM
have you tried
my awesome search | timechart span=30m count foo blah blah
span=30m will force Splunk to break into 30 minute segments
is that what you mean?
... View more
02-25-2016
12:40 PM
1 Karma
crude but quick
index=* | table host index | uniq | sort host
note index = * so will be intensive, limit time period appropriately
also index=* OR index=_* will give you all internal indexes if thats required
this will give you ALL hosts not just forwarders so you can add host=UF* OR host=HW* assuming host names of the forwarders are that to reduce your results
... View more
02-25-2016
12:22 PM
Hi,
you could just set the number of results in the alert triggers wizard to 10000 events?
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Defineper-resultalerts
then just use something like
index = _internal | stats count by source | top limit=5 source
so you would have
my_awesome_search | top limit=10 Src
Cheers
... View more
02-22-2016
03:09 AM
I deleted the mongod.lock file from C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo and restarted my Splunk instance
worked for me! thanks! splunk 6.2.3 solaris (SmartOS zone)
... View more
02-01-2016
10:16 PM
OK great, welcome to the wonderful world of Splunk - i think you will be pleasantly surprised how simple it is to use and get data in compared to ELK! enjoy!
... View more
02-01-2016
05:46 PM
yes for sure - just google "splunk dashboard" images 🙂
https://www.google.co.nz/search?q=splunk+dashboard+image&rlz=1C5CHFA_enNZ670NZ670&espv=2&biw=1440&bih=763&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiZ-Mmp-tfKAhXD5KYKHZHkAwkQ_AUIBigB&dpr=1
i would be amazed if there is something you can't do!
is there something specific you are concerned about?
... View more
02-01-2016
04:12 PM
2 Karma
Hi,
I think the word "Created" here needs to be clarified.
You can make identical (I'd say better) dashboards in Splunk to ELK. However you can't just natively "import" an ELK dashboard into Splunk. They have very different search languages so the ELK table / graph would return no results in Splunk.
There may be a third party tool to do this conversion for you, but otherwise it would be a manual replacements, panel by panel.
... View more
02-01-2016
03:06 PM
the REST API.... just use the rest api app for Splunk and then connect to the twitter API....
https://splunkbase.splunk.com/app/1546/
then you can just Splunk the Twitter JSON like a BOSS 🙂
... View more
02-01-2016
02:43 PM
Hi,
As FreeNAS does not have a persistent storage, you cannot install a forwarder on there, so I opted to use shell scripts that run via CRON and output to syslog then to Splunk.
So you
install the WHOLE app into Splunk
Then copy the SH files are in the "BIN" folder of the app, to a persistent dataset (eg /TANK/SCRIPTS) on the FreeNAS and CRON set to run every few minutes (Choice is yours for interval, depends on granularity)
FreeNAS will then run the scripts and output to syslog which is sent to SPlunk, populating the dashboards of the APP
Check the docs tab on the app for wider explanation, i have copied the details below for your convenience. follow the links to the freeNAS docs for how to setup cron and syslog forwarding.
Hope this helps, post back how you go 🙂
Inputs
For this app to work completely the REST API Modular Input is required, install the REST app first (thanks to the awesome Damien Dallimore)
FreeNAS API
http://api.freenas.org/index.html
This app utilises the FreeNAS api for some data.
Check either inputs.conf, or if you are a novice you can just change the details in the “data inputs” section of Splunk.
You will need to configure for your environment;
Your FreeNAS IP address or host name
Your FreeNAS ROOT password (currently the FreeNAS API only allows the root user)
.SH files
There are several .sh scripts in /TA-SH_files_for_FreeNAS directory that need to be placed on a persistent dataset on the FreeNAS server with a cron job associated with them, set to run every few minutes.
https://doc.freenas.org/9.3/freenas_tasks.html
these scripts output to “logger” - which is the syslog output
Also once copied over this command may be your friend 🙂
sh
chmod 777 foo.sh
Syslog
You need to configure FreeNAS to log to a central server (Splunk®) for the data to be ingested, point to port 1514 e.g.
192.168.1.2:1514
https://doc.freenas.org/9.3/freenas_system.html#general
... View more
07-08-2015
08:45 PM
Many thanks in advance for any help here..
I know what i need to do in principle but cant nail the Splunk search.... I have tried to use transaction and first last but cant it to work.
I have a csv file exported monthy and ingested into splunk, need to calculate a monthy $ value for a given combination
sudo search....
for the FIRST time you see foo=1 and bar=10, select field x
for the LAST time you see foo=1 and bar=10, select field y and x
for the LAST time you see foo=1 and bar=11, select field y and x
for the LAST time you see foo=1 and bar=n..., select field y and x
For the LAST time you see foo=1 select field y
add x+y+x+y+x+y = monthy $
for the FIRST time you see foo=2 and bar=20, select field x
for the LAST time you see foo=2 and bar=20, select field y and x
for the LAST time you see foo=2 and bar=21, select field y and x
for the LAST time you see foo=2 and bar=n..., select field y and x
For the LAST time you see foo=2 select field y
add x+y+x+y+x+y = monthy $
and so on.... any ideas
there are times and dates in each row
foo and bar will always be uniq
with the example below, the desired output in a table would be...
1 = $4099.66
2 = $5672.07
ID Start Stop y foo x bar
1 31/03/15 22:01 1/04/15 19:31 278.88 2197.94 764.22 10
1 1/04/15 19:31 2/04/15 17:59 340.91 2019.52 702.19 10
1 2/04/15 17:59 7/04/15 00:00 342.32 2015.46 700.78 10
1 7/04/15 00:00 7/04/15 23:45 638.98 1162.27 404.12 10
1 7/04/15 23:45 8/04/15 15:45 792.56 720.56 250.54 10
1 8/04/15 15:45 9/04/15 16:20 943.96 285.14 99.14 10
1 9/04/15 16:20 10/04/15 20:36 93.98 2729.71 949.12 11
1 10/04/15 20:36 11/04/15 14:59 214.13 2384.16 828.97 11
1 11/04/15 14:59 12/04/15 15:13 218.21 2372.42 824.89 11
1 12/04/15 15:13 13/04/15 14:48 350.74 1991.26 692.36 11
1 13/04/15 14:48 14/04/15 18:42 578.17 1337.16 464.93 11
1 14/04/15 18:42 15/04/15 14:17 687.16 1023.69 355.94 11
1 15/04/15 14:17 16/04/15 18:37 767.65 792.2 275.45 11
1 16/04/15 18:37 17/04/15 19:05 955.14 252.98 87.96 11
1 17/04/15 19:05 18/04/15 16:05 50.98 2853.38 992.12 12
1 18/04/15 16:05 19/04/15 15:39 51.14 2852.93 991.96 12
1 19/04/15 15:39 20/04/15 18:27 215.4 2380.51 827.7 12
1 20/04/15 18:27 21/04/15 20:15 350.21 1992.78 692.89 12
1 21/04/15 20:15 22/04/15 18:34 488.3 1595.64 554.8 12
1 22/04/15 18:34 23/04/15 17:09 630 1188.1 413.1 12
1 23/04/15 17:09 25/04/15 16:00 630.12 1187.75 412.98 12
1 25/04/15 16:00 26/04/15 09:44 631.33 1184.28 411.77 12
1 26/04/15 09:44 27/04/15 19:27 631.69 1183.23 411.41 12
1 27/04/15 19:27 28/04/15 23:45 930.24 324.6 112.86 12
1 28/04/15 23:45 29/04/15 15:33 33.3 2904.22 1009.8 13
1 29/04/15 15:33 30/04/15 14:39 206.14 2407.14 836.96 13
2 31/03/15 23:50 1/04/15 23:46 81.63 2765.22 961.47 20
2 1/04/15 23:46 2/04/15 23:21 329.13 2053.41 713.97 20
2 2/04/15 23:21 3/04/15 22:57 388.6 1882.38 654.5 20
2 3/04/15 22:57 4/04/15 13:34 524.51 1491.5 518.59 20
2 4/04/15 13:34 7/04/15 22:21 701.85 981.44 341.25 20
2 7/04/15 22:21 8/04/15 23:38 937.17 304.66 105.93 20
2 8/04/15 23:38 9/04/15 23:51 129.28 2628.19 913.82 21
2 9/04/15 23:51 10/04/15 23:23 370.06 1935.69 673.04 21
2 10/04/15 23:23 11/04/15 16:43 565.21 1374.42 477.89 21
2 11/04/15 16:43 13/04/15 23:24 777.8 763.02 265.3 21
2 13/04/15 23:24 14/04/15 23:45 1020.29 65.6 22.81 21
2 14/04/15 23:45 15/04/15 23:45 224.09 2355.52 819.01 22
2 15/04/15 23:45 16/04/15 23:58 497.82 1568.25 545.28 22
2 16/04/15 23:58 17/04/15 23:45 750.78 840.73 292.32 22
2 17/04/15 23:45 18/04/15 22:49 815.2 655.44 227.9 22
2 18/04/15 22:49 19/04/15 11:23 951.57 263.25 91.53 22
2 19/04/15 11:23 20/04/15 23:47 105.86 2695.53 937.24 23
2 20/04/15 23:47 21/04/15 23:59 352.14 1987.24 690.96 23
2 21/04/15 23:59 22/04/15 23:45 578.07 1337.44 465.03 23
2 22/04/15 23:45 23/04/15 23:39 838.94 587.17 204.16 23
2 23/04/15 23:39 24/04/15 23:58 28.91 2916.86 1014.19 24
2 24/04/15 23:58 25/04/15 03:37 87.79 2747.52 955.31 24
2 25/04/15 03:37 28/04/15 23:57 271.71 2218.54 771.39 24
2 28/04/15 23:57 29/04/15 23:55 538.2 1452.1 504.9 24
... View more
- Tags:
- transactions
05-26-2015
02:15 PM
1 Karma
Thank you so much - i used this to highlight status words instead of numbers - awesome!
... View more
04-20-2015
04:18 PM
Thats great, works nicely - sorted what i needed for a smoke and mirrors demo - thank you very much for taking the time to answer!
... View more
04-20-2015
03:26 AM
Hi Guys,
longtime lurker, first time poster....
so after many hours of work and rework I surrender - I cant get Sankey to display all the nodes I want it to.
The flow i am looking for in Sankey is
host > service > customer
this is to show if host x dies, it kills service y and affects customer z
i started by taking apart the 6.x samples app apart, and replacing with my search but the "services" nodes never show, i just get links from host to customer. the sample data in the 6.x app is csv and all the do is reference 2 columns and the magic happens, what am i missing?
I feel it is something fundamental but simple i'm not getting here...
Many thanks in advance for any help!
Original 6.x samples app search
<search id="sankey_search">
<query><![CDATA[
index=_internal sourcetype=splunk_web_access NOT uri_path=*/static/* uri_path=*/app/* OR uri_path=*/manager/*
| rex field=referer "https?://.+?/.+?(?<referer_path>/[^\\?]+)"
| rex field=uri_path "/.+?(?<path>/.+)"
| rename referer_path as from path as to
| stats count by from to | head 50
]]></query>
My new search
<search id="sankey_search">
<query>
<![CDATA[
|inputlookup hosts.csv | search host="*" service=* customer=* | head 100 | stats count by host, customer
]]>
</query>
Sample csv
host,service,customer
ABC123431,Service1,Customer1
ABC123300,Service2,Customer2
ABC123321,Service3,Customer3
ABC123332,Service4,Customer4
ABC123940,Service5,Customer5
ABC123334,Service6,Customer6
ABC123702,Service7,Customer7
ABC123341,Service8,Customer8
ABC123740,Service9,Customer9
ABC123431,Service1,Customer1
ABC123300,Service2,Customer2
ABC123321,Service3,Customer3
ABC123332,Service4,Customer4
ABC123940,Service5,Customer5
ABC123334,Service6,Customer6
ABC123702,Service7,Customer7
ABC123341,Service8,Customer8
ABC123740,Service9,Customer9
ABC123431,Service1,Customer1
ABC123300,Service2,Customer2
ABC123321,Service3,Customer3
ABC123332,Service4,Customer4
ABC123940,Service5,Customer5
ABC123334,Service6,Customer6
ABC123702,Service7,Customer7
ABC123341,Service8,Customer8
ABC123740,Service9,Customer9
ABC123431,Service1,Customer1
ABC123300,Service2,Customer2
ABC123321,Service3,Customer3
ABC123332,Service4,Customer4
ABC123940,Service5,Customer5
ABC123334,Service6,Customer6
ABC123702,Service7,Customer7
ABC123341,Service8,Customer8
ABC123740,Service9,Customer9
ABC123431,Service1,Customer1
ABC123300,Service2,Customer2
ABC123321,Service3,Customer3
ABC123332,Service4,Customer4
ABC123940,Service5,Customer5
ABC123334,Service6,Customer6
ABC123702,Service7,Customer7
ABC123341,Service8,Customer8
ABC123740,Service9,Customer9
ABC123431,Service1,Customer1
ABC123300,Service2,Customer2
ABC123321,Service3,Customer3
ABC123332,Service4,Customer4
ABC123940,Service5,Customer5
ABC123334,Service6,Customer6
ABC123702,Service7,Customer7
ABC123341,Service8,Customer8
ABC123740,Service9,Customer9
ABC123740,Service1,Customer5
ABC123640,Service2,Customer6
ABC123433,Service3,Customer7
ABC123710,Service4,Customer8
ABC123722,Service5,Customer9
ABC123330,Service6,Customer10
ABC123603,Service7,Customer1
ABC123801,Service8,Customer2
ABC123513,Service9,Customer3
ABC123800,Service1,Customer4
ABC123312,Service2,Customer5
... View more
10-27-2014
07:31 PM
try this
index=windows | stats count by user | where count>3 | top 3
otherwise try expanding your question a bit - its a little hard to follow...
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-12-2023
07:51 PM
|
Karma given to
