Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About tradevine
tradevine
Engager
Member since:
07-18-2013
11-30-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 07-18-2013 |
Activity Feed
- Posted Increased CPU on Universal Forwarder since v9 on Getting Data In. 11-29-2022 06:56 PM
- Karma Re: Filtering Events, Creating Custom Fields and Discarding Raw Data at index time for kristian_kolb. 06-05-2020 12:46 AM
- Posted Re: Case Sensitive Columns From SQL on Splunk Search. 11-25-2013 12:57 PM
- Posted Re: There was an error retrieving the configuration, can not process this page. After upgrade to Splunk6 on Getting Data In. 10-10-2013 08:25 PM
- Posted Re: There was an error retrieving the configuration, can not process this page. After upgrade to Splunk6 on Getting Data In. 10-10-2013 07:06 PM
- Posted Re: Filtering Events, Creating Custom Fields and Discarding Raw Data at index time on Getting Data In. 10-08-2013 12:46 PM
- Posted Re: Filtering Events, Creating Custom Fields and Discarding Raw Data at index time on Getting Data In. 10-08-2013 12:45 PM
- Posted Filtering Events, Creating Custom Fields and Discarding Raw Data at index time on Getting Data In. 10-07-2013 07:32 PM
- Tagged Filtering Events, Creating Custom Fields and Discarding Raw Data at index time on Getting Data In. 10-07-2013 07:32 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
11-29-2022
06:56 PM
We upgraded the Splunk Universal Forwarders on our web servers from 8.0.5 to 9.0.1 back in late October and since then we've seen a dramatic increase in CPU Utilization by the Splunkd.exe process on each server. Each instance is tracking a fairly large amount of files - typically 3k or so per day and in a folder that can contain up to 10k files. I've found reducing the amount of 'old' files in the folder helps, but the CPU load is still dramatically above what it was with version 8.0.5.
... View more
Labels
- Labels:
-
universal forwarder
-
Windows
11-25-2013
12:57 PM
I've encountered this too, after install the new version of DBConnect all of my views (which rely on case sensitive camel-case fields) now return 0 results. Very frustrating and time-consuming to resolve!
... View more
10-10-2013
08:25 PM
DB connect, plus I've created a custom app with a series of Filemonitors, SQL queries etc. All of my input.conf config's are stored within the custom app so i can create a backup of it.
... View more
10-10-2013
07:06 PM
I get the same error message after upgrading to Splunk 6 and trying to go into 'remote event log collections' and 'remote performance monitoring' from the Data Inputs screen.
Strangely enough though, if I click Add Data I can create new inputs, and it seems to still acknowledge the existing Event Logs and Perfmon entries.
... View more
10-08-2013
12:46 PM
Excellent answer! I was attempting to use non-capturing groups and messing around with the syntax of the format.
This works perfectly for me on the end of my props.conf entry for hostfile:
SEDCMD-trim_start = s/* - M://g
SEDCMD-trim_end = s/ms,C:.*//g
Combined with my regex I've brought down my theoretical daily indexing on these particular logs from 1.8Gb (raw) to 4mb!
... View more
10-08-2013
12:45 PM
Excellent answer! I was attempting to use non-capturing groups and messing around with the syntax of the format.
This works perfectly for me on the end of my props.conf entry for hostfile:
SEDCMD-trim_start = s/* - M://g
SEDCMD-trim_end = s/ms,C:.*//g
... View more
10-07-2013
07:32 PM
I'm attempting to minimize the amount of data Splunk indexes, but i'm dealing with very large log files. At the moment I can filter the events in these logs based on a regex search to only return the events that I need, however I'd like to shrink the indexed data even further, capturing only one field from the event. This is some contents from a typical log file:
00:22:15.911 - M:ReadByID TradeMeOrganisationWorker,D:0ms,C:1,S:
00:22:32.119 - M:ReadMultiple vwTMNewAutoListing,D:7427ms,C:0,S: at LTI.Services.Concrete....
00:22:34.397 - M:ReadMultiple vwListingQuestion,D:32ms,C:0,S:
The Bold event is the specific M type I'd like to capture (i.e. my Regex search is 'ReadMultiple vwTMNewAutoListing'), however the only information i'm interested in is the Duration (i.e. D:), and discard all the rest of the data - the S: field is a stack-trace and can be quite large.
This is my current config:
PROPS.conf
[hostfile]
pulldown_type = true
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = false
TRANSFORMS-set = setnull,newautolisting
REPORT-extract = durationMS
TRANSFORMS.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[newautolisting]
REGEX = ReadMultiple vwTMNewAutoListing
FORMAT = indexQueue
DEST_KEY = queue
[durationMS]
REGEX = ReadMultiple vwTMNewAutoListing,D:(?<DurationMS>\d+)ms
FORMAT = DurationMS::$1
DEST_KEY = queue
As you can see, I'm sending all the events that do not match the Regex to Null, however the end result is I capture the complete Raw event that matches 'ReadMultiple vwTMNewAutoListing', plus I create the DurationMS field at search time. Is it possible to create the DurationMS field at index-time and discard the rest of the Raw event?
... View more
- Tags:
- transforms.conf
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-30-2022
12:59 AM
|
