Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About AccentureQBETA
AccentureQBETA
Path Finder
Member since:
07-23-2012
06-05-2020
Community Statistics
| Posts | 26 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 3 |
| Member Since | 07-23-2012 |
Activity Feed
- Karma Re: Montoring apache logs using splunk for kristian_kolb. 06-05-2020 12:46 AM
- Got Karma for Remove a series of numbers in a field. 06-05-2020 12:46 AM
- Got Karma for Remove a series of numbers in a field. 06-05-2020 12:46 AM
- Got Karma for Re: Remove a series of numbers in a field. 06-05-2020 12:46 AM
- Karma Re: I keep getting this "Max concurrent searches reached" error. What does it mean and how do I fix it? for rotten. 06-05-2020 12:45 AM
- Posted Re: How to check a directory is being indexed (Monitor a Directory) on Getting Data In. 10-02-2012 08:56 AM
- Posted Re: Event Types not working on Splunk Search. 08-29-2012 12:51 AM
- Posted Re: Event Types not working on Splunk Search. 08-28-2012 09:49 AM
- Posted Event Types not working on Splunk Search. 08-28-2012 09:47 AM
- Tagged Event Types not working on Splunk Search. 08-28-2012 09:47 AM
- Tagged Event Types not working on Splunk Search. 08-28-2012 09:47 AM
- Tagged Event Types not working on Splunk Search. 08-28-2012 09:47 AM
- Posted Re: Creating a Stacked Graph (Area but coloured like bar) on Splunk Search. 08-15-2012 02:42 AM
- Posted Creating a Stacked Graph (Area but coloured like bar) on Splunk Search. 08-15-2012 02:14 AM
- Tagged Creating a Stacked Graph (Area but coloured like bar) on Splunk Search. 08-15-2012 02:14 AM
- Tagged Creating a Stacked Graph (Area but coloured like bar) on Splunk Search. 08-15-2012 02:14 AM
- Posted Re: inconsistent # of events parsed - /w custom SourceType & same source file on Getting Data In. 08-14-2012 02:13 AM
- Posted Re: inconsistent # of events parsed - /w custom SourceType & same source file on Getting Data In. 08-13-2012 01:01 AM
- Posted Re: Remove a series of numbers in a field on Splunk Search. 08-08-2012 04:34 AM
- Posted Re: Remove a series of numbers in a field on Splunk Search. 08-08-2012 04:31 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 |
10-02-2012
08:56 AM
Why don't you post something useful and constructive. Make the thread useful for others...
I now just run searches on indexies being indexed to. Normally a count of all requests per day and just hope splunk has indexed all the events properly (or as I expect).
... View more
08-28-2012
09:49 AM
I have also placed the events in the search app and only try and use them when i navigate to the search via apps.
I've also tried changing the permissions to global
... View more
08-28-2012
09:47 AM
I have loaded logs and can do the following search:
index=cms_cc_logs error
This returns 239 events.
If I do the below:
index=cms_cc_logs error |Typelearner
I get 6 suggestions.
If I know copy one of the searchs suggested, and search I get the same number of event back as TypeLearner said theer was..
If I added the same search, E.G: "punct::___[--]___*" error index::cms_cc_logs as an event. Manager > Event Type > New, I paste it in, add a tag HTTP and call it HTTPError
Now if I do the following searches, I get 0 matching results:
index=cms_cc_logs error eventtype="HTTPError"
or
eventtype="HTTPError"
or
index=cms_cc_logs eventtype="HTTPError"
I don't understand why.
I want to create 5-6 event types and then do a stacked graph for the number of each event type per hour or day. Splunk feels so painful at times 😞
... View more
08-15-2012
02:42 AM
index="cms_test_1" [|inputlookup Stacked_Worse12.csv | rename FullURL as cs_uri | fields + cs_uri] sc_status=200 time<19:00:00.000 time>=07:00:00:.000 | fields date, cs_uri | timechart count(cs_uri) span=d by cs_uri
Works great.
I don't know why I couldn't get it to work before 😄
... View more
08-15-2012
02:14 AM
I have the following search:
index="cms_test_1" [|inputlookup Stacked_Worse12.csv | rename FullURL as cs_uri | fields + cs_uri] sc_status=200 time<19:00:00.000 time>=07:00:00:.000 | fields cs_uri, date | stats count by date, cs_uri
Which gives me a list of Dates, cs_uri's and their count, I would like to make a stacked graph out of this. So the legend would be the cs_uri's, X-Axis will be Dates, Y-Axis will be Count.
I've tired looking into timechart, I think I can use this, span=d, count(uri), but It does full counts for the day so far..
Example Table (Pivot Table, Excel):
Date
cs_uri1
cs_uri2
cs_uri2
11/08/2012
6
3
5
12/08/2012
7
1
4
13/08/2012
4
6
8
But I can't get timechart to work and I can't get a stacked graph looking how I would like.. Using the above data, I expect to see, 3 dates across the bottom, for each date, 3 series (values, stacked, whith different colours) either in bar form or even better as a continues area graph.
The csv inputlookup contains a list of cs_uri's i;m filtering on.
... View more
08-14-2012
02:13 AM
In terms of considering Access_combined, Yes, but it doesn't capture the fields I would like. I'm unsure how that sourcetype will turn my logs into events either and if we will be able to add any index/search time field extraction with this soucetype. I'll try using that today and see if it is any better.
... View more
08-13-2012
01:01 AM
Hi Iguinn, I was only previously looking at the Manager->Indexes page.
Now when I run this: index=cms_test_1 | stats count by index
I get this
index count
1 cms_test_1 20442
Notepad without wordwrap shows I should get: 20445 (so minues 3 for comments and woohoo!)
I tried it on 3 more files and it appears to not be working now...
Splunk Indexed:
File1 = 20442
File2 = 24350
File3 = 25425
Notepad shows:
file1 = 20442
file2 = 25467
file3 = 26540
Running this index=cms_test_1 | stats count by index shows the total of 72449 all in 1 result.. so the line break appears to be working.
... View more
08-08-2012
04:34 AM
Jason, thank you so much for your answer. I havn't tried them yet, but will today and comment back. Echalex's answer is easier to understand for me, for now and works. Thank you though!
One thing though, because I might use your index-time solution later.. doesn't that do it for the whole event and not just a field? can a n index-time SEDCMD be done on a field? maybe if the stanza comes after a field extract stanza?
... View more
08-08-2012
04:31 AM
1 Karma
This is perfect, thanks
... View more
08-07-2012
10:18 AM
2 Karma
I have a field which is extracted in Splunk with values which look like this:
/aa/Application.do?inFrame=uploadframe&r=99946238&__navigator_index=0
/aa/resources/Ocean/css/trans.css?ver=6.0.4.21
/aa/Application.do?inFrame=scframe&r=99989045&__navigator_index=0
/aa/Application.do?inFrame=blank&r=99985838&__navigator_index=0
/aa/soap/Something
/aa/resources/Ocean/css/print_trans.css?ver=6.0.4.21
/aa/?internal=Y
/aa/Application.do?ts=99998203
/aa/soap/ILoginAPI
/aa/FileContents.do?widgetID=Application:Something_Something:Ext_Something:9:Something_ViewLink
I would like to the remove the series of numbers, where there are more than 3 in a row.
I think it can be done either at index time or search time using rex? I can't figure it out though..
... View more
08-07-2012
02:37 AM
OK 🙂 I've updated. Thanks. What about my main problem? any ideas?
... View more
08-07-2012
02:13 AM
This is a statiuc file.
Thanks for pointing out the field name problem, I've changed them now. After re-reading the Transforms.conf doc, I realise CLEAN_KEYS which defaults to true, implicitly solved my problem with the field names. Probabaly has a performace impact..
Regarding the Regex, I just checked your suggested syntax vs what I was using, in http://gskinner.com/RegExr/ and your didn't highlight any comments begining with #
Splunk Team seem to suggest this tool too: http://wiki.splunk.com/Community:RegexTestingTools
How sure are you my regex is incorrect?
... View more
08-06-2012
08:25 AM
Using Splunk version 4.3.3, build 128297
Using Windows Server 2008 Enterprise version 6 (Build 6002: Service Pack 2) - a Virtual Machine.
Why do I see a different number of events indexed (Event Count) via /en-GB/manager/launcher/data/indexes using the UI. When I'm adding data to Splunk from a static file, using the same file and a new index (created using the defualt settings) each time...
So far I have gotten these counts:
13,281
17,469
16,273
20,202
The source file which is an Apache Tomcat Server Log, is 3,637,248 bytes on disk, with 21319 Lines. I've created a custom Source Type for it:
My props.conf:
[Apache-TomCat]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-Apache-TomCat = Apache-TomCat
TRANSFORMS-comment = comment
LINE_BREAKER = ([\r\n]+)
My transforms.conf:
[comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
[Apache-TomCat]
FIELDS="date", "time", "c-ip", "x-H(remoteUser)", "cs-method", "cs-uri", "sc-status", "time-taken", "x-H(requestedSessionId)", "x-P(inFrame)", "x-P(eventSource)", "x-P(eventParam)", "x-P(eventShift)", "x-P(rcounter)", "x-P(scrollPositions)", "x-P(objFocusId)", "x-P(__navigator_index)", "x-R(username)", "x-S(int_user_id)
DELIMS = " "
I'm adding data to splunk via the Splunk UI, navigating from Manager > Data inputs > Add data > Files and directories > Add new Selecting Upload and index a file Browsing for the file (D:\NTPA1111_log_2012-07-30 - sample.txt) and adding the below for More Settings:
Set Host: constant value
Host field value: NTXA1528
Set the source type: From List: Apache-TomCat
Set the destination index: test1
For testing, I created 6 more indexes and tried adding the file two more times with the current settings specified above:
18921
15590
I removed LINE_BREAKER = ([\r\n]+) from the local props.conf file and tried 2 more times:
17,729
18,803
I removed the [comment] Stnza from the local transforms.conf file, removed TRANSFORMS-comment = comment from the local props.config and ran it 2 more times:
15,244
16,465
Still my results are inconsistant 😞
I've just reinstalled Splunk, created the local transforms.conf and props.conf (without the comment stanza and line_break line...) files, restarted splunk and then tried to index the file 3 more times:
21321
19,063
18995
I'm really surpried this is happening. any help/ideas would be greatful.
Example of the Log:
#Fields: date time c-ip x-H(remoteUser) cs-method cs-uri sc-status time-taken x-H(requestedSessionId) x-P(inFrame) x-P(eventSource) x-P(eventParam) x-P(eventShift) x-P(rcounter) x-P(scrollPositions) x-P(objFocusId) x-P(__navigator_index) x-R(username) x-S(int_user_id)
#Version: 2.0
#Software: Apache Tomcat/6.0.26
2012-07-30 07:00:01 255.255.255.255 - POST /Name/APP.do?ts=20383926 200 0.041 'F039AE0E56089412190ABAE26496B80E' - - - - - - - '0' - 'BBBBBB'
2012-07-30 07:00:01 255.255.255.255 - GET /Name/resources/Folder/images/image.gif 200 0.000 'F039AE0E56089412190ABEE26496B80E' - - - - - - - - - 'BBBBBB'
2012-07-30 07:00:05 255.255.255.255 - GET /Name/?internal=Y 401 0.001 - - - - - - - - - - -
... View more
08-02-2012
11:19 AM
It says 1.
I've tried loading in the file 4 more times and each time it's indexing a different number of events! This is not right at all 😞
My best was 20202, which is close..
Others were 16,273, 13281 and 17469
this is on the same file, same sourcetype, different index, which I create.. just via the web with all defualt settings!
... View more
08-02-2012
10:36 AM
What's the best way to check this?
... View more
08-02-2012
10:32 AM
10 worked fine
... View more
08-02-2012
10:23 AM
I think you are right about the regex. I'll update that and tryit again later.
The right number of events are not being parsed though.
I'll cut my file down to 10 lines including the first three lines of the header (all beginging with #) and see if the sourcetype/datainput gets 10 events.
... View more
08-02-2012
10:12 AM
I have it working now. Or so it appears so far...
I'll need to try some searches (which I'm quiet new at still) to see if the fields have extracted.
Do you know if this method of field-extraction is index-time or search-time?
... View more
08-02-2012
10:11 AM
Inputs.config:
[default]
host = NTXA1528
All my files are from: C:\Program Files\Splunk\etc\system\local
... View more
08-02-2012
10:09 AM
I did a data input from Manage > Data Inputs, rather than Home > Add Data and it's working. I think it might have been the host regex I had.
The file is called: NTPA1111_filename.txt
I have the host regex as: [NTPA][0-9]*
So I expect the Host to be NTPA1111
If the Host Regex fails, does anyone know what happenes? where the error is logged?
I've done a search for index=test
which returns 16667 events, but there should be 21k+ events 😞 Why has this happened?
My index, which the file is being processed into is called test.
... View more
08-02-2012
09:54 AM
I have created what I believe to be a custom sourcetype for Apache TomCat logs (which are customised). But when I add an input for a single file and try it (Via Splunk Web), I see no entires in my new index that i'm trying to index it to..
My props.conf:
[Apache-TomCat]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
REPORT-Apache-TomCat = Apache-TomCat
TRANSFORMS-comment = comment
My transforms.conf:
[comment]
REGEX = \#.*
DEST_KEY = queue
FORMAT = nullQueue
[Apache-TomCat]
FIELDS="date", "time", "c-ip", "x-H(remoteUser)", "cs-method", "cs-uri", "sc-status", "time-taken", "x-H(requestedSessionId)", "x-P(inFrame)", "x-P(eventSource)", "x-P(eventParam)", "x-P(eventShift)", "x-P(rcounter)", "x-P(scrollPositions)", "x-P(objFocusId)", "x-P(__navigator_index)", "x-R(username)", "x-S(int_user_id)
DELIMS = " "
I looked to see if the log had been indexed, by going to the splunk web, clicking manage, then indexes and looking at the count of events for my index which is 0! 😞
Are there any error logs which might help tell me what the problem is?
... View more
08-02-2012
07:54 AM
C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT
... View more
07-30-2012
05:37 AM
I'll read through this and see if I get my answers. Thank you for the reply.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
