Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About splunkears
splunkears
Path Finder
Member since:
06-01-2013
06-05-2020
Community Statistics
| Posts | 37 |
| Solutions | 2 |
| Karma Given | 25 |
| Karma Received | 7 |
| Member Since | 06-01-2013 |
Activity Feed
- Karma Re: How to write a Splunk transaction search that is similar to grep Before and After string pattern for MuS. 06-05-2020 12:48 AM
- Karma Re: How to write a Splunk transaction search that is similar to grep Before and After string pattern for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Unable to get REST API Token for Damien_Dallimor. 06-05-2020 12:47 AM
- Got Karma for Splunk Java SDK : Why does job.isDone(..) hang forever, but the job inspector in Splunk Web shows the job is done?. 06-05-2020 12:47 AM
- Karma Re: controlling access to dashboard and search capability for somesoni2. 06-05-2020 12:46 AM
- Karma Re: ANSWERS forum: How to pin the Q&As in this forum, so I can refer them back.. for piebob. 06-05-2020 12:46 AM
- Karma Re: ANSWERS forum: How to pin the Q&As in this forum, so I can refer them back.. for somesoni2. 06-05-2020 12:46 AM
- Karma Re: How to plot number of scheduled jobs on a hourly time scale by user for dmaislin_splunk. 06-05-2020 12:46 AM
- Karma Re: How to plot number of scheduled jobs on a hourly time scale by user for dmaislin_splunk. 06-05-2020 12:46 AM
- Karma Re: Splunk DBConnect App - not reading timestamp column value correctly for pmdba. 06-05-2020 12:46 AM
- Karma Re: Restrict Index access for GKC_DavidAnso. 06-05-2020 12:46 AM
- Karma Re: how to use the TA-uas_parser for dshpritz. 06-05-2020 12:46 AM
- Karma Re: Increasing Splunks Search performance on Linux for twkan. 06-05-2020 12:46 AM
- Karma Re: controlling access to dashboard and search capability for sowings. 06-05-2020 12:46 AM
- Karma Re: Expected performance? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Expected performance? for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: Can index compression be disabled once an index has already be created and is in use ? for pierrem350. 06-05-2020 12:46 AM
- Karma Re: Hadoop Connect - how to change the polling frequency of HDFS file lists, to a longer duration.? for Ledion_Bitincka. 06-05-2020 12:46 AM
- Karma Re: Search only works for index=* in flashtimeline for okrabbe_splunk. 06-05-2020 12:46 AM
- Karma Re: What is the best way to design/define roles? for lguinn2. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 2 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
12-09-2016
11:41 PM
Thank you for the quick response. I'm getting zero results, when I do not provide keyword (common field) next to transaction, that's available in both begin record and end record. Can you please suggest, how to get next (all) records within say 30sec span, that starts with (for example) "begin" record. Is this doable?
I after finding records (transactions) that got initiated but did not complete in say 30sec.
Thanks a lot.!
... View more
12-09-2016
10:02 AM
Hi,
I wanted to find transactions in logs using "startswith" and "endswith" but my log record does not have a common field to
use in transaction command .. as mentioned in
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Transaction
| transaction "some common field" startswith="begin transaction" endswith="done" maxpause=2s maxspan=180s
My problem is, in the above command, my record does not have a common value / field in the record that marks the beginning and ending of transaction.
Hence, I wanted to try a different approach... where I search for records with "begin transaction" and then, in those results, would like to get / see results of next following 10-20 records within 180sec span, which have "done" as marker for END of transaction.
Is this doable with Splunk?
Any other suggestions - to get the transactions marked with begin and end as a single unit of record.?
Thanks.
... View more
08-05-2015
11:05 PM
1 Karma
Hello,
I'm using Splunk Java SDK. Something like the following:
...
...
while (!myJob.isDone()) {
try {
Thread.sleep(500);
} catch (InterruptedException e) {
e.printStackTrace();
}
}
My search query takes a long time and hangs forever at myJob.isDone()
But, when I inspect the job by going to Splunk Web's job inspector, I see the job is already done.
Can you help if something wrong with what I'm doing? or is this a known issue with Splunk 6?
... View more
08-02-2015
10:15 AM
Splunk documentation is not correct for version 6- REST API
REF-- wrong end point in the doc:
http://dev.splunk.com/view/SP-CAAADQT
--for end point --> /servicesNS/admin/search/auth/login does NOT work and results "Login Failed"
where as the end point below
/services/auth/login works.
... View more
12-22-2013
08:31 AM
I found the gold-star in the Question. So, this feature is there already.
... View more
12-21-2013
07:45 PM
Thanks. I don't see that small yellow star icon below Down vote arrow. But, I do find the recent activity in my profile, which works for me. So , +1 on the vote.
... View more
12-21-2013
10:19 AM
2 Karma
Hi,
I found this community and the answers found here, very helpful. I wanted to mark / pin certain Questions in this forum as my favorite, private to me, under my profile. I see that there is a "favorite" url ; but not sure how to make / add a question as favorite. I did not want to use another 3rd party (fb, Linkd+etc.).
Is there a way how to do this, on this Splunk site.? Initially, I had thought, if I comment on (or vote) on a specific question, it would show up in my - list of commented page.. but, I was wrong there.
Any idea.. Webmaster ?
... View more
12-20-2013
08:01 AM
Just curious on the job management app - whats it?
... View more
12-20-2013
07:38 AM
Thanks. Seems like Btool is the one I can use to get what we want. I'm thinking, we can scrub Btool output to generate scheduled job data and then feed that back to Splunk to get plots we wanted. Thanks for the command.
... View more
12-19-2013
07:40 PM
Thanks. But your answers takes me into history or past..like how many got executed last hour, last day, 2 days ago..etc. But, I wanted to get to future view .. like how many are getting scheduled tomorrow.. this week, next week .. by all of the users as of today?
Where does cron regex for scheduled, enabled get stored? which index?
Also, how to create an alert say, if more than N jobs get scheduled at the same time?
... View more
12-19-2013
12:19 PM
Thanks for the pointer. I'm aware of SOS. But, don't know how to do this with SOS.
What is the name of the index where SOS will store the schedule job 's cron information.
For example, if a job is scheduled to run -- once every week -- by user A -- and another job by user B -- to run say every day.. my plot should project all the jobs that going to be run this week.. Basically I wanted to see how many are going to flood the system, by running around the same time. Some kind of visualization .... Basically Future look of jobs going to run this week, next week etc.. etc.
... View more
12-19-2013
09:41 AM
1 Karma
Hi,
How do we list out all of the saved scheduled jobs on a Splunk setup by user, by day, by search, by tittle of the saved search?
Also, I wanted to plot in a days view of scheduled jobs -- ie.. 0-23 HRS scale with 1HR, all the jobs for a given user.
Basically, I wanted to know how many are scheduled at the same time in a given day and by users.
I've the following REST call:
| rest /services/saved/searches | stats values(search) as QueryName, values(title) as JobName, values(cron_schedule) as ScheduledAt by eai:acl.owner, title, cron_schedule
But, not sure how to transform cron-expression into a time to plot.
thanks..
... View more
12-06-2013
10:51 AM
That links seems broken.
My requirement is, to move all the user created reports and indexes to another Search head and peer respectively. How do we do this? Thanks.
... View more
11-20-2013
04:04 PM
I tried something different. Basically, I've pre-loaded the indexed files into file-cache, so there is zero latency in IO of the indexed files. But, unfortunately, it did not succeed, as the indexed files are gzip compressed. gzip is good but slow while uncompressing.
Looking for options on how to disable compression during post-index operation.
For now, using summary indexing - sistats etc. We are ok with this approach.
... View more
11-19-2013
11:12 PM
Though this tip was useful, I found the app TA-uas_parser DEAD slow. while using with
a query like the following:
index="weblogs" |
rename user-agent AS http_user_agent |
lookup uas_lookup http_user_agent | stats dc(myUserApp) by os_family
any tip on making this run faster?
... View more
11-06-2013
12:01 AM
Yes, those job inspector reports differ as they are from 2 different search jobs.
First one did not complete. Second did.
Just wanted to highlight something interesting. My h/w has 192GB memory. And, none of other system processes are consuming this memory. This search is being done on single box with search head and indexer on the same box. I'm just indexing 70GB data for a total of 30 Days. Avg size per day 2.GB
If I use Cassandra for 70GB of data, even for that matter memcache, I can keep entire 70GB in memory. And hence, I would get split second perf.
Pls. tips on. Splunk 6 perf?
... View more
11-03-2013
10:48 PM
Ditto.
I also note that, when I've 24CPUs..only 2 are busy and rest are idle. And, my search takes a long time. Any pointers on parallelizing splunk search.
Has anyone tried http://code.google.com/p/ppss/ with splunk search on the same host / box.?
... View more
11-03-2013
10:47 AM
Thanks for your hint on where the time is spent. The indexing is also on version 6.
... View more
11-02-2013
11:58 AM
Uh well, first of all it would be nice to know the actual search you're running?
The search string is just of the form -> index=myIndex
thats it.
This myIndex has 70GB of data indexed as per normal practices. No errors etc while indexing. You may be right ..as the time spent is not being shown any of the other activities of searching.. it may be just waiting to read or write etc..
I'm trying sistats etc. to see if that can help. Amazed that we see this after upgrade 😞
I might be missing something in the UI that changed significantly in ver 6.
... View more
11-02-2013
09:39 AM
Facing terribly slow search time performance. Same worked fine with Splunk 5.
Job inspector shows the following:
Execution costs
Duration (seconds) Component Invocations Input count Output count
0.078 command.fields 78 911,212 911,212
184.017 command.search 78 - 911,212
0.423 command.search.index 78 - -
0.078 command.search.calcfields 78 911,212 911,212
0.078 command.search.fieldalias 78 911,212 911,212
0 command.search.index.usec_64_512 4 - -
0 command.search.index.usec_8_64 127 - -
182.176 command.search.rawdata 78 - -
0.083 command.search.kv 78 - -
0.078 command.search.lookups 78 911,212 911,212
0.078 command.search.tags 78 911,212 911,212
0.078 command.search.typer 78 911,212 911,212
0.045 command.search.summary 78 - -
0.018 dispatch.check_disk_usage 18 - -
0.023 dispatch.createProviderQueue 1 - -
0.085 dispatch.evaluate 1 - -
0.085 dispatch.evaluate.search 1 - -
184.037 dispatch.fetch 78 - -
0.04 dispatch.preview 40 - -
0.008 dispatch.readEventsInResults 1 - -
184.023 dispatch.stream.local 78 - -
2.303 dispatch.timeline 78 - -
0.269 dispatch.writeStatus 119 - -
0.039 startup.handoff
search log is showing thousands of these lines and search never completed so, finalized the search after x minutes.
11-dd-2013 09:15:07.587 INFO DispatchThread - Generating results preview took 1 ms
11-dd-2013 09:15:10.181 INFO DispatchThread - Generating results preview took 1 ms
11-dd-2013 09:15:12.591 INFO DispatchThread - Generating results preview took 1 ms
11-dd-2013 09:15:15.216 INFO DispatchThread - Generating results preview took 1 ms
From the line
182.176 command.search.rawdata 78
The 183 seconds not totaling up to the individual times spent.
Appreciate if anyone could help / shed light on this.?
Thanks.
Added more:
My indexers are version 6 as well. I've debugged this a bit further. There is not much Disc I/O but, yes the CPU spins crazy. Actually, I let the search job run in the background. This is just 30days data of size 70GB. Each day has couple of files with records more than of size 2GB. The search job completed after 45 minutes. There could something wrong with my indexing.
Here is the completed job inspector shows:
703.171 command.prestats 23,639 295,181,393 122,367
1,725.204 command.search 23,677 - 295,181,829
1,021.454 command.search.rawdata 23,638 - -
524.957 command.search.kv 23,638 - -
23.639 command.search.lookups 23,638 295,181,393 295,181,393
23.638 command.search.calcfields 23,638 295,181,393 295,181,393
23.638 command.search.fieldalias 23,638 295,181,393 295,181,393
10.732 command.search.summary 23,677 - -
0 command.search.index.usec_1_8 26 -
search log has:
11-dd-2013 hh:33:01.347 INFO loader - Detected 24 (virtual) CPUs and 193800MB RAM
11-dd-2013 hh:33:01.347 INFO loader - Maximum number of threads (approximate): 12288
11-dd-2013 hh:33:01.347 INFO loader - Arguments are: "search" "--
id=scheduler_adminlauncher_a3_at_1383438780_5" "--maxbuckets=0" "--ttl=172800" "--maxout=500000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--user=admin" "--pro" "--roles=admin:can_delete:power:user"
..
..
11-dd-2013 hh:33:01.672 INFO BatchSearch - Adding bucket:mytestindex~58~0867F605-4D1D-4B32-84CD-
BBB2474E0F1B to batch search with min seek addr offset:0 and max seek addr offset:0 and bucket has time range set:0
... View more
- Tags:
- performance
- upgrade
10-24-2013
02:16 PM
How do we index a data file which is an aggregated data for a given day. The data does not contain timestamp.
Splunk gives an error while searching- saying that "Error in IndexScopedSearch: The search failed. More than XXX events found at time t"
I've looked at these forums and found the following link, which tells me its a limitation on Splunk.
Max number events at the same timestamp
Tuning Search with more than 250K events at one timestamp
Disable timestamp processor
Consider the following use-case.
Imagine, you are looking at a stock price data on a day-scale for 6 months. The data file in this case, may contain ticker price for a given day. If the data points are more than 100K, since there is no timestamp, Splunk given the error during search time.
Has anyone figured how to workaround this?
... View more
10-23-2013
11:47 PM
How do we index a data file which is an aggregated data for a given day. It does not contain timestamp. If an analyst is looking at an YEARLY chart with a span of days (not hours or minutes or seconds), Splunk fails here. Isn't it?
Imagine, you are looking at a stock price on a day-scale for 6 months. The data file in this case, may contain ticker price for the day. For this case, please suggest how to index using Splunk.
thanks..
... View more
09-25-2013
08:58 AM
1 Karma
Debugged this extensively. Finally, I did a hack. Hardcoded my root context path /mysplunkapp in the file account.py:login(..) method
This works for me.
File affected:
../lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/account.py
@expose_page(must_login=False, methods=['GET','POST'], verify_session=False)
@lock_session
@set_cache_level('never')
def login(self, username=None, password=None, return_to=None, cval=None, **kwargs):
#FIX (1) line below
return_to = '/mysplunkapp/en-US/' <<===
# Force a refresh of startup info so that we know to
# redirect if license stuff has expired.
startup.initVersionInfo(force=True)
updateCheckerBaseURL = self.getUpdateCheckerBaseURL()
ps: Replace hardcoded value with cherrypy.config.get('root.endpoint') , if you didn't like hardcoding.
... View more
09-23-2013
03:05 PM
Hello:
My instance is running behind a proxy with root end point as - say /mysplunkapp
The configurations are done in web.conf file correctly to reflect the root context path to /mysplunkapp
The problem is while login into splunk. From the firebug, we see that there is 303 - "See Other" firing up.
With this, the context path is lost and the proxy web server is not able to understand where to redirect the request to.
Hence, users getting lost ( redirected to some other page on the proxy) . This happens, on and off. Specifically, for sure for the first time login into Splunk.
I looked into the Splunk python code. But, could not locate where the login is handled. Though I see login.html where FORM based auth is taken care.. I could not see the real issue in the code. I suspect its around redirect and return_to variable.
In simple terms, whats expected is, after login into Splunk, the response should have the path as "/mysplunkapp"
but, what is redirected is just root "/".
Hence proxy is not able to understand where to redirect to?
Any idea how to address this?
thanks..
... View more
09-19-2013
12:32 PM
Thanks for the hint. My dashboard was with default permission for role user. I've added the new role too, in the permission list, for this dash. And hence, it works now 🙂
The test user is able to access dashboard. And he is not able to access search / flashtimeline as expected.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
