cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
davidbann
Explorer
Member since: ‎12-16-2019
‎03-30-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎12-16-2019
Activity Feed
View All

Re: Splunk_TA_New_Relic Insight not ingesting data

by in All Apps and Add-ons
‎03-30-2021 10:54 AM
‎03-30-2021 10:54 AM
Just hit this myself. Were you able to resolve it? ... View more

Re: timestamp extraction not working

by in Getting Data In
‎02-04-2021 03:05 PM
1 Karma
‎02-04-2021 03:05 PM
1 Karma
yep that did it. using: /services/collector/event?auto_extract_timestamp=true resulted in the timestamp being picked out of the body instead of event time. Re-reading https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/FormateventsforHTTPEventCollector I noticed the following: "The HTTP Event Collector endpoint extracts the events from the HTTP request and parses them before sending them to indexers." I think that explains the "finicky" behavior as it doesn;t follow the same path as other inputs.   Thanks @bowesmana ! ... View more

Re: timestamp extraction not working

by in Getting Data In
‎02-04-2021 11:42 AM
‎02-04-2021 11:42 AM
st-test as expected ... View more

timestamp extraction not working

by in Getting Data In
‎02-04-2021 10:40 AM
‎02-04-2021 10:40 AM
I have an http event collector configured with a heavy forwarder in the DMZ forwarding to an internal Indexer. The timtestamp of all events is being set to the time received, it's not picking up the "time" value from the body despite my props.conf settings. No errors or warnings in "_internal" around timestamp or anything close to it. Test event sent to the collector: curl --location --request POST 'https://<redacted>.com/services/collector' \ --header 'Authorization: Splunk <redacted>' \ --header 'Content-Type: application/json' \ --data-raw '{"event": {"time":"2021-02-04 20:20:20.123-05:00","userSettings":{"userId":"ab12345","userName":"ab12345,"site":"000"},"version":5070004},"sourcetype": "st-test"}'   shows up as expected in Search results as expected (raw): {"time":"2021-02-04 20:20:20.123-05:00","userSettings":{"userId":"ab12345","userName":"ab12345","site":"901"},"version":5070004}   props.conf for this sourcetype is configured on both the heavy forwarder and internal indexer: [st-test] TRUNCATE = 100000 INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Structured disabled = false pulldown_type = 1 TIME_PREFIX = "time":" TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%:z MAX_TIMESTAMP_LOOKAHEAD = 32   Any ideas? ... View more

Promoting new source from test index

by in Getting Data In
‎01-09-2020 07:14 AM
‎01-09-2020 07:14 AM
I'm adding a new input (UNC directory) and due to previous lessons learned, I took from best practice and sent events to a sandbox index while I fine tuned source types etc. Now I'm happy with the config and want to move the input to my "Production" index. Other than modifying the source config to point to the new index, what do I need to do to have all the existing files reindexed to the new index? Previous attempts have only sent new events to the new index, Splunk seems to be avoiding duplicates, even across two indexes. There is existing data in the new index that I don;t want to disturb, the sandbox index can be blown away if that matters. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-30-2021 02:15 PM
Karma from
View All
Karma given to
View All