Hi Friends,
I would like to know two things, as mentioned below:
1. What is the typical CPU & Memory consumption of Splunk Forwarder?
2. Can we set the limit on CPU & Memory utilization by Splunk Forwarder?
↧
What is the CPU & memory utilization of Splunk Forwarder?
↧
Java SDK send data directly to Splunk (web)
Hi,
I'm attempting to implement a direct connection to Splunk in my Java application so I can send data straight to Splunk without having to go through a forwarder. I've written some pseudocode, I just wanted to check if it's correct:
import com.splunk.*;

// Connect to the Splunk management port (8089). The SDK uses HTTPS by default.
ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername("admin");
// Read the password from the environment instead of hardcoding it in source.
loginArgs.setPassword(System.getenv("SPLUNK_PASSWORD"));
loginArgs.setHost("localhost");
loginArgs.setPort(8089);
Service service = Service.connect(loginArgs);

// get() returns null if the index does not exist, so check before submitting.
Index myIndex = service.getIndexes().get("index_name");
if (myIndex == null) {
    throw new IllegalStateException("index_name does not exist on this Splunk instance");
}

// Index.submit() takes the raw event text; the optional Args map carries
// metadata such as sourcetype, not the event's own fields.
// caseName, result, runtime, env and date are assumed to be set by the caller.
String event = String.format("CaseName=%s Result=%s Runtime=%s Environment=%s postDate=%s",
        caseName, result, runtime, env, date);
Args eventArgs = new Args();
eventArgs.put("sourcetype", "java_app");
myIndex.submit(eventArgs, event);
Thanks,
Tom
↧
select lookuptable based on role of the current user
We have an app which is deployed for different user groups, which are distinguished by different roles that give them access to their indexes. The searches use an asterisk in the index specification, so each user gets the data from the index to which he has access based on his role.
We need the same functionality for lookups, e.g.
- lookuptable_a (belongs to role a)
- lookuptable_b (belongs to role b)
spl: index=* | lookup lookuptable_* ...
Depending on the user's role, either lookuptable_a or lookuptable_b should be used, but wildcarding of the lookup table name is not supported.
↧
Could anyone please share some details on Stonebranch integration with Splunk?
There is a requirement to integrate Stonebranch logs with Splunk; I would really appreciate it if anyone could share their experience or knowledge on this.
Many thanks in advance.
↧
Finding the Values from multiple event with a single key
Hi Everyone,
Through inputcsv and outputcsv, I was finally able to consolidate the data in a single CSV. Now I need to create another CSV with the events grouped by a single key. My inputcsv has data in the following format:
Ticket | Main_Ticket | TYPE | STATUS | END_DATE
A2345A | A2345A | MAIN | IN Work | 2018-09-12
A2345A001 | A2345A | SUB | Closed | 2018-07-03
Z2995A | A2345A | PEER | Closed | 2018-07-23
A2345A002 | A2345A | SUB | In Work |2018-08-12
B4321A | B4321A | MAIN | IN Work | 2018-09-12
B4321A001 | B4321A | SUB | Closed | 2018-07-11
Z3495A | B4321A | PEER | Closed | 2018-07-19
B4321A002 | B4321A | SUB | In Work |2018-08-15
C9854A | C9854A | MAIN | Closed | 2018-07-12
C9854A001 | C9854A | SUB | Closed | 2018-06-15
Z8749A | C9854A | PEER | Closed | 2018-06-23
C9854A002 | C9854A | SUB | Closed |2018-06-29
Now I need to find the last "In Work" SUB or PEER ticket for each Main_Ticket. The result may look like the following:
Main_Ticket | PEER_SUB_IN_Work | PEER_SUB_TN | PEER_SUB_ENDDATE
A2345A | SUB | A2345A002 | 2018-08-12
B4321A | PEER | Z3495A | 2018-08-12
C9854A | Closed | Closed | 2018-07-12
So I am trying to get something like a for-each loop with the key field "Main_Ticket": find the last In Work SUB/PEER ticket and the END_DATE of that SUB/PEER ticket. If all SUB/PEER tickets are Closed, it should return the MAIN ticket's status value. Once I have the values, I can easily save them with outputcsv.
As of now, I am downloading the CSVs and doing it with VB. Is it possible with Splunk?
Thanks for your help and I apologize for such a long post.
↧
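The grouping described in the post above, as an added example in Python (not code from the post or from Splunk). It follows the rule stated in the text: for each Main_Ticket, take the latest In Work SUB or PEER ticket by END_DATE (the example assumes "last" means latest END_DATE), and fall back to the MAIN ticket's own status when no SUB/PEER ticket is open. The sample table is copied from the post; STATUS casing is inconsistent there ("IN Work" vs "In Work"), so the comparison is case-insensitive.

```python
import csv
import io
from collections import defaultdict

# Constructed sample input, copied from the table in the post (pipe-separated, as shown there).
SAMPLE_CSV = """\
Ticket | Main_Ticket | TYPE | STATUS | END_DATE
A2345A | A2345A | MAIN | IN Work | 2018-09-12
A2345A001 | A2345A | SUB | Closed | 2018-07-03
Z2995A | A2345A | PEER | Closed | 2018-07-23
A2345A002 | A2345A | SUB | In Work |2018-08-12
B4321A | B4321A | MAIN | IN Work | 2018-09-12
B4321A001 | B4321A | SUB | Closed | 2018-07-11
Z3495A | B4321A | PEER | Closed | 2018-07-19
B4321A002 | B4321A | SUB | In Work |2018-08-15
C9854A | C9854A | MAIN | Closed | 2018-07-12
C9854A001 | C9854A | SUB | Closed | 2018-06-15
Z8749A | C9854A | PEER | Closed | 2018-06-23
C9854A002 | C9854A | SUB | Closed |2018-06-29
"""

OUTPUT_FIELDS = ["Main_Ticket", "PEER_SUB_IN_Work", "PEER_SUB_TN", "PEER_SUB_ENDDATE"]


def parse_rows(text, delimiter="|"):
    """Parse the table into dicts, stripping the padding around every header and value."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def is_open(row):
    # STATUS casing is inconsistent in the data ("IN Work" vs "In Work"): compare case-insensitively.
    return row["STATUS"].strip().lower() == "in work"


def last_in_work(rows):
    """One output row per Main_Ticket: the latest (by END_DATE) In Work SUB/PEER ticket,
    or the MAIN ticket's own status when every SUB/PEER ticket is closed."""
    by_main = defaultdict(list)
    for row in rows:
        by_main[row["Main_Ticket"]].append(row)

    results = []
    for main_id in sorted(by_main):
        group = by_main[main_id]
        open_children = [r for r in group if r["TYPE"] in ("SUB", "PEER") and is_open(r)]
        if open_children:
            # ISO 8601 dates (YYYY-MM-DD) sort correctly as plain strings.
            latest = max(open_children, key=lambda r: r["END_DATE"])
            results.append({
                "Main_Ticket": main_id,
                "PEER_SUB_IN_Work": latest["TYPE"],
                "PEER_SUB_TN": latest["Ticket"],
                "PEER_SUB_ENDDATE": latest["END_DATE"],
            })
        else:
            main_row = next((r for r in group if r["TYPE"] == "MAIN"), None)
            status = main_row["STATUS"] if main_row else ""
            results.append({
                "Main_Ticket": main_id,
                "PEER_SUB_IN_Work": status,
                "PEER_SUB_TN": status,
                "PEER_SUB_ENDDATE": main_row["END_DATE"] if main_row else "",
            })
    return results


def to_csv(results):
    """Render the result rows as the comma-separated text an outputcsv-style file would hold."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=OUTPUT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(last_in_work(parse_rows(SAMPLE_CSV))), end="")
```

With the post's data this yields SUB/A2345A002/2018-08-12 for A2345A, SUB/B4321A002/2018-08-15 for B4321A (the latest open child in the table) and Closed/Closed/2018-07-12 for C9854A. In SPL the In Work part has the same shape as `| where TYPE IN ("SUB","PEER") AND lower(STATUS)="in work" | sort 0 Main_Ticket -END_DATE | dedup Main_Ticket`; the fallback to the MAIN row for fully closed tickets is the part worth checking against a script like this before trusting it.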
Can python fill_summary_index.py be used to backfill an accelerated data model?
We have a multisite cluster where the primary site is getting physically relocated to a new datacenter. There will be about a 12 hour gap in our accelerated data models.
Is it possible to backfill the data models without having to do a full rebuild? I found python fill_summary_index.py in the docs, but it is not clear if this works on data models. The docs only mention saved searches.
↧
4 site SHC captain gets elected, but the documentation states differently?!
Hi Forum,
I'm integrating a stretched SHC running in 4 sites. Each site has 1 SHC member. When booting the SHC up, the captain is elected automatically.
From the docs I learned:
http://docs.splunk.com/Documentation/Splunk/6.6.7/DistSearch/DeploymultisiteSHC
"If the site with a majority of members fails, the remaining members on the minority site cannot elect a new captain. Captain election requires the vote of a majority of members, but only a minority of members are running. The cluster does not function. See "Consequences of a non-functioning cluster."
"If the network between sites fails, the members on each site will attempt to elect a captain. However, only a site that holds a majority of the total members will succeed. That site can continue to function as the cluster indefinitely."
So as I have 4 SHC members in 4 sites, I never have any kind of majority in any site. So I would guess captain election should never work correctly. Any hint why it's working correctly?
Best regards,
Andreas
↧
Test Search
So I've been tasked to run a mock search as if one of our users breached a database, just to see if we are collecting enough of the correct data. By searching the user and the database server I'm presented almost 40K results; if I eliminate logoffs, that gets me down to 20K, still pretty large, and it also doesn't seem to include much of anything in those returned results. Can anyone suggest some key search items to add to this search string to narrow down access, maybe even to the database level?
↧
Using OR in a pivot query
I have a data set with the following query, and it is saved as "model_requests":
(service=service* OR (service=Aservice* AND app_name=app*)) some_other_fields=*
Under my dashboards I have a single-value chart with the following query:
| pivot model_requests RootObject count(RootObject) AS "Count of Requests" FILTER service in $service_token$
$service_token$ points to a drop-down in the dashboard, which has different service names, or *, which is a list of a set of services.
Example drop-down options under static options:
Name Value
* (Service1, Service2)
Service1 Service1
Service2 Service2
I have added a new drop-down for app_name, and its token name is $app_token$, as follows:
Name Value
* (app1, app2)
app1 app1
app2 app2
In the pivot query, I am looking to have an OR in it to choose between the tokens service_token and app_token (either/or; data for both tokens will not exist at the same time).
For example as follows:
| pivot model_requests RootObject count(RootObject) AS "Count of Requests" (FILTER service in $service_token$ OR FILTER app_name in $app_token$) FILTER something_else=*
This query doesn't work. Is there a way around this? Thanks.
↧
How to mask my bank balance shown in Splunk logs?
Hi,
How can I mask my bank balance in Splunk? It is showing something like this:
mybal=2426.88,availableBal=2426.88, and I need to replace the numbers with #. Please suggest; I am not very good with regex.
Thanks in advance.
↧
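An added example of the masking regex for the post above, written in Python so it can be run against sample lines; it is not code from the post or from Splunk. The field names `mybal` and `availableBal` come from the post; the sample log lines are constructed. The example masks only the value of those two fields (other numbers on the line, such as timestamps or an account id, are left alone) and offers both the per-digit mask the post asks for and a fixed-width mask, because a per-digit mask still reveals how many digits the balance has.

```python
import re

# Field names to mask, followed by '=' and a numeric value (digits, optional decimal part).
# The word boundary keeps a field such as "notmybal=" from matching.
BALANCE_RE = re.compile(r"\b(mybal|availableBal)=(\d+(?:\.\d+)?)")


def mask_balances(line, preserve_length=True, mask_char="#"):
    """Mask the numeric value of every balance field in one log line.

    preserve_length=True replaces each digit with mask_char, so 2426.88 -> ####.##
    (the format the post asks for; it still leaks the number of digits).
    preserve_length=False writes a fixed mask so the value's length reveals nothing.
    """
    def repl(match):
        field, value = match.group(1), match.group(2)
        if preserve_length:
            masked = "".join(mask_char if ch.isdigit() else ch for ch in value)
        else:
            masked = mask_char * 4
        return f"{field}={masked}"
    return BALANCE_RE.sub(repl, line)


# Constructed sample lines (not real bank data). Numbers outside the balance fields must survive.
SAMPLE_LINES = [
    "2018-09-12 10:00:01 acct=12345 mybal=2426.88,availableBal=2426.88 currency=USD",
    "2018-09-12 10:00:02 acct=67890 mybal=15,availableBal=0.5 currency=USD",
    "2018-09-12 10:00:03 acct=67890 status=ok",
]


def mask_lines(lines, **kwargs):
    """Apply mask_balances to a batch of lines, passing through any options."""
    return [mask_balances(line, **kwargs) for line in lines]


if __name__ == "__main__":
    for line in mask_lines(SAMPLE_LINES):
        print(line)
```

The place to apply this in Splunk is index time, with a SEDCMD in props.conf on the indexer or heavy forwarder that parses the data (a universal forwarder does not parse by default), for example `SEDCMD-mask_balance = s/(mybal|availableBal)=[0-9.]+/\1=####/g`, which corresponds to the fixed-width variant above. Masking only at search time (for instance with `rex mode=sed`) hides the value in that one search while the real balance stays on disk and remains searchable.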
Time field subtraction
I am retrieving two time fields, one from the main query and the other from a subquery. When I subtract the two fields, I get blank output.
Query I am using:
index=main host=* *CRgsSessionInfo* PrimaryUserLogin=PrimaryUserLogOn | eval Time = _time | append [search host=* *CRgsSessionInfo PrimaryUserLogin=PrimaryUserLogoff | eval Time1 = _time ] | eval Diff= Time1-Time |table Diff
↧
How to pass parameters to report ?
Hi,
I have made this in Splunk 6.5.2, and now I'm wondering how to pass the two tokens (host and nt_username) to the report?
Thanks in advance
↧
Search for trellis of Scatter plots
Hi,
I'm trying to create a grid of scatter plots. I should be able to pick pairs of ChannelNumbers and display the MeanValue coming from them in separate plots. My initial search query was:
index=main ChannelNumber=10 OR ChannelNumber=11 OR ChannelNumber=12 OR ChannelNumber=13 | eval chartName=case(ChannelNumber=10, "ChartOne", ChannelNumber=11, "ChartOne", ChannelNumber=12, "ChartTwo", ChannelNumber=13, "ChartTwo") | eval valueX = if(ChannelNumber=10, MeanValue, valueX) | eval valueY = if(ChannelNumber=11, MeanValue, valueY)| eval valueX = if(ChannelNumber=12, MeanValue, valueX) | eval valueY = if(ChannelNumber=13, MeanValue, valueY) | timechart avg(valueX) avg(valueY) by chartName
This should create a plot named "ChartOne" with ChannelNumber 10 on the X axis and ChannelNumber 11 on Y, and a plot "ChartTwo" with Channel 12 as X and Channel 13 as Y.
However, this query has a bug if the same ChannelNumber gets selected for more than one plot (for example "ChartOne" x:10, y:11 and "ChartTwo" x:10, y:12). Can anyone help me either improve the query or change my approach?
thank you!
↧
DBX will not load after update to 3.1.3. Cannot communicate with task server, please check your settings. /opt/splunk/etc/apps/TA-Proofpoint-TAP...
When running Splunk 7.1.2 with splunk_app_db_connect 3.1.3 and TA-Proofpoint-TAP 1.3.117, the TA keeps DBX from loading, with the error below.
Cannot communicate with task server, please check your settings.
Traceback (most recent call last):
  File "/opt/splunk/bin/rest_handler.py", line 79, in <module>
    print splunk.rest.dispatch(**params)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 149, in dispatch
    module = __import__('splunk.rest.external.%s' % parts[0], None, None, parts[0])
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxproxy.py", line 7, in <module>
    from dbx_settings import Settings
  File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx_settings.py", line 10, in <module>
    import splunklib.client as client
  File "/opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/splunklib/__init__.py", line 18, in <module>
    from splunklib.six.moves import map
ImportError: No module named six.moves
↧
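The traceback above shows DB Connect's `dbx_settings.py` importing `splunklib.client` and Python resolving that name to the copy bundled under `TA-Proofpoint-TAP/bin`, which lacks the `six` shim. The following is an added example (not DB Connect's, the TA's or Splunk's code) that reproduces the mechanism with two constructed stand-in packages both named `splunklib`: Python loads the first package of that name it finds on `sys.path`, so whichever app's `bin` directory comes earlier supplies the module to every app that imports it. The directory names and the `VERSION` marker are invented for the demonstration.

```python
import importlib
import os
import sys
import tempfile


def write_file(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_apps(root):
    """Build two constructed app trees that each bundle a package called 'splunklib'."""
    ta_bin = os.path.join(root, "TA-third-party", "bin")
    app_bin = os.path.join(root, "app-needing-sdk", "bin")
    # Stand-in for an old bundled SDK copy: its __init__ expects the 'six' shim newer SDKs
    # carry, but this copy does not ship it (the same ImportError shape as in the traceback).
    write_file(os.path.join(ta_bin, "splunklib", "__init__.py"),
               "from splunklib.six.moves import map\nVERSION = 'old'\n")
    # Stand-in for the SDK copy the importing app actually ships and tests against.
    write_file(os.path.join(app_bin, "splunklib", "__init__.py"), "VERSION = 'new'\n")
    return ta_bin, app_bin


def resolve_splunklib(path_entries):
    """Import 'splunklib' afresh with path_entries prepended to sys.path and report which copy won.

    Returns ("ok", VERSION, package_dir) or ("error", message, None).
    """
    # Drop any cached 'splunklib' so the import really consults sys.path again.
    for name in [m for m in sys.modules if m == "splunklib" or m.startswith("splunklib.")]:
        del sys.modules[name]
    saved_path = sys.path[:]
    sys.path[:0] = list(path_entries)
    importlib.invalidate_caches()
    try:
        mod = importlib.import_module("splunklib")
        return ("ok", mod.VERSION, os.path.dirname(mod.__file__))
    except ImportError as exc:
        return ("error", str(exc), None)
    finally:
        sys.path[:] = saved_path
        sys.modules.pop("splunklib", None)


def run_demo():
    """Resolve 'splunklib' with each bin directory first; only the search order differs."""
    with tempfile.TemporaryDirectory() as root:
        ta_bin, app_bin = build_apps(root)
        return {
            "ta_first": resolve_splunklib([ta_bin, app_bin])[:2],
            "app_first": resolve_splunklib([app_bin, ta_bin])[:2],
        }


if __name__ == "__main__":
    for order, outcome in run_demo().items():
        print(order, outcome)
```

Nothing in the importing app's own code changes between the two runs; the outcome depends only on which directory is searched first. The practical check in a failing Splunk process is to print `splunklib.__file__` from it and confirm whose copy it is, and the supply-chain point is that any installed add-on's bundled libraries can become the dependency every other app on the same path gets, so bundled copies in third-party TAs deserve the same review as the app's own code.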
Unknown Protocol and failed to establish connection with kvstore
mongod.log is being spammed with "unknown protocol" messages; this message rolls from server to server.
We have this issue also, but we only have one protocol listed. The thing I'll note is that the protocol is wrapped in quotation marks. See example:
sslVersions = "tls1.2"
instead of
sslVersions = tls1.2
The servers are able to talk to each other just fine, so I'm having a hard time accepting that the quotation marks are causing the problem, but I don't see them in any of the examples.
↧
How can I display these rows of data in a line chart?
![alt text][1]
There are 5 rows of data in the table, and I want to display these 5 rows as a line chart.
There are 4 fields: field 1 is the time, field 2 is the host ID, field 3 is the metric type, and field 4 is the numeric value.
I want to show the CPU usage rate and the memory usage together in one picture, drawn as a line graph.
How can this be done?
[1]: /storage/temp/254654-显示图形.png
↧