All,
I have the PS input from Splunk for Unix enabled on all endpoints. It seems there should be an easy way to check the running status of a process from 15 minutes ago to now and get a list of machines where the app has stopped.
thanks
-Daniel
Anyone have a good search to determine if an app has stopped across 4k machines?
Splunk forwarder question
Hi there,
We have the Splunk forwarder deployed on a Windows server, and inputs.conf is configured with two log sources:
```ini
[default]
host = test_OP_CBE_AUX1

[monitor://C:\ClearPath\logs]
whitelist = [\\]cpe2Pims-\d\d\d\d_\d\d_\d\d\.log$
index = pb
sourcetype = json
recursive = false
disabled = false

[monitor://C:\ClearPath\logs\CatalogUpdater]
whitelist = [\\]UnclassifiedExtractor_splunk\.log
index = pb
sourcetype = json
recursive = false
disabled = false
```
However, we only see logs forwarded to the Splunk indexer from [monitor://C:\ClearPath\logs]; the other source, [monitor://C:\ClearPath\logs\CatalogUpdater], does not forward its logs.
If we set disabled to "true" for [monitor://C:\ClearPath\logs], we immediately see logs being forwarded from [monitor://C:\ClearPath\logs\CatalogUpdater].
This is not a licensing issue. Any inputs on what's causing this issue will be greatly appreciated.
Cheers,
Pam
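An offline check of the two whitelist patterns from the stanzas above, as an added example (not the poster's configuration or any Splunk tooling). It assumes Splunk tests the whitelist regex against the full file path and, with recursive=false, only considers files directly inside the monitored directory; the file names are constructed.

```python
import re

# Monitor stanza directory -> whitelist regex, copied from the inputs.conf in the post.
STANZAS = {
    r"C:\ClearPath\logs": r"[\\]cpe2Pims-\d\d\d\d_\d\d_\d\d\.log$",
    r"C:\ClearPath\logs\CatalogUpdater": r"[\\]UnclassifiedExtractor_splunk\.log",
}


def stanza_covers(stanza_path: str, recursive: bool, file_path: str) -> bool:
    """True if file_path is inside stanza_path (direct child only unless recursive)."""
    prefix = stanza_path.rstrip("\\") + "\\"
    if not file_path.lower().startswith(prefix.lower()):
        return False
    rest = file_path[len(prefix):]
    return recursive or "\\" not in rest


def matching_stanzas(file_path: str, recursive: bool = False) -> list:
    """Return the stanza directories whose scope covers the file AND whose whitelist matches it."""
    hits = []
    for stanza_path, whitelist in STANZAS.items():
        if stanza_covers(stanza_path, recursive, file_path) and re.search(whitelist, file_path):
            hits.append(stanza_path)
    return hits


if __name__ == "__main__":
    # Constructed sample paths mirroring the two inputs in the post.
    for path in (
        r"C:\ClearPath\logs\cpe2Pims-2018_08_09.log",
        r"C:\ClearPath\logs\CatalogUpdater\UnclassifiedExtractor_splunk.log",
        r"C:\ClearPath\logs\other.log",
    ):
        print(path, "->", matching_stanzas(path))
```

Each sample file is claimed by exactly one stanza, so the whitelists themselves do not overlap; the check is a quick way to rule that out before looking elsewhere.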
In Splunk, how to find the percentage difference for each column
I need to find the difference between each date for each App_name in Splunk.
Right now my query just shows the number of records received each day per topic name/App_name. I want to find the percentage difference in records for each day from its previous day.
```
index="platform" sourcetype="logs" | rex "sent:\s(?\d+)\sfrom the file\s:\s(?[\w\.\/\_\-]+)\s" | rex field=source "\.(?[\w\/\_\-]+)\." | timechart span=24h sum(record) as records by topic_name
```
Can someone help?
[BUG] Submit button does not seem to work as expected for inputs in Splunk 6.6 +
Expected behavior for Submit button in Simple XML Dashboard is to `prevent Input changes to be reflected until Submit button is clicked`, provided `searchWhenChanged` for the input/s is/are set to `false` and they do not have their `` event handlers defined.
However, when I tested a small run-anywhere example in `6.6.3` and `7.1.2`, the Submit button does not seem to enforce the right effect. Whenever an input was changed, the tokens got the updated values even before clicking on the Submit button. (PS: I also tested the `radio` input but have not added the code, to keep the example simple.)
Requesting the Splunk Team to confirm whether the `Submit` button is truly obsolete or not. If so, it would be better to remove the Submit button as an input option.
(PS: An `` `
What are the best methods to develop dashboards for WebSphere application server SystemOut.log?
Hi All,
Please send me some useful links about WebSphere application log monitoring in Splunk. I found one link dating back to 2010 which is no longer working ( http://www.splunkbase.com/apps/Splunk+for+WebSphere+Application+Server )
for WebSphere applications.
The log format, SystemOut.log, consists of info, error and warn type events; any ideas about parsing it, and apps for the dashboards?
Thank you all.
Huge number of unclosed "TIME_WAIT" connections from Splunk logging for JavaScript
I have a data-providing customer using the "Splunk logging for JavaScript" code located here: http://dev.splunk.com/view/splunk-logging-javascript/SP-CAAAFCV
We have identified that their hosts, when using this code, create ~200k ungracefully closed connections. These cause issues throughout the network as they pass through firewalls and load-balancing devices, since these connections need to time out naturally.
I am trying to understand whether this is because of incorrect use of this code OR a bug in which the connections are not closed cleanly.
Docker container monitoring performance with Splunk commands?
I have configured the Splunk logging driver on Docker through HEC. I want to monitor each container's health in the form of CPU utilization, memory, etc. How do I create dashboards for the Docker containers? Thanks.
How to put two pictures in one line
![alt text][1]
[1]: /storage/temp/254667-一行显示图形.png
transaction command: How to group events ONLY on specific conditions?
We have a system where event pairing occurs only for a specific type of messageId:
```
event=1 messageId=100 requestor=human1
event=2 messageId=200 requestor=human2
event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4
```
In the above example, we need to group the events ONLY if the messageId is 20* (i.e. in the 200s), and based on requestor.
Currently the simple query is:
```
... | transaction requestor
```
I'm looking for output something like this, so event=2 and event=3 will be a single transaction:
```
event=1 messageId=100 requestor=human1
event=2 messageId=200 requestor=human2 event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4
```
I'm looking for something like:
```
... | transaction requestor where messageId=20*
```
PS: I **don't** want to group for messageId=300 even if it's the same requestor (events 5 & 6).
Ideally I'm looking for the transaction to be done only on specific events, without needing multiple queries on the raw data.
Any ideas/tricks to do this?
I see the below error message; could you please help in this case?
Indexer Clustering: The search process with sid=rt_md_1533830226.207365 on peer=XXXXXX may have returned partial results due to a reading error while waiting for the peer. This can occur if the peer unexpectedly closes or resets the connection during a planned restart. Try running the search again. Learn more.
Transforms, REGEX and FORMAT issues
Hi,
I want to use REGEX and FORMAT strings for an XML sample as given, without using KV_MODE=xml.
So I am trying different regexes to get hold of the parsed fields, but failing.
Please find the sample log below for your reference and help.
```text
-80.03107887624853,25.351308629611 Interdiction 6 Assured 2013-11-03 04:40:00 Infiltrators:
Savanna Carrera,
Gregoria Farías,
Julina Abeyta,
Mariquita Alonso,
Urbano Briseño,
Victoro Montano 3 Raft -80.33045250710296,24.93574264936793 Interdiction 9 Pompano 2013-05-04 04:22:00 0 -80.30497342463124,24.07890526980327 Rustic -79.94720757796837,24.82172611548247 Interdiction 12 Barracuda 2013-01-01 05:22:00 Infiltrators:
Cristian Caballero,
Vicenta Olivares,
Leonides Cintrón,
Ascencion Betancourt,
Alanzo Arenas,
Primeiro Sánchez,
Serena Monroy,
Madina Mojica,
Consolacion Cordero,
Faqueza Serrano,
Grazia Quesada,
Ivette Partida 0 Rustic
```
**Props.conf**
```ini
[dreamcrusher]
LINE_BREAKER = (\)
TIME_PREFIX =
TIME_FORMAT = %Y-%m-%d<\/ActionDate>[\r\n]\t+%H:%M:%S
SHOULD_LINEMERGE = false
MAX_DAYS_AGO = 2500
SEDCMD-aremoveheader = s/\<\?xml.*\s*\\s*//g
SEDCMD-bremovefooter = s/\<\/dataroot\>//g
REPORT-f = dream_attack
KV_MODE = none
```
**transforms.conf**
```ini
[dream_attack]
REGEX = (?m)^[^<]+.(.*?)\>([\S\s]*?)\<(?=[^\s])
FORMAT = $1::$2
```
Please suggest why this is failing.
Thanks
Can dynamic alert conditions be created?
I am envisioning an alert that sends an email at 9:00 and 21:00 every day if there are matching items among the data ingested within the last 12 hours.
For the search condition, is it possible to get the product names from a target product list in a local file and run the search with them?
Also, there are multiple product lists, and I would like to use different email recipients for each of them.
I have not come up with a good implementation; is this something that cannot be handled without writing a script or similar?
How to add custom icons in charts
One of my dashboard designs has lots of charts, and I am using a few icons in them. How can I add custom icons to a Splunk chart?
Timechart all values and one specific
Hey guys and girls,
I am trying to create a diagram with the following input:
I have two queries:
```
search index=blabla host=* | timechart sum(bytes)
search index=blabla host="*youtube*" | timechart sum(bytes)
```
For both searches I get a wonderful timechart.
My issue is combining them into one timechart:
Y axis: amount of bytes
X axis: time
and two bars: all hosts and a specific one (youtube).
------------------------------------------------------------------------
I tried append/appendcols.
I tried `index... | where host=* OR host=youtube | timechart...`
It did not work.
How to throttle alerts for 15 min delay?
I have used this query for the alert creation:
```
index = xyz sourcetype=abc |table _time response_time|search response_time>50
```
I have used a cron schedule of 5 min, but this creates a lot of noise. So I want to throttle this alert for 15 min, meaning that after the first alert triggers, there is a 15 minute delay.
I have used the configuration below for each result triggered:
Throttle: "Checked"
Suppress results containing field value: "response_time"
Suppress triggering for: 15 mins
But this is not working. Please help.
Can you skip the first x rows returned in a search
Hi,
If I have a query which returns 100 rows, I'd like to be able to show only rows 11-100 (and if 200, only rows 11-200).
I have looked for an `offset` command similar to `head` or `tail` but I can't see one. Do you know how I could go about this?
Thanks
"Returned partial results" error message
Indexer Clustering: The search process with sid=rt_md_1533830226.207365 on peer=XXXXXX may have returned partial results due to a reading error while waiting for the peer. This can occur if the peer unexpectedly closes or resets the connection during a planned restart. Try running the search again. Learn more.
JavaScript, CSS documentation for Splunk
Hello everyone. I'm looking for a tutorial or documentation for JavaScript and CSS in Splunk. I mean, something that helps me to know the properties, methods and so on for JavaScript in Splunk. On the other hand, something that helps me to know the id names and class names for CSS customization. I'm searching the internet but I don't find good results.
Can you help me?
Thank you in advance.
P.S.: Sorry, my English is not good, I'm Chilean.
Kinesis Firehose - Could not connect to the HEC endpoint
We are trying to send data to Splunk HEC via Kinesis Firehose, but for some reason Firehose keeps logging "Could not connect to the HEC endpoint. Make sure that the HEC endpoint URL is valid and reachable from Kinesis Firehose." We've tried a combination of the following with no luck:
https://hostname.test.com:8088
https://hostname.test.com:8088/services/collector
https://hostname.test.com:8088/services/collector/raw
We are referencing this post: [Power Data Ingestion into Splunk][1], which indicates the first one, https://hostname.test.com:8088, with a raw endpoint should have worked. I'm able to post events via curl using batch and the raw endpoint, and JSON and the event endpoint. This tells me the ELB is working and forwarding events. So I'm wondering what others have set for their Splunk cluster endpoint and Splunk endpoint type in Firehose?
Raw Endpoint:
```shell
curl -k "https://hostname.test.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" -H "Authorization: Splunk token" -d '127.0.0.1 - admin [28/Sep/2016:09:05:26.875 -0700] "GET /servicesNS/admin/launcher/data/ui/views?count=-1 HTTP/1.0" 200 126721 - - - 6ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.917 -0700] "GET /servicesNS/admin/launcher/data/ui/nav/default HTTP/1.0" 200 4367 - - - 6ms 127.0.0.1 - admin [28/Sep/2016:09:05:26.941 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 4ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.954 -0700] "GET /services/apps/local?search=disabled%3Dfalse&count=-1 HTTP/1.0" 200 31930 - - - 3ms
127.0.0.1 - admin [28/Sep/2016:09:05:26.968 -0700] "GET /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 HTTP/1.0" 200 58672 - - - 5ms'
```
Events Endpoint:
```shell
curl -k "https://hostname.test.com:8088/services/collector?channel=00872DC6-AC83-4EDE-8AFE-8413C3825C4C" -H 'Authorization: Splunk token' -d '{"event": "Hello"}'
```
[1]: https://www.splunk.com/blog/2018/01/12/power-data-ingestion-into-splunk-using-amazon-kinesis-data-firehose.html
Dashboard drill-down not working correctly with conditions
Hey all, I am trying to make a conditional drill-down for a table. The problem is it only ever picks up the hostname condition by itself; the severity condition acts like it is not even there. For example, the hostname when clicked will open a new tab, but when clicking on a severity it just runs the auto search and completely bypasses the condition that is set. Is there something wrong with my XML? I am a bit of a novice at this...
$click.name2$ $click.value$ search?q=index=NIM sourcetype=message severity!=clear severity!=severity hostname=$selected_hostname$ severity=$selected_severity$&earliest=$TIME.earliest$&latest=$TIME.latest$
$click.value$ search?q=index=NIM sourcetype=message severity!=clear severity!=severity hostname=$selected_hostname$&earliest=$TIME.earliest$&latest=$TIME.latest$
Thanks!