Whats the best way to get data from IBM data power into Splunk. I understand that it does not have an OS, so cannot install a UF in IBM data power.
Thank you in advance
↧
How to ingest data from IBM data power
↧
Why do the fields on datamodel "ns_waf" doesn't exist?
Hi.
Fields present on datamodel "ns_waf" doesn't exist.
Anyone have these fields extracted? nswaf_action, nswaf_appliance, nswaf_company, etc.
This app doesn't have any extraction defined on props.conf.
Regards,
Bruce Campos
↧
↧
Optimizing Accelerated Data Models
My company is heavily using CIM accelerated data models for our security monitoring. We are currently experiencing performance issues and we think that data model acceleration is contributing to them. The searches that accelerate these data models are consistently the top memory-using searches, they run for a long time, and they are often behind. Is there a way to optimize these searches so that they aren't as taxing on the system? Here's how we have the CIM macros set up:
(index="index1" AND sourcetype="sourcetype1")
OR (index="index2" AND (sourcetype="sourcetype2" OR sourcetype="sourcetype3")
OR (index="index3" AND sourcetype="sourcetype4")
And so forth. Any suggestions? We are on version 7.0.4.
↧
How do you parse JSON from a specific field?
I tried search in the community support section for something similar to my issue.
I am trying to parse a specific field which is actually in JSON format. Is there a way to parse out anything within the message section. Below is a sample.
Field name is errorMessage_Field and contains the info below:
{"level":"error","schema":{"loadingURI":"#","pointer":"/definitions/blah"},"instance":{"pointer":"/blah"},"domain":"validation","keyword":"required","message":"object has missing required properties ([\"presosBlahID\"])","required":["presosBlahID"],"missing":["presosBlahID"]}
Using the JSON entry above, im trying to show a table that just shows:
Count | Detailed Error Message
3 | Object has missing required properties: presosBlahID
I realize that using spath is the way to do it but i have not been successful.
index=index_name sourcetype="sourcetype_name errorMessage_Field="errorMessage earliest=-15h
| bucket span=1m _time
| stats count by errorMessage_Field
| fields count errorMessage_Field
| rename count AS "Error Count"
| rename errorMessage_Field AS "Detailed Error Message"
Any assistance is greatly appreciated.
Thanks!
↧
Map a group with the hash (#) character in the group name
Hello!
We have some AD groups with start with a hash (#) e.g. #Managers.
Is it possible to include these in group mappings for LDAP?
Thanks!
↧
↧
multiple dashboards on a single monitoring screen and auto scrolling enabled
How to put multiple dashboards on a single monitoring screen with only one visible at a time and auto scroll enabled.
is there a way if this can be done ?
Please advise.
↧
KVStorageProvider --- saveBatchData:upsert --- No collection available
i keep seeing this error in the internal logs
kvstorageprovider - an error occurred during the last operation ('savebatchdata:upsert', domain: '0', code: '0'): No collection available.
we aren't using KVStores, i've enve gone in and disabled the kvstore via web.conf. it's still kicking this error. i found a similar post about empty bulk data and tried the recommended query against splunkd_access sourcetype. i have ZERO with code 500 as the other post indicates to check for.
also, no servers in the cluster have the KVStore role.
↧
Create Dashboard
![alt text][1]
[1]: /storage/temp/255729-0.jpg
Dear all.
I need support create Dashboard same this pictute .
I not use Splunk App for AWS.
I want to display format fraction result (Total login / Error Login).
Thanks
↧
A Clean "| table *"
Given that my search criteria is this: `index=some_index sourcetype=some_sourcetype`, is there a shortcut to piping the `| table *` command where splunk-created fields are automatically excluded? (Basically wanted to do this: `| fields - _raw, _time, eventtype, host, index, sourcetype, source, linecount, splunk_server, splunk_server_group, timestamp, punct` in the shortest possible way.
↧
↧
Assign keys to tokenised string
Hi there,
Can someone help me with reading the tokenized string and assign the keys to each index retrieved. It is difficult for me as it is not key/value format to read.
Log sample:
CustomerService`getPointDetails`6686`435`52`8`52`xmlgw_client_mrs_USAA`0x00000000`Successful Response`2`3`0`/CN=services.mclocal.int/OU=xmlgw-common-client/O=MasterCard WorldWide - Common ProdInfra SSL/L=Saint Louis/ST=Missouri/C=US`/mrswebservices/CustomerService/b2c/v2` `PRODESB6_STL|18234799|180817043259896`SAML`0`0`
I know which values is for what field in the sequence they appear in the logs. It does has space as a value too. " ` " is token in the string.
I did tried below but since there are more than 20 fields I have to extracts, the query becomes very long and ugly and can cause performance too.
index=app sourcetype = audit
| eval tokenString=mvindex(split(mvindex(split(_raw,"gtid("),1),"): `"),1)
| eval temp=split(tokenString,"`")
| eval field0=mvindex(temp,0)
| eval field1=mvindex(temp,1) and so on for all the fields with incremental index values.
I did check few regex option on web, that was also long query too.
Please advise.
Thanks,
↧
Moved Status Overview dashboard to new app now missing the js and css niceness
Hey,
I used the status overview search in my custom app and it works apart from the css and js parts for example when we get a 401 or 501 error - this is not highlighted.
added the form details to my dashboard :
and copied the `/appserver/static` contents accross also
`
↧
Upload File vs. Index-once Monitor File
![upload vs monitor file (index once)][1]
[1]: /storage/temp/254722-upvsmonit.png
Would like to get some enlightenment on what's the difference between the two. TIA
↧
Splunkd service will not start
After upgrading Splunk App for Windows Infrastructure to latest version from splunkbase (https://splunkbase.splunk.com/app/1680/) it asked for a restart of splunk. I accepted the restart and then alot of time went by while I was waiting for it to complete the restart.
After some time I tryed to access splunk in another browsertab, but got an error connection refused.
I cheched the server and found that the splunkd and splunkweb services where not running, but I'm not able to start them either.
Splunkd - tryes to start but seems to stop imideatly as it starts. Windows gives an error box stating that. I can not see it change status to running before the error box appears.
Splunkweb - gives an error 1053, assuming that is sort of normal as splunkd isn't running.
I have serched thru alot of simular problems here on answers and tryed several solutions with no luck.
I have restartet server several times.
I can not find anything matching timestaps in logs in the \var\log\splunk\ folder
Can not find anything in event viewer on the server that seems related.
Any suggestions?
Running Splunk Enterprise on a Windows Server,
One server for everything.
↧
↧
Unable to get count when variable names has a "-"
One of the queries i'm using has a variable with a "-" and splunk is unable to get me the stats count using the variable.
Example : your search | stats count by Order-Type
Is there a limitation on the variable names to be used in splunk?
Note: I did get the final result by using regex.
Example: your search | rex field=_raw "Order-Type\=(?[\"A-Z_ ]+)" | stats count by type
↧
How can I split multi values in a single value ?
Hi guys,
I wanna get 2 values in a single value (visualization) as picture.
![alt text][1]
Please help me.
Thanks
[1]: /storage/temp/255732-splunk.png
↧
how to calculate Throughput
how to calculate Throughput if i have this data.
index=perf host=prod-* sourcetype=tc_metric earliest=-10min
| eval host_type=case(host LIKE "%wap%", "WAP", host LIKE "%web%", "WEB", host LIKE "%task%", "TASK", host LIKE "%iin%", "IIN", host LIKE "%gen%", "GEN", host LIKE "%ion%","ION", host LIKE "%int%", "INT", host LIKE "%out%", "OUT", host LIKE "%rpt%", "RPT", host LIKE "%rpo%", "RPO", host LIKE "%mssg%", "MSSG")
| bucket span=10min _time
| stats count(R) as Requests, max(THREAD_WALL_MS) as "TotalResponseTime", avg(THREAD_WALL_MS) as avg_rt by host_type _time
|eval avg_rt=round(avg_rt,2)
|eval TotalResponseTime=round(TotalResponseTime,2)
|rename avg_rt as "AvgResponseTime"
|eval Throughput=(TotalResponseTime/Requests) (this is what i have tried it is not working.
|dedup 1 host_type
|rename host_type as "Server"
|sort Server
Out put is
Server _time Requests TotalResponseTime AvgResponseTime Throughput
GEN 2018-08-17 07:00 137209 60076.00 121.31 0.4378430
IIN 2018-08-17 07:00 35905 60090.00 342.87 1.673583
INT 2018-08-17 07:00 34878 36154.00 201.43 1.036585
ION 2018-08-17 07:00 4281 3631720.00 5571.65 848.334501
MSSG 2018-08-17 07:00 . 445 3299.00 75.66 7.41348
OUT 2018-08-17 07:00 40911 379040.00 302.00 9.2649899
as per definition of the Throughput is measured as total number of transaction or requests in a given time or TPS (transaction per second). but here is it not coming right output. pls help
↧
how to combine more than three types of charts in one chart.
hello everyone,
I'd like to know how to combine three types of charts in one chart.
I'd like to make just one chart using column chart, line chart, area chart.
I've known that if overlay option , two types of charts can combine in one chart.
But I've never seen the chart that more than three types of charts are combined in one chart.
I appreciate if you give me some information.
Thank you in advance.
↧
↧
Extracting Key value pair
I have data like
**Data: {"code": "abc", "version": "2018.6", "name": "testdata", "group": "QA", "DB": "oracle"}**
in the field **Message**.
How can I export the key and value pair in a table.
So, I would need code, version, name, group, Db in a table.
I tried using spath but it didn't work as the data is not exactly in json format.
How can I get the data in tabular format.
↧
Failed to reap - because of directory not empty
We have a lot of theese errors in splunked.log, I have searched a lot to find an solution but to no success.
*ERROR DispatchReaper - Failed to reap /data/splunk/var/run/splunk/dispatch/scheduler__admin_c3BsdW5rX2FwcF93aW5kb3dzX2luZnJhc3RydWN0dXJl__RMD5ce1429bf7fcd63ea_at_1529591400_160 because of Directory not empty*
Im not sure what details is needed for helping me. Its a singleserver setup and Splunk is running on RHEL. Splunk is running as the user splunk (not root), and i have checked permissions on the folders mentioned in the log.
I would appreciate any pointers you can help with, thanks!
↧
search template ??
Hi i need to create a search template using splunk so i want to know what are the steps that i have to follow ? must i creaet an apps ? are there any easy way without using xml ?
↧