Channel: Questions in topic: "splunk-enterprise"

Why are my JSON logs getting combined together in Splunk when using Bunyan?

I am using Bunyan (https://www.npmjs.com/package/bunyan) as a logger for my node JavaScript application, and the log output is in the format below:

    {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Time: 1537221680271","time":"2018-09-17T22:01:20.271Z","v":0}
    {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Cache flag is set to===> true","time":"2018-09-17T22:01:20.272Z","v":0}
    {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Response status---> 200","time":"2018-09-17T22:01:20.272Z","v":0}

The data gets to Logstash and then to Splunk. When I pull the data into Splunk, I see them as below (grouped together):

    10:01:25.505 PM { [-]
      @timestamp: 2018-08-17T22:01:25.505Z
      LOGLEVEL: UNKNOWN
      kubernetes: { [+] }
      log: {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Time: 1537221680271","time":"2018-09-17T22:01:20.271Z","v":0} {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Cache flag is set to===> true","time":"2018-09-17T22:01:20.272Z","v":0} {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Response status---> 200","time":"2018-09-17T22:01:20.272Z","v":0}
      tags: [ [+] ]
      type: ms_Log
    }

I want each log entry to appear separately in Splunk as below (even better if it can be formatted). Any inputs are appreciated.

    @timestamp: 2018-09-17T22:01:20.271Z
    LOGLEVEL: INFO
    kubernetes: { [+] }
    log: {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Time: 1537221680271","time":"2018-09-17T22:01:20.271Z","v":0}
    tags: [ [+] ]
    type: Microservice_Log

    @timestamp: 2018-09-17T22:01:20.272Z
    LOGLEVEL: INFO
    kubernetes: { [+] }
    log: {"name":"Product list page","hostname":"plist","pid":24,"level":30,"msg":"Cache flag is set to===> true","time":"2018-09-17T22:01:20.272Z","v":0}
    tags: [ [+] ]
    type: Microservice_Log

When pushing HTTP Event Collector (HEC) configurations to Heavy Forwarders (HF), we received the following error: "WARNING: web interface does not seem to be available!"

After HEC configurations are pushed to our HF, the Splunk service fails to start. This is happening to all the HFs that received the new HEC configurations.

Help with Palo LINE_BREAKER

I'm trying to pull in some information via REST and can't seem to figure out the LINE_BREAKER. Maybe I've been staring at the screen too much today! Example:

    013201000081yesnoDDDDDDDDDDDD02P11.11.111.11118 days, 6:12:345200PA-52208.0.108064-49852737-3244280074-2826658064-4985paloaltonetworks20180914.802168.0.160.0.0passive013201004595nonormal0132010000812028/08/28 17:40:552018/08/30 09:14:30nonovsys18afc8500662247516786c9fb70c36607009401111180yesnoAAAAAAA01P10.10.100.10067 days, 20:05:19500PA-5008.0.108064-49852737-3244280074-2826658064-4985paloaltonetworks20180917.202448.0.160.0.0nonormal0094011111802027/06/15 16:46:082018/08/16 10:23:37nonovsys105c64ee28115fd234f79d606912f2e11...011111001100yesnoABC1111A01Q22.222.222.22246 days, 21:21:19220PA-2208.0.108064-49852679-3176263191-2657198064-4985paloaltonetworks0000.00.00.0008.0.160.0.0nonormal0111110011002028/06/28 21:18:232018/09/17 14:16:29nonovsys130ea477bf4d60197513c682029fd4f41418511332ABC111yesnonoAQCEW12FRAB01T22.33.55.5546 days, 15:09:27vmPA-VM7.1.188064-49852737-3244280072-2826638064-4985paloaltonetworks20180917.202427.0.90.0.0yesyesnonormal418511332ABC1112027/05/17 22:08:142018/08/23 08:18:17nonovsys13968de60f644f99a912fae048bd9c176

Splunk vs CloudWatch

We have recently been migrating our environment to AWS, but we're not sure if we should still stick with Splunk or if we can move to CloudWatch. Our 'basic log tool' requirements are log searching and alerts. If someone can provide us the differences or pros/cons between them, it would be really helpful.

Cannot collect Google Drive logs by using G Suite For Splunk

I set up the G Suite app and TA on a single Splunk server (7.0.0) to collect the Google Drive access log across all team usage. I set it up step by step as below:

1. Install App and TA
2. Set up Client ID and Client Secret
3. Set up Authorized step 1 and step 2
4. Create a new input (check only Activity - Drive) ![alt text][1]
5. Error messages appeared ![alt text][2]

What is the meaning of the ga.py error? When I type the command below in the CLI, there is no response after a minute, and when I type Ctrl+C the error message appears.

    [root@ip-172-31-16-21 bin]# /opt/splunk/bin/splunk cmd python ga.py
    ^CTraceback (most recent call last):
      File "ga.py", line 246, in
        run()
      File "ga.py", line 74, in run
        MI.start()
      File "/opt/splunk/etc/apps/GSuiteForSplunk/bin/ModularInput.py", line 468, in start
        self.run()
      File "/opt/splunk/etc/apps/GSuiteForSplunk/bin/ModularInput.py", line 477, in run
        self._config = self._get_config()
      File "/opt/splunk/etc/apps/GSuiteForSplunk/bin/ModularInput.py", line 387, in _get_config
        config_str = sys.stdin.read()
    KeyboardInterrupt

Does anyone know how to solve this type of error?

[1]: /storage/temp/254972-スクリーンショット-2018-09-18-103719.png
[2]: /storage/temp/254973-スクリーンショット-2018-09-18-104030.png

Sitecore integration

Hi, I would like to know the best way to get data from Sitecore Azure into a Splunk environment. I am new to Splunk and not sure what data or logs Sitecore outputs. Thanks in advance.

How to run an LDAP query in Splunk

How do I run an LDAP query in Splunk? Does it involve LDAP authentication, as I have configured SAML authentication in my system?

Webex Usage report

Hi All, I have to create a dashboard in which I need to show a Webex usage report. Is there any add-on for this to integrate with Splunk? Thanks.

UX Design idea/bug - for the "search" button

Hi All... This is not a bug or a big issue or anything; this is a thought from my User Experience Design training classes, and I would like to see your views on it. I am not sure if this was there on previous Splunk versions or not (I had a six-month break from my job and am back as a Splunk consultant). Currently I am using Splunk 7.0.3.

The case study: let's say I enter an SPL query and I choose the time on the time picker. Once I have picked the time, I expect the search query to start running. Most probably, after choosing the time, we won't edit anything else, right? So, if the query starts running automatically after choosing the time, it would save a "mouse-over" and "a click" on the search button. Please provide your views/suggestions. Thanks.

Why can't I save to a summary index using sistats?

I'm on Splunk Enterprise 6.6.1. I run this search:

    | makeresults | eval _time=now() | bucket span=1d _time | eval value=1 | sistats avg(value) as value by _time

but I'm not able to save its result to a summary index. I've also tried to run it inside a report, which I ran manually, but I obtained the same behaviour. Why?

Can we disable the Splunk app bar based on a role?

Hello, whenever a user logs in to Splunk with some role, he should not be able to see the Splunk app bar, only for specific roles. Can we do this based on the role that the user has? Thanks. ![alt text][1]

[1]: /storage/temp/256028-splunkappbar.png

Replace Character with Blank/Space value

My field name is fName and the values it contains are like this:

    PVOLFEPCL-00515+Berger+Profile+Settings.docx
    Intake3++B2N+Lan+07492018.xlsm

I want it to be like this:

    PVOLFEPCL-00515 Berger Profile Settings.docx
    Intake3 B2N Lan 07492018.xlsm

The "**+**" has to be replaced by a space. I tried the following, but it doesn't work:

    host="*evilcorp*.fantasy.com" "affirative" | rex field=_raw "^[^&\n]*&\w+=(?P[^ ]+)(?:[^ \n]* ){3}(?P.+)" | table userid fileName ttr | replace "+" WITH "" IN fileName

How to create a search string to get data from multiple *.txt files

Dear Team, I'm trying to get data from two *.txt files into a single Line Chart. For example, with the following string I get the data into the Line Chart:

    (host=jp) source="/home/jp/pings/targets/googledns.txt" & timechart avg(time)

But what I am trying to do is also get data from another file at the same time:

    (host=jp) source="/home/jp/pings/targets/defaultGateway.txt" & timechart avg(time)

... so that the Line Chart shows the data from both files. Thank you in advance. Kind regards, JP

Fetching data from summary index taking longer than expected

I have 2 indexes, index=test and index=test_summary. I have summarized the data from the test index into the test_summary index. I execute the SPL query

    index=test | head 20000

and the time taken for the job completion is 2 seconds. Then I execute the query

    index=test_summary | head 20000

and the time taken for the job completion is 12 seconds. Why is the time taken for job completion different for different indexes even though the search time range and the mode of search are the same? How do I solve this issue?

Regex question

Hi All, I'm trying to extract a field. However, the field I want to extract isn't at the same location each time. I thought I would try to do a regex on the string only, without the field number. The string I am trying to match is similar to the below:

    ABCS-3-ABCD_A
    ABCDS-2-DFESAC
    OSBFSASD-9-SDS_DSA

This is what I came up with, but it's not working:

    ^(?:[^[\w+]-\d-[\S+]*)(?P[^:]+)

Any help would be appreciated.

Issue with Data Model Data Set

I have created a root event dataset, for which the constraint is index=abc. Whatever is in index abc is coming into this data set, but when the index has new data, this new data is not appearing in the data set or the data set pivot report. Doesn't the data set have real-time data or new data? How do I solve this? Thanks

Is the DB Connect app compatible with MS SQL 2016?

Hi All, we would like to check if the DB Connect app is compatible with MS SQL 2016.

https://splunkbase.splunk.com/app/2686/#/details
http://docs.splunk.com/Documentation/DBX/3.1.3/ReleaseNotes/Releasenotes#Known_issues

Thanks, Sree

How to set up a time range from 7 pm to 2 pm for an hourly report

We had set up a report which triggers on an hourly basis from 8PM to 2PM (earliest = -1d@d+20h & latest = -1d@d+20h), but we are getting correct reports starting from 12:00 AM only, and before that it's taking the last 24 hours' report (9PM, 10PM, 11PM reports). Thanks, Shaik Hussain

Add buttons on table view

Good morning, I have a Simple XML dashboard with the following search:

    index=_internal source=*metrics.log group="per_sourcetype_thruput" | head 1000 | stats sum(kb) as totalKB by series | eval actions="PLACEHOLDER" | streamstats count | eval showme=if(count=="2","true","false")

I would like to add a button in each row based on "showme". If "showme=true", link a URL " and if "showme=false", link a different URL. How can I do it, please? Many thanks and regards, Antonio

How to display a static text or string in dashboard panel and change background color of same panel based on some value?

I want to have just static text or a string in a dashboard panel. The background color of the same panel should change based on some other field value. I can see there is a single digit panel, but that displays a digit and changes color based on that. I want text to be displayed instead of a digit.