Channel: Questions in topic: "splunk-enterprise"

REST API Modular Input: After creating a custom search command as a Python script, why am I getting the following "parse transport header" error message?

Hello, I have created a custom search command in Splunk as a Python script. When I run the command in Splunk SPL, I get the following error message:

    ERROR ChunkedExternProcessor - Failed attempting to parse transport header

Does anyone have any suggestions? This is the output of commands.conf:

    [sankey]
    chunked = true
    enableheader = false
    filename = system_python.path
    command.arg.1 = sankey.py

How do I route based on host and sourcetype?

Hi, I am routing traffic to a 3rd party. I have done some of this based on a host and others based on the sourcetype. But I now need to route based on a host and a sourcetype, and I can't work out how to do it. Any tips on where to look?

Does anyone know how to handle the following error while reading messages from queues-JMS modular input?

I am consuming messages using the JMS modular input. For one connection, I need to refresh the queue connection by disabling it and enabling it again to start re-consuming. I need to do this every 5 min. It is giving the following error message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py":

    Exception in thread "Thread-40" java.lang.OutOfMemoryError: Java heap space

Do you know how to handle this? @Damien Dallimore

How do we integrate Artifactory Logs into Splunk?

I want to integrate Artifactory with Splunk to see the Artifactory logs. Is there any way to do that? I got a basic idea of installing the Universal Forwarder on the box and pulling the logs into Splunk. Or is there another way, like is it possible to pull the logs with an app or with the HTTP Event Collector? Since I believe Sumo Logic has a dedicated app to pull Artifactory logs into Splunk... So if you have any procedure, kindly let me know.

Can you help me with a search which only shows results that do not contain a specific value?

I want to see devices that do not have a specific value. I am organizing my devices by MAC address, and I am trying to see the ones that do not have a profile named WifiProfile_X. I keep getting the ones that do contain this profile, but I need to see the ones that don't. Any ideas?

    index=nitro_apps source="DATA" | rex "^[^,\n]*,(?P[^,]+)[^,\n]*,(?P[^,]+)(?:[^ \n]* ){4}(?P[^,]+),(?P[^,]+),\w+,(?P[^,]+),\d+,(?P\d+),(?P[^,]+)[^,\n]*,(?P\w+)" | search OG=7 AND Model=180 AND Profile NOT "WifiProfile_X" | stats list(MacAddress), list(Model), dc(MacAddress)

How do I delete an index with an alert action?

Hello, I would like to have an alert that would search index "A", and if the threshold is X, it would delete indexB where fieldA=Z. How do I do this? I tried with the splunk_search alert action add-on, but it doesn't seem to support | delete in the search to be performed. Thanks, Andreas

How do you make a search rex / regex with a lookup table to extract outcode from UK postcodes?

Hi, could anyone help me get further with this please? I have a list of UK postcodes in my event data. They will always be in UK postcode format as per this table:

    Format    Example
    AA9A 9AA  EC1A 1BB
    A9A 9AA   W1A 0AX
    A9 9AA    M1 1AE
    A99 9AA   B33 8TH
    AA9 9AA   CR2 6XH
    AA99 9AA  DN55 1PT

I have got this far:

    search "postcode" NOT "{postcode}" | rex field=postcode "(?P\w{2}).*" | stats count by area

And I get:

    area  count
    B1    2
    B2    1
    B4    1
    B5    1
    BB    1
    BD    2
    L1    20
    L2    5

I have a lookup table that contains data similar to this, and I have a definition that points to the file:

    outcode,postcode
    B1,B
    B2,B
    B3,B
    B4,B
    L1,L
    L2,L
    L3,L
    S1,S
    S2,S
    S3,S
    S4,S

I can't work out how to change my search to look at the first 1 or 2 characters and replace them if they are in the table, so my end result would be:

    B   5
    BB  1
    BD  2
    L   25

I have tried

    rex field=postcode "(?P\b[a-zA-Z]{2}[0-9]{1}\b)" | stats count by area

however that just broke down the first part into individual stats and only on postcodes where the first two characters were alpha (BB9, BH8 etc.). Many thanks in advance. Kane.

Can you help me make a query that would return results from last 30 days while also excluding certain days and time ranges?

I currently am pulling in event IDs from Windows events for the purpose of monitoring when servers are being rebooted and for what reasons. However, every Monday at 6AM (local server time), there is a scheduled task that reboots the entire fleet, which ranges over every time zone in the U.S., and this throws off the dashboard count panels I have created since all 800+ servers are rebooting. Example of current search:

    source="WinEventLog:System" NOT Message=*Explorer.exe* EventCode=1074

So what I would like to do is search through the past 30 days and exclude Mondays from 5 to 7 AM (local server time). I've tried things like "date_wday!=monday" and it seems to break the search, telling me to "expand my search range" (and "NOT date=wday="monday"" or any variant doesn't work either). I've seen people suggest things like:

    | eval weekDay = strftime(_time,"%a")
    | eval HourOfDay = strftime(_time,"%H")

But I don't quite grasp what is happening here or how to use it. Below is an example of one of the events that I can see and how it's formatted. I noticed that the "Time" field is different from the time in the "Event" field. Should I (or could I) use the date/time from the event to do this? I would think that would always be accurate for what I'm getting at here.

![alt text][1]

[1]: /storage/temp/256061-return-splunk-data.png

ERROR, could not find an nmon binary suitable for this system, please install nmon manually and set it available in the user PATH

I have installed nmon on a Linux server. The Splunk forwarder is 7.0.2. I am not able to see nmon logs from this server, and all I am getting is this error: "ERROR, could not find an nmon binary suitable for this system, please install nmon manually and set it available in the user PATH". Please suggest any solution if you have faced a similar situation. Since we have service account permissions, please suggest a solution that does not involve root permissions. Below is the sample inputs.conf:

    [script://./bin/nmon_cleaner.sh --cleancsv]
    disabled = false
    index = nmon
    interval = 600
    source = nmon_cleaner
    sourcetype = nmon_clean

    [script://./bin/nmon_helper.sh]
    disabled = false
    index = nmon
    interval = 60
    source = nmon_collect
    sourcetype = nmon_collect

Add days field to date field

I have CSV data like below:

    Date1     | WaitDays
    ----------+---------
    9/24/2018 | 20
    8/28/2018 | 160
    7/13/2018 | 01

How to add the WaitDays to the date and show it in a new column?

    | eval inputDate = relative_time(Date1, "%Y-%m-%d")
    | eval expiring = inputDate + WaitDays
    | eval expiring = strftime(expiring, "%Y-%m-%d")

Tried this, but it is not working as expected.

How do I trigger a report using a script?

I have to generate a report based on an event (say file=EndOfCycle). I am able to set up an alert and get an email when the event comes into Splunk. I will have to invoke a report and send the report. I can see that we can execute a script as an alert action. But is it possible to trigger the report to be generated using a script?

Single Checkbox Checked/Unchecked for searching a YES(/NO) field or all

Dear All, I have a YES/NO field (named) FIELD2, which I want to search with a single checkbox token named Checkbox1, in the following way:

    Checkbox1.checked = TRUE
    search: index=db FIELD1= FIELD2="YES"

    Checkbox2.checked = FALSE
    search: index=db FIELD1= FIELD2="*"
    or better
    search: index=db FIELD1=

I tried with condition and match but got no result. Can anyone advise "from scratch"? Best regards, Altin

In a table using CSV data, how do we add "waitdays" to date and show in new column ?

I have CSV data like below:

    Date1     | WaitDays
    ----------+---------
    9/24/2018 | 20
    8/28/2018 | 160
    7/13/2018 | 01

How do we add the WaitDays to the date and show it in a new column?

    | eval inputDate = relative_time(Date1, "%Y-%m-%d")
    | eval expiring = inputDate + WaitDays
    | eval expiring = strftime(expiring, "%Y-%m-%d")

I tried this, but it is not working as expected.

Mouse hover function for drill-down dashboard

I am trying to find a way to display a pie chart for a specific period when the user moves the mouse pointer over a bar graph. Here is my requirement, to make it clear. I put together a dashboard that displays the number of successful transactions and failed transactions on a bar graph (time range 24hr with a span of 30mins, 1 week with a span of 1 day, etc.). I would like to display the reasons for failed transactions in a pie chart when the mouse hovers over failed transactions in a particular span. Right now, I am able to display reasons for failed transactions in a separate dashboard and drill down by clicking on the bar graph, but I am unable to find a way to meet the above requirement. Your time and help is highly appreciated. Thank you.

Why am I getting the following error after installing NMON Performance Monitor on a Linux server?

I have installed NMON on a Linux server. The Splunk forwarder is 7.0.2. However, I am not able to see NMON logs from this server, and all I am getting is this error: "ERROR, could not find an nmon binary suitable for this system, please install nmon manually and set it available in the user PATH". Please suggest any solution if you have overcome a similar problem. Since we have service account permissions, please suggest a solution that does not involve root permissions. Below is the sample inputs.conf:

    [script://./bin/nmon_cleaner.sh --cleancsv]
    disabled = false
    index = nmon
    interval = 600
    source = nmon_cleaner
    sourcetype = nmon_clean

    [script://./bin/nmon_helper.sh]
    disabled = false
    index = nmon
    interval = 60
    source = nmon_collect
    sourcetype = nmon_collect

Comparing two time slices

I have a search that I want to run twice, but for different time slices. The results of the two slices will then be compared to get a measure of the difference. My current code has the same search twice but with different *earliest* and *latest* values, associated using *appendcols*. What I want to know is if there is a way to write the search once (instead of twice) and reuse that code; something like a common table expression in SQL?

How do you get a pie chart for a specific time period to display when a user moves mouse pointer over the bar graph?

I am trying to find a way to display a pie chart for a specific time period when the user moves the mouse pointer over a bar graph. Here is my requirement, to make it clear. I put together a dashboard that displays the number of successful transactions and failed transactions on a bar graph (time range 24hr with a span of 30mins, 1 week with a span of 1 day, etc.). I would like to have the reasons for failed transactions displayed in a pie chart when the mouse hovers over failed transactions in a particular span. Right now, I am able to display reasons for failed transactions in a separate dashboard and drill down by clicking on the bar graph. But I am unable to find a way to meet the above requirement. Your time and help is highly appreciated. Thank you.

How do I compare two time slices?

I have a search that I want to run twice, but for different time slices. The result of the two slices will then be compared to get a measure of the difference. My current code has the same search twice but with different *earliest* and *latest* values, associated using *appendcols*. What I want to know is if there is a way to write the search once (instead of twice) and reuse that code; something like a common table expression in SQL?

How to group data in a table by 2 or more fields from different sources joined with coalesce?

Hi Guys, I have a question regarding grouping in tables. I have sets of data from 2 sources monitoring a transaction in 2 systems. At its start, it gets a TransactionID. The interface system takes the TransactionID and adds a SubID for the subsystems. Each step gets a transaction time. One transaction can have multiple SubIDs, which in turn can have several Actions:

    1 -> A -> Ac1
    1 -> B -> Ac2
    1 -> B -> Ac3

![alt text][1]

It's no problem to do the coalesce based on the ID and do calculations. It gets tricky when I try to group them:

    search ... | coalesce ... | stats list(Service) list(Time1) list(Action) by TransactionID SubID

It works fine if I only group by TransactionID, since it exists in both sources. But it doesn't work anymore for a grouping also by SubID; then Service and Time1 disappear. I suppose it's because there is no SubID in their source. So how do you join from 2 sources with subsequent grouping based on 2 or more fields from different sources?

[1]: /storage/temp/255022-grouping.png

How can I generate an alarm if the value of a field changes?

Hello, I am trying to create an alarm if the value of a field changes over time. The value corresponds to the serial number of a device and I want to know how it is possible to generate an alarm if the device's serial is modified or altered. Thanks for your help.