Splunk intelligence on handling data
Is there any module or solution within Splunk that can take in any form of data and come up with points based on the data trend all on its own, without us having to tell Splunk what's required?
I understood Splunk was supposed to do exactly that, but in our environment it's set up in a way where we need to tell Splunk what to do with the data. I'm just trying to understand if it's a feature within Splunk to do what I mentioned above...
And what kind of training do I need to do to understand how this can be achieved?
↧
How to fix "Error rendering (Legacy) Clustered Single Value Map Visualization visualization" in leaflet Maps app
How do I fix this "Error rendering (Legacy) Clustered Single Value Map Visualization visualization"?
I am sometimes getting the above error and facing slow loading.
↧
Got the below error while trying to run the .jar file of the Splunk Java SDK
```text
C:\WINDOWS\system32>cd C:\Users\payal.s\Downloads\splunk-sdk-java-1.6.4\dist\examples
C:\Users\payal.s\Downloads\splunk-sdk-java-1.6.4\dist\examples>java -jar explorer.jar
Exception in thread "AWT-EventQueue-0" java.lang.RuntimeException: Received fatal alert: handshake_failure
    at com.splunk.HttpService.send(HttpService.java:451)
    at com.splunk.Service.send(Service.java:1295)
    at com.splunk.HttpService.post(HttpService.java:348)
    at com.splunk.Service.login(Service.java:1124)
    at com.splunk.Service.login(Service.java:1103)
    at com.splunk.Service.connect(Service.java:189)
    at com.splunk.examples.explorer.Program$1.run(Unknown Source)
    at java.awt.event.InvocationEvent.dispatch(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$300(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    at com.splunk.HttpService.send(HttpService.java:445)
    ... 20 more
```
↧
Multiple Forecast Time Series - one search
I want to run a forecast time series multiple times using one search on the remaining free space of a number of our databases (data collected within Splunk), in this case around 900 with 5 days' worth of historical data, predicting whether the free space will run below 60% in the next 90 days. I can use the map command, but it just times out after about an hour... any suggestions?
```
sourcetype="mysource" | stats count by Database| map search="search sourcetype=mysource Database=$Database$ | timechart span=24h avg(MainPercFree) | fit ARIMA _time avg(MainPercFree) order=1-0-0 forecast_k=90 holdback=0 conf_interval=95 as prediction |where prediction < 60 | stats earliest(_time) as First |eval Database=$Database$" maxsearches=900 |eval First=strftime(First,"%+")
```
↧
Count the number of occurrences / buckets when the given event happened
Hello,
I am trying to count the time buckets when the specific search returns values and alert on it. My current search looks as follows:
```
index=mlbso sourcetype=BWP_hanatraces "Out of memory for Pool/JoinEvaluator" | timechart count span=1m as OOM_Pool | eval Occurence = if (OOM_Pool > 0,1,0)
```
For alerting I am only interested in Occurence being 1 or 0, not in the number of events (count) per time bucket. Then I want to alert when the Occurence count increases with time, which I set in the alert trigger options (> 5 in the last 30 minutes).
The problem is that this is not working: the alert takes not only the Occurence but also a Count and adds both up. So if I have 25 events (OOM_Pool) in one minute, then Occurence is 1, Count is 25 and the alert gets triggered. I tried to overcome this by setting the custom triggering condition:
`search Occurence > 5`
but this does not seem to work.
How would I do it properly?
Kind regards,
Kamil
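As an added illustration (not part of the question or any answer on this page), the Python below reproduces the distinction the question draws: per-minute buckets like `timechart count span=1m`, a 1/0 occurrence flag per bucket, and a 30-minute window measured two ways, raw event count versus number of buckets with an occurrence. The timestamps and function names are constructed here, not taken from the thread.

```python
from collections import Counter

# Constructed sample: epoch _time of matching "Out of memory for Pool/JoinEvaluator" events.
# 25 events fall in the same minute, then one event in each of three later minutes.
SAMPLE_EVENT_TIMES = [1538400000 + i for i in range(25)] + [1538400300, 1538400600, 1538400900]

SPAN_SECONDS = 60  # span=1m

def bucket_counts(event_times, span=SPAN_SECONDS):
    """Like 'timechart count span=1m': number of events per time bucket (OOM_Pool)."""
    return Counter((t // span) * span for t in event_times)

def occurrence_flags(counts):
    """Like 'eval Occurence = if(OOM_Pool > 0, 1, 0)': 1 for every bucket that has events."""
    return {bucket: 1 if n > 0 else 0 for bucket, n in counts.items()}

def total_events_in_window(event_times, window_end, window_seconds=1800):
    """What a trigger on the raw count measures: events in the last 30 minutes."""
    return sum(1 for t in event_times if window_end - window_seconds < t <= window_end)

def occurrence_buckets_in_window(event_times, window_end, window_seconds=1800):
    """What the question wants to alert on: the number of 1-minute buckets in the last
    30 minutes that contained at least one event, i.e. the sum of the occurrence flags."""
    flags = occurrence_flags(bucket_counts(event_times))
    return sum(f for bucket, f in flags.items() if window_end - window_seconds < bucket <= window_end)

if __name__ == "__main__":
    end = 1538401000
    print("raw events in window:", total_events_in_window(SAMPLE_EVENT_TIMES, end))
    print("buckets with an occurrence:", occurrence_buckets_in_window(SAMPLE_EVENT_TIMES, end))
```

With this sample a "> 5" threshold fires on the raw count (28) but not on the bucket count (4), which is the behaviour the question describes.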
↧
Selecting first and second match as separate fields using Rex
Hello,
I have 1 field in Splunk which contains 2 short email headers in plain-text, for example:
**From**: Me (me@me.com)
**Sent**: 28 September 2018 17:42
**To**: You (you@you.com)
**Subject**: This is the first email
**From**: Me (me@me.com)
**Sent**: 28 September 2018 18:42
**To**: You-aswell (you-aswell@you.com)
**Subject**: This is the second email
There is more text after the 2 short email headers.
I would like to use rex to select the 2 Sent times, i.e.:
```
rex field=output "Sent: (?.*)"
rex field=output "Sent: (?.*)"
```
How do I select in the rex function which match to select? As an FYI, there may be text before the headers so selecting the line number wouldn't be an option.
Thanks,
↧
Splunk SDK for Python, splunklib.modularinput.EventWriter, event split issue
Hi,
I'm facing a random data loss issue when I split an event (list) into many events (one per element).
Here is a snippet of my code:
```python
import json

# Write one Splunk event per element of the parsed JSON list.
for element in json_response:
    try:
        data = json.dumps(element)
        event = helper.new_event(data=data, source=source, index=index, sourcetype=sourcetype)
        ew.write_event(event)
    except Exception as e:
        raise e
```
My json_response contains 8 elements. I added counters before and after the for loop and always got 8 (in the log file), but when I search for the same time range I find only two or one events.
Could you please help?
Many thanks in advance.
Regards,
--
Mohammed
↧
Problem starting an existing Splunk installation
Dear Support,
Trying to start but Splunk won't load on my side. This is the message I get:
*Validating databases (splunkd validatedb) failed with code '254'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue*
Anybody know what I should do?
```text
[root@ splunk]# ./bin/splunk start --accept-license
Splunk> Be an IT superhero. Go home early.
Checking prerequisites...
Checking http port [:8000]: open
Checking mgmt port [:8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [:8191]: open
Checking configuration... Done.
Checking critical directories... Done
Error getting component configuration data from /tmp/splunk/etc/myinstall/splunkd.xml.cfg-default
Validating databases (splunkd validatedb) failed with code '254'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
[root@ splunk]#
```
↧
How do you stop displaying a timechart line when value is 0?
I'm trying to display a timechart based on count by a type.
But, for a certain type, the value will always be 0 for a certain time.
Is it possible to tell Splunk to simply stop displaying the line from a certain datetime, or when the count is 0?
The screenshot below shows the different lines and the part I marked is supposed to be hidden.
![alt text][1]
[1]: /storage/temp/255078-2018-10-01-15h53-37.png
↧
Does Splunk sell training vouchers?
Hello,
Does anyone know if Splunk sells vouchers for their training classes?
Thanks
↧
Why am I getting the following "needs splunkd to be up" error when applying a cluster command?
I downloaded an app and placed it in the shcluster/apps folder in the deployer and ran the apply bundle command and I got the below error:
This command [POST /services/apps/deploy] needs splunkd to be up, and splunkd is down.
I checked the status of the captain and it is up and running. What could be the problem?
↧
How can I run Splunk Enterprise as a Docker image on Kubernetes?
Hi,
I found a Splunk Enterprise Docker image which I need to run in Kubernetes. I am trying to find a Helm chart to install the image on Docker. Could anyone help me with this?
Kind regards
Amira
↧
How to create an alarm if a value stored in a CSV changes.
Hi, I have a CSV file with the following structure:
| NAME | DiskSerial | ProcSerial | MachineSerial |
|---|---|---|---|
| PC-ID-0007 | null | BFEBFBFF000306F2 | MJ044SGB |
| PC-ID-0088 | WD-WX11DC7JHUV0 | BFEBFBFF000306F2 | MJ044SH9 |
| PC-ID-5177 | NA8GAPCF | BFEBFBFF000306F2 | 58Y0KB2 |
I need to create a search to identify whether any of the serials that have been stored change, taking into account the last event that enters the indexer.
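As an added example (not from the question or any answer on this page), the Python below shows the comparison logic outside Splunk: parse the stored CSV as the baseline, keep only the newest event per NAME, and report every serial field whose latest value differs, plus hosts that are not in the CSV at all. The newer events, the changed serial and the function names are constructed for the example.

```python
import csv
import io

# Constructed baseline: the stored CSV from the question, as last written.
BASELINE_CSV = """NAME,DiskSerial,ProcSerial,MachineSerial
PC-ID-0007,null,BFEBFBFF000306F2,MJ044SGB
PC-ID-0088,WD-WX11DC7JHUV0,BFEBFBFF000306F2,MJ044SH9
PC-ID-5177,NA8GAPCF,BFEBFBFF000306F2,58Y0KB2
"""

# Constructed newly indexed events (epoch _time). PC-ID-0088 reports a different
# DiskSerial in its newest event; PC-ID-9999 does not appear in the CSV at all.
NEW_EVENTS = [
    {"_time": 1538400060, "NAME": "PC-ID-0088", "DiskSerial": "WD-WX11DC7JHUV0",
     "ProcSerial": "BFEBFBFF000306F2", "MachineSerial": "MJ044SH9"},
    {"_time": 1538400120, "NAME": "PC-ID-0088", "DiskSerial": "ZZ-REPLACED0001",
     "ProcSerial": "BFEBFBFF000306F2", "MachineSerial": "MJ044SH9"},
    {"_time": 1538400180, "NAME": "PC-ID-9999", "DiskSerial": "NEWHOST01",
     "ProcSerial": "BFEBFBFF000306F2", "MachineSerial": "ABC123"},
]

SERIAL_FIELDS = ("DiskSerial", "ProcSerial", "MachineSerial")

def load_baseline(text):
    """Parse the stored CSV into {NAME: {serial field: value}}."""
    return {row["NAME"]: {f: row[f] for f in SERIAL_FIELDS}
            for row in csv.DictReader(io.StringIO(text))}

def latest_per_host(events):
    """Keep only the most recent event per NAME (the 'last event that enters the indexer')."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        latest[ev["NAME"]] = ev
    return latest

def detect_changes(baseline, events):
    """One finding per serial field whose latest value differs from the stored one.
    Hosts missing from the baseline are reported as 'new host' so they get triaged too."""
    findings = []
    for name, ev in latest_per_host(events).items():
        stored = baseline.get(name)
        if stored is None:
            findings.append({"NAME": name, "field": None, "old": None, "new": None, "reason": "new host"})
            continue
        for f in SERIAL_FIELDS:
            if ev[f] != stored[f]:
                findings.append({"NAME": name, "field": f, "old": stored[f], "new": ev[f], "reason": "serial changed"})
    return findings
```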
↧
Can you help me make a Splunk Search for all Splunk Clients using TLS1.2?
Is there any way we can frame a Splunk query, which we can run on a search head, to get the list of all the Splunk clients/universal forwarders and the respective SSL version they are using to communicate, like TLS1.1 or TLS1.2?
Any suggestions are much appreciated. Thank you.
↧
Why is my JSON format log getting truncated to 26 lines?
I have a log file which has JSON format lines in the middle. The log looks fine but the JSON lines are getting truncated to 26 lines out of around 200 lines.
Is there a way I can extract the full log without any truncation?
↧