The solution is by clicking "Roll" on "Action" of each bucket? Is it the best way to fix?
It's seen on Master Node under the Fixup Buckets Pending menu.
↧
How to fix: Cannot replicate as bucket hasn't rolled yet?
↧
Older Windows beyond Windows XP, can they forward their logs to Splunk Serverwith any other method?
Older version like:
- Windows NT 4.0
- Windows 95
- Windows 98
- Windows 2000
Can they still forward logs to Splunk with other method? Since no Universal Forwarders for such Windows are found.
↧
↧
Unable to use regex to index logs
Hi, I wish to configure splunk forwarder to pick logs from a directory that match any of the below patterns. Essentially anything that matches the regex "/^(jacket.)?[^\.]*-[^\.]*(.jvm)?.log$/". I tried to make below changes to inputs.conf but it is not working as expected. Can someone help guide how to debug further ?
- may start with “jacket.”
- must have at least one hyphen
- must end in “.log” or “.jvm.log”
- must not have any other “.” characters
#Inputs.conf
[monitor:///base/apps/logs]
disabled = false
index = test
sourcetype = _json
whitelist = ^(jacket.)?[^\.]*-[^\.]*(.jvm)?.log$
blacklist = \.gz$
↧
Mismatch in License Query and actual license Utilization.
I have ran some query for Data coming through all of the forwarders and matched it with actual daily license utilization.
some of the queries are,
1. index=_internal group=* group=per_host_thruput | bucket _time span=1d|bin _time |eval time=strftime(_time,"%m/%d/%y") | eval kb=(kb/1024/1024) | stats sum(kb) as SUM by time series | xyseries series time SUM |sort -SUM
2. index="_internal" source="*metrics.log" group="per_host_thruput" | chart sum(kb) by series | sort - sum(kb)
Its weird that results the search are showing is far greater than the actual utilzation, ran it for today accounting all forwarders & the sum shows almost 500Gigs of data where as license utilization is 280+Gigs only.
Is it something wrong with the search or am i missing out something?
↧
Do splunk deployment officialy supported inside Docker Containers ?
Hi team,
We are considering deploying Splunk Solution inside Docker containers for Production Workload??. We found though docker has support for splunk , but not sure if Splunk supports it officially.
Could you please confirm. Apology, in case it has been answered in the forum earlier.
Thanks much
↧
↧
how to create custom statuses and workflow rules?
Hi!
I tired Alert Manager recently and I think it's a great app!
Now I need to customize the statuses and provide some simple workflow defining rules on who can change from a status to another one.
Any ideas or anyone already did it?
Thanks a lot!
Marco
↧
NetApp Data OnTAP 8.1.4 support in Splunk App for Data OnTAP
Dear All,
I have a NetApp Data OnTAP 8.1.4 7-mode server and I need to monitor it with Splunk and the Splunk App for Data OnTAP (current version 2.1.5). However, the current version only supports OnTAP 8.2 and above.
Is there an old version of the Splunk App that does support Data OnTAP 8.1.4 7-mode?
Kindest regards,
BlueSocket
↧
Historic average of last 30 days
I have a type of event that happens about 20 times a day. Each event carry a numeric value. Meaning is found in the sum of this value for each day.
To be able to compare the current day sum, I want an average of this sum, for the past 30 days. But not only that, I want a historic of this average sum for each span of past 30 days from now.
We are the 10/5, I want to see the average of the daily sum for 10/05 -> 09/05, 09/05 -> 08/05, 08/05 -> 07/05 , etc for the past 6 months.
So far I've done this :
sourcetype=BatchLog name=OperationInsertionBatchJob entitiesProcessed > 0 | bucket _time span=day | stats sum(entitiesProcessed) AS totalEntitiesProcessed BY _time | eval kTotalEntitiesProcessed = totalEntitiesProcessed / 1000 | timechart avg(kTotalEntitiesProcessed) span=30d
Back to reality, I only have data since a few days ago, so the result should only show me one metric : the last 30 days.
But unfortunately, as we are the 10/05, it shows me a value for 2017-09-29 and for 2017-08-30.
The time interval I selected is from now to last 6 months, no snap-to/now
↧
How to run a search with undefined token
Hello,
I have a panel on a dashboard with a search using a token to exclude events with some field values.
Search is something like `index=myindex sourcetype=mysourcetype $exclude$`
The "exclude" token is generated from a checkbox input which generate a string like "myfield!=value1 myfield!=value2 ..."
This is working fine if at less one entry on checkbox is selected but a have the message `Search is waiting for input... `if no entries are selected.
I open the panel in search and see `undefined` on search bar.
Is it possible to run the search even if the token is not defined or to have an empty defined token if all entries on checkbox are unchecked?
Thanks
↧
↧
Help me with the search command for usescases
Hi All,
I would like to find a way out for the below Cisco ISE use-case scenarios . It would be great if you can help me with the search queries,
• New devices connecting to the wired network
• Legacy known devices (e.g. printers) connecting from a different network port
• Known devices connecting from two different network ports at the same time
• Monitor logins by device type to understand unusual or rare device type authentications
• Baseline successful and unsuccessful logins to identify anomalies
These use-cases are for Cisco ISE Devices.
Thanks in advance.
↧
How to collect performance statistics about search-time field extractions?
I'm trying to collect performance information about search-time field extractions happening on different search-peers, but even if I can see the total search duration for the available peers (e.g. ) I didn't find yet anything specific for the field extraction process.
The only "close-enough" bits of information that seem to be related with what I'm looking for are:
| rest /services/search/jobs splunk_server=local summarize=false | fields label, performance.*field*.duration_secs
And more in particular:
performance.command.fields.duration_secs
performance.command.search.calcfields.duration_secs
performance.command.search.fieldalias.duration_secs
performance.dispatch.evaluate.fields.duration_secs
Nevertheless those don't seem to be officially documented and seem to only refer to something happening on the search-head.
The thing is... from time to time I've seen some warning messages like `Field extractor name=blablabla is unusually slow (max single event time=1036ms, probes=422 warning max=1000ms)` so Slunk is actually collecting information about the field extraction process, now the question is how can I retrieve them for my analysis? :)
↧
add custom component name in web_service.log
Hi
I'm working on an splunk base app (Uploader). In this app, the python code upload.py calls splunk logger.
When I have log I can find them in web_service.log like this:
2017-10-02 10:21:50,312 WARNING [59d1f71e4a7fc12c396e90] :111 - #################################File extension is not a csv
Instead of `` I would like to have at least application name or filename (ie Uploader or upload.py). So I will see in log:
2017-10-02 10:21:50,312 WARNING [59d1f71e4a7fc12c396e90] upload.py:111 - #################################File extension is not a csv
For yet I haven't find how to achieve this. Does anyone have an answer or an idea?
↧
SSL error on non-SSL forwarder connection
We're trying to add a new Forwarder (6.6.1) to our indexer (non-SSL connection), we're able to connect to the forwarder just fine and everything seems correct but we're not seeing the forwarder on the deployment server.
In Splunkd.log we see the following error for the forwarder:
WARN HttpListener - Socket error from x.x.x.x while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
What can be the cause of this error?
↧
↧
Windows Events Not showing Up on Indexer
A UF was installed on 2 Windows domain Controllers. These are in a different windows forest than my other devices. I had to manually add these to the windows_eventlog class by IP as the DNS name can't be resolved. I now see them sending to the indexer but I can't search any of the events. How can I trouble shoot this?
Thanks!
↧
integration of RMS data in Splunk
Hi All
I'm looking for informations or methods on integrating RMS (Rights Management service/Office365) into Splunk (Linux).
I'am not sure if we can use the APT (powershell) ....
I checked online - But not able to find any informations.
Thanks
↧
comparing min, max and avg of a field by host and application
Hi All,
I have been working on a search query but couldn't able to get desired results.
I'm looking for a search which will give me min(field1), max(field1) and avg(field1) of field1 per host per applicationID
My results should have applicationID in the row, and the columns should have hosts and min, max and avg of each host
**Results**
Host1 Host2 Host3
min(field1) max(field1) avg(field1) min(field1) max(field1) avg(field1) min(field1) max(field1) avg(field1)
appId1
appId2
appId3
Any help on this is greatly appreciated
Thanks
↧
dashboard input - if single value available - choose it
Hi,
I have a dashboard that in it there is a multiselect input.
sometimes the multiselect search results only 1 result.
can I automatically choose it when there is only 1 option?
Thanks.
↧
↧
souce names in the 2nd column
Hi,
I'm searching multiple sources in a single index and getting the result as a table. I want to display the sourcename next to the first column for each row. How can I do that ?
↧
SCOM & Splunk
Hi,
RE: https://splunkbase.splunk.com/app/2729/
We have SCOM installed on a server, and have Splunk Enterprise installed on another server. I am trying to get them both to intergrate.
I have followed the guide from the above link, but I cant seem to configure the forwarder. It says that Universal forwarder is not supported, but then how do I configure a heavy forwarder or a search head on the server that SCOM is installed on?
Please advise.
Many thanks
Abdul
↧
Sendind data from Splunk dashboard to some external API\any ticketing tool
Hi All,
I have a dashboard which will list out all the errors along with some more fields in a table view.
So now what I need to do is I need to have a integration\API that should allow me to right click on the selected row of table data to send to API\Any ticketing tool.
Could you please help me on this?
Regards,
Thippesh
↧