Channel: Questions in topic: "splunk-enterprise"

Is a separate installation of DM, CM, SHC DP really required on the same machine?

I have one machine for Deployer, Cluster Master, Deployment Server and License Master. Do I really need a separate installation of these components on the same machine? If yes, please help me with the steps; if no, where is a separate installation on the same machine required for testing a distributed environment?

perfmon:sqlserver set to disabled, still receiving data on the Indexer?

I have set the Universal Forwarder on SQL Server to forward all data to a heavy forwarder. However, in the search results on the Indexer, for the indexed data from SQL, it shows the "Splunk Server" field as the Indexer and NOT the H.F. I feel it should show the Splunk Server field as the Heavy Forwarder, as that's the Splunk server where the data is coming from. Please let me know if my understanding is wrong. Could this be because I have set forwarding defaults on the Heavy Forwarder to NOT store local data?

Second important question: I have installed the SQL Server add-on on the Indexer and the H.F., where all the inputs are set to disabled = 1 for the perfmon:sqlserver data in the inputs.conf file of the local folder of the add-on. However, despite that, I am still getting a huge amount of Perfmon:sqlserver data on the indexer. Can someone please help me figure out where I can make the change to stop this huge amount of unnecessary data? Thanks.

Machine Learning Toolkit: importing new algorithm

I followed the procedure in API Guide 2.4.0 to add the CorrelationMatrix algorithm, but an error resulted. I am using Windows 10.

I first added [CorrelationMatrix] in algos.conf, located at ~\etc\apps\Splunk_ML_Toolkit\default\algos.conf. Then I added a file CorrelationMatrix.py at ~\etc\apps\Splunk_ML_Toolkit\bin\algos. The .py file was copied from the "Finished example" in the API Guide. Finally, I restarted Splunk and searched:

| inputlookup iris.csv | fit CorrelationMatrix petal* sepal*

The error message was:

Error in 'fit' command: Error while initializing algorithm "CorrelationMatrix": Algorithm "CorrelationMatrix" cannot be loaded

Thanks for enlightenment! Andy

How can I edit field values?

Hello everyone, I have the field *Vegetables* with 5 field values. The field values are cucumber, tomato, onion, carrot and potato. When I click the field in the *fields sidebar*, the field values are displayed with a slash (/), such as **carrot/**, and likewise in the pie chart. **I want to represent the values without the slash in the pie chart.** This is my search:

sourcetype="notrelevant" | chart count by Vegetables

I have already looked in the documentation and in other questions, but unfortunately I could not find a solution. Could you please help me? Thanks in advance!

Fix table header and add vertical scrollbar using CSS and JS

Hi All, I want to display 100 rows of results per page in a table with a vertical scrollbar, and fix the header when we scroll down. I am trying to use `overflow-y: scroll;` on a div. It shows a vertical scrollbar, but it is showing 10 rows per page and the header is not fixed. Can anyone please help me... Thanks.

What is the best answer for describing deployment?

I have gone through the Splunk docs; it is like a puzzle for me to learn about deployment. Can anyone give me a perfect answer instead of posting links?

Unable to save SA-ldapsearch configuration despite the connection status being successful.

I have configured the settings for SA-ldapsearch (with SSL disabled) and tested the connection successfully. However, I am unable to save the config. Nothing happens when I click on Save. I have tried this in various browsers, but it still doesn't save. When I refresh the page, it shows the same settings with SSL enabled. I have also tried to save through the ldap.conf file in the local directory of the add-on. Is there a workaround for this?

After forwarding Windows event log data into Splunk on Windows 10, how do I see data from Windows Defender?

Hi, I have installed the SplunkUniversalForwarder and have successfully got data into Splunk. However, I want to view the scan logs from Windows Defender; how should I search for them on the search head? Thanks in advance!

Search query to replace first occurrence word with blank but second occurrence to replace with comma

How do I use regex or replace to remove the first occurrence of a word and replace the second occurrence onward with a comma? For example, the raw data is:

ubuntu CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0) ubuntu CRON[2907]: pam_unix(cron:session): session closed for user root

I want it to be:

CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0),CRON[2907]: pam_unix(cron:session): session closed for user root
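The transformation asked for above, as an added example that is not part of the original post: the host token is matched as a whole word, the first match is dropped and every later match becomes a comma. `collapse_host_prefix` and the `RAW_EVENT` sample are constructed here.

```python
import re

# Constructed sample: the two syslog lines from the post, concatenated into one raw event.
RAW_EVENT = (
    "ubuntu CRON[2907]: pam_unix(cron:session): session opened for user root by (uid=0) "
    "ubuntu CRON[2907]: pam_unix(cron:session): session closed for user root"
)


def collapse_host_prefix(raw: str, host: str = "ubuntu") -> str:
    """Drop the first host token and turn every later one into a comma separator."""
    # The host name is matched as a whole token (start of string or whitespace before,
    # whitespace after), so "xubuntu" or "ubuntu-db01" inside the message is not touched.
    token = re.compile(r"(?:^|\s+)" + re.escape(host) + r"\s+")
    # A match at the very start leaves an empty first piece; drop empties so the
    # first occurrence disappears and the remaining pieces are joined by commas.
    pieces = [p for p in token.split(raw) if p]
    return ",".join(pieces)


if __name__ == "__main__":
    print(collapse_host_prefix(RAW_EVENT))
```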

Monitoring failed webhook (search alert)

In Splunk Enterprise search, we can save the search query as an alert, and a corresponding action will be executed (webhook). I want to monitor failed webhooks that Splunk Enterprise sends. How can I do that? Should I search `index=_internal`?

How to remove an entire column from results if all the values of the column are zero?

Is there any possibility to remove an entire column if all the values of the column are zero?

stats values on x-axis and y-axis

basesearch | rex "(?m)^(?[^:]+):\s+\[\s+(?\d+)K-\>(?\d+)K\((?\d+)K\),\s+(?[^\s]+)\ssecs\]" | table totaltime,duration | stats or timechart or chart

I would like to populate totaltime on the x-axis and duration on the y-axis, and show a trend line graph based on the values of "totaltime" on the x-axis and "duration" on the y-axis. Somehow, using stats, I am getting the values but unable to see the graph. Attached is the statistics table image from my search.

Sample data:

28820.220: [Full GC (System.gc()) 8832K->8624K(37888K), 0.0261704 secs]
29372.500: [Full GC (Allocation Failure) 23984K->8816K(37888K), 0.0013546 secs]
29932.500: [Full GC (Allocation Failure) 24176K->8808K(37888K), 0.0017082 secs]
30492.500: [Full GC (Allocation Failure) 24168K->8960K(37888K), 0.0017122 secs]
31047.500: [Full GC (Allocation Failure) 24320K->8944K(37888K), 0.0020634 secs]
31602.500: [Full GC (Allocation Failure) 24304K->8992K(37888K), 0.0017542 secs]
32157.500: [Full GC (Allocation Failure) 24352K->8968K(37888K), 0.0018971 secs]
32420.247: [Full GC (System.gc()) 16160K->8944K(37888K), 0.0012816 secs]
8186.000: [Full GC (Allocation Failure) 91332K->36212K(246272K), 0.0081127 secs]
8347.676: [Full GC (System.gc()) 42225K->35996K(246272K), 0.0040077 secs]
8347.678: [Full GC (System.gc()) 35996K->21313K(246272K), 0.1147433 secs]
8929.342: [Full GC (Allocation Failure) 76609K->24356K(246784K), 0.0047687 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
9921.694: [Full GC (Allocation Failure) 84906K->27626K(247808K), 0.0053474 secs]
11567.840: [Full GC (Allocation Failure) 85994K->27730K(247808K), 0.0030062 secs]
11947.795: [Full GC (System.gc()) 41757K->27562K(248320K), 0.0035917 secs]
11947.797: [Full GC (System.gc()) 27562K->22923K(248320K), 0.1237187 secs]
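A parser for the GC log format in the sample data, as an added example that is not part of the original post: it extracts `totaltime` and `duration` (the field names used above) and returns them as a series sorted by `totaltime`, which is the x/y order a trend line needs. The pattern also captures the bracketed GC cause, since the sample lines contain it between `[` and the heap sizes; `cause`, `before_k`, `after_k` and `heap_k` are names chosen here, and the `SAMPLE_GC_LOG` lines are constructed from the post.

```python
import re

# Constructed sample taken from the lines quoted in the post, plus one
# deliberately malformed line to show that non-matching input is skipped.
SAMPLE_GC_LOG = """\
28820.220: [Full GC (System.gc()) 8832K->8624K(37888K), 0.0261704 secs]
29372.500: [Full GC (Allocation Failure) 23984K->8816K(37888K), 0.0013546 secs]
8952.577: [GC (Allocation Failure) 80164K->29098K(246272K), 0.0053928 secs]
8347.678: [Full GC (System.gc()) 35996K->21313K(246272K), 0.1147433 secs]
this line is not a GC record and must be ignored
"""

# totaltime and duration are the field names used in the post; cause, before_k,
# after_k and heap_k are names chosen here (assumptions). The cause is matched
# lazily because it contains nested parentheses such as "(System.gc())", so a
# simple [^)]* character class would stop too early.
GC_LINE = re.compile(
    r"^(?P<totaltime>\d+\.\d+):\s+\[(?P<cause>.+?)\s+"
    r"(?P<before_k>\d+)K->(?P<after_k>\d+)K\((?P<heap_k>\d+)K\),\s+"
    r"(?P<duration>\d+\.\d+)\s+secs\]\s*$"
)


def parse_gc_log(text: str) -> list[dict]:
    """Return one record per well-formed GC line; unparseable lines are dropped."""
    records = []
    for line in text.splitlines():
        m = GC_LINE.match(line)
        if not m:
            continue
        records.append({
            "totaltime": float(m["totaltime"]),  # seconds since JVM start
            "cause": m["cause"],
            "before_k": int(m["before_k"]),
            "after_k": int(m["after_k"]),
            "heap_k": int(m["heap_k"]),
            "duration": float(m["duration"]),    # pause length in seconds
        })
    return records


def trend_points(records: list[dict]) -> list[tuple[float, float]]:
    """(totaltime, duration) pairs sorted by totaltime: the x/y series of a line chart."""
    return sorted((r["totaltime"], r["duration"]) for r in records)


def reclaimed_k(records: list[dict]) -> list[int]:
    """Heap freed by each collection, in K, in log order."""
    return [r["before_k"] - r["after_k"] for r in records]


if __name__ == "__main__":
    recs = parse_gc_log(SAMPLE_GC_LOG)
    for x, y in trend_points(recs):
        print(f"{x:>10.3f} s  pause={y:.7f} s")
```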

Deployment Server - sending data to a 'specific index'

Hi all, I just need help understanding deployment servers better and how you are able to forward data to a 'specific index'. My current setup:

- 1 index master (a 'test' index has been configured and 'pushed' to the peer nodes successfully)
- 2 index peers
- 2 UF
- 1 Deployment server (clients successfully peered and forwarder management is working fine)

What I am confused about is when I access the deployment server and:

- select 'add data'
- I then select the available host (and select both my UF)
- I then create a new server class called Linux UF
- I then select source /var/log
- Now I come to the option where I select the 'Index'....

This is where my confusion is, as the 'test' indexes I have successfully created with the master are not showing! I just want to be able to send my var/log LOGS to the 'test' index. Does this mean I need to manually update the inputs.conf to include index = test? If possible, could you please help list the required steps to give me a better understanding, as right now I'm confusing myself too much. Much appreciated and thank you!

How can I find out who disabled the indexes in the DB Connect app?

Hi, I am currently facing this issue: my indexes created in Splunk DB Connect have been disabled by some means or by someone accidentally. I need to find out the person who disabled them, or how they got disabled. It will be working fine for many days, but suddenly it will be disabled one day and we couldn't figure it out. Can someone help me find the person or the means by which it was disabled? Regards, Sundar

Splunk alert email body content color

Hello all, help needed. I have set up a script which generates a log, and by monitoring that, Splunk triggers an email alert. Splunk sends an email alert on failure and on successful execution of the script. What I need to do is change the content of the alert email body: if there is a failure, then the word "failure" should be in red in the mail body, and if there is success, then "success" should be in green. I know that there is a script which handles the send email functionality, "$SPLUNK_HOME/etc/apps/search/bin/sendemail.py", but I am not very familiar with Python. If there is any other approach to do the same, please let me know.

Index settings not showing details (latest event, event count etc.), but I can see the events on the search head for the internal index and other indexes as well; how/where can I see this info?

When I click on Settings -> Indexes, the indexes are not showing any details like latest event, earliest event, event count etc. But when checking data on the search head, it is showing data (latest data). And when I check on the monitoring console, the indexers are working normally. It is showing like this in the GUI:

| Name | Actions | App | Current Size | Max Size | Event Count | Earliest Event | Latest Event | Home Path | Frozen Path | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| _audit | Edit Delete Disable | system | 1 MB | 488,28 GB | 3,68K | 2 years ago | 2 years ago | $SPLUNK_DB/audit/db | N/A | Enabled |
| _internal | Edit Delete Disable | system | 1 MB | 488,28 GB | 0 | | | $SPLUNK_DB/_internaldb/db | N/A | Enabled |
| _introspection | Edit Delete Disable | system | 1 MB | 488,28 GB | 0 | | | $SPLUNK_DB/_introspection/db | N/A | Enabled |
| _telemetry | Edit Delete Disable | system | 1 MB | 488,28 GB | 0 | | | $SPLUNK_DB/_telemetry/db | N/A | Enabled |

OTHER index information

I am observing my license usage, in which one index exists whose name is "OTHER". Is it a default index or not? What kind of information does it contain? How can I see it?

Search strings that qualify for report acceleration but won't get much out of it

The Splunk "Manage report acceleration" manual specifies the following:

"In addition, you can have reports that technically qualify for report acceleration, but which may not be helped much by it. This is often the case with reports with high data cardinality--something you'll find when there are two or more transforming commands in the search string and the first transforming command generates many (50k+) output rows. For example:

index=* | stats count by id | stats avg(count) as avg, count as distinct_ids"

My question is: why won't acceleration help much in this case? If the first transforming command generates more than 50K output rows, should I not be using report acceleration? Thank you.

Bar chart color customization - dynamic fields?

Please help me out here. I am trying to customize the bar chart color when using the stats command. My SPL:

| stats count by CODE

How do I set the colors dynamically for the count value in the series? I have tried [0xe60026,0xffd700,0x66CC66]; it's not helping.

How to count the number of requests hitting a server?

For the query:

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated"

I have the following output:

host = aecastle01ran05.awsdev.cloud.com
source = http:docker
sourcetype = docker

And I have various hosts for my application. How do I calculate the number of requests hitting the different servers, irrespective of failure or success, and present them in a table? The idea is to check whether the servers are being hit with the same number of requests or not. I have the following series of servers: aecastle01ran04, aecastle01ran03, aecastle01ran05, aeperf01cmb01