Channel: Latest Questions on Splunk Answers

Adding Windows monitors via Linux CLI

Our central Splunk server is Linux, running (now) the latest version, as I suspected there was a bug involved in this situation. I've deployed the Windows universal forwarder to a bunch of Windows Server 2008 machines, and due to a known bug in the installer (as shown to me by Splunk support) they had to be installed with no options and configured afterwards. Since there are a lot of machines, I'm attempting to automate everything.

Whenever I attempt to add in a monitor via the splunk command on our Linux server, I get an error. This is what it is:

splunk add monitor <windows path> -uri https://<server>:8089 -auth <creds>

In handler 'monitor': Parameter name: Path does not exist.

It sounds like the monitor is only validated against what's valid for the local OS. Is this expected behavior or a bug? I've attempted the usual UNIX tricks -- encased the path in quotes, escaped the special characters, etc.


Connect Splunk to the Internet to retrieve apps

Hello,

I'm trying to add more apps to our Splunk Web GUI. Every time I click "Find More Apps" I get an error message saying "Splunk is unable to connect to the Internet to find more apps." We are running Splunk on CentOS 6.5 and I'm not sure what to do. I'm fairly new to using both *nix and Splunk, so any help would be appreciated.

Thank you, JS

How to Pull SQL data into Splunk

Hi,

I am trying to pull data from a MSSQLSERVER table that updates in real time. This is a remote source. From my research I believe I will have to put a script in my input files. If someone could point me in the right direction it would be greatly appreciated!

This will have to be done without the use of Splunk's log forwarders...I am running Splunk 5.0.4.

-Brian

I upgraded my distributed environment to Splunk 6.0 and now my Indexers are crashing.

I upgraded my distributed environment to Splunk 6.0 and now my Indexers are continually crashing. I looked in the log and the crashing thread is "FwdDataReceiverThread". Has anyone else seen this? What can be done to fix or work around the problem?

HP Service Manager app

Hi friends

I am developing a small app to dashboard HP Service Manager incident/change/catalog data via DB Connect to the database. Has anyone done something like this before? If we have something already done, I can expand it.

Thanks in advance

Web Framework/Django Search Manager Auto Refresh

Is there an easy way to auto-refresh a search manager in the web framework every 2 minutes, for example?

Basically, run a .search() every 2 minutes on the search manager (Django).

Or do I need to create my own timer within javascript?

Index Not Search by default on Search Head

I have a cluster of 2 peers, 1 master and one search head using Splunk version 6. The 2 indexers receive logs sent from forwarders. Assume the index name is accees_log and it was sent from host name apachehost123.

I am able to perform a search and get results using either index=accees_log OR host=apachehost123 on the 2 search peers. However, the search result is empty on the search head or master unless I use index=accees_log.

I checked the listbox in "Indexes searched by default" for the search head but the index -- access_log is not displayed in the listbox.

Please advise where it could be wrong.

Thanks in advance!

Script being executed every minute - not scheduled

We have a script that Splunk executes every minute on the minute; the only problem is we do not have this scheduled as an alert or saved search. We cannot figure out why it is executed on the minute every minute. We can see the process in the splunkd log, however we do not see what/why it is being started. We have checked all alerts and no alerts are referencing this script. Anyone have a similar issue? How did you correct it?


Count when sum reaches specific number then start over.

Hello,

I have data that shows the number of items I'm counting by item number. Is there a way to count when I have a certain amount of items, then reset the count back to zero? I could do something like | eval number=sum(field)/value, but then I wouldn't get the timestamp of when that count rolled over.

For example, I want to know when I have at least 5 items. So for this data I would want it to show a graph with values on day 2, day 3, and day 5, since that's when the count got high enough to be 5.

day1   2
day2   3
day3   6
day4   1
day5   5

Sharing global in config

This should be an easy one:

From a config file perspective, how do I define an app's knowledge object (a savedsearch for example) as being shared globally?

Thus far, I have been unable to find them in local.meta or viewstates.conf.

Disable Report Acceleration for Specific Roles - however do not disable report scheduling?

[We're running v6.0.1]

Hi, quick question please. From the documentation, if we want to disable a user role from being able to enable report acceleration on saved searches, we have to disable the schedule_search capability as well.

e.g. from the docs -- schedule_search: Schedule saved searches, create and update alerts, review triggered alert information, and turn on report acceleration for searches.

However, is there a way to allow a user role to schedule saved searches, etc., but NOT be able to enable report acceleration on their searches?

Appreciate any tips

thanks

font-size in splunk6

Hi, is anyone experiencing that the font-size parameter in CSS doesn't affect the views on Splunk 6? Or is it just me? I'm currently applying my custom CSS for views; I can see Splunk loads my CSS, but the font-size parameter is not working for me. I put the CSS files in the proper location and the font-size parameter is still not working. Is it just me?

Splunk Web Framework - Converting Table Icon Simple XML view from Splunk 6 Dashboard example into django/js

Hi All,

I am currently trying, with no success, to convert the view "Table Icon Set (Inline)" provided by the app Splunk 6 Dashboard Examples into a Django / JavaScript view using the new Web Framework.

This view provides a very interesting way (and important to our requirements) to add custom icon visualizations for specific value ranges into a table, which greatly improves its readability:

This uses JavaScript code (file: table_icons_inline.js) as follows (with field names adapted to my requirements):

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {

    var CustomIconRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return cell.field === 'Percent_Used';
        },
        render: function($td, cell) {
            var Percent_Used = cell.value;

            // Compute the icon based on the field value
            var icon;
            if(Percent_Used > 90) {
                icon = 'alert-circle';
            } else if(Percent_Used > 70) {
                icon = 'alert';
            } else {
                icon = 'check';
            }

            // Create the icon element and add it to the table cell
            $td.addClass('icon-inline numeric').html(_.template('<%- text %> <i class="icon-<%-icon%>"></i>', {
                icon: icon,
                text: cell.value
            }));
        }
    });

    var CustomIconRenderer2 = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return cell.field === 'Percent_OverProvisionning';
        },
        render: function($td, cell) {
            var Percent_OverProvisionning = cell.value;

            // Compute the icon based on the field value
            var icon;
            if(Percent_OverProvisionning > 90) {
                icon = 'alert-circle';
            } else if(Percent_OverProvisionning > 70) {
                icon = 'alert';
            } else {
                icon = 'check';
            }

            // Create the icon element and add it to the table cell
            $td.addClass('icon-inline numeric').html(_.template('<%- text %> <i class="icon-<%-icon%>"></i>', {
                icon: icon,
                text: cell.value
            }));
        }
    });

    mvc.Components.get('table1').getVisualization(function(tableView){
        // Register custom cell renderer
        tableView.table.addCellRenderer(new CustomIconRenderer());
        // Force the table to re-render
        tableView.table.render();
    });

    mvc.Components.get('table1').getVisualization(function(tableView){
        // Register custom cell renderer
        tableView.table.addCellRenderer(new CustomIconRenderer2());
        // Force the table to re-render
        tableView.table.render();
    });

});

This works very well in my Simple XML view, but when I try to add it into my Django view, the table works OK but not the icon customization.

Inspecting the page using my browser, I can see some related errors in the console which I don't have when launching the Simple XML page that works fine:

Failed to load resource: the server responded with a status of 404 (Not Found) http://guilhem-xxxxx:8000/en-us/splunkd/__raw/servicesNS/admin/xxxxxxxxxxxxxx/data/ui/views/HDS_Dashboard?output_mode=json&_=1388709272893
event.returnValue is deprecated. Please use the standard event.preventDefault() instead. mvc.js:1
Uncaught Error: Load timeout for modules: splunkjs/mvc/simplexml/ready!_unnormalized4,splunkjs/mvc/simplexml/ready!
http://requirejs.org/docs/errors.html#timeout config.js:1
4
Uncaught TypeError: Object [object Array] has no method 'attrTween' d3chartview.js:1

I tried to adapt and play with the libraries loaded inside the JS code (require...) with no success.

I'm unfortunately not (yet) a JavaScript expert, which is why I would appreciate your help on this; I guess the JavaScript is maybe not totally compatible with a Django view and has to be adapted...

The error message shown in the console talks about the splunkjs/mvc/simplexml/ready! library that cannot be loaded. Of course, if I remove loading this library, then other errors appear (e.g. Uncaught TypeError: Cannot call method 'extend' of undefined).

I notably tried replacing require with an example coming from Django views:

require([
        "splunkjs/ready!", 
        "splunkjs/mvc/utils",
        "underscore",
        "jquery",
        "splunkjs/mvc/tableview"

With no success.

Last thing: the Simple XML view can be converted into an HTML view that works perfectly. In this HTML view the JS code is called differently, like:

<script src="{{SPLUNKWEB_URL_PREFIX}}/static/app/xxxxxxxxxxxxxx/table_icons_inline.js" type="text/javascript"></script>

I also tried to integrate this into my Django view JavaScript block with no success...

Here is an example of the JS code I tried, with no success:

{% block js %}
{{ block.super }}
<script>
    require([
        "splunkjs/ready!", 
        "splunkjs/mvc/utils",
        "underscore",
        "jquery",
        "splunkjs/mvc/dropdownview"
        ], 
        function(
            mvc, 
            utils,
            _, 
            $,
            DropdownView
                ){

                var chart = mvc.Components.getInstance('chart-info-pool');
                chart.settings.set("setup", function(chart){
                chart.showLabels(true);
                chart.showLegend(false);                
                });

    });
</script>

<script>
require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {

    var CustomIconRenderer = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return cell.field === 'Percent_Used';
        },
        render: function($td, cell) {
            var Percent_Used = cell.value;

            // Compute the icon based on the field value
            var icon;
            if(Percent_Used > 90) {
                icon = 'alert-circle';
            } else if(Percent_Used > 70) {
                icon = 'alert';
            } else {
                icon = 'check';
            }

            // Create the icon element and add it to the table cell
            $td.addClass('icon-inline numeric').html(_.template('<%- text %> <i class="icon-<%-icon%>"></i>', {
                icon: icon,
                text: cell.value
            }));
        }
    });

    var CustomIconRenderer2 = TableView.BaseCellRenderer.extend({
        canRender: function(cell) {
            return cell.field === 'Percent_OverProvisionning';
        },
        render: function($td, cell) {
            var Percent_OverProvisionning = cell.value;

            // Compute the icon based on the field value
            var icon;
            if(Percent_OverProvisionning > 90) {
                icon = 'alert-circle';
            } else if(Percent_OverProvisionning > 70) {
                icon = 'alert';
            } else {
                icon = 'check';
            }

            // Create the icon element and add it to the table cell
            $td.addClass('icon-inline numeric').html(_.template('<%- text %> <i class="icon-<%-icon%>"></i>', {
                icon: icon,
                text: cell.value
            }));
        }
    });

    mvc.Components.get('table1').getVisualization(function(tableView){
        // Register custom cell renderer
        tableView.table.addCellRenderer(new CustomIconRenderer());
        // Force the table to re-render
        tableView.table.render();
    });

    mvc.Components.get('table1').getVisualization(function(tableView){
        // Register custom cell renderer
        tableView.table.addCellRenderer(new CustomIconRenderer2());
        // Force the table to re-render
        tableView.table.render();
    });

});
</script>

{% endblock js %}

Many thanks in advance for any help!!!

How to tune ulimit on my server?

I have an indexer on Linux on a physical server, with 100+ forwarders and local file indexing; it's also my deployment server and my search head, with all the users from my AD.

I beefed up the disk size, multiple cores, RAM... But I still see some complaints at startup. How can I tune it?

Here is my startup log from splunkd.log:

03-03-2011 21:50:09.027 INFO  ulimit - Limit: virtual address space size: unlimited
03-03-2011 21:50:09.027 INFO  ulimit - Limit: data segment size: 1879048192 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: resident memory size: 2147482624 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: stack size: 33554432 bytes [hard maximum: 2147483646 bytes]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: core file size: 1073741312 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: data file size: 2147483646 bytes
03-03-2011 21:50:09.027 ERROR ulimit - Splunk may not work due to low file size limit
03-03-2011 21:50:09.027 INFO  ulimit - Limit: open files: 1024
03-03-2011 21:50:09.027 INFO  ulimit - Limit: cpu time: unlimited
03-03-2011 21:50:09.029 INFO  loader - Splunkd starting (build 95063).

Event types vs. collect statements - which perform better?

Got a fun question - what is better for performance generally, event types or collect statements? I'm building alerts that track state transitions, and have done this with event types indicating good and bad as well as a collect statement writing to a somewhat transient index indicating good and bad (both per event).

The basic alerting logic follows:

1) Something tags an event with a field indicating "good" or "bad" based on defined thresholds.

-A "good" and "bad" event type takes care of this in one instance, and in the other a new field is eval'd and added to the events collected to the transient index.

-In the case of the transient index, a saved search runs at a defined interval which populates the transient index with events containing state data

2) An alert runs at an appropriate interval and evaluates the state fields added by the event types, or in the other case runs against the state fields collected in the transient index.

There are some natural limitations to using event types as they don't allow piping, so it seems both methods are needed. However, any suggestions on what would be a better approach to use? Will one generally perform better than the other?


Upgrade cost and procedure?

Hi there,

We are currently running 2.2.0 and would like to upgrade to 3.0.

What is the upgrade procedure and is there an upgrade cost?

Thanks, Joe.

Permissions kicking me out of Splunk for DBX App

I have an admin that was messing with permissions on the objects in the DBX app. I went back and made sure everything was set the same: "global, All:Read, Admin:Write".

All the functions seem to be working on all the custom searches and dashboards.

When I go to "https://Mysystem.com:8000/en-US/app/dbx/home" I get redirected to this link, "https://Mysystem.com:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fdbx%2Fhome", and it brings my browser to the login page. I can't seem to get to any of the app views by typing in the URL.

Has anyone seen this issue before?

Forwarding windows event viewer logs to Splunk

I have installed Splunk on a Linux box and it is listening for incoming connections on 9997. Our Linux boxes send their syslog to it and work fine. The Windows boxes, however, do not send any Event Viewer logs. I installed SplunkForwarder on one and followed the prompts, where I entered the receiver server and port 9997. I also restarted the Splunk service just in case. What additional configuration needs to be done to ensure Event Viewer logs/AD monitoring start to populate my Splunk sitting on the Linux box? I'm able to telnet to 9997 from Windows to Linux, so it is not an access issue.

Weird behavior with timechart - any way to workaround?

1) If I run a regular timechart command against normal rows.

* | timechart span=1h count by sourcetype limit=500

then for timebuckets and sourcetypes where no data existed, the timechart command fills in a "0" for me. All is well.

2) If I use timechart however with data that's already been aggregated.

i.e. (forgive the artificial example here)

* 
| bin _time span=1h
| stats count by _time sourcetype 
| timechart span=1h sum(count) by sourcetype limit=500

or

| tstats prestats=t count WHERE index=*  GROUPBY sourcetype _time span=1h
| stats count by _time sourcetype 
| timechart span=1h sum(count) as count by sourcetype limit=500

Then it's weird. I get the same chart obviously but the timechart command fails to fill in the zeros. Instead I get null values everywhere there should be a zero.

This is throwing things off for me, and I'm curious if anyone knows the root cause or if there's any way to work around the problem so I get my zeros back.

Notes:

* I actually need the zeros back in the actual search result data, rather than just being graphed as zeros in the charting stuff.
* If I didn't have a split-by field I could just do fillnull, but I don't know all the values of the split-by field in advance.

rex json field extraction

Splunk newbie here.

I need to extract fields from our JSON logs, sample _raw output below:

2014-01-22 21:25:33,802 [xid=,fn=] INFO [pool-9-thread-1] tion.rts.RTSConsumer | Processing RTS JSON=RTSJsonEvent{value(m)='279732640,CardYellowHome,0104400000|279736050,CardYellowHome,0304000000|279738003,GoalHome,0404000000|279745927,GoalHome,0593900000', match id(t)='123456', type id(tp)='112', key(k)='CardYellowHome,No Player|CardYellowHome,No Player|GoalHome,No Player|GoalHome,No Player', parent id(p)='', id(i)='279746011', servertime='2014-01-23 02:25:33.619'}

I want the output in table format wherein it contains the values for match id, type id, key, parent id, id, and server time.

Thanks for the help.
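An added example (not from the question or from Splunk) that parses the RTSJsonEvent line above into the requested table fields. The sample line is the one quoted in the question; the mapping to Splunk-safe field names such as match_id is my assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the _raw line quoted in the question.
SAMPLE_LINE = (
    "2014-01-22 21:25:33,802 [xid=,fn=] INFO [pool-9-thread-1] tion.rts.RTSConsumer | "
    "Processing RTS JSON=RTSJsonEvent{value(m)='279732640,CardYellowHome,0104400000|"
    "279736050,CardYellowHome,0304000000|279738003,GoalHome,0404000000|"
    "279745927,GoalHome,0593900000', match id(t)='123456', type id(tp)='112', "
    "key(k)='CardYellowHome,No Player|CardYellowHome,No Player|GoalHome,No Player|"
    "GoalHome,No Player', parent id(p)='', id(i)='279746011', "
    "servertime='2014-01-23 02:25:33.619'}"
)

# The payload is everything between "RTSJsonEvent{" and the closing "}".
EVENT_RE = re.compile(r"RTSJsonEvent\{(?P<body>.*)\}\s*$")
# One "name(abbr)='value'" pair. The "(abbr)" part is optional (servertime has none);
# values are single-quoted and, in this log format, contain no embedded quotes,
# so commas and pipes inside a value are consumed safely by [^']*.
PAIR_RE = re.compile(r"(?P<name>\w[\w ]*?)(?:\((?P<abbr>\w+)\))?='(?P<value>[^']*)'")

# Fields the question wants in the table, keyed by the field name we emit
# (assumed names: spaces replaced by underscores so Splunk handles them cleanly).
WANTED = {
    "match_id": "match id",
    "type_id": "type id",
    "key": "key",
    "parent_id": "parent id",
    "id": "id",
    "servertime": "servertime",
}


def parse_rts_event(line: str) -> Optional[Dict[str, str]]:
    """Return all name='value' pairs inside RTSJsonEvent{...}, or None if absent."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {p.group("name"): p.group("value") for p in PAIR_RE.finditer(m.group("body"))}


def table_row(line: str) -> Optional[Dict[str, str]]:
    """Build one table row with the requested fields; a missing field becomes ''."""
    fields = parse_rts_event(line)
    if fields is None:
        return None
    return {out: fields.get(src, "") for out, src in WANTED.items()}


def table_rows(lines: List[str]) -> List[Dict[str, str]]:
    """Skip lines that are not RTS events so one odd line does not abort the batch."""
    return [row for row in (table_row(l) for l in lines) if row is not None]


if __name__ == "__main__":
    for row in table_rows([SAMPLE_LINE, "2014-01-22 21:25:34,000 INFO unrelated line"]):
        print(row)
```

In Splunk itself the same quoted-value pattern maps to one rex per field, e.g. `rex "match id\(t\)='(?<match_id>[^']*)'"`.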
