
API search limits to 1000 results

When I use the Splunk API (from node.js) to query a given sid, I only get back 1000 results, even when supplying the count=0 argument. This particular sid happens to return a great many records -- over 6 million. When trying with an sid that returns much fewer records, say 5,000, they all are returned.

Here is my code:

var Request = require('request');  // 2.34.x

var options = {
    url: 'htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=0',
    method: 'GET',
    auth: {
        user: 'hector',
        pass: 'wouldntyouliketoknow'
    },
    rejectUnauthorized: false,
    requestCert: true,
    agent: false
};

Request(options, function(err, response, body) {
    err && console.log('Error calling Splunk: ' + err);
    body = JSON.parse(body);
    body && body.results && console.log('query result count: ' + body.results.length);
});

Output:

query result count: 1000

I've also tried using pagination like this:

var Request = require('request');

var internals = {};

var options = {
    url: 'htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=300&offset={offset}',
    method: 'GET',
    auth: {
        user: 'hector',
        pass: 'wouldntyouliketoknow'
    },
    rejectUnauthorized: false,
    requestCert: true,
    agent: false
};

internals.querySplunk = function (options, offset, callback) {

    options.originalUrl = options.url;
    options.url = options.url.replace('{offset}', offset);
    console.log(options.url);

    Request(options, function(err, response, body) {

        err && console.log('Error calling Splunk: ' + err);

        body = JSON.parse(body);
        var resultCount = body.results.length;
        console.log('query result count: ' + resultCount);

        if (resultCount === 0) {
            console.log('Done getting results.');
            return callback();
        }

        offset += 300;
        options.url = options.originalUrl;
        internals.querySplunk(options, offset, callback);
    });
};

internals.querySplunk(options, 0, function () {
    console.log('Exiting.');
});

Output:

htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=300&offset=0
query result count: 300
htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=300&offset=300
query result count: 300
htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=300&offset=600
query result count: 300
htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=300&offset=900
query result count: 100
htttps://splunksvr:8089/servicesNS/hector/search/search/jobs/[sid]/results?output_mode=json&count=300&offset=1200
query result count: 0
Done getting results.
Exiting.

As you can see, it still only pages to 1,000 results. What gives?
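An added example, not code from the original post: the same count/offset paging written so it stops on the first short page (no extra empty-page request) and then compares what it fetched against the row count the job reports, so a silent server-side ceiling like the 1,000 rows seen above is flagged instead of being taken for the end of the data. The HTTP client is injected with the same (err, response, body) callback shape as the request module; the fake client, the baseUrl, the sid and the expected totals are constructed placeholders.

```javascript
// Added example, not from the original post. Page through a search job's
// results with count/offset and detect a silently truncated result set.

// Build one page's results URL (baseUrl and sid are caller-supplied placeholders).
function resultsUrl(baseUrl, sid, offset, count) {
  return baseUrl + '/services/search/jobs/' + encodeURIComponent(sid) +
    '/results?output_mode=json&count=' + count + '&offset=' + offset;
}

// request: function(options, cb(err, response, body)), e.g. the 'request' module.
// Stops on the first page shorter than pageSize, so no trailing empty-page call.
function fetchAllResults(request, baseUrl, sid, pageSize, callback) {
  var rows = [];
  function nextPage(offset) {
    var options = { url: resultsUrl(baseUrl, sid, offset, pageSize), method: 'GET' };
    // A production client keeps TLS verification on (no rejectUnauthorized: false)
    // and passes credentials through options.auth as the original code does.
    request(options, function (err, response, body) {
      if (err) return callback(err);
      var parsed;
      try { parsed = JSON.parse(body); } catch (e) { return callback(e); }
      var page = Array.isArray(parsed.results) ? parsed.results : [];
      rows = rows.concat(page);
      if (page.length < pageSize) return callback(null, rows);
      nextPage(offset + pageSize);
    });
  }
  nextPage(0);
}

// Compare the rows actually paged through with the total the job reports
// (assumed: taken from the job's own result count, not shown in the post).
function checkComplete(rows, expectedTotal) {
  return { fetched: rows.length, expected: expectedTotal,
           complete: rows.length >= expectedTotal };
}

// Constructed fake client: the job has `total` rows but the server never
// returns anything past row `cap`, mimicking the 1,000-row ceiling above.
function fakeCappedClient(total, cap) {
  return function (options, cb) {
    var u = new URL(options.url);
    var offset = Number(u.searchParams.get('offset'));
    var count = Number(u.searchParams.get('count'));
    var end = Math.min(offset + count, total, cap);
    var results = [];
    for (var i = offset; i < end; i++) results.push({ _serial: i });
    cb(null, { statusCode: 200 }, JSON.stringify({ results: results }));
  };
}
```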


Proper input.conf setup - Apache Tomcat

Hello,

I'm trying to find out why only one sourcetype (the last one) is being monitored. Could someone please tell me how to configure input.conf? I'd like to capture some apache/tomcat logs and set different sourcetypes. When I let splunk automatically set sourcetypes it appends the dates to the sourcetype field.

[default]
host = NDV-MWWEB01

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = catalina.*
sourcetype = catalina

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = localhost.(.*)
sourcetype = localhostApache

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = localhost_(.*)
sourcetype = localhostApacheAccess

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = tomcat7.0.42-stderr(.*)
sourcetype = stderrApache

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = tomcat7.0.42-stdout(.*)
sourcetype = stdoutApache
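An added check, not part of the original post: a small parser for inputs.conf-style text that groups keys by stanza header, reports headers that appear more than once, and shows the merged view in which a key repeated across same-named stanzas keeps only the last value. The sample config is constructed here with a shortened path but the same layout as the five stanzas above.

```javascript
// Added example, not from the original post: find inputs.conf stanzas that
// share a header. Splunk merges stanzas with identical names, so for each
// repeated key only the last value survives; the parser below shows that view.

// Parse "[header]" / "key = value" text into file-ordered entries, keeping
// every occurrence of a header so duplicates stay visible.
function parseConf(text) {
  var entries = []; // [{ header, pairs: [[key, value], ...] }]
  var current = null;
  text.split(/\r?\n/).forEach(function (raw) {
    var line = raw.trim();
    if (!line || line[0] === '#') return;
    var m = line.match(/^\[(.*)\]$/);
    if (m) { current = { header: m[1], pairs: [] }; entries.push(current); return; }
    var eq = line.indexOf('=');
    if (eq < 0 || !current) return; // ignore stray lines outside a stanza
    current.pairs.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  });
  return entries;
}

// Headers that occur more than once, with how many times each appears.
function duplicateHeaders(entries) {
  var seen = {};
  entries.forEach(function (e) { seen[e.header] = (seen[e.header] || 0) + 1; });
  return Object.keys(seen).filter(function (h) { return seen[h] > 1; })
    .map(function (h) { return { header: h, count: seen[h] }; });
}

// Effective config after merging: same-named stanzas collapse into one and a
// key repeated across them keeps only the last value seen in file order.
function mergedView(entries) {
  var merged = {};
  entries.forEach(function (e) {
    var target = merged[e.header] || (merged[e.header] = {});
    e.pairs.forEach(function (p) { target[p[0]] = p[1]; });
  });
  return merged;
}

// Constructed sample reproducing the post's layout with a shortened path.
var SAMPLE_INPUTS_CONF = [
  '[default]', 'host = NDV-MWWEB01', '',
  '[monitor://C:\\Tomcat\\logs]', 'index = test', 'whitelist = catalina.*', 'sourcetype = catalina',
  '[monitor://C:\\Tomcat\\logs]', 'index = test', 'whitelist = localhost.(.*)', 'sourcetype = localhostApache',
  '[monitor://C:\\Tomcat\\logs]', 'index = test', 'whitelist = tomcat7.0.42-stdout(.*)', 'sourcetype = stdoutApache'
].join('\n');
```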

How can I find out about Splunk app updates?

When an app updates on apps.splunk.com how can I find out right away?

user role and permission

We have multiple departments with their data indexed into the Splunk indexer. How can we define roles/permissions so that each department can access only its own content/searches/indexes/sourcetypes? If a user "A" belongs to departments "D1" and "D2", user "A" should only have permission to the sourcetypes/content/searches/dashboards belonging to "D1" and "D2".

Can you please suggest the optimized solution for this in Splunk user management?

Integration with Cisco ISE version 1.2

How do I integrate the Cisco ISE logs (not syslog) into Splunk version 4.3.5? I am trying to create a dashboard and I am not able to do it. Is this a Splunk-ISE integration issue or a permission issue?

Regards, Kiran

SOS topology icons are not loading behind a reverse proxy

After running a trace with HttpFox in my browser, I found out why I wasn't able to see the icons in the "topology" view.

Icons in this view are referenced as relative to the "root" of the URL server. For instance,

/static/app/sos/images/Forwarder_orange.png

The problem is that this URL is not recognised by the reverse proxy as belonging to Splunk. Indeed, I had to define the "root_endpoint" parameter in web.conf and my reverse proxy relies on it. Eventually, I get a 404 HTTP error message from the reverse proxy.

Without a reverse proxy, Splunk is nice and redirects the previous URL to "http://$splunk_server/[$splunk_root/]en-US/static/app/sos/images/Forwarder_orange.png" but unfortunately my browser is not talking to splunk directly so won't get redirected.

By the way (but probably out of scope for SoS), the redirection appears to be hard-coded to "en-US", even if your locale in the URL was "en-GB".

Find All fieldnames for fields which contain a specified value

Hello,

My question is whether or not I can, via SPL, return a list of all field names which contain a specified value.

For instance, if I was looking for "superstar", can I construct a search which will return all fields which contain "superstar" as a value?

Thanks

Documentation: default installation path for R

FYI, the documentation for the R Project app states that "For Mac OS X and Linux or Unix, [the default installation path is] probably /usr/bin/R."

This is not correct. According to the official documentation at the CRAN R Project, "The default installation path for R.framework is /Library/Frameworks".


Indexer refusing connection

After upgrading to splunk 6 I am getting the following types of errors in the splunkd.log on the forwarders:

11-08-2013 14:28:53.337 -0500 ERROR TcpOutputFd - Connection to host="IPADDRESS":9997 failed
11-08-2013 14:28:53.338 -0500 INFO TcpOutputProc - Detected connection to "IPADDRESS":9997 closed
11-08-2013 14:28:53.338 -0500 INFO TcpOutputProc - Will close stream to current indexer "IPADDRESS":9997
11-08-2013 14:28:53.338 -0500 INFO TcpOutputProc - Closing stream for idx="IPADDRESS":9997
11-08-2013 14:28:56.510 -0500 WARN TcpOutputFd - Connect to "IPADDRESS":9997 failed. No connection could be made because the target machine actively refused it.

I replaced the actual IP address with "IPADDRESS".

Is there something else on the indexer side that might have been turned off during the upgrade? Receiving is enabled on 9997 on the indexer.

EDITED TO ADD:

On the server side I am getting lots of timeout errors like:

11-12-2013 08:52:44.061 -0500 ERROR TcpInputProc - Error encountered for connection from src="ANIPADDRESS":49886. Timeout Timed out after 600 seconds.
11-12-2013 08:55:51.927 -0500 ERROR TcpInputProc - Error encountered for connection from src="ANIPADDRESS":64594. Timeout Timed out after 600 seconds.

Splunk and Citrix admin logs

Hello everyone! I am currently trying to figure out an effective way to capture "Administrative logs" in Citrix Xenapp 6.5 via SPLUNK. I was going to install the forwarder on the Secure Gateways but now I am not sure.

Basically, any changes to the farm along with the admins login and login failures including timestamps will need to be captured....somehow.

As stated earlier, we are running XenApp 6.5 and Splunk 6.0.3. If anyone has any ideas or thoughts, or has gone down this road before, please let me know.

Thank you.

Using Single Value Decorations

I'm building a dashboard panel and want to use the Single Value Decorations.

Dashboard :

<dashboard stylesheet="single_decorations.css">
    <label>Single Value Decorations</label>
 <row>
    <single>
        <searchString>| stats count as value | eval value = 550 | rangemap field=value none=0-99 low=100-199 guarded=200-299 elevated=300-399 high=400-499 severe=500-599 default=none</searchString>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
        <option name="classField">range</option>
        <option name="field">value</option>
    </single>
....................................

The dashboard and single_decorations.css are placed in ../local/data/ui/views

When the dashboard is displayed the icons are not shown, and I guess that I have to provide a bunch of other JS files to use the Simple XML Extensions, but I'm unable to find any reference in the documentation on what is needed (files etc.) to use the extensions: what CSS, JS and so forth has to be copied where.

How to estimate the splunk storage size

I will be feeding 10 GB per day into 2 Splunk indexers (clustered environment), Replication Factor = 2, Searchable Factor = 2.

How to estimate the storage size for index data on each indexer?

Assuming data retention policy for search will be around for 1 year.

PerfmonMK support in Splunk App for Windows Infrastructure

Hello,

Is there any information about a timeline for PerfmonMK support within the Splunk App for Windows Infrastructure? We upgraded half our environment to Splunk 6 and the much more efficient new inputs only to find that they fell off the performance dashboard within the new application. Please advise. Thanks,

-Frank

ps_sos.ps1 Microsoft.PowerShell.Commands.WriteErrorException

I am getting the following in splunkd.log for ps_sos.ps1:

 D:\Splunk\etc\apps\sos\bin\powershell\ps_sos.ps1 : Exception of type 'Microsoft.PowerShell.Commands.WriteErrorException' was thrown.
 At line:1 char:2
 + . <<<<  'D:\Splunk\etc\apps\sos\bin\\powershell\ps_sos.ps1'
     + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
     + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,ps_sos.ps1

I am running 6.1.1 (free license) and SOS 3.2. Any ideas on what's going on and how to fix it?

Eval to find current time in another timezone

I'm familiar with the strftime and strptime commands and timezones, but can't seem to manipulate now() and convert it to a known timezone. As an example, now() returns in the PDT timezone and I would like to convert now() to CST6CDT. I tried using eval to do a diff but it doesn't return the field. Any idea why?

| eval time_diff=strptime("CST6CDT", "%Z")


splunk list deploy-clients error ospath_fopen

I'm seeing the below behavior in a Windows 7 environment. Any ideas?

C:\Program Files\Splunk\bin>.\splunk list deploy-clients
Operation "ospath_fopen" failed in .conf-mutator-locking.c:254, conf_mutator_lock(); No error

REST API Python example

http://docs.splunk.com/Documentation/Splunk/6.1/RESTAPI/RESTsearches

I am testing out this script and it works with a few modifications on the endpoints I changed.

/services/search/jobs','POST'

I changed the endpoint to:

/services/search/jobs/%s/results' % (sid),'GET'

My results are great, but they appear in xml format. Would I have to add "output_mode=csv" in the body argument?

body=urllib.urlencode({'search': searchQuery}))[1]

WinEventMon::processLogChannel unable to checkpoint

Hello, I have all my Splunk Universal Forwarders on Windows 2008 R2 machines that are generating this error:

ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='security'

The only modification that I have made is to the inputs.conf file adding:

[WinEventLog://Security]
disabled = 0
whitelist = 4624,4625,4634,4656,4659,4660

Any suggestion?

Regards, Danilo Massa

Is it safe to downgrade from 6.1 to 6.0.3?

I've found some show-stopping deployment server bugs and would like to know if it's safe to downgrade from 6.1 to 6.0.3 on both search heads and indexers in a distributed environment?

My concern is that there are some data model related changes that might break badly with a reversion.

Count of users in a month who cross a threshold of usage?

Hello Splunk Community,

I am trying to answer this question: How many users have logged into the system on at least 4 separate days during the last 30 days?

So far I’ve generated this search:

sourcetype="LogFile" ActionType="Login" earliest=-30d@d | chart dc(StartTime) as xcount by UserId | where xcount>4 | stats count as "Users >= 4 logins"

The issue that I’m facing is that I cannot determine how to count Logins by day. My current Search simply counts number of Logins although those logins may have all occurred on the same day, but I want to find out how many have logged in on at least 4 separate days.

Our StartTime data element is in the following format: dd/mm/yy H:M:S. I can truncate the StartTime down to dd-mm-yy with the following eval statement: eval StartTime=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")|eval StartTime=strftime(StartTime,"%d-%b-%Y"). However, I cannot figure out how to get the login counts associated with unique days, i.e., I have not yet been successful in moving the truncated date into my search.

Thank you,

Mike
