Channel: Latest Questions on Splunk Answers
Viewing all 13053 articles

How can I set a dynamic default value in a dropdown (Simple XML)


Is it possible to configure the dropdown input to take the first row returned by the populating search as its default? If I configure the dropdown as follows, it just has an empty field as its default.

<input type="dropdown" token="source" searchWhenChanged="true">
  <label>Select a Sourcetype:</label>
  <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype" earliest="-24h" latest="now">
    <![CDATA[index=_internal | stats count by sourcetype]]>
  </populatingSearch>
</input>

Thanks, Chris


Splunk App for Windows Infrastructure - LDAPSearch performance


I have been testing the Splunk App for Windows Infrastructure. Awesome.

My one disappointment in the app is its performance in very large Active Directory environments. Specifically, performance of queries about User, Group or Computer state sourced from SA-ldapsearch. LDAPsearch reports are unusably slow, taking minutes to render. An equivalent search using the Microsoft-based interfaces to AD (dsa.msc) takes less than a second to render identical results.

Are there any performance tuning options or development activities for SA-LDAPSearch?

multiline event not working


I am trying to split the following log into two events based on the line feed in between the events:

15-May-2014 11:49:12.563  (2ba825c174c0) LV3<trace>         THandlerUtil::transactionHandlerDispatch: Handle Message Start ==> 
15-May-2014 11:49:12.564  (2ba825c174c0) LV3<trace>         THandlerUtil::transactionHandlerDispatch: Call Sequence:[Scheduled
* 0x683a2e0514bc426aa3d85a3a4c27b76a->TCAutoStageEquipment[05/15/14 11:49:09:EquipId: [W29M6P5400] Workstation:[630PRB_NAND
15-May-2014 11:49:12.565  (2ba825c174c0) LV4<msg>             TCAutoStageEquipment::LotList:  Entering...
15-May-2014 11:49:12.566  (2ba825c174c0) LV3<trace>            Timer::Cancel: Canceled Timer Request for TIMER_malamhstes
15-May-2014 11:49:12.570  (2ba825c174c0) LV3<trace>           TCAutoStageEquipment::LotList: W29M6P5400: No lots to stage
15-May-2014 11:49:12.571  (2ba825c174c0) LV3<trace>            TCMIPCHandler::LogBusinessEvent: BECode:[ASAE21], BEShortDesc:[NothingToStage], BEText:[W29M6P5400: Nothing to stage - 0 lot lists in dispatch list]
15-May-2014 11:49:12.576  (2ba825c174c0) LV4<msg>             TCAutoStageEquipment::LotList:  Exiting...
0x019ffbf889e849a0b87f7dc25d396464->TCAutoStageEquipment[05/15/14 11:49:09:EquipId: [RMAC6M3700] Workstation:[630RDA_MACRO] ScheduleMethod:[RTD] StageToTheMax:[-empty-] FailedLots:[{}] StagedLots:[{}] BadRecipes:[{}] ClaimResource:[-empty-] State:[Running] ExpectedMessages:[{LotList,LotListTimeout}]]

15-May-2014 11:49:12.588 (2ba825c174c0) LV3<trace> THandlerUtil::transactionHandlerDispatch: Handle Message Start ==> 
15-May-2014 11:49:12.589 (2ba825c174c0) LV3<trace> THandlerUtil::transactionHandlerDispatch: Call Sequence:[ScheduledEvent

I tried the following in my props.conf and it does not work:

[source::.../trace/AMHSAutoStageSrv/.../AutoStageSrv-TransactionTrace*.trc]
sourcetype = autostagesrv_transactiontrace
TRUNCATE = 0
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = False
LINE_BREAKER = ^n
BREAK_ONLY_BEFORE = HandlesMessagesStart
MAX_EVENTS = 500

Any ideas?
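As an added illustration (an editor's example, not part of the question above and not Splunk's own code): a small Python emulation of how a LINE_BREAKER-style regex cuts a raw text stream into events. It assumes Splunk's documented rule that the first capturing group of LINE_BREAKER marks each event boundary and the text that group matches is discarded. The sample log is a shortened, constructed copy of the lines in the question, the two candidate regexes are assumptions chosen for the demonstration, and Python's re engine stands in for Splunk's PCRE.

```python
import re

# Constructed sample: a shortened copy of the log lines quoted in the question.
# The blank line between the two "Handle Message Start" blocks is the boundary
# the question wants to break on.
SAMPLE_LOG = (
    "15-May-2014 11:49:12.563  (2ba825c174c0) LV3<trace> THandlerUtil::transactionHandlerDispatch: Handle Message Start ==>\n"
    "15-May-2014 11:49:12.564  (2ba825c174c0) LV3<trace> THandlerUtil::transactionHandlerDispatch: Call Sequence:[Scheduled\n"
    "* 0x683a2e0514bc426aa3d85a3a4c27b76a->TCAutoStageEquipment[05/15/14 11:49:09:EquipId: [W29M6P5400]\n"
    "15-May-2014 11:49:12.565  (2ba825c174c0) LV4<msg> TCAutoStageEquipment::LotList:  Entering...\n"
    "15-May-2014 11:49:12.576  (2ba825c174c0) LV4<msg> TCAutoStageEquipment::LotList:  Exiting...\n"
    "\n"
    "15-May-2014 11:49:12.588  (2ba825c174c0) LV3<trace> THandlerUtil::transactionHandlerDispatch: Handle Message Start ==>\n"
    "15-May-2014 11:49:12.589  (2ba825c174c0) LV3<trace> THandlerUtil::transactionHandlerDispatch: Call Sequence:[ScheduledEvent\n"
)

# Two candidate LINE_BREAKER values (assumed here for illustration).
PER_LINE_BREAKER = r"([\r\n]+)"          # break at every newline run: one event per line
BLANK_LINE_BREAKER = r"(\r?\n\s*\r?\n)"  # break only at a blank line between blocks

# Events in this log are expected to open with a "DD-Mon-YYYY HH:MM:SS.mmm" stamp.
TIMESTAMP_PREFIX = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}")


def break_events(text, line_breaker):
    """Emulate LINE_BREAKER: the first capturing group marks each boundary and the
    text it matches is discarded; everything between boundaries is one event."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs at least one capturing group")
    events = []
    start = 0
    for match in pattern.finditer(text):
        chunk = text[start:match.start(1)]
        if chunk.strip():
            events.append(chunk)
        start = match.end(1)
    tail = text[start:]
    if tail.strip():
        events.append(tail)
    return events


def orphan_events(events):
    """Events whose first line carries no timestamp: continuation lines that a
    too-eager LINE_BREAKER turned into stand-alone events (a parsing failure mode)."""
    return [event for event in events if not TIMESTAMP_PREFIX.match(event)]


if __name__ == "__main__":
    for name, breaker in (("per line", PER_LINE_BREAKER), ("blank line", BLANK_LINE_BREAKER)):
        events = break_events(SAMPLE_LOG, breaker)
        print(f"{name}: {len(events)} events, {len(orphan_events(events))} without a timestamp")
        for event in events:
            print("  " + event.splitlines()[0][:70])
```

Running it shows the difference between the two choices on this sample: breaking at every newline yields seven events, one of which is the "* 0x683a..." continuation line with no timestamp of its own, while breaking only at the blank line yields the two transaction blocks, each starting with its own "Handle Message Start" line.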

Graph log attendancy


I am going to try to chart the daytime attendance check of our employees over the last week. For example, I am able to get this table by weekday:

index="asistencia" No=5 earliest=-7d@w0 latest=@w7 | eval myHour=strftime(_time, "%H") | Where (myHour >= 1) | stats values(Date) as entrada by date_mday Name | sort date_mday

     date_mday  Name      entrada
1    5          Jonathan  05/05/2014 02:02:47 p.m.   05/05/2014 06:19:58 p.m.
2    6          Jonathan  06/05/2014 05:54:03 p.m.   06/05/2014 08:30:05 a.m.
3    7          Jonathan  07/05/2014 06:04:21 p.m.   07/05/2014 08:38:07 a.m.
4    8          Jonathan  08/05/2014 06:59:31 p.m.   08/05/2014 08:16:02 a.m.
5    9          Jonathan  09/05/2014 06:08:43 p.m.   09/05/2014 08:12:51 a.m.

I don't know how to graph this table for all the employees, plotting the arrival time and the end-of-day time. Also, we want to be able to plot 2 lines in the chart showing the normal entrance time and end-of-day time.

Thanks for your help.

Regards

Daniel

Splunk 6.1.1 Upgrade, Distributed Search Key Problem


Has anyone experienced this error? I'm using a single deployment, not a distributed one.

Since the file was missing, I generated a generic distsearch.conf file and placed it under /opt/splunk/etc/system/local, and still get the same error when I try to start Splunk.

Migrating to: VERSION=6.1.1 BUILD=207789 PRODUCT=splunk PLATFORM=Linux-i386

* BEGIN PREVIEW OF CONFIGURATION FILE MIGRATION *

Unable to generate distributed search keys.

An error occurred: no 'tokenExchKeys' stanza exists in distsearch.conf. Your configuration may be corrupt or may be corrupt or may require a restart.

Splunk DB Input causing ORACLE temp space to fill up


We have a weird case our DBA and Splunk team are trying to resolve.

Our DBAs are seeing 124M of usage, increasing roughly 124M a day. We have multiple data inputs running on a schedule: two run a tail every 15 minutes, with another doing a full read every night at midnight.

DBAs think the issue is because the JDBC connection is never dropped, and would like us to cycle the JDBC connection daily if we can't configure the client to drop the connection after the scheduled job runs.

Anybody else experiencing this issue? If so, any ideas on how to resolve it? Is it possible to "cycle" javabridge to reset JDBC connections?

Any help would be appreciated.

How to configure sql server app

Concurrent searches in Splunk (System wide & user specific)


I have a search head with 16 cores & 2Gb RAM, using Splunk 5.x.
As per the calculation for concurrent searches, my system-wide concurrent search limit is 22:

max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
max_hist_searches = 1 x 16 + 6 => 16 + 6 => 22

22 is the maximum number of concurrent searches that my search head can handle.

I see that for the 'admin' role the values are as below:

Limit concurrent search jobs = 50
Limit concurrent real-time search jobs = 100

These values are present by default in Splunk Web, under the authorize.conf file.

How can the maximum concurrent search jobs limit be 50, when the system-wide limit itself is 22?

Also, if I specify a count greater than the system-wide limit, does Splunk override the value to within the allowed range?

In this case, how are other users affected when the 'admin' user takes full control with his maximum concurrent search limit?

I am confused by this. Please advise on how to limit users on concurrent searches, considering the system-wide limit.


The download script does not run automatically.


Hi,

The download script does not seem to run automatically in my environment (Redhat, Windows) despite the setting in the Symantec threatlist IP reputation feed. What do I need to do? Do any *.conf files need to be updated for this?

the download script: $SPLUNK_HOME/apps/TA-Symantec-DeepSight/bin/DSDownload.py

the setting: Splunk app for Enterprise Security > Configure > Data Enrichment > Threat List > Symantec threatlist ip reputation feed (Enabled)

I could run the script manually and download data successfully to my environment.

Thank you in advance.

How to Create Chargeback Reports in Splunk.


Hi, can anyone help me identify the data elements that can help generate a chargeback report? Is it possible in Splunk to generate a chargeback report?

Thanks in Advance.

Tiered Deployment Servers, is it possible?


Hi, we are working on planning a large Splunk deployment. I would like to know if it is at all possible to set up a deployment server which pushes out configurations / apps to another deployment server, which in turn pushes these out to light forwarders & indexers on the other side of a firewall (from the original deployment server).

Also, is it possible for an instance to be both a light forwarder and a deployment server?

Cheers

Use one forwarder to act as deployment manager to other forwarders


Hi,

I have a couple of heavy forwarders to monitor a particular platform, each one for a specific context (dev / test / prod). There is a central indexer with a working deployment manager where, for various reasons, I prefer not to put the config I want to deploy to my above-mentioned forwarders.

This appears to be a problem in the forwarder management setup on my "main" forwarder, as the host names of the "other" forwarders do not appear to be recognized. I can't find anything in the docs that hints at a restriction, but I can't find either where to define my "other" forwarders as clients of the "main" one. I can see serverclass.conf has been added after I saved the "Edit Clients" page; I also tried bouncing the forwarder, but no list of possible client hosts comes up.

What am I missing, please?

Thanks Vincent.

How does Splunk eat a newly copied edition of a file?


I mean, e.g., if I manually copy and overwrite a "message.log" in the Splunk monitoring path, and the new one contains some growth at the end compared to the old one, how could I make sure Splunk ignores the already indexed data and just eats the increased part?

Latest 6.1.1 lookup attribute definition UI for data models broken?


With the latest 6.1.1 installation, the UI for adding a lookup attribute to the data model seems not to work any more. I am not able to attach the screenshot to the post (due to insufficient karma), but this issue is 100% reproducible: just create a new data model and add an attribute using the default dnslookup. Is this a known issue?

How to confirm logs are forwarded from Universal forwarder ?


Temporarily I don't have access to the search head. I have set inputs.conf to forward Windows event logs to the Splunk indexer. How do I confirm that my logs are forwarded to the Splunk indexer from the Universal Forwarder?

I tested this:

> splunk list forward-server
Splunk username: admin
Password:*****
Active forwards:
        10.xxx.xxx.xxx:9997
Configured but inactive forwards:
        None

So, from this can I confirm logs are forwarded successfully?


dbconnect timestamp


I have DBconnect on an MSSQL server.

My timestamp in the DB looks like this: 2013-04-04 15:24:36.7170000

I've defined the following:

output.timestamp.format = "yyyy-MM-dd HH:mm:ss.SSS"
output.timestamp.parse.format = "yyyy-MM-dd HH:mm:ss.SSS"

The output from Splunk is 1970-01-01 00:59:59.999!

I've tried truncating the input to 2013-04-04 15:24:36.717 first, but got the same result.

Add Field Value AVG


I have a bunch of searches I have to do to get totals for a new value. As below, I have the first field that has values I get the avg of. name1 and name2 are added through addcoltotals to create the new value name3. I only need name3. I am doing this for 12 different new field values I need created. You can see my search as well. Is there a better eval way I can use to combine name1 and name2 to get the name3 values, in such a way that I can just create a search to display all the new values I need?

source=/app6/log/extrahop.log eh_event=TMAG* tname=QV2Watson OR tname=Login | stats avg(ctime) as avg_ctime avg(cntime) as avg_cntime avg(rtt) as avg_rtt by tname eh_event | table eh_event tname avg_ctime avg_cntime avg_rtt | addcoltotals labelfield=tname label=Logins

tname      avg_ctime  avg_cntime  avg_rtt
QV2Watson  10         120         24
Login      12         13          26
Logins     22         133         50

wrong host


Hello, please help me. I am trying to load the following log through splunkforwarder:

May 16 03:36:57 corosync [CMAN  ] daemon: sending reply 40000005 to fd 32
May 16 03:36:57 corosync [CMAN  ] daemon: read 20 bytes from fd 32
May 16 03:36:57 corosync [CMAN  ] daemon: client command is 7
May 16 03:36:57 corosync [CMAN  ] daemon: About to process command
May 16 03:36:57 corosync [CMAN  ] memb: command to process is 7
May 16 03:36:57 corosync [CMAN  ] memb: get_all_members: retlen = 880

And Splunk changes the host name for corosync; how do I bypass it?
