Why do I get no results when searching with CLI on Splunk local instance connected to search peer?
Hello, when I search on Splunk Web, I get results. However, when I search with the CLI on my Splunk local instance connected to the search peer, I get nothing. Any help is appreciated. Thanks.
How to set alert emails to send in plain text in Splunk 6?
Hi,
In Splunk 5, there was an option to send emails as plain text. I don't see that option anywhere in Splunk 6. How do I set that? The system settings had "Results format when included inline". That option is now gone.
Using eval to generate a dollar value and 2 decimals
Hey Splunkers,
I am attempting to run a search to generate a dollar value. My current search is:
index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<settlement>\d+)" | top 50 settlement | stats first(settlement)
This search produces the most recent transaction. The data is currently displayed as just a number value without the decimals. If you look at the results below, a value like 3500 should actually be $35.00.
My question is how can I get Splunk to insert both the decimal and the dollar sign?
Below is a broader search and its results:
index=pfe_os_messages sourcetype="log4j" | head 10000 | rex "getSettle(?:Now|ment)Total.+?(?<settlement>\d+)" | search settlement="*"
1 35:40.7 log4j 3500
2 35:40.6 log4j 0
3 35:40.6 log4j 3500
4 35:40.4 log4j 3500
5 35:40.4 log4j 3500
6 35:40.3 log4j 3500
7 35:40.3 log4j 3500
8 35:40.3 log4j 3500
9 35:40.3 log4j 3500
10 35:40.3 log4j 3500
Any information will be helpful. Thanks in advance, Splunkers!
Is there a way to limit the throughput of my forwarder?
I don't want my forwarder to consume too much bandwidth or other server resources sending out data. How can I limit throughput?
Reload separate element within HTML dashboard
Hi Splunk community,
I am working on an HTML dashboard for deeper customization of the data, for display on large screens and unattended. I have pretty good knowledge of CSS and HTML, so customization works well so far.
I am trying to set the dashboard to auto-refresh without reloading the whole page (which is somewhat easy with either a meta tag or JavaScript).
But what I would rather have is to refresh each element (that way I can choose which elements I want to refresh and how often).
I've played with various methods, but cannot find a way to reload each element on a dashboard. I've tried the Ajax .load() function, but it doesn't load data when reloading the element.
Any help will be appreciated.
Thanks
Limiting Forwarding Throughput
Hi, we are trying to limit the maxKBps of a couple of forwarders to 30 KBps. We are doing this because the app on those servers keeps messing up and logging gigabytes upon gigabytes per hour, which violates our license usage.
In limits.conf in the system local directory I have specified the following stanza:
[thruput]
maxKBps = 30
(30 KBps is more than enough to let this server index its logs at a good pace while not breaking the bank when their app screws up.)
Now, when I parse through our log files, I keep getting KBps throughput higher than this.
grep tcpout_connections /lcl/logs/splunk/metrics.log | awk '{print $12}' | tail -17
_tcp_KBps=0.01,
_tcp_KBps=0.01,
_tcp_KBps=0.01,
_tcp_KBps=0.01,
_tcp_KBps=0.07,
_tcp_KBps=0.01,
_tcp_KBps=0.01,
_tcp_KBps=0.01,
_tcp_KBps=0.71,
_tcp_KBps=162.86,
_tcp_KBps=289.25,
_tcp_KBps=284.02,
_tcp_KBps=303.00,
_tcp_KBps=307.52,
_tcp_KBps=307.61,
_tcp_KBps=303.70,
_tcp_KBps=303.26,
This is not an isolated incident; I have seen it shoot up to 912, or 168, etc. It shouldn't go higher than 30 KBps. Any assistance or input in this matter would be appreciated. (And no, we don't want to go to a lightweight forwarder, we just want the throughput limited.)
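As an added example, not from the post, a search over the forwarders' own metrics.log (forwarded to the _internal index by default) that separates single-sample bursts from a sustained average above the cap; the 30 KBps cap and the 5-minute window are taken from the post, and `_tcp_KBps` is re-extracted with rex so the search does not depend on the underscore-prefixed field being auto-extracted.

```spl
index=_internal sourcetype=splunkd source=*metrics.log* group=tcpout_connections
| rex "_tcp_KBps=(?<tcp_KBps>[\d.]+)"
| bin _time span=5m
| stats max(tcp_KBps) as peak_KBps avg(tcp_KBps) as avg_KBps count as samples by _time host
| eval cap_KBps=30
| eval status=case(avg_KBps > cap_KBps, "sustained over cap",
                   peak_KBps > cap_KBps, "burst over cap",
                   true(), "within cap")
| where status!="within cap"
| eval peak_KBps=round(peak_KBps, 2), avg_KBps=round(avg_KBps, 2)
| sort -_time host
```

A host that keeps showing "sustained over cap" is worth checking with `splunk cmd btool limits list thruput --debug` on that forwarder, which prints which limits.conf file actually supplies the maxKBps value in effect.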
Where to find SA-nix
I need to install SA-nix on the Search Head and Indexer.
Where can I find SA-nix? It is not in Apps, and I have not been able to find a reference that explains where to get it or how to create it.
How to exclude a certain field value from results
Search query: list the last known user (userid) on each host.
sourcetype=syslog source=/var/log/secure "pam_unix(sshd:session)" | rex "(?i) user (?P<userid>[^ ]+)" | stats latest(userid) as userid by host, _time | dedup host
I then want to exclude a particular user, "system", from the result list.
I tried NOT and "!=" in every part of the query, but it is not working. Can you help me with the search query?
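As an added example (not part of the post), the exclusion placed before the aggregation: filtering after `stats latest(...)` would drop a host entirely whenever its most recent session belonged to "system", whereas filtering the events first reports the last non-"system" user per host along with when that session was seen.

```spl
sourcetype=syslog source=/var/log/secure "pam_unix(sshd:session)"
| rex "(?i) user (?P<userid>[^ ]+)"
| search userid!="system"
| stats latest(userid) as last_user latest(_time) as last_seen by host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort host
```

`search userid!="system"` keeps only events that carry a userid with a different value; `search NOT userid="system"` would additionally keep events where the rex did not match at all.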
Poking TCP Ports
A vendor is requesting that we Poke several TCP ports and send specific text to capture application status. "Poke 8080, send http GET for / and Poke TCP 5222 and send string 'test123'".
I know how to use PowerShell to initiate a TCP connection to the ports and monitor port status that way:
$Ports = 8080, 5222, 5223
$Computer = "LocalHost"
foreach ($P in $Ports) {
    $Socket = New-Object Net.Sockets.TcpClient
    $RunTime = Get-Date
    try {
        # Try to connect; Connect() throws when the port is closed or filtered
        $Socket.Connect($Computer, $P)
        "$RunTime Port $P is open"
    }
    catch {
        "$RunTime Port $P is closed"
    }
    finally {
        # Release the socket whether or not the connection succeeded
        $Socket.Close()
    }
}
How can I modify this code to also pass a text string or command?
Error in 'databasePartitionPolicy': Max Raw Size Limit Exceeded
I am getting "Error in 'databasePartitionPolicy': Max Raw Size Limit Exceeded" on the overview page of the ModSecurity app when I switch to longer time frames.
My ModSecurity audit log is about 220 MB.
Does anyone know what this error means and how to fix it? I haven't been able to find anything regarding the Raw Size Limit.
Displaying the count of events over varying time spans
All,
I want to create a search that will return the count of events over the last 5 minutes, 30 minutes, hour, 6 hours, and day. I was able to develop a search that nearly gets me there, but the rows and columns are reversed.
Unfortunately, the "transpose" command doesn't quite work, since it messes up the column names and I can't easily replace them.
The search I have so far is below. Does anyone know how I can achieve this? Maybe my search needs to be changed completely. Not sure.
<mySearch>
| eval span1=if(_time>relative_time(now(),"-5m"),1,0)
| eval span2=if(_time>relative_time(now(),"-30m"),1,0)
| eval span3=if(_time>relative_time(now(),"-60m"),1,0)
| eval span4=if(_time>relative_time(now(),"-360m"),1,0)
| eval span5=if(_time>relative_time(now(),"-1d@d"),1,0)
| chart sum(span1) as Last5Mins, sum(span2) as Last30Mins, sum(span3) as LastHr, sum(span4) as Last6Hrs, sum(span5) as Today by instance
| transpose 50
So, I want the columns to be all the values for instance and the rows to be Last5Mins, Last30Mins, etc.
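As an added example, not from the post, the same five windows pivoted with `untable` followed by `xyseries` instead of `transpose`, which yields one row per window and one column per instance with the window names kept intact; `<mySearch>` is the post's own placeholder, and the search time range must cover the largest window for the counts to be complete.

```spl
<mySearch>
| eval Last5Mins=if(_time>relative_time(now(),"-5m"),1,0),
       Last30Mins=if(_time>relative_time(now(),"-30m"),1,0),
       LastHr=if(_time>relative_time(now(),"-60m"),1,0),
       Last6Hrs=if(_time>relative_time(now(),"-360m"),1,0),
       Today=if(_time>relative_time(now(),"-1d@d"),1,0)
| stats sum(Last5Mins) as Last5Mins sum(Last30Mins) as Last30Mins sum(LastHr) as LastHr sum(Last6Hrs) as Last6Hrs sum(Today) as Today by instance
| untable instance window count
| xyseries window instance count
```

`untable` turns the per-instance row into (instance, window, count) triples and `xyseries` rebuilds the table with `window` as the row key, so the row order follows the order of the columns above.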
DB Query with app Splunk DB Connect inside of Eval Expression
So, I'm trying to run DB queries with the Splunk DB Connect app inside of the eval "case" function. So, something like this:
index=eph | rex "(?P<Type>PaymentInstruction)"| rex "(?P<Type>OPIC)" | rex "(?P<EPHID>EPH\d+)"
| eval EPHID = case( isnull(Type), EPHID, Type == "PaymentInstruction", dbquery "mysql" "SELECT DISPLAYTRANSACTIONID FROM XXXX WHERE paymentinstructionkey = 'EntityKey'", Type == "OPIC", dbquery "mysql" "SELECT DISPLAYTRANSACTIONID FROM XXXX WHERE opickey='EntityKey'")
| table EPHID Type _raw
So if the event has a Type, I want to query the database to get its EPHID and plug it into the table to completely fill the table. However, I keep getting the following issue:
"Error in 'eval' command: The expression is malformed. Expected )."
Any ideas? Thanks!
EDIT:
Note, this search works properly:
index=eph sourcetype=websphere_trlog_sysout AND ("*EPH14*" OR "*Entitykey*") AND (`EPH-HPOV-Keyword` OR EPH-alerts) | rex
"EDT] (?P<TaskID>\w{8})" | where TaskID != "" | rex "Entity Key: (?P<EntityKey>\d+)" | rex "entityKey=(?P<EntityKey>\d+.\d+.\d+)"
| rex "EntityKey:(?P<EntityKey>\d+)" | rex "(?P<EPHID>EPH\d+)" | rex "(?P<Type>PaymentInstruction)"| rex "(?P<Type>OPIC)" |convert ctime(_time) as timestamp
| eval EPHID = case( isnull(Type), EPHID, Type == "PaymentInstruction", "PI", Type = "OPIC", "OP")
| table EntityKey EPHID TaskID Type timestamp _raw
So I don't think that passing fields is the issue. It must be something with the DB query clause.
Include stop/pause button in views?
Hello,
I am looking for a way to have a stop/pause button for some of my views. What I mean is that a user who felt like a search in the view was taking too long could press a button which would stop/pause a search (and all the postprocess searches downstream) and leave the results thus far up. I was thinking I would put the button right next to my search button. The search button would start a fresh search as expected, while the other button would be able to stop or pause the search and leave the results that had already been retrieved up as I've specified. Any help with this would be much appreciated.
P.S. As far as my attempts thus far go, I've tinkered around with a few Sideview modules such as Gate, but to no avail. I was looking through the documentation and wondering whether the CustomBehavior module might be the only way to do something like this.
How to display timechart as area chart over last 4 hours with span of 1 hour?
I will try my best to formulate my question, as I couldn't find anything similar asked already.
I am trying to display a timechart as an area chart over the last 4 hours with a span of 1h:
source="*searchstring*" index=main | timechart span=1h dc(user_id) as "Users"
At the time this was posted, my time was 4:50 pm. I am applying a custom time range of -4h@h to @h.
Very simple task and pretty straightforward.
The challenge is that my chart has blank space on its left edge and is missing the information for 4:00 pm.
Any help will be appreciated. (I cannot upload a screenshot, but I hope my explanation makes sense.)
Correct stanza for Physical Disk perfmon
I am evaluating Splunk and am trying to use the Windows Infrastructure app. When viewing the Performance Monitor dashboard I am not gathering any data in the Physical Disk metrics panel. I believe the problem lies with not knowing the correct stanza to use for the Physical Disk indexing, but I am still pretty green all around.
Below is a sample from my inputs.conf file: a section for logical disk that was automatically built during the Universal Forwarder installation and is functional, and a second part that is my attempt to add some physical disk monitors. I cannot find anywhere in the documentation what I should use for the stanza (the first line, if I am using the term incorrectly), and I think that is the problem I have with getting the data into the panel.
[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = _Total
interval = 3600
object = LogicalDisk
[PERFMON://Physical Disk] <---- I think this is where I am wrong
counters = Avg. Disk Write Queue Length;Disk Reads/sec;Disk Writes/sec;Avg. Disk sec/Read;Avg. Disk sec/Write
instances = *
interval = 3600
object = PhysicalDisk
Additionally, I also have blank panels for "System Metrics" and "Process Metrics". Correct stanza for these would also be appreciated.
How to get detailed report of installed forwarder on Windows deployment Server?
Dear all,
We have installed some forwarders on Windows machines and made them deployment clients, and we want to get reports on the forwarders from the deployment server (including the version of the forwarder that is installed). How do we get this type of information?
Thanks in advance.
Gajanan
How to get sum and charts of usage time values for corresponding fields?
I'm using Splunk 6.0.3.
When I search for "has been closed after being in use" I get a series of hits like the 4 sample lines shown below:
2014-06-17 18:26:47.219765 (UTC) Camera SITENAME-1.camera.CAMERANAME-1 has been closed after being in use for 175 seconds in automatic mode
2014-06-18 14:48:30.241732 (UTC) Camera SITENAME-2.camera.CAMERANAME-2 has been closed after being in use for 281 seconds in manual mode
2014-06-18 15:52:53.974993 (UTC) Camera SITENAME-3.camera.CAMERANAME-3 has been closed after being in use for 5494 seconds in Unknown mode
2014-06-18 15:53:10.312491 (UTC) Camera SITENAME-4.camera.CAMERANAME-4 has been closed after being in use for 5511 seconds in watching mode
How can I do a search to report the total usage time for each camera, at each site, in each mode?
And print pretty charts and plots? Thanks!
Fred.Ziegler@alum.mit.edu
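As an added example (not from the post), the site, camera, seconds and mode are pulled out of the message with a single rex whose shape follows the four sample lines above, then summed per site, camera and mode; the field names site, camera, seconds and mode are my own choice.

```spl
"has been closed after being in use"
| rex "Camera (?<site>[^.]+)\.camera\.(?<camera>\S+) has been closed after being in use for (?<seconds>\d+) seconds in (?<mode>\S+) mode"
| stats sum(seconds) as total_seconds count as sessions by site camera mode
| eval total_hours=round(total_seconds/3600, 2)
| sort site camera mode
```

For a plot, replace the `stats` line onward with `| timechart span=1d sum(seconds) as seconds_in_use by camera` and pick a column or area chart in the visualization tab.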
Is Cisco Security Suite compatible with Splunk 6.1? It only lists 6.0 on the app page.
If not, is there a timeline for 6.1 support?
How to render a table with more than 40 columns using Sideview Utils?
I want to render a table with more than 40 columns. I use the chart command with limit=50. However, sometimes not all columns are rendered, and columns like NULL show up that are not present in the data. Is there any other way to render more columns without columns like NULL or 'unknown' showing up in the table?
Why is configured prod_forwarder getting serverClass blacklist/whitelist configs from other environments?
So I seem to be having an issue with blacklists and whitelists. I've got the following configured below, but for some reason my prod_forwarder keeps getting configs for other environments. I'm trying to blacklist the specific indexers/sh/heavy fwd for each 'environment' and only have each environment pull down its respective configs, notably their specific outputs.conf file.
Help...?
Let's take my prod env for example:
[serverClass:prod_forwarder]
filterType = blacklist
blacklist.0 = *
blacklist.1 = 10.1.5.169
blacklist.2 = 10.1.5.170
whitelist.0 = 10.1.*.*
This config for some reason also pulls down the dqp and the bak below.
[serverClass:bak_forwarder]
filterType = blacklist
blacklist.0 =
blacklist.1 = 10.4.5.169
blacklist.2 = 10.4.5.169
whitelist.0 = 10.4.*.
[serverClass:bak-forwarder:app:bak-forwarder_outputs]
restartSplunkd = True
^^ this will get loaded to prod and dqp environments, where it should not be
[serverClass:dqp_forwarder]
filterType = blacklist
blacklist.0 =
blacklist.1 = 10.2.5.
blacklist.2 = 10.1.*.
blacklist.3 = 10.4.*.
whitelist.0 = 10.6.*.
whitelist.1 = 10.7.*.
whitelist.2 = 10.8.*.
whitelist.3 = 10.9.*.
[serverClass:dqp-forwarder:app:dqp-forwarder_outputs]
restartSplunkd = True
^^ gets loaded onto prod and bak