Channel: Latest Questions on Splunk Answers
Viewing all 13053 articles
Browse latest View live

How to configure '.out' files in inputs.conf?

Until now in our environment we have monitored only the log files in '.log' format on the Universal Forwarder server, as follows:

In inputs.conf:

[monitor:/Home_DB/Oracle/webcenter/logs/sites.log]
index = cms_clb
sourcetype = log4j

[monitor:/Home_DB/Oracle/webcenter/logs/cas.log]
index = cms_clb
sourcetype = log4j

Now, as part of a security requirement, we need to monitor a few more log files from the path `/Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out`, but these logs are in `.out` format. How do I add this path in inputs.conf, and once it is added, what would be the sourcetype for the `.out` format? Please help me out ASAP. Thanks in advance.
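As an added example (not from the post), here is the forwarder's inputs.conf with the `.out` file added next to the two existing stanzas, together with a small Python lint that can be run on the file before it is pushed out. The stanza form `[monitor://<absolute path>]` (three slashes on Unix) is the documented monitor syntax; the sourcetype name `weblogic_stdout` is an assumption, since Splunk does not derive the sourcetype from the file extension and any name can be assigned. The lint flags monitor stanzas with a relative path, a duplicate path, a missing `index` or `sourcetype`, or an explicit `disabled = 1`.

```python
import re

# Proposed inputs.conf for the forwarder: the two existing stanzas from the post
# plus the new .out file. The sourcetype name for the .out file is an assumption.
INPUTS_CONF = """\
[monitor:///Home_DB/Oracle/webcenter/logs/sites.log]
index = cms_clb
sourcetype = log4j

[monitor:///Home_DB/Oracle/webcenter/logs/cas.log]
index = cms_clb
sourcetype = log4j

[monitor:///Home_DB/Oracle/Middleware/user_projects/domains/webcenter/servers/webcenter-delivery1/logs/webcenter-delivery1.out]
index = cms_clb
sourcetype = weblogic_stdout
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Minimal .conf reader: a list of {'name', 'settings'} in file order, comments and blanks skipped."""
    stanzas = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = {"name": header["name"], "settings": {}}
            stanzas.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current["settings"][kv["key"]] = kv["value"]
    return stanzas


def monitored_paths(text):
    """The paths of every monitor:// stanza, in file order."""
    return [s["name"][len("monitor://"):] for s in parse_conf(text) if s["name"].startswith("monitor://")]


def lint_inputs(text, required=("index", "sourcetype")):
    """Return a list of human-readable problems; an empty list means the file passed."""
    problems = []
    seen = {}
    for stanza in parse_conf(text):
        name = stanza["name"]
        if not name.startswith("monitor://"):
            continue
        path = name[len("monitor://"):]
        if not path.startswith("/"):
            problems.append(f"{name}: path is not absolute")
        if path in seen:
            problems.append(f"{name}: duplicate of stanza {seen[path]}")
        seen[path] = name
        for key in required:
            if key not in stanza["settings"]:
                problems.append(f"{name}: missing {key}")
        # 'disabled' defaults to 0; an explicitly disabled input will silently collect nothing
        if stanza["settings"].get("disabled", "0").lower() in ("1", "true"):
            problems.append(f"{name}: input is disabled")
    return problems


if __name__ == "__main__":
    for path in monitored_paths(INPUTS_CONF):
        print("monitoring", path)
    for problem in lint_inputs(INPUTS_CONF):
        print("PROBLEM:", problem)
```

The lint only checks the stanza text; whether the forwarder's service account can actually read the `.out` file is a separate check on the host.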

How to feed .xml data into Splunk to run searches on?

I have some .xml files at a location, say `C/test/logs`. How can I configure Splunk to fetch those xml files and show results during a search operation?

Will Lookaheads/Lookbehinds Hurt Search Performance?

I have an index which processes around 10 million events per day. I did a few field extractions which had lookaheads and lookbehinds. Will this hurt my search performance with such massive volumes?

How to configure a monitor stanza on a Windows universal forwarder for two shared folders if I only have read/write permissions for 1?

Hi, I need help setting up a monitor stanza for the scenario below. I have one universal forwarder installed on a Windows machine, and there are two shared folders with different user access on the same machine, say:

C:\Users\splunkUser\Desktop\splunkShareFolder1 - RW permission to user1
C:\Users\splunkUser\Desktop\SplunkShareFolder2 - RW permission to user2

How do I monitor/index source files from these shared folders from my Windows local workstation when I am logged in as user1? Any pointers would be helpful. Regards, Badri Srinivas B

How do I edit this regex for proper field extraction dealing with both single and double spaces?

Having issues getting field extraction on Cisco ASA lines to work consistently without getting invalid information. Field extraction generates the following regex:

"^(?:[^ \n]* ){8}(?P[^:]+)"

The events that are skewed report the value as CDT. When the field extraction is performed on this set of events, the regex is:

"^(?:[^ \n]* ){9}(?P[^:]+)"

It appears to be counting spaces. The example where {8} is has a single space between the Aug and the 10, where the {9} has a double space between the Aug and the 9. I have attempted several manipulations on the regex without success.

Example where {8}:
Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group "aclname" [0x0, 0x0]

Example where {9}:
Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group "aclname" [0x0, 0x0]

[screenshot: 2015-08-10-12-54-00.png]
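An added example, not from the post, showing why the generated extraction drifts and one way to make it position-independent. The generated regex skips eight single-space-delimited tokens, so the padded day in "Aug  9" (an empty token) shifts the capture by one and the field lands on "CDT" instead of the message identifier. Matching whitespace runs with `\s+` and anchoring on the literal `%ASA-` removes the dependence on the token count. The two sample events are modelled on the lines quoted above; hosts and names are the post's placeholders. The alternative regex also accepts the more common `%ASA-4-106023` form without a facility word, which the post does not show.

```python
import re

# Constructed sample events, modelled on the two lines quoted in the post
# (hosts and names are placeholders, as in the original).
SAMPLE_EVENTS = [
    "Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp "
    'src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group "aclname" [0x0, 0x0]',
    "Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp "
    'src devicename dst outside:devicename by access-group "aclname" [0x0, 0x0]',
]

# The auto-generated extraction from the post: skip eight single-space-delimited
# tokens, then take everything up to the next colon. A day padded to two columns
# ("Aug  9") yields an empty token, so the count is off by one on those events.
NAIVE_RE = re.compile(r"^(?:[^ \n]* ){8}(?P<msg>[^:]+)")

# Position-independent alternative: whitespace runs are matched with \s+ and the
# message identifier is anchored on the literal "%ASA-" rather than on a token count.
# The facility word ("session") is optional so "%ASA-4-106023" parses as well.
ASA_RE = re.compile(
    r"^(?P<recv_mon>[A-Z][a-z]{2})\s+(?P<recv_day>\d{1,2})\s+(?P<recv_time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+:"
    r"(?P<dev_mon>[A-Z][a-z]{2})\s+(?P<dev_day>\d{1,2})\s+(?P<dev_time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<tz>[A-Z]{3,4}):\s+"
    r"%ASA-(?:(?P<facility>[^-\s]+)-)?(?P<severity>\d)-(?P<msg_id>\d{6}):\s+"
    r"(?P<message>.*)$"
)


def naive_extract(line):
    """What the generated {8} extraction returns for a line (None if it does not match)."""
    m = NAIVE_RE.match(line)
    return m.group("msg") if m else None


def parse_asa(line):
    """Whitespace-tolerant parse of an ASA syslog line into named fields (None if it does not match)."""
    m = ASA_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        fields = parse_asa(line)
        print("naive  :", naive_extract(line))
        print("robust : msg_id=%s severity=%s tz=%s" % (fields["msg_id"], fields["severity"], fields["tz"]))
```

On the first line the naive extraction returns the message identifier, on the second (padded day) it returns "CDT"; the anchored regex returns the same fields for both.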

How to deploy updates to inputs.conf, outputs.conf, and deploymentclient.conf files to the "C:\Program Files\Splunk\etc\system\local" directory?

I have created an app (which includes updates for the inputs.conf, outputs.conf and deploymentclient.conf files), an associated server class, and have successfully deployed the app to all clients I have listed in the Forwarder Management section. On the server side, the app resides in the `/opt/splunk/etc/deployment-apps` directory. On the client side the apps are downloaded to the `C:/Program Files/Splunk/etc/apps` directory. In order for my forwarders to pass on the relevant information to my indexer, I need the .conf files contained in the app to be pushed out to the `C:\Program Files\Splunk\etc\system\local` directory. How can I make this happen? Thank you, Tom Forbes

Configuration for Identify & Index events with future date

Hi Splunkers, events are coming in with future dates. How do I identify the future events and index them? Thanks,

How to add a row into table?

How can I add a row into a table either manually or through a look-up table? I would like to insert the row right below the column headers, and will use them to include descriptions of each column.

How to plot durations in a stacked area chart?

Hey, I'm a first-time user and I'd like to use Splunk for observing performance issues in an application. We want to see how much time an application uses to fetch the data and render the data. Basically the planning application fetches data from a DB backend and renders it onto the screen. Sometimes the user wants to view the data in a grid, sometimes in a graphical chart, sometimes even both (multiple windows can be open at the same time). In case both views are open, the system only retrieves data once. The app produces the following log at the moment:

2015-08-31 10:29:02:666 1 start-total Next Day
2015-08-31 10:29:02:686 1 start-data refresh function
2015-08-31 10:29:04:284 1 end-data refresh function
2015-08-31 10:29:04:333 1 start-render planning grid
2015-08-31 10:29:08:114 1 end-render planning grid
2015-08-31 10:29:09:227 1 end-total Next Day
2015-08-31 10:30:12:444 2 start-total planningblock
2015-08-31 10:30:12:485 2 start-data refresh function
2015-08-31 10:30:14:333 2 end-data refresh function
2015-08-31 10:30:14:356 2 start-render planning chart
2015-08-31 10:30:18:986 2 end-render planning chart
2015-08-31 10:30:18:999 2 start-render planning grid
2015-08-31 10:30:24:324 2 end-render planning grid
2015-08-31 10:30:24:554 2 end-total planningblock
2015-08-31 10:32:01:464 3 start-total active planningblock
2015-08-31 10:32:01:470 3 start-data refresh function
2015-08-31 10:32:03:001 3 end-data refresh function
2015-08-31 10:32:03:011 3 start-render planning chart
2015-08-31 10:32:09:975 3 end-render planning chart
2015-08-31 10:32:10:015 3 end-total active planningblock

I started by extracting fields:

time: 2015-08-31 10:29:02:666
id: 1
timeindicator: start-total
action: Next Day

I played around with the transaction command, but I can't get it quite right. Ideally the output is a stacked chart with the cumulative duration per id over the time entries. In the example data for id=2, there are two render actions, i.e. the application is rendering a "planning grid" view and a "planning chart" view (using the same data, hence only one data refresh). I would like to produce a result similar to this chart: https://www.dropbox.com/s/i9vztu04fqilkmi/Screen%20Shot%202015-08-10%20at%2023.46.35.png?dl=0 (note that the chart I prepared in Excel is using slightly different demo data). Thank you already in advance, Erik

Why am I getting c# oneshot search exception "Object reference not set to an instance of an object"?

Hello, I got this exception lately, and I have no idea why. 2 days ago everything was fine, and I have absolutely no idea what is going on now. I would be thankful for help with this (in the image, Form1.cs line 45 is `using (var stream = service.Oneshot(oneshotQuery, outArgs))`):

using Splunk;

private void Form1_Load(object sender, EventArgs e)
{
    try
    {
        var connect = new ServiceArgs
        {
            Host = "myip",
            Port = 8089,
            Scheme = "https"
        };
        Splunk.Service service = new Splunk.Service(connect);

        var oneshot = new Splunk.Client.JobArgs();
        //oneshot.EarliestTime = "2015-08-09 10:25:00";
        //oneshot.LatestTime = "2015-08-09 11:25:00";

        String oneshotQuery = "search * | head 10";
        var outArgs = new JobResultsArgs
        {
            OutputMode = JobResultsArgs.OutputModeEnum.Xml,
            Count = 0,
        };

        using (var stream = service.Oneshot(oneshotQuery, outArgs))
        {
            using (var rr = new ResultsReaderXml(stream))
            {
                foreach (var @event in rr)
                {
                    richTextBox1.Text += "Event:" + Environment.NewLine;
                    foreach (string key in @event.Keys)
                    {
                        richTextBox1.Text += "  " + key + " -> " + @event[key];
                    }
                }
            }
        }
        button1.BackColor = Color.Green;
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.ToString(), ex.Message.ToString());
    }
}

[screenshot: exception.png]

How to calculate a duration percentage in a transaction search for non-existent events?

I have this specific issue where I'm trying to calculate the percentage of online time for a set of devices. I created the following search:

...| transaction startswith="offline state start" endswith="offline state end"
   | stats sum(duration) as total_offline
   | eval online=100*(86400-total_offline)/86400

This works fine if "offline state start" and "offline state end" exist in the logs and I can calculate the online state percent based on that, but if those strings do not exist in the logs, then how can I calculate the online percent? Ideally, it should be 100% online if everything is fine (meaning if it could not find offline events), but how can I successfully execute eval to 100% if the logs do not have "offline state start" and "offline state end"?
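An added example (not from the post) of the computation the search above performs, written so that the two cases the transaction/stats pipeline cannot express on its own come out right: a device with no offline events at all gets 100% because the device list is an input rather than something derived from the offline events, and an outage that has started but not ended by the end of the window is counted up to the window boundary instead of being dropped. The events, device names and window are constructed for the example.

```python
from datetime import datetime

OFFLINE_START = "offline state start"
OFFLINE_END = "offline state end"

# Constructed sample events as (timestamp, device, message); device names are hypothetical.
EVENTS = [
    ("2015-08-10 00:00:00", "dev-a", OFFLINE_START),
    ("2015-08-10 01:30:00", "dev-a", OFFLINE_END),
    ("2015-08-10 20:00:00", "dev-a", OFFLINE_START),
    ("2015-08-10 20:15:00", "dev-a", OFFLINE_END),
    ("2015-08-10 23:00:00", "dev-c", OFFLINE_START),  # outage still open at midnight
    ("2015-08-10 12:00:00", "dev-b", "heartbeat ok"),  # unrelated event, must be ignored
]
# The device population comes from an inventory, not from the offline events themselves,
# otherwise a device that never went offline would simply be absent from the result.
DEVICES = ["dev-a", "dev-b", "dev-c"]
WINDOW_START = datetime(2015, 8, 10)
WINDOW_END = datetime(2015, 8, 11)


def offline_seconds(events, window_start, window_end):
    """Seconds each device spent offline inside the window, pairing start/end events per device."""
    offline = {}
    open_since = {}
    for ts_text, device, message in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if message == OFFLINE_START:
            open_since.setdefault(device, ts)  # a repeated start keeps the earliest one
        elif message == OFFLINE_END:
            # an end without a start means the device was already offline when the window began
            start = open_since.pop(device, window_start)
            offline[device] = offline.get(device, 0.0) + (ts - start).total_seconds()
    for device, start in open_since.items():
        # started but never ended: offline from the start until the end of the window
        offline[device] = offline.get(device, 0.0) + (window_end - start).total_seconds()
    return offline


def online_percent(devices, events, window_start, window_end):
    """Online percentage per device over the window, 100.0 for devices with no offline events."""
    window = (window_end - window_start).total_seconds()
    offline = offline_seconds(events, window_start, window_end)
    return {
        device: round(100.0 * (window - min(offline.get(device, 0.0), window)) / window, 2)
        for device in devices
    }


if __name__ == "__main__":
    for device, pct in online_percent(DEVICES, EVENTS, WINDOW_START, WINDOW_END).items():
        print(f"{device}: {pct}% online")
```

The `min(..., window)` clamp keeps the percentage from going negative if overlapping outages are ever double-counted by a noisy source.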

Is there any special procedure for using fschange for file integrity checks on AIX using Splunk 5?

Hi, I am using Splunk 5. We are using fschange for file integrity checks on Linux and Solaris, but when I try using it on AIX, I am unable to view file changes. Is there any special procedure when we use fschange on AIX? Thanks, Jay

Splunk App for Web Analytics: I've imported data and can see it in the data summary, but why do dashboards show "No results found"?

I've imported my data, I've done my generate pages and generate user sessions. I can see everything in the data summary, but when I go to behaviour or any of the dashboards, I get "No results found". What the heck am I doing wrong? so frustrating!

User uploading data via Search head cluster web UI

I migrated to Search Head clustering from pooling a while ago. Way back when, I advised a user that they would be able to upload files via the web interface when they had said data. Now, months later, this user is wondering where the "Add Data" option disappeared to. Presumably it's intentional that it's gone from SHC systems (it's still available on our other systems for instance). I was wondering if there would be issues with enabling it via the "temp show all setting screens" thing? The SHC systems all forward all data they get to the indexers anyway, so even if they index it, it should pass to the back end. I assume there's a solution. Otherwise the cloud offering wouldn't have the file upload capability. Thanks.

What is the recommended architecture for a Windows universal forwarder to an indexer cluster?

What's the recommended best practice to architect a Windows universal forwarder to an indexer cluster? Is it better to forward all the Windows UF data to a VIP or just have them go straight to the indexers?

inputlookup not returning all rows

I have a csv file as a lookup, named "resources.csv." Looking at the actual file, it has about 30,000 lines. In the Splunk search, I am only getting about 15,000 results, though. I'm using the following command to view the lookup table: |inputlookup resources.csv The csv file is updated through a script I have running each morning. I have restarted the searchhead that this lookup file is being read by. Nothing has seemed to work. Still only about 15,000 results from the inputlookup command. Any suggestions?

Can the Splunk App for Unix and Linux be installed on Splunk Cloud?

If so, can it be installed by the user, or does this require a ticket to install on the server? Thanks, Mark

Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error."

Question 1: Is there a centralized place to search for all Splunk error messages? Searching answers.splunk.com I've not been able to find a reference to, or solution for, "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector."

Question 2: Why does this rex query work fine in a search, but then fail when used in both a primary and a subsearch? I need to parse fields in both places. I built an initial query that worked fine alone, then created a subsearch and copied/pasted the rex into it. It now fails with "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." What do you think is going on, and how do I fix it? The purpose is to find Devices with Tasks that failed at one time, but where a later Task succeeded. Thanks so much. Here is the code, although for some reason the * asterisks after each dot (.) in the regexes don't seem to come through in the preview window:

source="File1.csv" index="inventory-legacy"
| regex Notes="^Succ.*"
| transaction Description
| rex field=Description "^(?[^-]+).*"
| rex field=Description "^[^-]+-(?.*)"
    [ search source="File1.csv" index="inventory-legacy"
      | regex Notes="^Fail.*"
      | transaction Description
      | rex field=Description "^(?[^-]+).*"
      | rex field=Description "^[^-]+-(?.*)"
      | dedup DeviceName, TaskID
      | fields DeviceName ]
| sort -_time, +TaskID, +DeviceName
| table _time, TaskID, DeviceName, Description, Notes

rolling hot db to warm in 6.2: getting Unknown search command 'oldsearch'

I am following this documentation: http://wiki.splunk.com/Community:BestPracticesForBackingUp to try to force a hot-to-warm db roll. The Splunk version is 6.2.2, free version.

./splunk search '| oldsearch !++cmd++::roll' -auth splunk
Unknown search command 'oldsearch'

Any ideas what I am missing? Thanks! Xueshan

How to monitor file changes in Splunk?

Hi guys, I need to monitor file changes in Splunk. I have a file that is updated constantly, and I need to know when there's an update, and if possible, where it changed. I'll be grateful for any help. Regards
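An added example, not from either post, serving both this question and the fschange-on-AIX question above: a portable baseline-and-compare file integrity check in Python that does not depend on any platform-specific input. It records mode, owner, size, mtime and a SHA-256 of every regular file under a directory, diffs two baselines to report files added, removed or modified (and which attributes changed), and for text files reports which line ranges differ. The content hash is what catches an edit whose mtime has been put back, which an mtime-only check misses. `run_demo` builds that scenario in a temporary directory; the file names and contents are constructed for the example.

```python
import difflib
import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path


def file_record(path):
    """Metadata plus a SHA-256 of the content for one file; symlinks are not followed."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def build_baseline(root):
    """Record every regular file under root, keyed by its path relative to root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(old, new):
    """Which files appeared, vanished or changed between two baselines, with the attributes that differ."""
    changes = {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)), "modified": {}}
    for name in sorted(set(old) & set(new)):
        keys = set(old[name]) | set(new[name])
        diff = {k: (old[name].get(k), new[name].get(k)) for k in keys if old[name].get(k) != new[name].get(k)}
        if diff:
            changes["modified"][name] = diff
    return changes


def changed_lines(old_text, new_text):
    """Line ranges that differ between two text versions: (tag, old_from, old_to, new_from, new_to), 1-based."""
    matcher = difflib.SequenceMatcher(None, old_text.splitlines(), new_text.splitlines())
    return [(tag, i1 + 1, i2, j1 + 1, j2) for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def run_demo():
    """Constructed scenario: one file edited with its mtime put back, one removed, one added."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "sub").mkdir()
        a, b, c = root / "a.txt", root / "sub" / "b.txt", root / "c.txt"
        a.write_text("one\ntwo\n")
        b.write_text("x\n")
        before = build_baseline(root)
        old_stat = os.stat(a)
        a.write_text("one\nTWO\n")                              # same size, different content
        os.utime(a, (old_stat.st_atime, old_stat.st_mtime))     # mtime reset, as a tamperer would do
        b.unlink()
        c.write_text("new\n")
        changes = compare(before, build_baseline(root))
    finally:
        shutil.rmtree(root)
    return changes, changed_lines("one\ntwo\n", "one\nTWO\n")


if __name__ == "__main__":
    # usage: fim.py baseline DIR FILE.json   |   fim.py check DIR FILE.json
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        with open(sys.argv[3], "w") as fh:
            json.dump(build_baseline(sys.argv[2]), fh, indent=1, sort_keys=True)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as fh:
            print(json.dumps(compare(json.load(fh), build_baseline(sys.argv[2])), indent=1))
    else:
        print(json.dumps(run_demo()[0], indent=1))
```

Keep the baseline file somewhere the monitored host cannot rewrite it (or forward it to Splunk as soon as it is produced); a baseline stored next to the files it describes can be regenerated by whoever changed them.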