Forums: Posted by Burana400
| Topic | Author | Replies | Latest Post |
|---|---|---|---|
|
Strange Events
In: SplunkAdministration
(Not tagged)
Nope... this is on a Unix Box and I checked that there is no \x0 character in the file....
|
mborner
Posts |
3
|
24 days ago... |
|
REPEAT_MATCH does not repeat
In: SplunkAdministration
(Not tagged)
I have something like this in my logs:
bw_relayhost_abc.ch@test.ch=adjsfsdfsf bw_relayhost_cde.ch@test2.ch=adjsfsdfsfbw_relayhost_abc.ch@test.ch=adjsfsdfsf
My ...
|
Burana400
Posts |
1
|
25 days ago... |
|
Help with transaction
In: SplunkAdministration
(Not tagged)
I want to search for following transaction:
Logfile1:
20081104 23:55:17 6E/28-07006-952A0194 ECINFO ...
|
Burana400
Posts |
1
|
25 days ago... |
|
Fields with data and spaces
In: SplunkReporting
(Not tagged)
I have the same problem.
The interactive field extraction proposes I should use something like:
[smtp_subject]
REGEX ...
|
cdillardhsp
Posts |
15
|
25 days ago... |
|
Multi-Value fields
In: SplunkAdministration
(Not tagged)
I tried to index some multi-value fields
transforms.conf:
[mgr-subject]
REGEX = Subject:\s(.*)
FORMAT ...
|
Burana400
Posts |
1
|
2 months ago... |
|
Preprocessing a log file
In: SplunkAdministration
(Not tagged)
From props.conf:
invalid_cause = <string>
* Can only be set for a [<sourcetype>] stanza.
...
I have tried the unarchive_cmd command and it does absolutely nothing. How can I debug what the problem ... |
stonor
Posts |
5
|
2 months ago... |
|
Multiline match
In: SplunkAdministration
(Not tagged)
Hmm, but I was not looking for a multi-valued field, instead I was looking for fields in multiline events.
It ...
Yeah, but this was a question about multiline match :-) I'm trying to index mail headers like this: Received: from host.domain.com (111.11.1.111 by host2.domain.com ... |
Burana400
Posts |
3
|
2 months ago... |
|
Repeating Entries
In: SplunkGeneral
(Not tagged)
Hi
Syslog and ipfilter are aggregating repeating entries
Like "Last message was repeated x times" ...
|
Burana400
Posts |
1
|
7 months ago... |
|
Search modifiers
In: SplunkPreview
(Not tagged)
Stranger than fiction...
I tried a simple [tail:///var/adm/messages] in a separate bundle.
The ...
On Preview 3 Solaris/SPARC it seems like the search modifiers maxresults and readlimit do not work. Without ... |
Burana400
Posts |
1
|
10 months ago... |
|
Suggestion: Audit for Windows Registry
In: SplunkPreview
(Not tagged)
Auditing the windows registry would be a neat function.
I'm thinking about a feature similar to ...
|
Burana400
Posts |
1
|
11 months ago... |
|
WinEventLog
In: SplunkPreview
(Not tagged)
Hi Ledio
I'm running WinSplunk on WinXP just to get a feeling.
About additional fields to be extracted, ...
How does the WinEventLog processor work? I guess some fields are extracted automatically (event metadata ... |
Burana400
Posts |
9
|
11 months ago... |
|
multikv.conf example
In: SplunkPreview
(Not tagged)
Still no multikv.conf.example in Preview 3 :-(
Anyone? Can anybody give me a multikv.conf example? I guess this can be used for "iostat"-like output? Would ... |
Burana400
Posts |
2
|
11 months ago... |
|
File System Monitor
In: SplunkPreview
(Not tagged)
I've installed Preview 3. Thanks for fixing the bugs so far...
Unfortunately, I've found a new one:
On ...
Thanks Rob White/Blacklisting seems to work now. I have a new problem with following stanza: [fschange:/etc] pollPeriod=60 fullEvent=true recurse=false signedaudit=false followLinks=false The ... More to come... :-) Shouldn't it be possible to also set host and sourcetype in the fschange ... I have another problem: Sun Dec 16 19:19:49 2007 action=update, path="/home/myhome/mdf.zip", isdir=0, ... Never mind, just found the deletion event... BTW: I've just deleted a monitored file. Shouldn't it create some kind of event for this? Or is this ... First kudos to you! It's really great having access to preview functions... I've got a problem with ... |
Burana400
Posts |
9
|
12 months ago... |
|
Fixed fields extraction
In: SplunkAdministration
(Not tagged)
Is there another update regarding this bug? It should be possible to index fields containing spaces....
Just wanted to ask if you found out if this is a bug or not... Cheers Burana Do you have an update on this issue? Thanks! Thanks Alex for your efforts. I was able with some effort to write a single effort. I'm still convinced, ... Hi Alex The sample I've sent you had 4 spaces, yes, but the problem is not solved...but I'm getting ... New case opened CASE [10275] I have opened a case (no answer yet). I've played a little bit around with the regex and the logfile. If ... I'm having trouble with extracting a log file with fixed fields... The log file has following format ... |
araitz
Posts |
15
|
14 months ago... |
|
Reporting zero events
In: SplunkReporting
(Not tagged)
I just found out that I have to add "where count < 1" to my query.
The problem seems to be, that a ...
I'm trying to report based on missing events. My report looks currently like this sourcetype::nb enddaysago::1 ... |
Burana400
Posts |
2
|
14 months ago... |
|
Multiline syslog event
In: SplunkGeneral
(Not tagged)
Is there a way to tell splunk to read ahead?
In Syslog I often see multiline events like this:
Oct ...
|
Burana400
Posts |
–
|
14 months ago... |
|
Sucking config files in
In: SplunkGeneral
(Not tagged)
I just found the error. The parameter CHECK_METHOD = entireMD5 should read CHECK_METHOD = entire_MD5
Thanks ...
The entireMD5 sounds logical, but it doesn't work. -I added a hash to the end of the file => an event ... The settings under the config bundle already contain the CHECK_METHOD and DATETIME_CONFIG settings. ... Now that I played a little bit with this feature I found two little glitches... I tailed /etc/hosts ... Thanks for your answer. It seems that in 3.0 there are a lot of new properties available... There ... I'm trying to suck configuration files into splunk. I want to do this with the batchloader. The batchloader ... |
Burana400
Posts |
12
|
17 months ago... |
|
Authorization
In: SplunkRequest
(Not tagged)
Are there any plans to implement authorization into splunk? (=> e.g. who is allowed to see what logfiles).
I ...
|
Burana400
Posts |
1
|
17 months ago... |
|
Splunk-2-Splunk over TLS/SSL
In: SplunkRequest
(Not tagged)
Any update on this topic? Is TLS/SSL coming in 3.0 or 3.1?
While SSH tunneling is nice, it is still an additional thing to administrate. I guess it would not be ... |
Burana400
Posts |
3
|
22 months ago... |