Forums: Posted by pstein

...and I know I can match the string by doing the following but would rather have a shorter search....if ...
We are running v3.4.9....Hopefully Q1 will bring us up to v4.x
I have a search string that needs to be matched and only alert when the numbers in the string pair match. Example: local ...

I am searching for a host but would also like to add in all the host's hosttag associated with it. A ...

**Thanks**....this is what I used to index data on the NAS by the server name and no others, removing ...
....ah come again!? Any type of example or link to this knowledge would be beneficial. Thanks.
I need to somehow get Splunk to use a variable in the dir path: [monitor:///n01/oraadmin1/diag/tnslsnr/$HOSTNAME] ...
Splunk v3.4.9 I have an oracle RAC cluster that has the following inputs.conf file [monitor:///n01/oraadmin1/diag/tnslsnr/] disabled=false _whitelist=.*\/(alert|trace)\/(log.xml|listener\_[\w]+\.log)$ crcSalt=<SOURCE> and ...

....now that's what I am talking about //**Willis!**// /n01/oraadmin1/diag/tnslsnr ...
Yes....I am using this on a LightForwarder. I was unaware that you could break out multiple [source::.../<file>] ...
I am trying to index a log.xml file and have had NO luck unless I specify the full directory and file ...

ChaChing!....with the forwarders in place and the messages coming from each forwarder the changes needed ...
With the changes above and a restart of Splunk on the indexing server I am still unsuccessful on removing ...
So here is what I have setup on my indexing server: Props.conf [oracle_host] TRANSFORMS-oracle_host=pruneoraclestatusmsg Transforms.conf [pruneoraclestatusmsg] REGEX ...
Like the other nullQueue entries, I put this on the indexer that was seeing the message. But, you may ...
Even though I doubt that would have any affect, I tried it and the same result. Splunk is still indexing ...
I have the following line I am trying to REGEX by pulling the following "sent status msg to all nodes" ...

I have no idea where the timestamps came from. All I know is they were being indexed on 03-01 and when ...
Yesterday we saw our host count rocket from ~6000 servers to over 24,000 servers and looking at the ...

I have the following line from a WAN device and would like to understand how to better manipulate the ...

I am attempting to search via the UI for the following IP: 167.68.150.1 What I am looking for is "just" ...

As always, **Spot on!** Thank you. PStein
I have looked through the docs and browsed the online sites to no avail. I have Splunk setup on my SuSE ...

I have a client that currently has a grep/awk tool for looking up LAN WAN data and also searching ACL's ...

Found out it was actually the MIME type settings. Found under the ***known issues*** section from the ...
Is Splunk supported on ***SLES10 sp1 - (x86_64), Kernel 2.6.16.46-0.12-smp***? Currently when I install ...

Thank you for following up. Please post this under Thomson Reuters. Love to see it in v4.0 major re...
I know you can setup multiple indexes for different types of data, but can you search against both in ...

Thanks. This helps, and I also determined using "splunk start --debug" to find out Splunk was reporting ...
Alex, Sorry this is dragging on so long but this is critical to getting our Oracle team onboard with ...
Keep in mind the bold setting in reply 11 is due to the asterisks in the data strings. Thanks.
This is a typical entry in the *.dat file pine:/u01/app/oracle/osw/archive/oswvmstat # more pine_vmstat_09.13.08.0900.dat zzz ...
Despite my ../bundles/local/props.conf file looking like this: # Adding in line for Oracle Data and ...
I don't know if it matters, but the way time was listed in my example was changed due to this GUI interface ...
A little follow-up. Now that I can get the _whitelist to expand and check the file list with ../splunk ...
ChaChing! The /.../ path wildcard did the trick. As always, ARaitz, you are ** the best!**
I am trying to build a _whitelist for a path and the second to last directory has multiple

Thank you for the clarification. That did it. Regards.
If I read that correctly, with 3.2.3 we should be putting the files in /opt/splunk/etc/bundles/default? And ...
...and another Follow-up. From Splunks own docs I found the following: http://www.splunk.com/doc/3.3/admin/inputsconfspec ../inputs.conf ...
Follow-up question: why do you add these entries to seperate inputs.conf and props.conf files and not ...
I have looked through previous forums and tried to modify what I have <see below> to match what as in ...

I doubled back and added in DNS entry versus IP and yes, it works. IP is misleading and should be renamed ...
Thanks. I was using the Splunk GUI and it only has setting for IP setup. I will look further into where ...
No. I would like to send it to a DNS name....Splunk only offers the ability to send to an IP address...
I am trying to setup a pair of VCS servers and would like to push the engine_A.log to our production ...

Well....kind of. I am looking to reorder the data that we receive, but I don't want to have to write ...
When we capture a Live Search and an email goes out to our support groups they are requesting that I ...

Patience Yago.......Patience. After waiting about 45 minutes I started to see the tails finally kick ...
I guess it was a short term solution. After believing it worked I doubled back and added the remaining ...
ARaitz, Considering that you need to edit the ../local/inputs.conf file in order to get the **index ...
ARaitz, This solved my issue. One simple heads up, after adding the "Oracle" Data Store the three ...
I have a client running Oracle and have the Splunk forwarding data from the client only to the Splunk ...

I have a /dir that has both *gz files and *txt in it. I only want to add the couple hundred *.txt files. ...

I have a client server that is simply forwarding smtp log data via **Splunk** and **Distributed Forward ...

ARaitz - Kachiga! Kachiga! (for those who have seen Cars, the Movie).....yes. That worked for this ...
With a live search setup to watch for memory errors in Solaris I get multiple hosts answering for the ...