splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

Atul Mistry
  • Cambridge, MA
  • United States
Share
Share on Twitter
Share on Facebook

Atul Mistry's Discussions

splunk-search.exe process
3 Replies

Can someone tell me what the splunk-search.exe process is doing on a client that is configured for SplunkLightForwarder? I'm noticing that it starts up roughly every 30 seconds, and runs for for ab…

Started this discussion. Last reply by Michael Wilde Mar 25.

Need Help with Automate Archiving
4 Replies

I'm testing out automatic archiving, but i can't seem to get it to work. Here is what i'm doing: i added the following stanza to my etc\system\local\indexes.conf file [main] frozenTimePeriodInSec…

Started this discussion. Last reply by Atul Mistry Mar 4.

Reformatting the message in an WinEventLog:Application event
7 Replies

I have a situation where I need to combine events from an older version of an application with a newer one, while both are live in production.   The newer version produces Windows Event log events…

Started this discussion. Last reply by Michael Wilde Jan 29.

 

Atul Mistry's Page

Gifts Received

Gift

Atul Mistry has not received any gifts yet

Give Atul Mistry a Gift

Latest Activity

Michael Wilde replied to Atul Mistry's discussion 'splunk-search.exe process'
Weird. Splunkd.log might contain some evidence of what was going on.
March 25
Atul Mistry replied to Atul Mistry's discussion 'splunk-search.exe process'
no saved searches, but I was able to resolve the issue by re-enabling the SplunkLightForwarder. thanks,
March 25
Michael Wilde replied to Atul Mistry's discussion 'splunk-search.exe process'
Check to see if that forwarder has any scheduled searches running and disable them. Some apps have scheduled searches in them.
March 24
Atul Mistry added a discussion
splunk-search.exe process
Can someone tell me what the splunk-search.exe process is doing on a client that is configured for SplunkLightForwarder? I'm noticing that it starts up roughly every 30 seconds, and runs for for about 2-5 seconds using 80-95% of the cpu during tha…
March 23
Atul Mistry replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
i figured my time span was too short, so i reconfigured the archive settings to one day and hot span to 4 hours: [main] frozenTimePeriodInSecs=86400 maxHotSpanSecs=14400 coldToFrozenScript = WindowsCompressedExport.bat "$DIR" Waited a day, and eve…
March 4
Atul Mistry replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
i'm just using 1 hour for testing purposes. in production we will be using 45 days. nothing in the splunkd.log jumps out at me. is there a component i should filter or focus in on? i attached a 2 hour sampling of the splunkd.log.
March 2
Michael Wilde replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
Atul... 3600 seconds.. you really only want 1 hour worth of data in your indexer?. Whats splunkd.log saying.. check with this search: index=_internal source="*splunkd.log"
March 2
Atul Mistry replied to Atul Mistry's discussion 'Need Help with Automate Archiving'
i noticed a typo and made the following change. [main] frozenTimePeriodInSecs = 3600 coldToFrozenScript = WindowsCompressedExport.bat "$DIR" and restarted splunk. still no luck. is the time period too short? do i need to set a tie period to move…
March 1
Atul Mistry added a discussion
Need Help with Automate Archiving
I'm testing out automatic archiving, but i can't seem to get it to work. Here is what i'm doing: i added the following stanza to my etc\system\local\indexes.conf file [main] frozenTimePeriodInSecs = 3600 coldToFrozenScript = WindowsCompressedExp…
March 1
Atul Mistry replied to yanu pratomo's discussion 'take log windows to splunk without forwarder'
If you install the "Windows" app (http://www.splunk.com/apps/windows) on the linux server, you will see the windows specific sources and sourcetypes. once you do that, splunk may be able to eat the *.evt files properly. also, you may want to set t…
February 1
Michael Wilde replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
WIN!...
January 29
Atul Mistry replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
I found the reason the message was getting split, it was because it exceeds the 10000 default limit. I set the TRUNCATE = 0 and now the message stays together. now that the messages are not getting split, xmlkv is working like a champ. thanks for…
January 29
Atul Mistry replied to yanu pratomo's discussion 'take log windows to splunk without forwarder'
If you can place the log on a network drive that is accessible by the splunk server you should be able to eat the log without the forwarder.
January 29
Michael Wilde replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
Atul.... Splunk has a scrubber command built in. Dump that stuff to a file, run "/splunk anonymize file -source /path/to/[filename]" It usually does a pretty good job of getting rid of PHI and other private stuff. http://www.splunk.com/base/Docum
January 28
Atul Mistry replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
unfortunately the events i'm having a problem with have PHI (protected health information), and I can't post it with out some scrubbing. i'll try what you suggested tonight. i'm going to Splunk Live today! If I still can't get it to work, i'll post…
January 28
Michael Wilde replied to Atul Mistry's discussion 'Reformatting the message in an WinEventLog:Application event'
upload a sample of those events if you want... but what you will need to do is give Splunk some education on where to break your events.. most of the time its pretty smart, but I like that it lets me take over and tell it what to do when i want to.…
January 27

Profile Information

Are you an existing splunk user?
Licensed
What do you do for your day job?
Development Architect

Comment Wall

You need to be a member of splunkninja to add comments!

Join splunkninja

  • No comments yet!
 
 
 

Videos

Latest Splunk Community Postings

Latest Splunk Forum Posts

Adding additional servers to *Nix app?

Create new Field and Assign existing field in transforms.conf

How do I remove Sources?

Clear Windows Logs?

Create new Field and Assign existing field in transforms.conf

© 2010   Created by Michael Wilde.   Powered by .

Badges  |  Report an Issue  |  Terms of Service

Sign in to chat!