splunk

问题 I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count. I tried below query but didn't get any success. It is always giving me 0. sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as

问题 can anyone provide me with a way to have Splunk convert an extracted field which is currently in milliseconds to HH:MM:SS? 回答1: ...| fieldFormat inSeconds = tostring(inMS/1000,"duration) where inMS is the name of the extracted field and inSeconds is the result you want add | fields - inMS to remove the original field 来源： https://stackoverflow.com/questions/9828540/splunk-convert-extracted-field-in-currently-milliseconds-to-hhmmss

问题 I deployed Splunk Forwarder in my kubernetes cluster using this blog. http://jasonpoon.ca/2017/04/03/kubernetes-logging-with-splunk/ I have 4 files at /opt/splunk/etc/system/local inputs.conf server.conf limits.conf outputs.conf my inputs.conf looks like this. [default] host = testtest [monitor:///usr/local/tomcat/logs] whitelist=test.log|.log_WHITELIST_|test index= abc sourcetype=log4j [splunktcp://9997] compressed = false I am not able to get the log in Splunk UI. when I am deploying it as

问题 I'm having trouble programmatically running a local script over ssh. I'm unsure if this is a problem with the shell variable substitution on the local host. When manually running, ssh monit@server1 'bash -s' < /u02/splunk/splunk/etc/apps/Splunk_TA_nix/bin/cpu.sh I get the expected output, CPU pctUser pctNice pctSystem pctIowait pctIdle all 11.21 0.00 1.50 0.31 86.98 0 0.00 0.00 0.00 0.00 100.00 1 3.00 0.00 1.00 0.00 96.00 .... but I get bash: /u02/splunk/splunk/etc/apps/Splunk_TA_nix/bin/cpu

问题 I am VERY new to using Splunk and have a very basic question. Is it possible to use the REST API to query Splunk without using an already saved search? Thanks. 回答1: You can specify the search string as a parameter to the export endpoint and get the results without having a saved search on the server. curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 3" -d output_mode=csv output_mode is an optional parameter.

问题 folks ! i'm trying to log server logs over my splunk cloud, can you please explain how to implement this, i have setted up splunk with universal forwarder and my client side logs are working fine, but how to put server side logs, i have idea about log4j.properties file but what to write in it, and in other files to reflect server logs on splunk site as well. If you could help in simple terms that would be helpful. Thank You so Much. !! 回答1: I'm not sure I totally understand your question.

问题 I have created a custom Splunk forwarder image. Image name: vrathore/splunkuniversalforwarder I have verified that the log is pushing to the server. I am using dummy log present in my host ( c/Users/var/log ). If I run this Docker command: docker run --name splunkforwarder -d -v /c/Users/var/log://var/log/messages -p 8089:8089 -p 8088:8088 -e SPLUNK_SERVER_HOST=splunk-prodtest-gsp.test.com:9997 -e FORWARD_HOSTNAME=kubernetes vrathore/splunkuniversalforwarder Now I wanted to use the same image

问题 I need to run a python script from javascript (html file), the project is deployed in splunk 回答1: Via NodeJs we can communicate with python script. i used this python-shell plugin to run python script from JS. Very Useful one. 来源： https://stackoverflow.com/questions/25240847/how-to-execute-a-python-script-from-javascript-in-splunk

问题 I am trying to create a custom app for my usecases in splunk. One of my usecase is to get some data from AWS for which I already have a working code written in python and I am using boto3 SDK. The same code I was trying in Splunk and it didn't work because Splunk doesn't have information of boto3. Any suggestions please. The sample code is here. import boto3 import json def ec2_client(): client = boto3.client('ec2') """ :type : pyboto3.ec2 """ return client; def perform_ec2_operation(): ec2

问题 When executing a query via the splunk SDK, apparently the results are clipped after 100 entries. How to get around this limit? I tried: >job = service.jobs.create(qstring,max_count=0, max_time=0, count=10000) >while not job.is_ready(): time.sleep(1) >out = list(results.ResultsReader(job.results())) >print(len(out)) 100 but the same query in the splunk web interface produces over 100 lines of results. 回答1: Try job.results( count=0 ) count=0 means no limit. 回答2: Here is a hack which appears to