Videos

  • Add Videos
  • View All

Top Content 

1 Count failures and success via transaction

Count failures and success via transaction

Latest Activity

Profile IconWilliam S and Please... Dee Esssss :-) joined splunkninja
1 hour ago
Amine Recoba is now a member of splunkninja
yesterday
Welcome Them!
Michael Wilde replied to Nikita's discussion Count failures and success via transaction
"How are these transactions linked together... by a field called "ID"?  If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it.   Paste some samples and…"
Friday
Linus Myrefelt updated their profile
May 22
Marie updated their profile
May 21
Marie is now a member of splunkninja
May 21
Welcome Them!
Profile IconJitter and matthew arguin joined splunkninja
May 18
Profile IconMatthew Carter and Nikita joined splunkninja
May 17
Atul Mistry
  • Cambridge, MA
  • United States
Share on Facebook Share on Facebook Share Twitter

Atul Mistry's Discussions

splunk-search.exe process
3 Replies

Can someone tell me what the splunk-search.exe process is doing on a client that is configured for SplunkLightForwarder?I'm noticing that it starts up roughly every 30 seconds, and runs for for about…Continue

Started this discussion. Last reply by Michael Wilde Mar 25, 2010.

Need Help with Automate Archiving
4 Replies

I'm testing out automatic archiving, but i can't seem to get it to work.Here is what i'm doing:i added the following stanza to my etc\system\local\indexes.conf file[main]frozenTimePeriodInSecs = 3600…Continue

Started this discussion. Last reply by Atul Mistry Mar 4, 2010.

Reformatting the message in an WinEventLog:Application event
7 Replies

I have a situation where I need to combine events from an older version of an application with a newer one, while both are live in production. The newer version produces Windows Event log events in…Continue

Started this discussion. Last reply by Michael Wilde Jan 29, 2010.

 

Atul Mistry's Page

Gifts Received

Gift

Atul Mistry has not received any gifts yet

Give Atul Mistry a Gift

Latest Activity

Michael Wilde replied to Atul Mistry's discussion splunk-search.exe process
"Weird. Splunkd.log might contain some evidence of what was going on."
Mar 25, 2010
Atul Mistry replied to Atul Mistry's discussion splunk-search.exe process
"no saved searches, but I was able to resolve the issue by re-enabling the SplunkLightForwarder. thanks,"
Mar 25, 2010
Michael Wilde replied to Atul Mistry's discussion splunk-search.exe process
"Check to see if that forwarder has any scheduled searches running and disable them. Some apps have scheduled searches in them."
Mar 24, 2010
Atul Mistry posted a discussion

splunk-search.exe process

Can someone tell me what the splunk-search.exe process is doing on a client that is configured for SplunkLightForwarder?I'm noticing that it starts up roughly every 30 seconds, and runs for for about 2-5 seconds using 80-95% of the cpu during that time.is splunk-search.exe needed when running a SplunkLightForwarder? If it can't be disabled, can is it possible to throttle it back?thanks,  See More
Mar 23, 2010
3 Comments
Atul Mistry replied to Atul Mistry's discussion Need Help with Automate Archiving
"i figured my time span was too short, so i reconfigured the archive settings to one day and hot span to 4 hours: [main] frozenTimePeriodInSecs=86400 maxHotSpanSecs=14400 coldToFrozenScript = WindowsCompressedExport.bat "$DIR" Waited a…"
Mar 4, 2010
Atul Mistry replied to Atul Mistry's discussion Need Help with Automate Archiving
"i'm just using 1 hour for testing purposes. in production we will be using 45 days. nothing in the splunkd.log jumps out at me. is there a component i should filter or focus in on? i attached a 2 hour sampling of the splunkd.log."
Mar 2, 2010
Michael Wilde replied to Atul Mistry's discussion Need Help with Automate Archiving
"Atul... 3600 seconds.. you really only want 1 hour worth of data in your indexer?. Whats splunkd.log saying.. check with this search: index=_internal source="*splunkd.log""
Mar 2, 2010
Atul Mistry replied to Atul Mistry's discussion Need Help with Automate Archiving
"i noticed a typo and made the following change. [main] frozenTimePeriodInSecs = 3600 coldToFrozenScript = WindowsCompressedExport.bat "$DIR" and restarted splunk. still no luck. is the time period too short? do i need to set a tie…"
Mar 1, 2010
Atul Mistry posted a discussion

Need Help with Automate Archiving

I'm testing out automatic archiving, but i can't seem to get it to work.Here is what i'm doing:i added the following stanza to my etc\system\local\indexes.conf file[main]frozenTimePeriodInSecs = 3600 coldToFrozenScript = WindowsCompressedExport.bat %DIR%i placed the WindowsCompressedExport.bat file in C:\Program Files\Splunk\bin (i also put it in C:\Program Files\Splunk\bin\scripts and C:\Program Files\Splunk\etc\system\bin to cover all of the bases)the script i'm using is a version off the…See More
Mar 1, 2010
4 Comments
Atul Mistry replied to yanu pratomo's discussion take log windows to splunk without forwarder
"If you install the "Windows" app (http://www.splunk.com/apps/windows) on the linux server, you will see the windows specific sources and sourcetypes. once you do that, splunk may be able to eat the *.evt files properly. also, you may…"
Feb 1, 2010
Michael Wilde replied to Atul Mistry's discussion Reformatting the message in an WinEventLog:Application event
"WIN!..."
Jan 29, 2010
Atul Mistry replied to Atul Mistry's discussion Reformatting the message in an WinEventLog:Application event
"I found the reason the message was getting split, it was because it exceeds the 10000 default limit. I set the TRUNCATE = 0 and now the message stays together. now that the messages are not getting split, xmlkv is working like a champ. thanks for…"
Jan 29, 2010
Atul Mistry replied to yanu pratomo's discussion take log windows to splunk without forwarder
"If you can place the log on a network drive that is accessible by the splunk server you should be able to eat the log without the forwarder."
Jan 29, 2010
Michael Wilde replied to Atul Mistry's discussion Reformatting the message in an WinEventLog:Application event
"Atul.... Splunk has a scrubber command built in. Dump that stuff to a file, run "/splunk anonymize file -source /path/to/[filename]" It usually does a pretty good job of getting rid of PHI and other private…"
Jan 28, 2010
Atul Mistry replied to Atul Mistry's discussion Reformatting the message in an WinEventLog:Application event
"unfortunately the events i'm having a problem with have PHI (protected health information), and I can't post it with out some scrubbing. i'll try what you suggested tonight. i'm going to Splunk Live today! If I still can't…"
Jan 28, 2010
Michael Wilde replied to Atul Mistry's discussion Reformatting the message in an WinEventLog:Application event
"upload a sample of those events if you want... but what you will need to do is give Splunk some education on where to break your events.. most of the time its pretty smart, but I like that it lets me take over and tell it what to do when i want…"
Jan 27, 2010

Profile Information

Are you an existing splunk user?
Licensed
What do you do for your day job?
Development Architect

Comment Wall

  • No comments yet!

You need to be a member of splunkninja to add comments!

Join splunkninja

 
 
 

© 2012   Created by Michael Wilde.

Badges  |  Report an Issue  |  Terms of Service