Videos

  • Add Videos
  • View All

Latest Activity

Profile Icon
Greg Vallenari is now a member of splunkninja Sunday
Welcome Them!
Profile Icon
Mike Hartford commented on Michael Wilde's video
Got it thanks
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 8
Profile Icon
Michael Wilde commented on Michael Wilde's video
Sure...  When you do group mapping, map them to groups that don't have the domain admins in them.  I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 8
Profile Icon
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk.  Can I keep the domain admins out of Splunk if I have LDAP authentication???
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 7
Profile Icon
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,   Glad to have another Splunker.  I've been useing Splunk for 2 years and am hooked.  I leared how to spell splunk and | transaction too.  you'll learn that one soon.   Go over to Splunk…
Feb 7
Profile Icon
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
  Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!   The team that found them must have special bat senses and highly tooned Splunking skills   I like to wear Extra Lovable…
Feb 7
Profile Icon
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
Status posted by Jonathan Hawes Feb 7
0 Comments
Profile Icon
Jonathan Hawes is now a member of splunkninja Feb 7
Welcome Them!
Dave P
Dave P
  • Sterling, VA
  • United States
Share on Facebook Share on Facebook Share Twitter

Dave P's Discussions

Splunk skipping input files & Order of precedence
5 Replies

Hi,So, I think I'm missing something obvious here. a 2 part question.1) I have one of several inputs defined as:monitor:///data/logs]disabled = falsehost_segment = 4index = defaultsourcetype =…Continue

Tags: operations, of, order, files, inputs

Started this discussion. Last reply by Dave P Jan 4, 2010.

Optimizing searching over indexing
5 Replies

Hopefully, this will be first of many discussions I'll be part of. Found SN yesterday, very cool.I've got a single host handling both Splunk indexing and searching. I'd like to give searching…Continue

Started this discussion. Last reply by Dave P Jan 6, 2010.

 

Dave P's Page

Gifts Received

Gift

Dave P has not received any gifts yet

Give Dave P a Gift

Latest Activity

Profile Icon
Dave P replied to Dave P's discussion 'Optimizing searching over indexing'
I hear that. I try to live in 64-bit land whenever possible. When the real production Splunk gear arrives, it'll be 64-bit OS installation, so I'm hoping that I see some improvement in speed over equivalent hardware running a 32-bit…
Jan 6, 2010
Profile Icon
Michael Wilde replied to Dave P's discussion 'Optimizing searching over indexing'
Dave... I deleted your reply on accident... there was a spammer in here. Yes. Splunk does take advantage of 64bit in a MAJOR WAY!... When indexing on a 32bit machine, splunk can store its "buckets" in a max of 200MB per bucket--meaning…
Jan 6, 2010
Profile Icon
Dave P replied to Dave P's discussion 'Splunk skipping input files & Order of precedence'
Aaaaand Splunk Support has come through again. Below is the solution that worked nicely, though it seems there should have been an easier way to do this. in…
Jan 4, 2010
Profile Icon
Dave P replied to Dave P's discussion 'Splunk skipping input files & Order of precedence'
There are no entries in the "Most recently ignored files" search results for the past 24 hours (or even the past 72 hours). So, at least Splunk is finding everything, even if it is not sourcetyping it correctly. I found the same…
Dec 29, 2009
Profile Icon
Dave P replied to Dave P's discussion 'Splunk skipping input files & Order of precedence'
I'm getting closer, I think. I did what you suggested, created a separate entry for the maillog stuff in the props.conf, though it ended up looking like this: [source::/data/logs/...] sourcetype =…
Dec 29, 2009
Profile Icon
Alexander Szoenyi replied to Dave P's discussion 'Splunk skipping input files & Order of precedence'
Hello, Point 1 Go to the Search App -> Status -> Inputs Activity. There you can find the "Most recently ignored files". or use this search index="_internal" source="*splunkd.log" earliest=-24h…
Dec 29, 2009
Profile Icon
Mike Langhorst replied to Dave P's discussion 'Splunk skipping input files & Order of precedence'
a bit old on this but since I had an answer, hopefully it'll help you or someone else with this issue. Correct, due to the first stanza, the second will not be used. What you can do is add an entry to specify this source type in props.conf…
Dec 28, 2009
Profile Icon

Splunk skipping input files & Order of precedence

Hi,So, I think I'm missing something obvious here. a 2 part question.1) I have one of several inputs defined as:monitor:///data/logs]disabled = falsehost_segment = 4index = defaultsourcetype = syslogThere are several directories under /data/logs/${DATE}. It appears that Splunk has "missed" them as files to index and add to the Splunk DB.Is there a way to kick Splunk to index files that it appears to have missed? Permissions, ownerships are correct... I'm stumped.2) Order of precedence.From…See More
Discussion posted by Dave P Nov 27, 2009
5 Comments
Profile Icon
Dave P replied to Joe Rizzo's discussion 'renaming searches, reports and dashboards'
I haven't figured out how to rename them, but I did figure out that if you clone them and give them a new name, it's essentially the same thing. If it's not, I haven't discovered the difference yet. -dave
Nov 15, 2009
Profile Icon
Michael Wilde replied to Dave P's discussion 'Optimizing searching over indexing'
One more question... 32bit or 64bit?
Nov 13, 2009
Profile Icon
Dave P replied to Dave P's discussion 'Optimizing searching over indexing'
The machine looks like this: 4 CPU cores, 2GB ram, 70GB disk, about 30GB used. When I profile the machine (top, sar, iostat, vmstat) I see that the splunkd processes (which appears to be the primary indexing agent) will consume up to 400% CPU (all…
Nov 13, 2009
Profile Icon
Michael Wilde replied to Dave P's discussion 'Optimizing searching over indexing'
A couple of things come to mind... What's the profile of your machine? CPU/Memory/Disk Space & Speed. Are you finding that searches are slow? If so, what types of searches are you doing? How many are running simultaneously? Do you have…
Nov 13, 2009
Profile Icon

Optimizing searching over indexing

Hopefully, this will be first of many discussions I'll be part of. Found SN yesterday, very cool.I've got a single host handling both Splunk indexing and searching. I'd like to give searching priority over indexing. Ordinarily, being a UNIX hack I would nice +19 the splunk processes parent process.root 3492 11.7 12.7 341212 263652 ? SNl Nov09 335:00 splunkd -p 8080 restartroot 3493 0.0 0.0 17916 1728 ? SNs Nov09 0:28 splunkd -p 8080 restartroot 3543 0.9 2.2 187340 46368 ? SNl Nov09 26:25 python…See More
Discussion posted by Dave P Nov 11, 2009
5 Comments
Profile Icon
I tell you whatsamatter, Splunks got my tongue.
Status posted by Dave P Nov 9, 2009
Profile Icon
Dave P is now a member of splunkninja Nov 9, 2009
Welcome Them!

Profile Information

Are you an existing splunk user?
Licensed
What do you do for your day job?
UNIX geek

Comment Wall

  • No comments yet!

You need to be a member of splunkninja to add comments!

Join splunkninja

 
 
 

© 2012   Created by Michael Wilde.

Badges  |  Report an Issue  |  Terms of Service