Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
nick fox's Discussions
splunk errors - splunk-optimize failed to start
is this anything serious to worry about? and does it impact me in any way?cheersContinue
Started Feb 13, 2010
segmentation and text/XML files
9 Replies
HiI have just started implementing splunk for some of our application logging and while most logs seem to be working well we have a small issue with some XML messages.I say messages because the…Continue
Tags: rpc, xml, segmentation
Started this discussion. Last reply by Bob Munson Jan 24, 2010.
nick fox's Page
Gifts Received
nick fox has not received any gifts yet
Latest Activity
splunk errors - splunk-optimize failed to start
is this anything serious to worry about? and does it impact me in any way?cheersSee More
Discussion posted by nick fox
Bob Munson replied to nick fox's discussion 'segmentation and text/XML files'
When you create an index, you may not have noticed but splunk tells you to restart at the top of the screen so you did exactly what you needed to.
nick fox replied to nick fox's discussion 'segmentation and text/XML files'
This works fantastic, thanks very much.
on another note, It seems that when i create a new index and then go to data inputs even though i can select the index i created in the drop down i cannot save, i get an error at the top saying index not…
Michael Wilde replied to nick fox's discussion 'segmentation and text/XML files'
You should be cool doing this:
1. Manually Sourcetype your input. I called mine "myxml". (this can be done at the GUI when you monitor the directory, or in the $SPLUNK_HOME/etc/apps/search/local/inputs.conf file. Mine looks like…
nick fox replied to nick fox's discussion 'segmentation and text/XML files'
good question. the first message is not timestamped on recipt so if there is a delay in transmission from the other side that first xml message may be inaccurate.
i think the timestamp in the second message where we are forwarding it is the best,…
Michael Wilde replied to nick fox's discussion 'segmentation and text/XML files'
More helpful than Splunk?.. well. that is why i started this community, because i think it could be far better than the Splunk forums (which are buried), and possibly better than the best practices in the docs.... but yes.. I do work for Splunk..…
nick fox replied to nick fox's discussion 'segmentation and text/XML files'
wow ur more helpful than splunk! you dont work for splunk do you?
Hmm good question. it might be useful in the long run to have each xml message indexed, for reporting etc but for now it would be great to just index the whole file, and maybe later…
Michael Wilde replied to nick fox's discussion 'segmentation and text/XML files'
Ok.. one more simple question... ultimately it seems like you'd just like each of these files indexed.. preferrably with a proper sourcetype.
Would you like the file as one event... or the responses split up in to single events? and which…
nick fox replied to nick fox's discussion 'segmentation and text/XML files'
ok so format is as follows: text on line 1, a cert id then xml followed by captured response xml and then duplicated again for the transmission, thats subject to change if unable to respond due to system being down etc.. (the line of hyphens are not…
Michael Wilde replied to nick fox's discussion 'segmentation and text/XML files'
Couple o' Questions for ya!
Is each file a message?
Is there a timestamp in the message?
Is the created date on the file the time the event occured?
What sourcetype is splunk assigning when it indexes the files?
segmentation and text/XML files
HiI have just started implementing splunk for some of our application logging and while most logs seem to be working well we have a small issue with some XML messages.I say messages because the XML-RPC for a particular system is logged in individual files rather than a log and there are around 40-50k files produced each day.to increase indexing and reduce disk space i THINK we need to alter the way splunk indexes the files. I assume we need to index the entire contents of the file by setting…See More
Discussion posted by nick fox
Profile Information
- Are you an existing splunk user?
- Free
- What do you do for your day job?
- applications analyst
Comment Wall
- No comments yet!
© 2012 Created by Michael Wilde.
