The dojo of Splunk. Learn, share, teach, mentor.

Welcome to
splunkninja

Sign Up
or Sign In

Or sign in with:

Videos

Stuff Splunkers Should Know (1) - PerfMon / WMI Collection in Splunk 4.2

Added by Michael Wilde
Splunk + SCOM - Troubleshooting .NET at Lightspeed!

Added by Michael Wilde

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Added by Michael Wilde

Latest Activity

William S and Please... Dee Esssss :-) joined splunkninja

1 hour ago

Amine Recoba is now a member of splunkninja

yesterday

Welcome Them!

Michael Wilde replied to Nikita's discussion Count failures and success via transaction

"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"

Friday

Linus Myrefelt updated their profile

May 22

Marie updated their profile

May 21

Marie is now a member of splunkninja

May 21

Welcome Them!

Jitter and matthew arguin joined splunkninja

May 18

Matthew Carter and Nikita joined splunkninja

May 17

Upgraded to 4.0

OK so I have finally upgraded to version 4.0 and now I am kicking myself that I didn't do it sooner! I mean I should have known that if someone known as the splunk ninja recommends you to upgrade your Splunk install then you REALLY should listen to him!

It would seem that the event segmentation works much better and now it is behaving how I would expect. I must admit that I was getting a little confused with the field allocation seemingly changing all the time but 4 seems to be solid as a rock.

< Previous Post

Comment by Michael Wilde on September 4, 2009 at 1:13am: Next up.... Make your own app.... I'll do a video on it, and you'll see why :)

Comment by Michael Wilde on September 4, 2009 at 1:15am: Ben... What do you find confusing about field allocation? Is the "Other Interesting Fields" concept that shows up in the blue sidebar?

Comment by Ben Corbett on September 4, 2009 at 1:50am: After your comment on pulling out the src_ip I was ripping my hair out trying to find the field. I nthe end I did a sort of mash up with the rhost field that kind of did what I wanted but not exactly. It was confusing me becasue I wasn't exactly sure where the rhost was coming from. e.g. If i looked on one of the servers for the past 3 hours, the rhost field would not be present but then if I changed this to say 24 hours it would then appear.

I'm not going to worry about it too much though because everything is behaving as I would expect in version 4. Woop Woop!

Videos

Stuff Splunkers Should Know (1) - PerfMon / WMI Collection in Splunk 4.2

Splunk + SCOM - Troubleshooting .NET at Lightspeed!

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Top Content

Count failures and success via transaction

Latest Activity

Upgraded to 4.0

You need to be a member of splunkninja to add comments!