cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
michaelteck
Explorer
Member since: ‎01-09-2024
3 weeks ago
Community Statistics
Posts 8
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎01-09-2024
Activity Feed
View All

Gettin news data by Universal Forwarder

by in Getting Data In
3 weeks ago
3 weeks ago
Hello everyone,  I turn to you because I have a little problem. I have an MFT server that generates logs in a directory. In this directory the log files are stored in directories that have the name of the day. And the log files have the name 1000005847456.log. For example, today’s logs 23 April 2024 are stored in the 2024-04-23/ directory.  For now, I have this input.conf file : [monitor:///data/logs/.../100000*.log] disabled=false sourcetype=log4j host=PC followTail=0 index=test_wild  When I launch the Universal Forwarder, it starts listing all files in/data/logs/.../ . And it also starts to send the data in the log directory as of 4 days ago. I am not looking to retrieve the old log data but the log data of today. I don’t understand this behavior of the Universal Forwarder. Could someone help me?  ... View more

Re: Bring several events together.

by in Splunk Search
‎03-26-2024 06:51 AM
‎03-26-2024 06:51 AM
Hello @ITWhisperer,    First of all, I'd like to thank you for taking the time to think about my concerns. As you said, If the  combinations of correlationIDs and direction are reused it may not give the results I expect. The correlationID and direction are completely random. The correlationID is an ID that SWO2-APIM associates with the request to identify it. The direction means that SWO2-APIM receives or sends the request. In the real log, the first log line is at the bottom and the last log line is at the top. This is the real logs look like : [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "0[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "<Message or something>[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "8e[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Connection: close[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Transfer-Encoding: chunked[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Date: Tue, 26 Mar 2024 13:02:16 GMT[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Content-Type: application/xml; charset=UTF-8[\r][\n]" [2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "HTTP/1.1 200 OK[\r][\n]" [2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "[\r][\n]" [2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Accept-Encoding: gzip, compressed[\r][\n]" [2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "User-Agent: HealthChecker/2.0[\r][\n]" [2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Connection: close[\r][\n]" [2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Host: 10.229.55.71:8243[\r][\n]" [2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "GET /services/Version HTTP/1.1[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "0[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "<Message or something>[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "8e[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Connection: close[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Transfer-Encoding: chunked[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Date: Tue, 26 Mar 2024 13:02:11 GMT[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Content-Type: application/xml; charset=UTF-8[\r][\n]" [2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "HTTP/1.1 200 OK[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "0[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "<Message or something>[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "8e[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Connection: close[\r][\n]" [2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Transfer-Encoding: chunked[\r][\n]" [2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Date: Tue, 26 Mar 2024 13:02:07 GMT[\r][\n]" [2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Content-Type: application/xml; charset=UTF-8[\r][\n]" [2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "HTTP/1.1 200 OK[\r][\n]"   If you look closely at the requests, they are received from bottom to top. And so, I would like to have this kind of outing : Date, loglevel, action_https, correlationID, message, duration [2024-03-26 13:02:16,357], DEBUG, HTTPS-Listener, dispatcher-4, "HTTP/1.1 200 OK[\r][\n]" "Content-Type: application/xml; charset=UTF-8[\r][\n]" "Date: Tue, 26 Mar 2024 13:02:16 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "Connection: close[\r][\n]" "[\r][\n]" "8e[\r][\n]" "<Message or something>[\r][\n]" "0[\r][\n]" "[\r][\n]", 000 [2024-03-26 13:02:16,353], DEBUG, HTTPS-Listener, dispatcher-4, "GET /services/Version HTTP/1.1[\r][\n]" "Host: 10.229.55.71:8243[\r][\n]" "Connection: close[\r][\n]" "User-Agent: ELB-HealthChecker/2.0[\r][\n]" "Accept-Encoding: gzip, compressed[\r][\n]" "[\r][\n]", 000 [2024-03-26 13:02:11,042], DEBUG, HTTPS-Listener, dispatcher-3, "HTTP/1.1 200 OK[\r][\n]" "Content-Type: application/xml; charset=UTF-8[\r][\n]" "Date: Tue, 26 Mar 2024 13:02:11 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "Connection: close[\r][\n]" "[\r][\n]" "8e[\r][\n]" "<Message or something>[\r][\n]" "0[\r][\n]" "[\r][\n]", 000 [2024-03-26 13:02:07,129], DEBUG, HTTPS-Listener, dispatcher-4, "HTTP/1.1 200 OK[\r][\n]" "Content-Type: application/xml; charset=UTF-8[\r][\n]" "Date: Tue, 26 Mar 2024 13:02:07 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "Connection: close[\r][\n]" "[\r][\n]" "8e[\r][\n]" "<Message or something>[\r][\n]" "0[\r][\n]" "[\r][\n]", 003 ... View more

Bring several events together.

by in Splunk Search
‎03-26-2024 02:55 AM
‎03-26-2024 02:55 AM
Hello everyone,  I'm coming to you for advice. I am currently working with splunk to create monitor WSO2-APIM instances.  According to the WSO2-APIM documentation, logs are generated as follows :  [2019-12-12 17:30:08,091] DEBUG - wire HTTPS-Listener I/O dispatcher-5 >> "GET /helloWorld/1.0.0 HTTP/1.1[\r][\n]" [2019-12-12 17:30:08,093] DEBUG - wire HTTPS-Listener I/O dispatcher-5 >> "Host: localhost:8243[\r][\n]" [2019-12-12 17:30:08,094] DEBUG - wire HTTPS-Listener I/O dispatcher-5 >> "User-Agent: curl/7.54.0[\r][\n]" [2019-12-12 17:30:08,095] DEBUG - wire HTTPS-Listener I/O dispatcher-5 >> "accept: */*[\r][\n]" [2019-12-12 17:30:08,096] DEBUG - wire HTTPS-Listener I/O dispatcher-5 >> "Authorization: Bearer 07f6b26d-0f8d-312a-8d38-797e054566cd[\r][\n]" [2019-12-12 17:30:08,097] DEBUG - wire HTTPS-Listener I/O dispatcher-5 >> "[\r][\n]" [2019-12-12 17:30:08,105] DEBUG - wire HTTP-Sender I/O dispatcher-1 << "GET /v2/5df22aa131000084009a30a9 HTTP/1.1[\r][\n]" [2019-12-12 17:30:08,106] DEBUG - wire HTTP-Sender I/O dispatcher-1 << "accept: */*[\r][\n]" [2019-12-12 17:30:08,107] DEBUG - wire HTTP-Sender I/O dispatcher-1 << "Host: www.mocky.io[\r][\n]" [2019-12-12 17:30:08,108] DEBUG - wire HTTP-Sender I/O dispatcher-1 << "Connection: Keep-Alive[\r][\n]" [2019-12-12 17:30:08,109] DEBUG - wire HTTP-Sender I/O dispatcher-1 << "User-Agent: Synapse-PT-HttpComponents-NIO[\r][\n]" [2019-12-12 17:30:08,110] DEBUG - wire HTTP-Sender I/O dispatcher-1 << "[\r][\n]" [2019-12-12 17:30:08,266] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "HTTP/1.1 200 OK[\r][\n]" [2019-12-12 17:30:08,268] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "Server: Cowboy[\r][\n]" [2019-12-12 17:30:08,269] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "Connection: keep-alive[\r][\n]" [2019-12-12 17:30:08,271] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "Date: Thu, 12 Dec 2019 12:00:08 GMT[\r][\n]" [2019-12-12 17:30:08,272] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "Content-Type: application/json[\r][\n]" [2019-12-12 17:30:08,273] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "Content-Length: 20[\r][\n]" [2019-12-12 17:30:08,274] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "Via: 1.1 vegur[\r][\n]" [2019-12-12 17:30:08,275] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "[\r][\n]" [2019-12-12 17:30:08,276] DEBUG - wire HTTP-Sender I/O dispatcher-1 >> "{ "hello": "world" }" [2019-12-12 17:30:08,282] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "HTTP/1.1 200 OK[\r][\n]" [2019-12-12 17:30:08,283] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Access-Control-Expose-Headers: [\r][\n]" [2019-12-12 17:30:08,284] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Access-Control-Allow-Origin: *[\r][\n]" [2019-12-12 17:30:08,285] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Access-Control-Allow-Methods: GET[\r][\n]" [2019-12-12 17:30:08,286] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Authorization[\r][\n]" [2019-12-12 17:30:08,287] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Content-Type: application/json[\r][\n]" [2019-12-12 17:30:08,287] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Via: 1.1 vegur[\r][\n]" [2019-12-12 17:30:08,288] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Date: Thu, 12 Dec 2019 12:00:08 GMT[\r][\n]" [2019-12-12 17:30:08,289] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "Transfer-Encoding: chunked[\r][\n]" [2019-12-12 17:30:08,290] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "[\r][\n]" [2019-12-12 17:30:08,290] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "14[\r][\n]" [2019-12-12 17:30:08,291] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "{ "hello": "world" }[\r][\n]" [2019-12-12 17:30:08,292] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "0[\r][\n]" [2019-12-12 17:30:08,293] DEBUG - wire HTTPS-Listener I/O dispatcher-5 << "[\r][\n]" And also according to the doc :  DEBUG - wire >> Represents the message coming into the API Gateway from the wire. DEBUG - wire << Represents the message that goes to the wire from the API Gateway.   I use AWS Lambda to retrieve the WSO2-APIM logs, which are stored in AWS CloudWatch. I've just started using Splunk so I'm not very good at SPL. I would like Splunk to process events with SPL and then output something like this : Date, loglevel, action_https, correlationID, message, duration [2019-12-12 17:30:08,091], DEBUG, HTTPS-Listener, dispatcher-5, "GET /helloWorld/1.0.0 HTTP/1.1[\r][\n]" "Host: localhost:8243[\r][\n]" "User-Agent: curl/7.54.0[\r][\n]" "accept: */*[\r][\n]" "Authorization: Bearer 07f6b26d-0f8d-312a-8d38-797e054566cd[\r][\n]" "[\r][\n]", 006 [2019-12-12 17:30:08,105], DEBUG, HTTPS-Listener, dispatcher-1, "GET /v2/5df22aa131000084009a30a9 HTTP/1.1[\r][\n]" "accept: */*[\r][\n]" "Host: www.mocky.io[\r][\n]" "Connection: Keep-Alive[\r][\n]" "User-Agent: Synapse-PT-HttpComponents-NIO[\r][\n]" "[\r][\n]", 005 [2019-12-12 17:30:08,266], DEBUG, HTTPS-Sender, dispatcher-1, "HTTP/1.1 200 OK[\r][\n]" "Server: Cowboy[\r][\n]" "Connection: keep-alive[\r][\n]" "Date: Thu, 12 Dec 2019 12:00:08 GMT[\r][\n]" "Content-Type: application/json[\r][\n]" "Content-Length: 20[\r][\n]" "Via: 1.1 vegur[\r][\n]" "[\r][\n]" "{ "hello": "world" }", 010 [2019-12-12 17:30:08,282], DEBUG, HTTPS-Listener, dispatcher-5, "HTTP/1.1 200 OK[\r][\n]" "Access-Control-Expose-Headers: [\r][\n]" "Access-Control-Allow-Origin: *[\r][\n]" "Access-Control-Allow-Methods: GET[\r][\n]" "Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,Authorization[\r][\n]" "Content-Type: application/json[\r][\n]" "Via: 1.1 vegur[\r][\n]" "Date: Thu, 12 Dec 2019 12:00:08 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "[\r][\n]" "14[\r][\n]" "{ "hello": "world" }[\r][\n]" "0[\r][\n]" "[\r][\n]", 011 Do you have any ideas on how to do this with SPL in the Search App? Thank you for those who took the time to read and reply to me. ... View more
Labels

Network prerequisites Splunk Universal Forwarder

by in Deployment Architecture
‎03-18-2024 03:34 AM
‎03-18-2024 03:34 AM
Hello everyone,  In my splunk journey, I've to make a documentation for the installation of the Universal Forwarder. Ours Forwarders will be install VMs who are on a private network so we need some configuration on the network to let the Universal Forwarder to send data to the indexers splunk. Ours indexers are install on another private network, we created a rule on the network to receive data on the port 9997 of the Splunk server. I'm looking for network prerequisites before the installation of the fowarder. What rules we have to create on the Forwarder's network ? What port we have to open on the Forwarder's network ? Do we need to create a specific flow for the Forwarder to send data to the indexers? What protocol we have to setup on the Forwarder's network? Thank for all who read me, ... View more
Labels

Why "*" start does not include the void value

by in Splunk Search
‎01-16-2024 07:58 AM
‎01-16-2024 07:58 AM
Hello everyone,  I'm working on Splunk Entreprise and on the Search & Reporting app.  I made many drop-down menu to filter my data.  I've a special field who can be "void" and with value.  How can I make include the void value on the drop-down menu's ?  Because when I select "*" on the drop-down menu Splunk return all the value of the field but I want to select the "void" value too. Thanks in advance! ... View more
Labels

Re: Search Bar

by in Dashboards & Visualizations
‎01-09-2024 07:52 AM
‎01-09-2024 07:52 AM
It works, even if I have to manage the time range. Thanks a lot! 🙂 ... View more

Re: Search Bar

by in Dashboards & Visualizations
‎01-09-2024 06:50 AM
‎01-09-2024 06:50 AM
Thank you for your reply. I have a dashboard. I would like to add a search bar, where a user can enter a talend's job name and launch a search with a button. Example: I would like to put it in a <fieldset> tag.   ... View more

Search Bar

by in Dashboards & Visualizations
‎01-09-2024 06:39 AM
‎01-09-2024 06:39 AM
Hello everyone and Happy New Year 🙂   I'm newbie with splunk. And I try to make a full dynamique dashboard with the app Search & Reporting.  I work on Talend's logs. I'm looking for to create a search bar for searching job directly but do not use the drop-down menus.  Is there solution to make a search bar on top of the dashboard with "search" button ?  Thanks for reading me.  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma given to