Questions tagged [splunk]

Splunk is a tool for collecting, monitoring, visualizing and analyzing machine data from any source. You may receive faster responses at answers.splunk.com, which is actively monitored by Splunk employees.

Splunk

You may receive faster responses at community.splunk.com, which is actively monitored by Splunk employees.

Splunk is a tool for collecting, monitoring, and analyzing log files from servers, applications, or other sources. The primary features of Splunk include:

  • Collecting logs from multiple sources into a single location, so they can be used without accessing individual servers
  • Parsing logs of arbitrary formats, including free-form logs with no defined fields
  • Advanced querying of logs, including
    • combining results from different sources
    • filtering based on identified field values and pattern matching
    • analyzing records using statistical and mapping functions
  • Visualizing real-time data
  • Creating dashboards of various visualizations

The name "Splunk" is a play on spelunking, the hobby of cave exploring.

Splunk is available as both an enterprise application that runs on your servers (with a free tier) and a hosted service known as Splunk Cloud.

2246 questions
35 votes · 2 answers

What do (?i) and ?@ in this regex mean?

In the following regex, what do "(?i)" and "?@" mean? (?i)<.*?@(?P\w+\.\w+)(?=>) I know that "?" means zero or one and that i sets case insensitivity. This regex captures domains from an email address in a mailto field, but does not…
Deesbek
14 votes · 3 answers

"Error L10 (output buffer overflow)" when writing to Splunk drain

I'm pushing my logs to a local Splunk installation. Recently I found that the following error repeats a lot (about once every minute): Error L10 (output buffer overflow): 7150 messages dropped since 2013-06-26T19:19:52+00:00.134 <13>1…
ripper234
12 votes · 2 answers

How do I escape values in Splunk?

Splunk best practices say to use key/value pairs. It also says to wrap values in quotes if they contain spaces. So, let's say I have a raw value of Fred Smith: my_key=name my_value="Fred Smith" That's fine, I've added the quotes. But what if I…
Steve Dunn
11 votes · 1 answer

How to ignore a specific substring in a Splunk query

I need some help generating an appropriate Splunk query. I have searched for this but could not come up with a solution. Currently, I want to ignore all error alerts that are generated for logs with only ev31=error; term. If we use NOT ev31=error; in…
peaceamit
10 votes · 2 answers

Splunk HttpEventCollectorLogbackAppender how to set source and host?

I'm using the Splunk HttpEventCollectorLogbackAppender to automatically send application logs to Splunk. I've been trying to set the host, source, and sourcetype but am not having any luck getting them sent to Splunk. Is it possible to set the host,…
Catfish
8 votes · 2 answers

How to get a URL to a specific Splunk event?

How can I get a URL to a specific Splunk event from a list of Splunk events returned by a search? If it's not possible, and I need to create a search that only returns that event, is there some unique id for each event that I can use in the query?
Rob Bednark
8 votes · 2 answers

Why create splunk dashboards vs views?

I'm trying to figure out why anyone would want to create a dashboard in Splunk. Views allow you to add forms along with any charts and searches, while dashboards do not. So, why would I want to make a dashboard? Is there any advantage of one vs the…
caffein
7 votes · 1 answer

Embedding conf files into a Helm chart

I'm new at Helm. I'm building a Splunk Helm chart with numerous conf files. I currently use something like this in a configmap: apiVersion: v1 kind: ConfigMap metadata: name: splunk-master-configmap data: indexes.conf: | # global settings …
Nick Gleed
7 votes · 1 answer

Group event counts by hour over time

I currently have a query that aggregates events over the last hour, and alerts my team if events are over a specific threshold. The query was recently accidentally disabled, and it turns out there were times when the alert should have fired but did…
jjohnson8
7 votes · 2 answers

Alternatives to App Engine's native logging API?

Does anyone have any advice on making the logging in Google App Engine better? I am currently trying to use Splunk Storm, but they are finicky regarding input and go down often. Has anyone else encountered this and solved it in some…
Mantas Vidutis
6 votes · 1 answer

SignalFx formula: set 0 if no timeseries found

I have the following formula in a SignalFx chart, but it's not showing any results because F has 0 timeseries. How can I display it as 0 instead of this blank line? F = data('myapi.job.count', filter=filter('environment_type', '*') and…
S.Dan
6 votes · 2 answers

Get distinct results (filtered results) of Splunk Query based on a results field/string value

I have a Splunk query something like index=myIndex* source="source/path/of/logs/*.log" "Elephant" This brings up about 2,000 results, which are JSON responses from one of my APIs that include the word "Elephant". This is kind of what I want -…
ennth
6 votes · 1 answer

Splunk query for matching lines that do not contain text

To find logging lines that contain "gen-application" I use this search query: source="general-access.log" "*gen-application*" How do I amend the query so that lines that do not contain "gen-application" are returned? source="general-access.log"…
blue-sky
6 votes · 2 answers

How do I pass a result from one search into the IN clause of another search in Splunk?

I run a query and get a list of custId in the form of a table. How do I pass this result into another search query inside an IN clause? e.g.: search 1: index=* "successful login for"|table custID This gives me a table with the column custID. Then I have to…
6 votes · 1 answer

Return Number of Errors From Splunk Search in Python

Is there any way to get the number of errors that occurred during a Splunk search with the splunklib.results module or any of the splunklib modules? Below is my code so far: #purpose of script: To connect to Splunk, execute a query, and write the…
pHorseSpec