Getting Data In

Wrong parameters on macOS and logd input?

isoutamo
SplunkTrust

Hi

I'm trying to ingest macOS logd into Splunk Cloud. When I enable the logd input it doesn't work. Based on the logs, it uses the "log show" command wrongly.

log show --style ndjson --no-backtrace --no-debug --no-info --no-loss --no-signpost --predicate 'subsystem == "com.apple.TimeMachine" && eventMessage CONTAINS[c] "backup"' --start 2024-10-18 16:47:55 --end 2024-10-18 16:48:25

It should be

log show --style ndjson --no-backtrace --no-debug --no-info --no-loss --no-signpost --predicate 'subsystem == "com.apple.TimeMachine" && eventMessage CONTAINS[c] "backup"' --start "2024-10-18 16:47:55" --end "2024-10-18 16:48:25"

Has anyone noticed this, and does anyone have a fix for it, or should I just create a support ticket?

r. Ismo


sainag_splunk
Splunk Employee

Hello @isoutamo, missing double quotes, parsing failing?

Looks like a bug to me. We had an old similar type of bug some time back on Splunk version 6.

isoutamo
SplunkTrust

Thanks. I will create a support case for this. Do you have the old case ID on hand?

sainag_splunk
Splunk Employee

I found this old bug "SPL-109918", combined with a different issue though.

Thanks.


isoutamo
SplunkTrust
Case created.

Hod152
Explorer

Hey.
Any updates regarding the bug? I found the same issue using the latest Splunk (9.3.2).

isoutamo
SplunkTrust
Not yet. I'm still discussing with support whether this is a bug or something else. Currently we are waiting for a (final?) answer from developers/PM to hear what their plans for it are.

isoutamo
SplunkTrust
Fix for this will be SPL-266957.

Hod152
Explorer

Thanks,
Is there any temporary solution? An older universal forwarder version?
Collecting with a script is blocked by Apple.

isoutamo
SplunkTrust
I think that using a script should work. Just use sudo without a password and with the exact command if needed.
Splunk has recognized this as a bug, but I haven't yet got either a Jira or an estimated fix version/time.
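Added example, not from the thread or from Splunk: a scripted-input style wrapper around `log show` that passes each timestamp as one argument, beside the word-split form from the buggy command, plus a checkpoint helper so successive runs pick up where the last one ended. PREDICATE, LOG_CMD and the checkpoint path are this example's own assumptions.

```bash
#!/bin/bash
# Wrapper for macOS `log show` that quotes --start/--end correctly.
# PREDICATE, LOG_CMD and CHECKPOINT are assumptions of this example, not Splunk settings.
set -u

PREDICATE='subsystem == "com.apple.TimeMachine" && eventMessage CONTAINS[c] "backup"'
LOG_CMD="${LOG_CMD:-log}"                            # real binary on macOS; overridable for dry runs
CHECKPOINT="${LOGD_CHECKPOINT:-/tmp/logd_last_end}"  # assumed checkpoint location

# Accept only "YYYY-MM-DD HH:MM:SS"; anything else is refused before it reaches log(1).
is_timestamp() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-in for `log` in dry runs: prints how many arguments it received.
count_args() { echo "$#"; }

# Correct form: "$start" and "$end" stay one word each, so `log` sees 14 arguments.
logd_show() {
  local start="$1" end="$2"
  is_timestamp "$start" && is_timestamp "$end" || return 2
  "$LOG_CMD" show --style ndjson --no-backtrace --no-debug --no-info --no-loss \
    --no-signpost --predicate "$PREDICATE" --start "$start" --end "$end"
}

# The form from the thread's buggy command: the unquoted timestamps word-split, so
# `log` sees "--start 2024-10-18" followed by a stray "16:47:55" (16 arguments).
logd_show_unquoted() {
  local start="$1" end="$2"
  # shellcheck disable=SC2086
  "$LOG_CMD" show --style ndjson --no-backtrace --no-debug --no-info --no-loss \
    --no-signpost --predicate "$PREDICATE" --start $start --end $end
}

# Collect from the saved checkpoint (or the last 30 s on first run) up to now,
# then advance the checkpoint only if `log show` succeeded.
collect_since_checkpoint() {
  local now start
  now=$(date '+%Y-%m-%d %H:%M:%S')
  if [ -r "$CHECKPOINT" ]; then
    start=$(cat "$CHECKPOINT")
  else  # BSD date on macOS first, GNU date as fallback
    start=$(date -v-30S '+%Y-%m-%d %H:%M:%S' 2>/dev/null || date -d '30 seconds ago' '+%Y-%m-%d %H:%M:%S')
  fi
  logd_show "$start" "$now" && printf '%s\n' "$now" > "$CHECKPOINT"
}
```

Run `collect_since_checkpoint` from a scripted input under a passwordless sudo entry limited to this exact command; with `LOG_CMD=count_args` the two functions can be compared on any system without `log`.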