Hi @MK2, the monitoring console is ostensibly the best place to check your forwarder versions, although keep in mind all the data there is populated by internal Splunk searches, so you can actually search the data yourself if you need a different visualization, for example:

index="_internal" source="*metrics.lo*" group=tcpin_connections
| dedup guid
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf","lightweight forwarder", fwdType=="full","heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")
| eval build=if(isnull(build),"n/a",build)
| eval version=if(isnull(version),"pre 4.2",version)
| eval guid=if(isnull(guid),sourceHost,guid)
| eval os=if(isnull(os),"n/a",os)
| eval arch=if(isnull(arch),"n/a",arch)
| table sourceHost connectionType sourceIp sourceHost ssl ack build version os arch guid
I assume the answer is to check Forwarder Management under Settings, or to check Forwarder Deployment in the Monitoring Console. Is there any other way?
In the "better late than never" category of answers (and I realize this answer might not have been available in previous versions of Splunk)... It's unclear, from the original question, if the "ip:port" belongs to the service or to the client. If it belongs to the service, then every timeout uniquely identifies the service, and all that needs to be done is to count the timeouts and then map in the service name:

| makeresults
| eval data="CONNECTION-1.1.1.1:1: connect() timeout,[service_with_2_timeouts] tearing down tcp connection [1.1.1.1.1],CONNECTION-1.1.1.2:2: connect() timeout,[service_with_1_timeout] tearing down tcp connection [1.1.1.2.2],[service_with_no_timeouts] tearing down tcp connection [1.1.1.3.3],CONNECTION-1.1.1.1:1: connect() timeout,[service_with_2_timeouts] tearing down tcp connection [1.1.1.1.1]"
| eval mvdata=split(data,",")
| mvexpand mvdata
``` Everything above this is to generate sample data ```
| eval is_timeout=if(like(mvdata,"%connect() timeout%"),1,0)
| rex field=mvdata "CONNECTION-(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<port>\d+): connect\(\) timeout"
| rex field=mvdata "\[(?<service_name>[^\]]+)\] tearing down tcp connection \[(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<port>\d+)\]"
| stats first(service_name) as service_name, sum(is_timeout) as timeout_count by ip, port

If, on the other hand, the "ip:port" belongs to the client accessing the service, this is a bit more complicated, with too many potential solutions depending on details not available here.
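The same join of "connect() timeout" lines to "tearing down" lines, done outside Splunk as an added example (not code from the answer above): the log lines are constructed to match the answer's format, and note that the teardown line writes the endpoint as ip.port rather than ip:port.

```python
import re
from collections import defaultdict

# Constructed sample log lines, in the same format as the answer's makeresults data.
SAMPLE_LOG = """CONNECTION-1.1.1.1:1: connect() timeout
[service_with_2_timeouts] tearing down tcp connection [1.1.1.1.1]
CONNECTION-1.1.1.2:2: connect() timeout
[service_with_1_timeout] tearing down tcp connection [1.1.1.2.2]
[service_with_no_timeouts] tearing down tcp connection [1.1.1.3.3]
CONNECTION-1.1.1.1:1: connect() timeout
[service_with_2_timeouts] tearing down tcp connection [1.1.1.1.1]
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TIMEOUT_RE = re.compile(
    rf"^CONNECTION-(?P<ip>{IPV4}):(?P<port>\d+): connect\(\) timeout$")
# The teardown line encodes the endpoint as "ip.port", hence the literal dot before the port.
TEARDOWN_RE = re.compile(
    rf"^\[(?P<service>[^\]]+)\] tearing down tcp connection \[(?P<ip>{IPV4})\.(?P<port>\d+)\]$")


def timeouts_per_service(log_text):
    """Return {(ip, port): {"service": name or None, "timeout_count": n}},
    equivalent to the SPL `stats first(service_name), sum(is_timeout) by ip, port`."""
    rows = defaultdict(lambda: {"service": None, "timeout_count": 0})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TIMEOUT_RE.match(line)
        if m:
            rows[(m["ip"], int(m["port"]))]["timeout_count"] += 1
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            key = (m["ip"], int(m["port"]))
            # Like first(service_name): keep the first name seen for this endpoint.
            if rows[key]["service"] is None:
                rows[key]["service"] = m["service"]
    return dict(rows)


if __name__ == "__main__":
    for (ip, port), row in sorted(timeouts_per_service(SAMPLE_LOG).items()):
        print(f"{ip}:{port}  {row['service']}  timeouts={row['timeout_count']}")
```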
Hi @bmanikya please confirm if my understanding is correct: You want to match the "user" field from the first screenshot with the "user" field from the bd_users_hierarchy.csv lookup, and the "app_id" field from the third screenshot?
If I'm reading this right, you have data that has events with pods and their phases. In your example query, you appear to be using decimal values to create your ranges, but can we assume that the actual pod states fall on specific integers? Something like this might work:

| makeresults count=25
| eval phase=(random()%5)+1
``` Everything above here is just to create sample data ```
``` The following statement groups and counts phases ```
| stats count by phase
``` The following statement maps phases to a string equivalent ```
| eval label=case(phase=1,"A (Pending)", phase=2,"B (Running)", phase=3,"C (Succeeded)", phase=4,"D (Failed)", phase=5,"E (Stopping?)", 1=1,"Unknown")

If the phase values are not discrete, and the range you mention is necessary, then you can use a case statement like this:

| makeresults count=25
| eval phase=((random()%50)/10)+1
| eval phase_group=case(phase<1.5,1, phase<2.5,2, phase<3.5,3, phase<4.5,4, phase<5.5,5)
| stats count by phase_group
| eval label=case(phase_group=1,"A (Pending)", phase_group=2,"B (Running)", phase_group=3,"C (Succeeded)", phase_group=4,"D (Failed)", phase_group=5,"E (Stopping?)", 1=1,"Unknown")
Could you please share a screenshot?
Assume for the moment that these work individually:

Outputs1

[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

Outputs2

[tcpout]
defaultGroup = heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

If I understand the documentation correctly, all we would need to do is this:

[tcpout]
defaultGroup = primary_indexers, primary_heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

Is this correct? In this configuration the exact same data would be flowing to both destinations? There would be no issues binding the certificates to different stanzas? I appreciate the responses.
@leykmekoo A tip for the future:

| inputlookup your_lookup
| eval your_wildcard_field=your_wildcard_field."*"
| outputlookup your_lookup
Extract and test for the day of the week similar to how date_hour was done.

index=winsec source=WinEventLog:Security EventCode=6272
| eval date_hour = strftime(_time, "%H"), date_wday = strftime(_time, "%A")
| where date_hour >= 19 OR date_hour <= 06 OR date_wday = "Saturday" OR date_wday = "Sunday"
| timechart count(src_user)
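The same after-hours rule as an added Python example (not code from the answer above), useful for checking the boundary cases before trusting the search: it keeps the answer's inclusive bounds (hour >= 19 or hour <= 6) and adds the weekend test. The event list is constructed and stands in for EventCode 6272 events with their _time and src_user.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (local timestamp, src_user), standing in for
# WinEventLog:Security EventCode=6272 results. 2024-06-03 is a Monday.
SAMPLE_EVENTS = [
    ("2024-06-03 08:15:00", "alice"),  # Monday, business hours
    ("2024-06-03 19:05:00", "bob"),    # Monday, hour 19 -> after hours
    ("2024-06-04 06:30:00", "carol"),  # Tuesday, hour 6 -> after hours (<= 06)
    ("2024-06-04 07:00:00", "dave"),   # Tuesday, hour 7 -> business hours
    ("2024-06-08 12:00:00", "erin"),   # Saturday -> after hours
    ("2024-06-09 14:45:00", "bob"),    # Sunday -> after hours
    ("2024-06-05 18:59:00", "alice"),  # Wednesday, hour 18 -> business hours
]

AFTER_HOURS_START = 19   # mirrors `date_hour >= 19`
AFTER_HOURS_END = 6      # mirrors `date_hour <= 06` (06:00-06:59 counts as after hours)
WEEKEND = {"Saturday", "Sunday"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def is_after_hours(stamp):
    """True if a logon at this local timestamp is outside 07:00-18:59 on a weekday,
    or falls on a Saturday or Sunday (the same test as the SPL `where` clause)."""
    ts = datetime.strptime(stamp, TIME_FMT)
    wday = ts.strftime("%A")   # same as strftime(_time, "%A") in SPL
    return ts.hour >= AFTER_HOURS_START or ts.hour <= AFTER_HOURS_END or wday in WEEKEND


def after_hours_logins(events):
    """Return (matching events, per-user counts), like `timechart count(src_user)`
    but keyed by user instead of time bucket."""
    hits = [(stamp, user) for stamp, user in events if is_after_hours(stamp)]
    return hits, Counter(user for _, user in hits)


if __name__ == "__main__":
    hits, by_user = after_hours_logins(SAMPLE_EVENTS)
    for stamp, user in hits:
        print(f"{stamp}  {user}")
    print(dict(by_user))
```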
Hello, my current search is:

index=winsec source=WinEventLog:Security EventCode=6272
| eval date_hour = strftime(_time, "%H")
| where date_hour >= 19 OR date_hour <= 06
| timechart count(src_user)

This provides me with a graph of logins made after hours. I want to expand the acceptable items to include the entire days of Saturday/Sunday as well. When I attempt to add this, I get "no results". What would be the best way to include that?
We want to discuss this with technical support.   As of this time it seems we are acting as QA when we need a fix.  
Hi, I know this post is quite old but anyway, here is my stanza which is working fine:

[WinEventLog://Microsoft-Windows-BitLocker/BitLocker Management]
index = windows
disabled = 0
renderXml = 1
evt_resolve_ad_obj = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
sourcetype = XmlWinEventLog

Did you check the splunkd.log on your UF on start? Maybe the user running the Splunk Forwarder Service is not able to access the logs. Or there are just no logs available? On my site it is not written very frequently. The Splunk_TA_windows is also required on the UF.
Thank you for the reply and example! Greatly appreciated. Ken
Hi @Vishnu Teja.Katta, Thanks for asking your question on the Community. Since it's been a few days with no reply, did you happen to find any new information you could share? If you are looking for help still, you can contact Cisco AppDynamics Support. AppDynamics is migrating our Support case handling system to Cisco Support Case Manager (SCM). Read on to learn how to manage your cases.  
Hi @Roberto.Barnes, Thanks for asking your question on the community. It seems no one was able to offer any info. I think it would be helpful to reach out to your AppD Rep for more information on this or reach out to AppD Call a Consultant. https://community.appdynamics.com/t5/Knowledge-Base/A-guide-to-AppDynamics-help-resources/ta-p/42353#call-a-consultant
Hello @Kamal.Manchanda, Since it's been a few days and the community did not jump in, did you happen to find a solution yourself you can share? If you still need help, you can learn more about contacting Cisco AppDynamics Support here: AppDynamics is migrating our Support case handling system to Cisco Support Case Manager (SCM). Read on to learn how to manage your cases. 
The message appears because httpout is not configured.  The outputs.conf file shown defines tcpout, not httpout.  Since the [httpout] stanza is optional, these INFO messages can be ignored.
Hello @Surendra.Maddullapalli, It's been a few days with no reply from the community. Have you discovered a solution or have any further information you can share? If you are still looking for help, you can contact Cisco AppDynamics Support. AppDynamics is migrating our Support case handling system to Cisco Support Case Manager (SCM). Read on to learn how to manage your cases.