Hi @Cyner__ , you should run the telnet from the client, not from the server:
telnet my-private-ip 9997
If it doesn't answer, there's something in the middle (e.g. personal firewalls) that blocks the connection. Ciao. Giuseppe
When you complete the setup it will create a local/passwords.conf. You're saying you don't have a passwords.conf, so did you complete the setup? If so, did you set the default org/key, or did you name it something other than default? When you have default set, you don't have to specify the org or key with the openai/ChatGPT command.
The following two errors repeat every minute in splunkd.log on Splunk Enterprise. What is causing this?
06-07-2024 10:45:00.314 +0200 ERROR ExecProcessor [2519201 ExecProcessorSchedulerThread] - message from "/data/splunk/bin/python3.7 /data/splunk/etc/apps/search/bin/quarantine_files.py" Quarantine files framework - Unexpected error during execution: Expecting value: line 1 column 1 (char 0)
06-07-2024 10:45:00.314 +0200 ERROR ExecProcessor [2519201 ExecProcessorSchedulerThread] - message from "/data/splunk/bin/python3.7 /data/splunk/etc/apps/search/bin/quarantine_files.py" Quarantine files framework - Setting enable_jQuery2 - Unexpected error during execution: Expecting value: line 1 column 1 (char 0)
Thanks for the help @gcusello. But my problem still occurs. When I use telnet with port 9997 to my computer (tried both private and public IP), telnet gives a "connection timed out" error. I already enabled receiving. I don't know if I enabled the forwarder or not, but I started it with the command and configured the output and input file. This is inputs.conf:
[monitor:///home/cowrie/cowrie/var/log/cowrie/cowrie.json]
index = cowrie
sourcetype = json
disabled = false
This is output.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = my-private-ip:9997
Sorry if I missed something; as I said, I'm new to both Linux and Splunk.
Splunk to Slack report integration not displaying all events in the results from the output. So we have a report running which will have the records below in its output. But Splunk reports triggered to Slack will display only the first record in the alert description/summary. How do I get the entire thing in the alert summary/description?
UnmappedActions
test, some value
test, some value
test, some value
base search | stats values(unmapped_actions) as UnmappedActions
Hello @marysan - thanks for this. I have created this email_subject field, and when used within the Email Body as $email_subject$ it worked fine, but not when used in the Email Subject. Can you please suggest if I am missing something?
| eval email_subject=MonthYear." - ".Customer." - ".CheckName." - ".Device
Thank you.
Thanks again, gcusello. Much appreciated. I need to add <"values.interface" AS interface> in rename, correct? I executed the following query.
index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*) earliest="06/07/2024:08:28:14"
| rename
"tags.next-hop-group" AS tags_next_hop_group
"tags.index" AS tags_index
"tags.ipv4-entry_prefix" AS ipv4_entry_prefix
"tags.network-instance_name" AS network_instance_name
"values.interface" AS interface
| eval tags_index=coalesce(tags_index, tags_next_hop_group)
| stats
values(ipv4_entry_prefix) AS ipv4_entry_prefix
values(network_instance_name) AS network_instance_name
values(interface) AS interface
BY tags_index
| sort ipv4_entry_prefix network_instance_name
Then I received the following result. My expectation is that "Ethernet48" appears in the 1st and 2nd line. The data is as follows. Many thanks, Kenji
Hi @Cyner__ , at first, did you follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents ? In other words: did you check the open route between the UF and Splunk on port 9997 (default)? You can do this using telnet. Did you enable receiving in Splunk Enterprise? [Settings > Forwarding and Receiving > Receiving] Did you enable forwarding in the Universal Forwarder? When you have done the above steps, you can check the connection using the following search:
index=_internal host=your_client_host
Ciao. Giuseppe
You could try something like this:
index=foo message="magic string" duration > [search index=foo message="magic string" | stats p99(duration) as search]
| stats count as "# of Events with Duration > p99"
I am a newbie to Splunk. Any help is appreciated. So I have Splunk Enterprise on my Windows computer and a Splunk forwarder on an Ubuntu VPS server with a Cowrie honeypot built in. So my problem is, when I try to ping test my local computer with the VPS server, I have 100% packet loss. Also the splunkd log file is full of "cooked connection to "my-local-ip" timed out" and "... blocked for blocked_seconds=3000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data." errors. Thanks for helping. I am waiting for your response.
@jrs42 you can use 'stats' instead of 'eventstats' to optimize:
index=foo message="magic string" | stats p99(duration) as p99val, count(eval(duration > p99(duration))) as count
Hi @shimada-k , sorry, I mistyped the field name. Probably the interface field name is different, probably it's only "interface". Please see the exact field name and replace it in the search:
index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*)
| rename
"tags.next-hop-group" AS tags_next_hop_group
"tags.index" AS tags_index
"tags.ipv4-entry_prefix" AS ipv4_entry_prefix
"tags.network-instance_name" AS network_instance_name
| eval tags_index=coalesce(tags_index, tags_next_hop_group)
| stats
values(ipv4_entry_prefix) AS ipv4_entry_prefix
values(network_instance_name) AS network_instance_name
values(interface) AS interface
BY tags_index
| sort ipv4_entry_prefix network_instance_name
Ciao. Giuseppe
Assuming you are changing the groupby_field token in the change handler of the time selection input, which is essentially the input that is being waited for, you could also initialise the groupby_field token in an init block in SimpleXML; it is perhaps a little more complicated to do in Studio.