Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-08-2024
01:42 PM
1 Karma
You could manually set the _time value to the time when the scheduled search is run.
e.g.
| eval _time = now()
03-08-2024
01:40 PM
@richgalloway - thanks for the response. I just wanted to make sure that I understood correctly that the cluster bundle must be pushed to indexers before the redundant CMs get the settings.
03-08-2024
01:35 PM
1 Karma
The standby CM will receive the apps after they have been sent to the indexers. If I understand the question correctly, that means you must manually deploy the cluster bundle as part of setting up C...
See more...
The standby CM will receive the apps after they have been sent to the indexers. If I understand the question correctly, that means you must manually deploy the cluster bundle as part of setting up CM Redundancy. See https://docs.splunk.com/Documentation/Splunk/9.0.8/Indexer/CMredundancy#Update_the_peer_nodes.27_configuration_bundle
03-08-2024
01:14 PM
What is the version of Python at Splunk 9.2? We are currently at Splunk 9.1.0.2 and that version of Python (3.7.16) is already EOL. In our environment, we need to be at a supported version of Python.
Labels
- Labels:
-
using Splunk Enterprise
03-08-2024
01:14 PM
Hi @Harish2 , sorry there was an error: | tstats
count
latest(_time) as _time
WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs
BY host
| eval date=strftime(_time,"%Y-%m-%...
See more...
Hi @Harish2 , sorry there was an error: | tstats
count
latest(_time) as _time
WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs
BY host
| eval date=strftime(_time,"%Y-%m-%d")
| search NOT [ | inputlookup calendsr.csv WHERE type="holyday" | fields date ] in in the lookup calendar.csv you have date type
2024-03-08 normal
2024-03-09 holyday
2024-03-10 holyday the alert will not trigger in the 2024-03-09. Ciao. Giuseppe
03-08-2024
01:10 PM
Hello, Why does changing addtime=false on scheduled summary index - advanced edit has no effect? Thank you for your help. Advanced Edit: After the scheduled summary index ran on a sche...
See more...
Hello, Why does changing addtime=false on scheduled summary index - advanced edit has no effect? Thank you for your help. Advanced Edit: After the scheduled summary index ran on a scheduled time, the latest search on "view recent" still showed "addtime=t", instead of "addtime=f" addtime=false worked if I ran it manually
Labels
- Labels:
-
timechart
03-08-2024
12:34 PM
2 Karma
The field is "Country" not "country". Try ...
| iplocation src_ip
| geostats count by Country Happy Splunking! -Rich
03-08-2024
12:20 PM
2 Karma
The iplocation command generates the capitalized field "Country", not "country", so it should work if you capitalize Country: | geostats count by Country
03-08-2024
10:35 AM
Any fixes for this?
03-08-2024
10:30 AM
Hi @Osama.Abbas
I noticed the Community has not yet jumped in to help. Did you happen to make any discoveries or find a solution you could share?
03-08-2024
10:28 AM
Hi @David.Machacek,
I noticed the Community has not yet jumped in to help. Did you happen to make any new discoveries or find a solution you could share? If you have not, you can always contact ...
See more...
Hi @David.Machacek,
I noticed the Community has not yet jumped in to help. Did you happen to make any new discoveries or find a solution you could share? If you have not, you can always contact AppD Support. How do I submit a Support ticket? An FAQ
If you do contact Support, it would be awesome if you came back and shared any learnings or outcomes here as a reply.
03-08-2024
10:09 AM
I am now seeing the following error log 2024-03-08 13:06:35,386 level=ERROR pid=34152 tid=MainThread logger=modular_inputs.mscs_azure_event_hub pos=mscs_azure_event_hub.py:run:939 | datainput="PFG-A...
See more...
I am now seeing the following error log 2024-03-08 13:06:35,386 level=ERROR pid=34152 tid=MainThread logger=modular_inputs.mscs_azure_event_hub pos=mscs_azure_event_hub.py:run:939 | datainput="PFG-AzureEventHub" start_time=1709903177 | message="Error occurred while connecting to eventhub: Failed to initiate the connection due to exception: Websocket failed to establish connection: SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')
Error condition: ErrorCondition.SocketError
Error Description: Failed to initiate the connection due to exception: Websocket failed to establish connection: SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')"
03-08-2024
09:50 AM
Hi @gcusello , i tried the query, still i am getting alerts
03-08-2024
09:36 AM
Any reason why this can't be visualized in a geo cluster map? source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 17.0.0.0/8) action=DROP src_ip!="162.159.192.9...
See more...
Any reason why this can't be visualized in a geo cluster map? source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 17.0.0.0/8) action=DROP src_ip!="162.159.192.9" | iplocation src_ip | geostats count by country
Labels
- Labels:
-
count
03-08-2024
09:03 AM
i have splunk index configured in my openshift cluster as a configmap, now if i change the index on the cluster still my container logs are moving to the old index. is there something i am missing?
03-08-2024
08:56 AM
Hi @Harish2 , instead of appendcols thet run as it prefer, please try this: | tstats
count
latest(_time) as _time
WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs NOT [ | inp...
See more...
Hi @Harish2 , instead of appendcols thet run as it prefer, please try this: | tstats
count
latest(_time) as _time
WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs NOT [ | inputlookup calendsr.csv WHERE type="holyday" | fields date ]
BY host Ciao. Giuseppe
03-08-2024
08:30 AM
Hello all - Trying to get Azure Event Hub data to flow into Splunk. Having issues configuring it with the add-on for Microsoft Cloud Services. I have configured an app in Azure that has Reader & Ev...
See more...
Hello all - Trying to get Azure Event Hub data to flow into Splunk. Having issues configuring it with the add-on for Microsoft Cloud Services. I have configured an app in Azure that has Reader & Event Hub Receiver roles. Event Hub has been configured it receive various audit information. I am trying to configure the input. But receive error message in splunk_ta_microsoft_cloudservices_mscs_azure_event_hub_XYZ.log Error - 2024-03-08 16:20:31,313 level=ERROR pid=22008 tid=MainThread logger=modular_inputs.mscs_azure_event_hub pos=mscs_azure_event_hub.py:run:939 | datainput="PFG-AzureEventHub1" start_time=1709914805 | message="Error occurred while connecting to eventhub: CBS Token authentication failed.
Status code: None
Error: client-error
CBS Token authentication failed.
Status code: None" I then tried to input the Connection string-primary key in the FQDN space, but receive the below error message. This is occurring because it is trying to create a ckpt file, but the file path is too long and it contains invalid characters. 2024-03-08 14:41:32,112 level=ERROR pid=34216 tid=MainThread logger=modular_inputs.mscs_azure_event_hub pos=utils.py:wrapper:72 | datainput="PFG-AzureEventHub1" start_time=1709908886 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "L:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\lib\splunksdc\utils.py", line 70, in wrapper
return func(*args, **kwargs)
File "L:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\lib\modular_inputs\mscs_azure_event_hub.py", line 933, in run
consumer = self._create_event_hub_consumer(workspace, config, credential, proxy)
File "L:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\lib\modular_inputs\mscs_azure_event_hub.py", line 851, in _create_event_hub_consumer
args.consumer_group,
File "L:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\lib\modular_inputs\mscs_azure_event_hub.py", line 238, in open
checkpoint = SharedLocalCheckpoint(fullname)
File "L:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\lib\modular_inputs\mscs_azure_event_hub.py", line 103, in __init__
self._fd = os.open(fullname, os.O_RDWR | os.O_CREAT)
FileNotFoundError: [Errno 2] No such file or directory: 'L:\\Program Files\\Splunk\\var\\lib\\splunk\\modinputs\\mscs_azure_event_hub\\Endpoint=sb://REDACTED.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=REDACTED-insights-activity-logs-$Default.v1.ckpt' Here is my inputs.conf file for the add-on [mscs_azure_event_hub://PFG-AzureEventHub1]
account = AzureActivity
consumer_group = $Default
event_hub_name = insights-activity-logs
event_hub_namespace = REDACTED.servicebus.windows.net
index = azure-activity
interval = 300
max_batch_size = 300
max_wait_time = 10
sourcetype = mscs:azure:eventhub
use_amqp_over_websocket = 1 I have been stuck on this for the past couple of days. Any advice would be greatly appreciated!
Labels
- Labels:
-
heavy forwarder
-
inputs.conf
03-08-2024
08:19 AM
Hi @gcusello , my goal is to i don't want to receive the alerts during certain days. For example in csv file i gave todays date. My alert condition is count >0, corn job is 15mins for last 15 minu...
See more...
Hi @gcusello , my goal is to i don't want to receive the alerts during certain days. For example in csv file i gave todays date. My alert condition is count >0, corn job is 15mins for last 15 minutes. time range. Used below query still i am receiving alerts. | tstats
count
latest(_time) as _time
WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs
BY host
|where count >0
| appendcols [ | makeresults
| eval date=strftime(_time, "%m/%d/%Y")
| lookup calendsr.csv date OUTPUT type
| eval type=if(isnotnull(type),type,"NotHoliday"]
03-08-2024
08:16 AM
Recently our TA was rejected for Splunk Cloud compatibility due to a configuration option that would allow our customers to disable SSL verification so that they can make the REST API calls to a serv...
See more...
Recently our TA was rejected for Splunk Cloud compatibility due to a configuration option that would allow our customers to disable SSL verification so that they can make the REST API calls to a server that has a self-signed TLS certificate. The TA is using Python code for the inputs, and one of the configuration options when setting up the input was to Enable or Disable SSL Verification. Customers using servers with self-signed certificates could opt to disable verification. This would set the verify parameter to the helper.send_http_request to False. This option passed Cloud compatibility until recently when we were notified that external network calls must be made securely and so our TA no longer qualified for Cloud compatibility with the option to set verify=False. Has anyone else ran into this issue and is there a solution other than forcing customers to purchase TLS certificates from a trusted CA? I did see there is an option to the helper.send_http_request call to specify the CA bundle, but we do not have any control over what CA is used to generate the self-signed certificate so there is no way to include a bundle in the TA. Any suggestions are welcome.
03-08-2024
07:56 AM
Hi @rbakeredfi, forgetting for a moment the use of Windows that I'd avoid in production systems! how many logs this HF must manage? are there many syslogs? if yes how do you input them using Splun...
See more...
Hi @rbakeredfi, forgetting for a moment the use of Windows that I'd avoid in production systems! how many logs this HF must manage? are there many syslogs? if yes how do you input them using Splunk inputs or an external rsyslog server? Are you sure to have a performant network between the HF and the Indexers? are Indexers overloaded or not? Ciao. Giuseppe
