Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-27-2024
12:18 AM
@gcusello I have already tested by adding the below string to the monitoring stranza. But no luck was found.
02-27-2024
12:08 AM
1 Karma
Hi @uagraw01 , please try to use this header in the inputs.conf stanza: [monitor://\\WALVAU-SCADA-1\d$\CM\alarmreports\outgoing\*.xml] Ciao. Giuseppe
02-26-2024
11:40 PM
There has always been a problem with parsing a "headered" structured data. There is even an open idea about it. https://ideas.splunk.com/ideas/EID-I-208 The easiest way to go about it would be proba...
See more...
There has always been a problem with parsing a "headered" structured data. There is even an open idea about it. https://ideas.splunk.com/ideas/EID-I-208 The easiest way to go about it would be probably to parse the header into indexed fields if needed (most of it should already be parsed into _time and host; you could however want to have the process name and pid stored) and then strip the header completely with SEDCMD or INGEST_EVAL (I don't remember if SEDCMD works before or after transforms are called). This way you'd be left with an all-json event which Splunk can handle with proper KV_MODE.
02-26-2024
11:33 PM
1. It's a linux auditd log so you might want to use an add-on for auditd. That will make everyone's lives easier 2. How are you ingesting those logs? Locally by forwarder reading from /var/log/au...
See more...
1. It's a linux auditd log so you might want to use an add-on for auditd. That will make everyone's lives easier 2. How are you ingesting those logs? Locally by forwarder reading from /var/log/audit/auditd.log? Sent with syslog over the network? Whatever?
02-26-2024
11:18 PM
Copy-pasted and missed that closing one. Good catch.
02-26-2024
11:15 PM
1 Karma
Ingesting files over the network from CIFS share can be tricky. 1) Too many monitored files cause performance issues (but that might be an issue when it works in the first place) 2) The user the sp...
See more...
Ingesting files over the network from CIFS share can be tricky. 1) Too many monitored files cause performance issues (but that might be an issue when it works in the first place) 2) The user the splunkd.exe process runs with must be able to access the share. Since there is no additional authentication possible it works only in a domain environment if you run the forwarder process under domain account and grant this account proper permissions to the share (could also work - never tried it - if the share was public but that's not a good idea).
02-26-2024
10:59 PM
Hi We are facing below error while Run the search in search head. This is coming frequently and unable to solve it. We have checked bundle size & Network connectivity between Indexer & Search he...
See more...
Hi We are facing below error while Run the search in search head. This is coming frequently and unable to solve it. We have checked bundle size & Network connectivity between Indexer & Search heads. All looks good but still getting this below error. Please check and provide me hopeful solution on this. Unable to distribute to peer named uswaa-dopsidt01.cgdop.com at uri https://XXXX:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_BUNDLE_DATA_TRANSMIT_FAILURE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.
Labels
- Labels:
-
distributed search
02-26-2024
10:29 PM
Hi @Ryan.Paredez , Thanks for the info. I have found it in AppD portal by selecting 'Show Config ID' option
02-26-2024
09:59 PM
Hi @altink , retention is defined at index level, so you cannot have a different retention for a sourcetype. If you didn't modified the retention of this index ,by default it's 30 days and ususlly ...
See more...
Hi @altink , retention is defined at index level, so you cannot have a different retention for a sourcetype. If you didn't modified the retention of this index ,by default it's 30 days and ususlly is reducted to save disk space. See in the Monitoring Console or in [Settings > index] what's the latest event in your _internal index to understand the retention of your _internal index and eventually enlarge it changing the frozenTimePeriodInSecs parametr in $SPLUNK_HOME/etc/system/local/indexes.conf file _internal stanza. If you didn't modified this file before you haven't it in the local folder, so you have to copy the stand from the same file in the default folder. Ciao. Giuseppe
02-26-2024
09:53 PM
@gcusello I have a standalone Windows Splunk server, and from the same server I can able to access the network folder as provided in the screenshot earlier.
02-26-2024
09:53 PM
Hi @BTB , yes, as @yuanliu said, <my_index> means that you have to use the name of your index, without the angular brackets, and it should work. Ciao. Giuseppe
02-26-2024
09:51 PM
Hi @richgalloway , i added the year and it is working fine now. I want to only show the calendar week in the chart, any solution for this? What i understand is that we cannot change the labels.
02-26-2024
09:49 PM
1 Karma
Hi @uagraw01, please could you better describe your architecture? have you a stand alone Splunk server? have you a Forwarder or folders to monitor are accessed by the Splunk server? which user ar...
See more...
Hi @uagraw01, please could you better describe your architecture? have you a stand alone Splunk server? have you a Forwarder or folders to monitor are accessed by the Splunk server? which user are you usig to run Splunk on the the system accessing the folders to monior? have this user the grants to read the files? Ciao. Giuseppe
02-26-2024
09:11 PM
Hello Splunker In my request, I want to monitor the below files, which are under the network folder. I have configured indexes.conf, props.conf, inputs.conf & transforms.conf but nothing is workin...
See more...
Hello Splunker In my request, I want to monitor the below files, which are under the network folder. I have configured indexes.conf, props.conf, inputs.conf & transforms.conf but nothing is working for me to get data into Splunk. Please check my config and help or suggest me if any changes are required. inputs.conf : [monitor://\\WALVAU-SCADA-1\d$\CM\alarmreports\outgoing*] disabled = false index = scada host = WALVAU-SCADA-1 sourcetype = cm_scada_xml indexes.conf : [scada] coldPath = $SPLUNK_DB/scada/colddb enableDataIntegrityControl = 0 enableTsidxReduction = 0 homePath = $SPLUNK_DB/scada/db maxTotalDataSizeMB = 512000 thawedPath = $SPLUNK_DB/scada/thaweddb props.conf : [cm_scada_xml] KEEP_EMPTY_VALS = false KV_MODE = xml LINE_BREAKER = <\/eqtext:EquipmentEvent>() MAX_TIMESTAMP_LOOKAHEAD = 24 NO_BINARY_CHECK = true SEDCMD-first = s/^.*<eqtext:EquipmentEvent/<eqtext:EquipmentEvent/g SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3f%Z TIME_PREFIX = ((?<!ReceiverFmInstanceName>))<eqtext:EventTime> TRUNCATE = 100000000 category = Custom disabled = false pulldown_type = true TRANSFORMS-remove-xml-footer = remove-xml-footer TRANSFORMS-keep-came-in-and-went-out-states = keep-came-in-and-went-out-states FIELDALIAS-fields_scada_xml = "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.AreaID" AS area "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.ElementID" AS element "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.EquipmentID" AS equipment "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.ZoneID" AS zone "eqtext:EquipmentEvent.eqtext:ID.eqtext:Description" AS description "eqtext:EquipmentEvent.eqtext:ID.eqtext:MIS_Address" AS mis_address "eqtext:EquipmentEvent.eqtext:Detail.State" AS state "eqtext:EquipmentEvent.eqtext:Detail.eqtext:EventTime" AS event_time "eqtext:EquipmentEvent.eqtext:Detail.eqtext:MsgNr" AS msg_nr "eqtext:EquipmentEvent.eqtext:Detail.eqtext:OperatorID" AS operator_id "eqtext:EquipmentEvent.eqtext:Detail.ErrorType" AS error_type "eqtext:EquipmentEvent.eqtext:Detail.Severity" AS severity transforms.conf : [remove-xml-footer] REGEX = <\/eqtexo:EquipmentEventReport> DEST_KEY = queue FORMAT = nullQueue [keep-came-in-and-went-out-states] REGEX = <State>(?!CAME_IN|WENT_OUT).*?<\/State> DEST_KEY = queue FORMAT = nullQueue
Labels
- Labels:
-
data
02-26-2024
08:09 PM
I need to post some custom metrics to AppDynamics for analytics purpose. So I am trying to create new Transaction from application source code using below code. Transaction transaction = Appdynamic...
See more...
I need to post some custom metrics to AppDynamics for analytics purpose. So I am trying to create new Transaction from application source code using below code. Transaction transaction = AppdynamicsAgent.getTransaction(getProcessorName().name(), null, EntryTypes.POJO, false) However getting below while loading AppdynamicsAgenet class Caused by: java.lang.ClassNotFoundException: com.appdynamics.apm.appagent.api.NoOpInvocationHandler
at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
... 92 common frames omitted Anyone know how to fix this?
Labels
- Labels:
-
Agent Management
02-26-2024
08:06 PM
Hi SMEs, there are logs coming from one of the application in one single event. How to split it in a seperate log event. Like there are 3 diff logs which are tagged to one event log type=USER_ACCT m...
See more...
Hi SMEs, there are logs coming from one of the application in one single event. How to split it in a seperate log event. Like there are 3 diff logs which are tagged to one event log type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12221): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12223): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_ACCT msg=audit(Thu Sep 22 09:09:09 2023.333.12229): pid=12345 uid=0 auid=424242424 ses=6535872 subj=system_u:system_r:crond_t:s0-s0:c0.c1111 msg='op=PAM:accounting grantors=pam_access,pam_faillock,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
- Tags:
- parsing
Labels
- Labels:
-
field extraction
02-26-2024
07:56 PM
Hi SMEs, morning I have a situation where logs are coming from an application recently on-boarded in below format, seems like they are in JSON and should be parsed as per key:value mechanism. Any sugg...
See more...
Hi SMEs, morning I have a situation where logs are coming from an application recently on-boarded in below format, seems like they are in JSON and should be parsed as per key:value mechanism. Any suggestion how to fix it. Many thanks in advance <11>1 2024-02-27T03:22:53.376823921Z hostname-1 ipsec ipsecd[85] log - {"time":"2024-02-27T03:22:53.376823921Z","type":"log","level":"error","log":{"msg":"et_backend: connection failed while getting et keys"},"process":"ipsecd[85]","service":"ipsec","system":"hostname-1","neid":"414399","container":"784722400000","host":"hostname-1","timezone":"UAT"}
- Tags:
- parsing
02-26-2024
07:54 PM
I am using Splunk Enterprise version 9.2.0.1 ( Upgraded from 9.0.5 to latest). Before the upgrade, the Splunk deployment server is working as well. When Splunk DS was upgraded to version 9.2.0.1, w...
See more...
I am using Splunk Enterprise version 9.2.0.1 ( Upgraded from 9.0.5 to latest). Before the upgrade, the Splunk deployment server is working as well. When Splunk DS was upgraded to version 9.2.0.1, we saw issues with the client's server class. Client name: EC2AMAZ-XXXXX 1. Client in DS server before upgraded (9.0.5) Splunk Server class: UF_input_WIN, UF_output 2. Client in DS server after upgraded (9.2.0.1) Server class: UF_input_Linux, UF_output The server class "UF_input_Linux" only filters by machine type Linux (see section 3 below). I did not know why this server class is applied to this windows client 3. "UF_input_Linux" Server class configuration 4. "UF_input_WIN" Server class configuration Client is listed in the match list on UF_input_WIN server class Is that a bug? The filter Machine type does not work correctly. I did not change any thing on server class & app when upgraded Splunk DS. Does anyone know or meet this issue before?
Labels
- Labels:
-
using Splunk Enterprise
02-26-2024
07:52 PM
Came looking for an answer to this as well - seems there has been an idea for this for some time now .. https://ideas.splunk.com/ideas/EID-I-717
02-26-2024
06:51 PM
Was getting similar errors too. Adding the /raw in my curl statement resolved the issue.
