Hello,
I am adding an Alert Action with Splunk Add-on Builder, but when I click “save” it basically goes in timeout.
01-16-2024 17:01:31.340 +0100 ERROR HttpClientRequest [24831 TcpChannelThread] - HTTP client error=Read Timeout while accessing server=http://127.0.0.1:8065 for request=http://127.0.0.1:8065/en-US/custom/splunk_app_addon-builder/app_edit_modularalert/add_modular_alert.
In the meanwhile, if I open a new tab in the browser, whichever page I request falls in timeout as well.
01-16-2024 17:02:18.114 +0100 ERROR HttpClientRequest [7954 TcpChannelThread] - HTTP client error=Read Timeout while accessing server=http://127.0.0.1:8065 for request=http://127.0.0.1:8065/en-US.
Looking into the /opt/splunk/etc/apps folder, it seems my app is stuck in the TA-splunk-myapp_temp_output folder while it is saving.
splunk@SearchHead:~/etc/apps > ls -latr
drwxrwxrwx 10 splunk splunk 4096 Jan 15 16:02 TA-splunk-myapp
…
drwxrwxrwx 3 splunk splunk 4096 Jan 16 16:53 TA-splunk-myapp_temp_output
I also tried to:
- cancel the TA-splunk-myapp_temp_output folder, restart Splunk and try saving again.
- increase performance from 16CPU/32GB to 32CPU/64GB
but I have the same issue.
It seems that the timeout comes from the “appserver” that runs on port 8065.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf
appServerPorts = <positive integer>[, <positive integer>, <positive integer> ...]
* Port number(s) for the python-based application server to listen on.
This port is bound only on the loopback interface -- it is not
exposed to the network at large.
* Generally, you should only set one port number here. For most
deployments a single application server won't be a performance
bottleneck. However you can provide a comma-separated list of
port numbers here and splunkd will start a load-balanced
application server on each one.
* At one time, setting this to zero indicated that the web service
should be run in a legacy mode as a separate service, but as of
Splunk 8.0 this is no longer supported.
* Default: 8065
I am thinking about:
- Putting the logs in DEBUG
- Adding other ports to start a load-balanced application server
Any suggestion is really appreciated.
Thanks a lot,
Edoardo
Thank you so much for your help and for sharing the resources, I will go through them. I ran the search but I am getting the following error message: "Right hand side of IN must be a collection of literals. '(range = "10.0.0.0/8")' is not a literal The search job has failed due to an error..." I got this error before. I assumed that when using lookups the WHERE IN clause needs to be changed for something else maybe? Not sure =/ Thanks in advance!
Colour can be defined a number of ways - here is a list of the standard named colours: <named-color> - CSS: Cascading Style Sheets | MDN (mozilla.org). I am not sure if there is a limit but I have over 120 single values in one trellis.
This is very neat @ITWhisperer - but I have 2 more questions with regards to your answer. Where are the colours defined (i.e. are there more, like pink and purple)? Is Trellis limited to the number of graphs it can create (I can't get more than 12 for some reason).
Hello everyone, I'm working on Splunk Enterprise and on the Search & Reporting app. I made many drop-down menus to filter my data. I have a special field which can be "void" or have a value. How can I include the void value in the drop-down menus? Because when I select "*" in the drop-down menu Splunk returns all the values of the field, but I want to select the "void" value too. Thanks in advance!
I believe the command you are looking for is scrub. I attended .Conf last year where an instructor used this command to replace "real data" with dummy information, while keeping the format of the data. This command comes in useful when wanting to anonymize the data, when passing it on to a 3rd party etc. I use it when pasting data into 3rd party websites, to work on Regex extractions.
|scrub
Hi @toporagno , this means that you have to manually or by Deployment Server update your inputs.conf stanza in the Universal Forwarder, adding the lines for index and sourcetype. Ciao. Giuseppe
https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#chart_.28event_tokens.29:~:text=Data%20Property,segment%2C%20or%20if%20not%20applicable%2C%20the%20time%20range%20of%20the%20search.
Depending on if you want the X or Y axis value, you'll want to use tokens from above reference.
Hi @danroberts , Hi the counter of the memory is one, if you have other counters, you should have also this. Anyway, it should be [perfmon://Memory] Ciao. Giuseppe
Hi team,
In this output, it appears that TLS is enabled based on the following information:
XXX.XXX@XXX-XXX-XXX ~ % openssl s_client -connect 1.1.1.1:8088
CONNECTED(00000003)
140704518969088:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1705416962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
I don't understand but the "Protocol" field indicates TLS version 1.3, and the "Cipher" field would typically show the cipher suite being used. The "Verify return code" of 0 indicates that the certificate verification was successful. However, there is an error related to the TLS protocol version alert, which might be due to a compatibility issue between the OpenSSL version used and the TLS version supported by the server. If this is not causing any problems with the connection, it might be negligible.
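An added example, not part of the original post: a small Python check that reads `openssl s_client` text like the output quoted above and reports whether a TLS handshake actually completed. The function name `assess_s_client` and the abridged sample (the long source path in the error line is shortened) are constructed for illustration.

```python
import re

# Abridged copy of the s_client output quoted in the post (constructed sample).
SAMPLE = """CONNECTED(00000003)
140704518969088:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:tls13_lib.c:151:
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Verify return code: 0 (ok)
---
"""

def assess_s_client(output):
    """Summarise whether the handshake in s_client text output completed."""
    reasons = []
    no_cert = "no peer certificate available" in output
    if no_cert:
        reasons.append("server presented no certificate")
    # The "New, <proto>, Cipher is <suite>" line names the negotiated suite.
    cipher = re.search(r"^New, .*Cipher is (\S+)", output, re.M)
    if cipher is None or cipher.group(1) in ("(NONE)", "0000"):
        reasons.append("no cipher suite was negotiated")
    # A fatal alert shows up in the error-queue line, e.g. "tlsv1 alert ...".
    alert = re.search(r":((?:tlsv1|sslv3) alert [a-z ]+):", output)
    if alert:
        reasons.append("handshake aborted by alert: " + alert.group(1))
    verify = re.search(r"Verify return code: (\d+)", output)
    return {
        "handshake_completed": not reasons,
        "reasons": reasons,
        # Code 0 is the initial value; it only says something about trust
        # when a peer certificate was actually received and checked.
        "verify_code_meaningful": verify is not None and not no_cert,
    }

if __name__ == "__main__":
    for key, value in assess_s_client(SAMPLE).items():
        print(key, "=", value)
```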
Hi @toporagno, At first how are you taking these logs: from a Universal Forwarder or from a Heavy Forwarder or another Splunk server? If you are using a UF, I suppose that you are using a Deployment Server to manage it, so in the inputs.conf, you could add the sourcetype and the index. If instead you are receiving a syslog in an HF, you have to apply the same update to the related inputs.conf. You could also override the index and sourcetype on the Indexer, or (if present) on the HF, but it's easier modifying the inputs.conf. Ciao. Giuseppe
I was looking for quite a long time but I'm still wondering whether or not the SAAS portfolio is covered by the Spanish ENS. I found that the cloud is ISO 27001 because of the hyperscalers supporting it (GCP/AWS), but the Signalfx doesn't seem to be compliant regarding the use of customers' certificates and the lack of native 2FA.