All Posts
This issue should have been solved by Splunk. Now, I can download and install my app without any problems. FYI.
Hello, I am trying to blacklist winevent code 4679 by TaskCategory=Kerberos Service Ticket Operations. This regex is not working:

blacklist7 = EventCode="4769" TaskCategory="\w+\s\w+\s\w+\s\w+"

I've also tried:

blacklist7 = EventCode="4769" TaskCategory="Kerberos Service Ticket Operations"
Hi, Did you ever get a solution to this? I'm seeing the same on Windows as well. With no streams configured the streamfwd.exe process uses 5MB. The second I turn on just one stream all agents start hogging 700MB of memory. This is kind of a deal breaker for a host with only 4GB of RAM. Infrastructure people really didn't like that and are reluctant to install site wide. It's not isolated to busy hosts either. Quiet dev/test hosts with minimal traffic exhibited the same behaviours. I've been playing around with enabling/disabling various streams to see if I can pinpoint the main culprit but no luck yet.   Thanks  
Hi @PhoebeOh, did you ever figure this out?
@petra_bee  did you ever find a solution to this?
Hello, I have tried numerous configurations to get my Splunk Universal Forwarder to connect to my Splunk Enterprise instance with no luck. I am trying to forward data to my indexer located on port 3389, with the only info in the logs reading:

WARN AutoLoadBalancedConnectionStrategy [136236 TcpOutEloop] - Cooked connection to ip=XX.XX.XX.XX:3389 timed out

I have checked telnet with that port in both directions and the connection is successful. Any advice would be appreciated.
I don't currently have that add on installed. 
2023-12-19 19:31:25,905 INFO    [6581ef8de57f8ee86089d0] error:321 - Masking the original 404 message: 'The path '/en-US/splunk/en-US/splunkd/__raw/services/authentication/current-context' was not found.' with 'Page not found!' for security reasons
2023-12-19 19:31:25,906 INFO    [6581ef8de67f8ee8591950] error:321 - Masking the original 404 message: 'The path '/en-US/splunk/en-US/splunkd/__raw/services/search/jobs' was not found.' with 'Page not found!' for security reasons

Would love some help on this. I am getting this error in the web_services.log. Our HTML dashboard won't load. RHEL 8, Splunk 8.2.7.1.
We are using OpenShift version 4.13.24 and it is actually on the ROSA AWS managed solution. I've been looking at some metrics for the splunk-otel-collector-agent pods that we have running, and in particular we review Kubernetes metrics with Dynatrace. The alerts I am seeing are "High CPU Throttling", which basically translates into the CPU Throttling metric being nearly at the same level, or at the same level, as the CPU Usage metric. The pods are configured for Splunk Platform. For these pods, I reviewed the YAML for the running instance and we include the following configuration:

- resources:
    limits:
      cpu: 200m
      memory: 500Mi
    requests:
      cpu: 200m
      memory: 500Mi

As a workaround I was thinking to increase the cpu value under requests (and limits), however I haven't tried this yet. Has anyone else observed high CPU throttling issues? Thank you.
That worked.  Thanks dtburrows3!
I opened a case with Splunk and they reviewed and replied that all of the DB Inputs running on the SHC Captain is expected behavior.  Here's an excerpt from their findings: "In review and consultation with other colleagues I believe I may have found an answer. It is located in the documentation:  https://docs.splunk.com/Documentation/DBX/3.15.0/DeployDBX/Distributeddeployment#:~:text=by%20executing%20input/output%20on%20the%20captain   Specifically, the  Deploy DB Connect on search head clusters section. DB Connect provides high availability on Splunk Enterprise with a Search Head Cluster, by executing input/output on the captain. Essentially, this is saying that in Splunk this is normal "expected behavior" and can be treated as such."   To me this means that DB Inputs and DB Outputs on the Search Head Cluster will be limited by the hardware (CPU / Memory) of the captain, so you have to be careful with this. The benefit of DB Connect on an SHC is the replication of identity and connection configs across the cluster members.  Rather than using DB Connect to configure and run the Input/output jobs, I recommend creating scheduled searches that run the dbxquery command.  This way, the query jobs are distributed by the captain to all of the members of the cluster.  I am testing this on my SHC with positive results!
Hello, I need some help. I create a csv file on a remote server from a mysql query. I forward the csv file from the remote server to splunk. I can read the data. The csv file is overwritten each day; it may have only 1 line of data, or multiple lines of data - it is a list of devices that have gone down. If no devices are down, then the file only has the header, and data that says "No Devices Down". I only want to see data from the file on the day the file is written. The challenge I have is to read only the data in the file for that day. The issue is that splunk indexes the data, so splunk retains the data over time; I want only 1 day's info from the file, but splunk has all the data indexed. How can I return only the data for the day, not all data in the splunk index? thanks, EWHolz
I was able to find a provenance="UI:Report" inside of index=_introspection sourcetype=search_telemetry that I think will have the data you are after. Example SPL:

index=_introspection sourcetype=search_telemetry desc.provenance="UI:Report" earliest=-90d@d latest=now
| stats values(host) as hosts, latest(timestamp) as last_run_epoch by "desc.app", "desc.savedsearch_name"
| eval days_since_last_run=((now()-'last_run_epoch')/(60*60*24)), duration_since_last_run=tostring((now()-'last_run_epoch'), "duration")
| convert ctime(last_run_epoch) as last_run_timestamp
Hi, how can I download splunk apm on premises? FYI: I don't want to use the cloud version. Thanks
I think this regex will capture just the value for template:

\s+template:\s+([^,]+)

The character after the caret inside the square brackets means match on a character not in this list. And adding a "+" after it is a quantifier for 1 or more times. So doing "template: (?<TemplateID>[^-]+)" is matching on all characters after 'template: ' up until a "-" (which I don't see in the example). So replacing the "-" with a "," I think will extract the value as intended.
I have a key called message. Inside the value are several results but I need to only extract one result in the middle of the results. Sample:

message: template: 1234abcd, eeid: 5678efgh, consumerid: broker

My rex is below but returns the template value but also the results for eeid and consumerid when I only need the template value of 1234abcd.

| rex field=message "template: (?<TemplateID>[^-]+)"
I spent 3 days trying to fix this issue as Jenkins was not publishing its build analysis to Splunk. This solution worked for me and thanks to @dvargas_splunk. On Jenkins -> Manage Jenkins -> Scroll down to the Splunk connection entries -> Advanced -> Event Source: source="*". I restarted the Jenkins and Splunk services and I started seeing the Jenkins Build Analysis in Splunk.
Hi @Mahendra.Shetty, please check out this AppD Docs page: https://docs.appdynamics.com/appd/22.x/latest/en/end-user-monitoring/browser-monitoring/browser-real-user-monitoring/cookie-consent-management Alternatively, you can contact AppD Support or your AppD Rep (How do I submit a Support ticket? An FAQ).
@Anees Ur.Rahman confirmed with me they used this existing post to find a solution.  https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Error-when-trying-to-create-event-service-Connection-Refused/m-p/50833