This is an old post but I want to post resolutions that worked for us in case someone else runs into the same error. You'll usually see these bundle replication errors with the search below (you'll need to edit the search with your search head and indexer hostnames - wildcard it if you want).

Note: the Monitoring Console app has a dashboard for these types of errors in Search > Knowledge Bundle Replication.

index=_internal host IN (<YOUR_SH_HOSTNAME>, <YOUR_INDEXER_HOSTNAME>) source=*splunkd.log* (component=BundlesAdminHandler OR component=BundleDataProcessor OR component=BundleDeltaHandler OR component=BundleReplicationProvider OR component=BundleStatusManager OR component=BundleTransaction OR component=CascadePlan OR component=CascadeReplicationReaper OR component=CascadingBundleReplicationProvider OR component=CascadingReplicationManager OR component=CascadingReplicationTransaction OR component=CascadingReplicationStatusActor OR component=CascadingUploadHandler OR component=ClassicBundleReplicationProvider OR component=DistBundleRestHandler OR component=DistributedBundleReplicationManager OR component=GetCascadingReplicationStatusTransaction OR component=RFSManager OR component=RFSBundleReplicationProvider) (log_level=WARN OR log_level=ERROR) component=ClassicBundleReplicationProvider log_level=ERROR

In the error logs, note down the search head reporting the errors and the indexers listed in the logs. Verify that the search head can connect to the indexers listed in the error log.

The second resolution is to log into the search head that is reporting the error and check the timestamp of the content inside $SPLUNK_HOME/var/run/proxy_bundles (i.e. Linux command: ls -lah). If the timestamp of the files is more than a few days ago, then you would need to move the proxy_bundles directory to a backup location and restart Splunk; this should fix the errors.
Hi, I am using Splunk 9.0.6, and I configured HEC + Syslog Connector for Splunk for the data ingestion. At the moment, I receive events from our two different firewalls (PaloAlto and Stormshield). My problem arises from the fact that Stormshield is not directly supported by SC4S, so the extracted fields are not CIM compliant. More precisely, the field action should contain blocked or allowed as possible values, but it contains pass and block instead. My question is what would be the best way to implement this transformation. I tried creating the following files in the path C:\Program Files\Splunk\etc\apps\splunk_httpinput\local

props.conf
[StormShield:StormShield]
TRANSFORMS = rewriteaction

transform.conf
[rewriteaction]
EVAL-action = case(action="pass", "allowed", action="block", "blocked", 1=1, "UNKNOWN")

I restarted Splunk, but nothing really happened. Any idea of what I am doing wrong? Many thanks.
It's actually worse. Splunk doesn't allow you to set the wec_event_format to RenderedText if the channel name doesn't start with ForwardedEvents.

10-20-2023 12:49:20.893 +0200 ERROR ExecProcessor [6396 ExecProcessorSchedulerThread] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - WinEventLogChannelBase::enumLocalWECSubscriptions: subscription:'Applocker' - Invalid WEC destination channel ACME-WEC-Workstations/Applocker for content format RenderedText. RenderedText format is supported only on ForwardedEvents or custom channels named ForwardedEvents-1, ForwardedEvents-2, etc.Consider creating custom channels as the destination log, or change the content format of the subscription to "Events". See the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details.

Also you can't set wec_event_format as 'Events' for the ForwardedEvents channel, and forget about having mixed events in the same channel. It's amazing how such a breaking change was introduced under the carpet.
DensityFunction and AutoAnomalyDetection are vastly different algorithms, so different results are to be expected. See Developing the Splunk App for Anomaly Detection | Splunk for more info on the Anomaly Detection App's custom algorithm and Algorithms in the Machine Learning Toolkit - Splunk Documentation for the MLTK's DensityFunction. At least in my testing, the ADESCA/Earthgecko-Skyline stack in the Anomaly Detection App is more prone to alerting on non-cyclical low values when compared to the boundaries generated by the DensityFunction, though I have no good explanation for this behavior as of right now. 
There is no other portion, running the same search as in your screenshot I get the error.
OK. Let me stop you right there.
1. It is of course a DN - it has its fields. Why do you want to lose that information?
2. Remember that an LDAP DN can have properly escaped commas or equal signs.
In dashboard classic it was possible to add a heatmap overlay to a tabular chart.  Is it possible to add the heatmap data overlay to a tabular chart in Dashboard Studio?
Hi at all, Splunk Support solved my issue in a very strange way that I report for the other people of the Community:
1. I removed the stanza from the default folder,
2. I added a stanza with disabled = 1 in the local folder,
3. I removed the stanza from the $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/README/inputs.conf.spec file.
I didn't understand why the last step was needed, but at least it solved my issue. Ciao. Giuseppe
Hi at all, I have to use external authentication with LDAP in Splunk Enterprise. I'm mapping roles to AD groups. I don't see empty AD groups (groups without associated users) in the mapping page. Do you think that there could be a misconfiguration or (as I suppose) it isn't possible to see them until a user is added to them? Thank you for your confirmation. Ciao. Giuseppe
Try something like this:
| makeresults
| eval dn="cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr"
| rex field=dn "cn=(?<cn>[^=]+)(?<!,)(?<!o)(?<!u)"
| rex field=dn max_match=0 "ou=(?<ou>[^=]+)(?<!,)(?<!o|d)(?<!u|c)"
| rex field=dn max_match=0 "dc=(?<dc>[^=]+)(?<!,)(?<!d)(?<!c)"
Hello, I'm facing an issue when trying to create a user or access the saved search list. For example, when I use the Splunk web interface to create a user, the page remains blank and doesn't display as expected, as shown in the screenshot. Additionally, I attempted to create a user through the CLI using the "splunk add" command, but I received no response, as indicated in the screenshot. Have you encountered this problem before? How can I debug it? I'd like to mention that even when I attempt to view saved searches, the page remains blank and doesn't display them. Thank you
My DN field value is "cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr". I need rex to extract anything after "=" and ending at ",ou="; if it sees "=" it needs to stop two letters and a "," before it. So in this instance:
cn field as "first_field" value="jsuwus, jkhzdhkjc"
ou field as "2_field" value="sdsfefv accounts"
ou field as "3_field" value="ffdsrew users"
dc field as "4_field" value="hgsywy"
dc field as "5_field" value="tre"
dc field as "6_field" value="hyt"
dc field as "7_field" value="kuhytr"
Thanks in advance
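As an added example that is not from any of the posts above, here is a small Python DN splitter that applies the same rule as the rex in the reply (a comma starts a new RDN only when an "attr=" follows it, so the unescaped comma inside the sample's cn value survives) while also honouring RFC 4514 backslash escapes, the caveat raised earlier in the thread. The sample DN is the one from the question; the function names and the extra escaped-value test inputs are my own.

```python
import re
from typing import Dict, List, Tuple

SAMPLE_DN = (  # constructed input: the DN from the question above
    "cn=jsuwus, jkhzdhkjc,ou=sdsfefv accounts,ou=ffdsrew users,"
    "dc=hgsywy,dc=tre,dc=hyt,dc=kuhytr")

def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep unless backslash-escaped (RFC 4514); escape pairs pass through."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep "\x" as a unit for _decode
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _decode(raw: str) -> str:
    """Strip unescaped surrounding spaces, then turn "\\x" into "x"."""
    raw = raw.lstrip()
    while raw.endswith(" ") and not raw.endswith("\\ "):
        raw = raw[:-1]
    return re.sub(r"\\(.)", r"\1", raw)

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """(attribute, value) pairs left to right. A comma starts a new RDN only
    when "attr=" follows it; otherwise it is glued back onto the previous
    value, the rule the rex in the reply above encodes with lookbehinds.
    Multi-valued "+" RDNs are not split."""
    pairs = []
    for seg in _split_unescaped(dn, ","):
        attr_val = _split_unescaped(seg, "=")
        if len(attr_val) >= 2:
            attr = _decode(attr_val[0]).lower()
            pairs.append((attr, _decode("=".join(attr_val[1:]))))
        elif pairs:  # e.g. "cn=jsuwus, jkhzdhkjc" in the sample
            attr, value = pairs[-1]
            pairs[-1] = (attr, value + "," + re.sub(r"\\(.)", r"\1", seg))
        else:
            raise ValueError(f"DN does not start with attr=value: {dn!r}")
    return pairs

def rdn_fields(dn: str) -> Dict[str, List[str]]:
    """Group values by attribute type: {'cn': [...], 'ou': [...], 'dc': [...]}."""
    fields: Dict[str, List[str]] = {}
    for attr, value in split_dn(dn):
        fields.setdefault(attr, []).append(value)
    return fields
```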
We recently had short metric gaps in the controller UI (SaaS Controller) for several apps and different agents (DB, App and Machine). The log files of all the different agents have a common theme: "Connection back off limitation in effect". "Fatal transport error while connecting to URL" also comes up sometimes as a similar error logged by agents. I did a quick search online and this seems to be an AppD agent specific log file entry. The AppD community also had about 12 entries going back to 2017, all with no clear solution to this error message (summary below). Docs site search returns nothing. I opened an AppD support case and will see what they say, but it is frustrating to see that this is a common thing reported by different agents without a clear cause for it documented anywhere. I wonder why something like this is logged the way it is, which makes me think it's something to do with a limitation on the Controller side of things, when all other community posts and agent logs make it look like it is not Controller related.
Examples of our recent issue (I tried to redact the important bits):

DB Agent v23.2.2
[Entity-Registration-Scheduler-19] 31 Oct 2023 10:50:25,932 WARN EntityRegistrar - Fail to register [DBSession] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/***/registerServerSatelliteEntity at com.singularity.ee.agent.dbagent.task.reporter.EntityRegistrar.registerEntities(EntityRegistrar.java:276) ~[db-agent.jar:Database Agent v23.2.0.0 GA compatible with 4.5.2.0 Build Date 2023-02-22]

Other DB Agent v23.2.2
[<**DB Collector Name***>-Transient-Event-Scheduler-2] 31 Oct 2023 10:51:22,737 WARN SystemAgentTransientEventChannel - Error sending event data to controller: Connection back off limitation in effect: /controller/instance/***/transient-channel

Different DB agent v23.8.8
[<**DB Collector Name***>-Scheduler-3] 31 Oct 2023 10:51:52,288 INFO ADBCollector - Collected one-minute data for ***
[Entity-Registration-Scheduler-2] 31 Oct 2023 10:51:52,850 WARN EntityRegistrar - Fail to register [Query] entities: java.lang.RuntimeException: Connection back off limitation in effect: /controller/instance/3945944/registerSQLQuery

SIM (Machine) Agent
**ServerName**==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:56,554 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Connection back off limitation in effect: /controller/instance/***/metrics

SIM Agent v22x
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Fatal transport error while connecting to URL [/controller/instance/***/metrics]: org.apache.http.conn.ConnectTimeoutException: Connect to ***:443 [***/***, ***, ***] failed: connect timed out
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 WARN ManagedMonitorDelegate - Error sending metric data to controller:Fatal transport error while connecting to URL [/controller/instance/***/metrics]
***Hostname***==> [AD Thread-Metric Reporter0] 31 Oct 2023 10:51:48,204 ERROR ManagedMonitorDelegate - Error sending metrics - will requeue for later transmission com.singularity.ee.agent.commonservices.metricgeneration.metrics.MetricSendException: Fatal transport error while connecting to URL [/controller/instance/***/metrics]

Summary of other AppD community posts with a similar error from agent log files:

2017 Community post
https://community.appdynamics.com/t5/NET-Agent-Installation/Azure-Cloud-Service-No-load-detected-App-agent-status-0/td-p/26538
No solutions in ticket/unresolved

2017 Community post no 2
https://community.appdynamics.com/t5/Dynamic-Languages-Node-JS-Python/Could-not-connect-to-the-controller-invalid-response-from/td-p/28680
Python agent issues. Mentions proxy setup for outbound requests from the agent server, but no clear answer other than bringing the node online on the controller, whatever that means

2017 Community post no 3
https://community.appdynamics.com/t5/NET-Agent-Installation/Failed-to-add-web-app-to-AppDynamics/td-p/23699
No confirmed solution, but the last post suggests using non-SSL settings, which is not a great solution if that is the fix

2017 Community post no 4
https://community.appdynamics.com/t5/NET-Agent-Installation/net-Agent-registering-issue/td-p/29595
Proxy setting highlighted but no ultimate solution

2018 Community post
https://community.appdynamics.com/t5/NET-Agent-Installation/BT-requests-and-survival/td-p/29629
Answers do not address the "Connection back off limitation in effect" issue

2018 Community post no 2
https://community.appdynamics.com/t5/NET-Agent-Installation/After-NET-Agent-upgrade-to-4-3-7-1-we-are-not-seeing-load-for/td-p/34528
Issue shown in one log file extract but not addressed

2018 Community post no 3
https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Unable-to-connect-to-the-controller/td-p/30857
No final solution

2018 Community post no 4
https://community.appdynamics.com/t5/NET-Agent-Installation/Need-help-on-installation-of-agent/td-p/34673
Post never had a resolution

2019 Community post
https://community.appdynamics.com/t5/NET-Agent-Installation/no-metrics-in-controller-after-net-agent-installation-in-linux/td-p/37848
Possible issue with AppDynamicsConfig.json. No clear answer/solution

2019 Community post no 2
https://community.appdynamics.com/t5/NET-Agent-Installation/Net-core-agent-Linux-is-not-connecting-to-the-saas-controller/td-p/37867
No solution

2021 Community post
https://community.appdynamics.com/t5/Knowledge-Base/How-do-I-install-the-NET-Core-Microservices-Agent-for-Windows/ta-p/33191
Answers do not address the "Connection back off limitation in effect" issue

2023 Community post
https://community.appdynamics.com/t5/Controller-SaaS-On-Premises/Could-not-connect-to-the-controller-invalid-response-from/m-p/50571#M3319
Suggests ignoring or disabling the errors

Here is to hoping there is a solution or better answer to this issue.
Looking for the facepalm emoji! Thanks @ITWhisperer 
Hi @smanojkumar, let me understand: you need to index WinEventLog events, is it correct? In this case you don't need to monitor an evtx file but there's a dedicated collector. For more info see:
https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/MonitorWindowseventlogdata
https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-windows.html
Ciao. Giuseppe
Hi Splunkers! I would like to know how to define a .evtx file. I had defined it in this way, but it didn't work:
[monitor://C:\Windows\System32\Winevt\Logs\Data Security.evtx]
Thanks!
OK - I have never come across that in SimpleXML; indeed, it doesn't seem to work for me. Whatever the case, it seems like it isn't defined for you in Studio either.
Hi all, I have a forwarder in my cluster and it sends events to the indexers. The events are JSON formatted and I want to drop some events if a specific key has a specific value. For example, consider the following event:

{"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}

For example, if the binary is equal to X, I want the forwarder to drop the event and not send it to the indexers, so it is not indexed. I created props.conf and transforms.conf. The content of these files is:

[json_no_timestamp]
TRANSFORMS-filter = filterLinux

and

[filterLinux]
REGEX = process.process_exec.binary = '/usr/bin/timeout'
DEST_KEY=queue
FORMAT=nullQueue

But the events are not dropped. Any help is appreciated.
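The REGEX in a transforms.conf nullQueue stanza is matched against the raw event text (SOURCE_KEY defaults to _raw), so for a JSON event it has to match the serialized "binary":"..." text rather than a dotted field path. As an added example that is not from the post above, this Python snippet approximates that decision for candidate patterns against sample events in the shape shown in the post; the events, the raw_pattern/would_drop/surviving/binary_of names and the second sample event are mine.

```python
import json
import re
from typing import List

# Constructed sample events in the shape shown in the post; the second one
# carries the binary the filter is meant to drop.
EVENTS = [
    '{"process_exec":{"process":{"exec_id":"xXXXXXXXXXx==","pid":1111111,'
    '"cwd":"/tmp","binary":"/bin/sleep","arguments":"10"}}}',
    '{"process_exec":{"process":{"exec_id":"yYYYYYYYYYy==","pid":2222222,'
    '"cwd":"/tmp","binary":"/usr/bin/timeout","arguments":"10"}}}',
]

# The REGEX from the post. It spells out a field path plus " = '...'", text
# that never occurs in the serialized JSON, so it cannot match _raw.
PATH_STYLE = r"process.process_exec.binary = '/usr/bin/timeout'"


def raw_pattern(binary: str) -> str:
    """Pattern written against _raw: the literal key, optional whitespace
    around the colon (pretty-printed JSON), and the exact quoted value.
    re.escape keeps metacharacters in the path literal; "/" needs no escape."""
    return r'"binary"\s*:\s*"' + re.escape(binary) + r'"'


def would_drop(raw_event: str, pattern: str) -> bool:
    """Approximate the transforms.conf decision: REGEX is applied to the raw
    event text (SOURCE_KEY defaults to _raw) and a match sends it to nullQueue."""
    return re.search(pattern, raw_event) is not None


def surviving(events: List[str], pattern: str) -> List[str]:
    """Events that would still be forwarded to the indexers."""
    return [e for e in events if not would_drop(e, pattern)]


def binary_of(raw_event: str) -> str:
    """Parse the event to cross-check which binary the regex decision hit."""
    return json.loads(raw_event)["process_exec"]["process"]["binary"]
```

Index-time routing like this runs in the parsing pipeline (a heavy forwarder or the indexers), not on a universal forwarder, so the props and transforms stanzas have to live where parsing happens.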
Hello Community, I am trying to identify the following. What would be the best data source(s) on Windows systems to gain visibility over the Services (which should be different from Processes) and their DLLs, executables, hashes, and paths? The Endpoint Data Model requires fields related to the above: https://docs.splunk.com/Documentation/CIM/5.2.0/User/Endpoint Any help will be much appreciated! Thank you.
Hi, I searched in the dashboard code. "CurDate" is not set anywhere in the code. Looks like "CurDate" is a kind of built-in variable in Classic XML Dashboard. Thanks, Ravikumar