All Posts

Hi, @PickleRick @gcusello When I tried to refresh/debug inputs.conf using btool on the deployment server, I can see the errors below.
    Refreshing admin/collections-conf RESTException [HTTP 503] [{'type': 'ERROR', 'code': None, 'text': 'KV Store initialization failed. Please contact your system administrator.'}]
    Refreshing admin/deploymentserver SplunkdConnectionException Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/search/admin/deploymentserver/_reload: The read operation timed out',)
    Refreshing admin/ingest-rfs-destinations SplunkdConnectionException Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/search/admin/ingest-rfs-destinations/_reload: The read operation timed out',)
    Refreshing admin/serverclasses SplunkdConnectionException Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/search/admin/serverclasses/_reload: The read operation timed out',)
How can we troubleshoot these ERROR messages?
Wait. What do you mean? You're editing the app on DS? Then you have to reload the deployment server (you don't have to restart it) so that it notices a new version of the app and offers it to the forwarder(s) for download. Also: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Inputsconf#Event_Log_allow_list_and_deny_list_formats
Yes, I had restarted the forwarder, but in the host inputs.conf I don't see the applied regex from the deployment server! As we are using all the blacklisted in the quotes!!
Hello fellow Splunkthiasts! I need some insights to understand how comparison functions in mstats could be used. Consider the following query:
    | mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all BY host | where pctUser > 50
As expected, it returns a list of hosts having latest CPU usage value higher than 50%. However, according to mstats command reference, I can have comparison expression within WHERE clause and I'd expect it would be more efficient to rewrite the above query like this:
    | mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all pctUser > 50 BY host
Unfortunately, this doesn't return any results. I tried to refer to metric before aggregation with no luck:
    | mstats latest(cpu_metric.*) as * WHERE index="osnix_metrics" sourcetype=cpu_metric CPU=all cpu_metric.pctUser > 50 BY host
What am I missing here?
Regexes in blacklists can be tricky sometimes. btool will just show you what is the effective config you just wrote so it won't show you if it works or not. I assume you restarted your forwarder after configuring the blacklist. Anyway, you should not enclose the blacklist parameter in quotes.
Hello Guys, I have a weird problem with JavaScript after the latest upgrade (8.2.8 to 9.0.6). JavaScript code:
    var queryResults = smAlerteGetter.data("results");
    console.log("Search done", queryResults);
    console.log("pimba - ---- " + JSON.stringify(queryResults));
    // when we have the result
    queryResults.on("data", function() {
        console.log("Data received");
    });
We should receive the events and should see the log "Data received". The query goes well and we can see in the Activity Jobs that we received our events. However, we have other Splunk apps with similar scripts that have the correct behavior. Do we miss something in our app or configurations related to JavaScript? Please help!
Hi @Claudia.Landivar, it is because of the firewall setting in the machine agent, which restricts the machine from connecting to the server. Then we used this command to resolve it:
    cscript InstallService.vbs -Dappdynamics.http.proxyHost=proxy1-***.***.com -Dappdynamics.http.proxyPort=8080 -Dappdynamics.http.proxyUser=user -Dappdynamics.http.proxyPasswordFile=D:\machineagent-bundle-64bit-windows-23.7.0.3689\password.txt
There is no master; whatever values are present should be the same and not different.
Still getting the same PORT issue @SanjayReddy 
Hi @SanjayReddy, if I execute the above process check command, I get the below.
Hi @sivakrishna, instead of changing the port, if 8191 is already used by Splunk then please kill it and start Splunk. Have you checked which process is using 8191? If you want to change the port, you need to change the port on the rest of the search heads, which is not recommended.
Thanks for the reply!! Can we change the port for this server? What will happen if I change the PORT for this single server when it's in the cluster? The remaining 3 servers are running on the 8191 PORT.
Hi @sivakrishna, it seems KV store port 8191 is used by another application. Can you check which process is using port 8191:
    ps -ef | grep -i 8191
If it is used by another application, check with the OS team and ask them to use another port. Then you can start Splunk and the KV store will start on port 8191.
Update for this case: specify the server you want to collect; in my example it is dc-tdi-redis02. Here is the full path:
    Application Infrastructure Performance|Root|Individual Nodes|dc-tdi-redis02|Custom Metrics|Redis|dc-tdi-redis02|Clients|blocked_clients
When I try to select from Hardware Resources, it will show:
    Hardware Resources|CPU|%Busy
So remove "Application Infrastructure Performance|Root|Individual Nodes|dc-tdi-redis02|" and it will work now. Thanks everyone!!! Phucdq from Vietnam with love!!
Hi Team, we have 4 search heads in a cluster. One of the search heads is getting the KV store PORT issue asking to change the port; the remaining 3 SHs are working fine. We are unable to restart Splunk on that particular SH. If I check the SH cluster status, only 3 servers are showing now. Splunk installed version: 9.0.4.1. For error visibility, please find the attached. Regards, Siva.
Thank you, let me know the outcome of this if possible for you.
Hi @gcusello, only the selected part of the events I am trying to exclude. How can we troubleshoot Splunk locally using btool?
@PickleRick, Hello, when I apply this blacklist regex, I can still see the logs. Can we use btool to troubleshoot this issue?
    blacklist8 = "$XmlRegex=#Data Name='ParentProcessName'>C:\\Program Files\\(AzureConnectedMachineAgent\\GCArcService\\GC\\(gc_service|gc_worker)\.exe|Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe|Rapid7\\Insight Agent\\components\\insight_agent\\3\.2\.5\.31\\ir_agent\.exe)#"
    renderXml=true
Thanks
Fantastic! It worked. Thanks for the solution.
Try without the greedy match at the beginning:
    | rex max_match=0 field=_raw "\"(?<URL>((http|https):\/\/(\S+|\d+\.\d+\.\d+\.\d+\S+)))\""