@rukshar  Check Splunk logs for any web service issues: cat /opt/splunk/var/log/splunk/web_service.log 
Hi @colinmchugo, if I understand correctly, you are looking for a solution like this. I'm sharing this approach so that anyone landing on this page can use this logic for comparing today's, yesterday's, and last week's hourly data.

index=_internal log_level="*" component="*" earliest=-8d@d latest=@d
| timechart count span=1h
| timewrap 1d series=short
| fields _time, s0, s1, s7
| rename s0 as Today, s1 as Yesterday, s7 as Lastweek

If anyone finds this helpful, please upvote and share your karma! || Keep Splunking, Keep Securing! ||
@wdhaar Please follow the below instruction to install Splunk Enterprise. https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchTutorial/InstallSplunk 
Yes, I am doing curl for my web URL only and the result is good. Any further help would really be appreciated.
@splunklearner First stop Splunk, and after that run sudo chown -R splunk:splunk /opt/splunk. Then start it again. In your example, you are trying to do that initialization as root. The only time you should use the root user is to enable boot-start (or start/stop/restart with systemd). The error message shows that for some reason it tried to write some status information to the /root/.splunk directory, which didn't succeed, as Splunk is running as user splunk, not as root. You should use sudo -u splunk and then run those commands as user splunk:

sudo -u splunk /opt/splunk/bin/splunk reload deploy-server
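A small preflight check, added here as an example and not code from the thread, that reproduces the reasoning in the answers above: before running the CLI, confirm that the invoking user is the owner of SPLUNK_HOME and that the settings directory under the invoking user's home (the "/root/.splunk" from the error) can actually be created. It assumes the /opt/splunk install path from the thread and that the CLI keeps its session under $HOME/.splunk as the later reply describes; the command is only printed unless dry_run is switched off, and the demo() scenario uses a temporary directory as a stand-in for the real install.

```python
import os
import pwd
import shlex
import subprocess
import tempfile

SPLUNK_HOME = "/opt/splunk"  # assumed install path, as used in the thread


def owner_of(path):
    """User name that owns `path` (Linux/Unix only)."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def preflight(splunk_home, home_dir, user):
    """Return a list of problems that would make `splunk reload deploy-server`
    fail the way the thread describes. An empty list means it is safe to run."""
    problems = []
    if not os.path.isdir(splunk_home):
        return [f"{splunk_home} does not exist"]

    # 1. The CLI should run as the same account that owns the install.
    owner = owner_of(splunk_home)
    if owner != user:
        problems.append(
            f"{splunk_home} is owned by {owner!r} but you are {user!r}; "
            f"run the CLI as {owner!r} (e.g. sudo -u {owner} ...)"
        )

    # 2. The CLI stores its session under $HOME/.splunk (assumption from the
    #    thread); as root that is /root/.splunk, which the splunk user cannot create.
    settings = os.path.join(home_dir, ".splunk")
    target = settings if os.path.isdir(settings) else home_dir
    if not os.access(target, os.W_OK):
        problems.append(
            f"cannot create or write {settings}: this is the "
            f"'Could not create Splunk settings directory' error"
        )
    return problems


def reload_deploy_server(splunk_home=SPLUNK_HOME, dry_run=True):
    """Run the reload only when the preflight passes; otherwise report why not."""
    user = pwd.getpwuid(os.geteuid()).pw_name
    problems = preflight(splunk_home, os.path.expanduser("~"), user)
    if problems:
        return problems
    cmd = [os.path.join(splunk_home, "bin", "splunk"), "reload", "deploy-server"]
    if dry_run:
        return ["would run: " + shlex.join(cmd)]
    subprocess.run(cmd, check=True)  # real invocation, only when dry_run=False
    return []


def demo():
    """Constructed scenario: a temporary directory owned by the current user
    stands in for SPLUNK_HOME. Returns the number of problems found in
    (correct user, wrong user, unwritable home) order."""
    me = pwd.getpwuid(os.geteuid()).pw_name
    with tempfile.TemporaryDirectory() as fake_home:
        ok = preflight(fake_home, fake_home, me)
        wrong_user = preflight(fake_home, fake_home, "not-" + me)
        bad_home = preflight(fake_home, "/nonexistent-home-dir", me)
    return len(ok), len(wrong_user), len(bad_home)


if __name__ == "__main__":
    print("demo (expect (0, 1, 1)):", demo())
    for line in reload_deploy_server():
        print(line)
```

On the real host the check fails in the same two ways the thread shows: a root shell reports the ownership mismatch, and a root shell whose /root/.splunk the splunk account cannot create reports the settings-directory problem; switching to the splunk user with sudo -u splunk clears both.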
@splunklearner Instead of using sudo -i, which logs you in as the root user, you should use the following command to switch to the Splunk user: sudo su - splunk
what to give instead of sudo -i while logging in? Please let me know @kiran_panchavat 
This is exactly what I was looking for. Really nice doc linked. Thanks
I signed in just to say I had this exact problem, and your question was exactly what I was looking for. Thank you. This forum post helped answer my issue. jowenssi's reply was what I was looking for.
sudo su splunk
./splunk reload deploy-server
Yes, you can update the configurations in `/opt/splunk/etc/deployment-apps` and push them to the clients. That should be sufficient. 
@splunklearner It's basically: Splunk is not running as root (which is good), but you're logged in as root (which is not so good). When you try to log in (which is required to reload the deployment server), Splunk saves your login (which would be a cookie if you were using a browser) in a folder in your home directory (/root/.splunk/). But as Splunk does not run as root, it has no permission to do that, hence the error message. Solution: do not work as root, especially not while editing files on a non-root Splunk; it will bring you into trouble. I'd suggest using a normal user; you could use the user Splunk is running as.
@rukshar  You need to update the URL: curl -v http://<serverip>:8000 Please replace it with your Splunk Web URL.
Thank you everyone that replied with helpful comments. I however discovered a math trick with logarithms to accomplish this far more succinctly.

| eval log_value = ln(value_a)
| stats sum(log_value) AS log_sum
| eval product = exp(log_sum)
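The identity behind that search is product = exp(sum(ln(x))). As an added example (not from the thread), the following carries it through in Python and handles the two inputs ln() cannot take directly, which the SPL above does not cover: a zero makes the whole product zero, and negative values need their sign tracked separately so the logarithm is taken of the absolute value. The constructed sample values are arbitrary.

```python
import math


def product_via_logs(values):
    """Product of `values` computed as exp(sum(ln(x))), mirroring the SPL
    eval/stats/eval pipeline, with explicit handling of zero and negatives."""
    if any(v == 0 for v in values):
        return 0.0  # ln(0) is undefined, but the product itself is simply 0
    negatives = sum(1 for v in values if v < 0)
    sign = -1.0 if negatives % 2 else 1.0  # odd number of negatives => negative product
    return sign * math.exp(sum(math.log(abs(v)) for v in values))


def product_direct(values):
    """Reference implementation: multiply the values one by one."""
    result = 1
    for v in values:
        result *= v
    return result


def relative_error(values):
    """How far the log-sum route drifts from exact multiplication (floating point)."""
    exact = product_direct(values)
    if exact == 0:
        return 0.0
    return abs(product_via_logs(values) - exact) / abs(exact)


if __name__ == "__main__":
    sample = [2, 3, 4]          # constructed input
    print(product_via_logs(sample), product_direct(sample))
    print(product_via_logs([2, 0, 5]), product_via_logs([-2, 3]))
    print(relative_error([1.5] * 20))
```

The log-sum route trades exactness for range: it will not overflow where a direct product of many large values would, but the result is a floating-point approximation, so compare it with a tolerance rather than for equality.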
No, I did not, without a lot of work.
Anytime I try to do anything with my deployment server I get this error: An error occurred: Could not create Splunk settings directory at '/root/.splunk'. This includes the command ./splunk reload deploy-server. We have AWS EC2 instances hosted for all components, and I open them via SSM and log in via sudo -i. I tried sudo chown -R splunk:splunk /opt/splunk/bin, still the same issue. And one more doubt - if we edit in etc/deployment-apps, is a reload enough to distribute the updated configurations to the manager? When I restart, the configurations are reflected in the manager; not sure why reload is throwing this error.
As I mentioned before, if I put a div around it, I can make it work.

const pieClicked = (event) => {
  console.log(`Clicked: ${event.nativeEvent.point.options.name}`);
};

<div onClick={pieClicked}>
  <Pie ... />
</div>

But I can't seem to get the event handler to fire if I try to attach it to the Pie itself. I'm guessing I'm missing something simple.
Hello @gcusello, thanks for your answers. I have tried this; the issue is that I want to output the number of hits on the domains in the lookup, and if I do a raw search it will also catch Referer or other fields. KR Théo
If you create a lookup definition, you can enable wildcard lookups. I'd also make the proxy logs the primary search and use the lookup as search query parameters, have a second field in your CSV for inScope and mark them all as Yes, and then do the lookup with the definition wildcard.

url,inScope
url1.com,Yes
*.url2.com,Yes
site.url3.com,Yes

The lookup definition (url_list) will have WILDCARD(url) in the Match Type. The search would look like:

index=my-proxy [| inputlookup url_list | rename url as query | fields query]
| lookup url_list url
| where match(inScope, "Yes")

This takes all the values you have in your url CSV and uses them as filters on your proxy logs. Then you look up the URLs in the logs to make sure they're exact matches to your list and not just other URLs that might contain your URLs somewhere else in the log.
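To make the difference between the two approaches concrete, here is an added example (not code from the thread) that runs the same logic over constructed proxy log lines: a raw substring search fires on Referer values and on unrelated hosts that merely contain a watchlist string, while matching only the parsed url field against the CSV gives one hit per in-scope entry. The key=value log format and the hosts are made up, and fnmatch is used as an approximation of Splunk's WILDCARD(url) match type (a `*` matches any run of characters, including dots; nothing else in the list is treated as a wildcard).

```python
import csv
import fnmatch
import io
import re
from urllib.parse import urlsplit

# Constructed watchlist in the same shape as the CSV in the answer above.
URL_LIST_CSV = """url,inScope
url1.com,Yes
*.url2.com,Yes
site.url3.com,Yes
"""

# Constructed proxy events (hypothetical key=value format, not real traffic).
PROXY_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 url=http://url1.com/login referer=-",
    "ts=2024-05-01T10:00:02Z src=10.0.0.6 url=http://cdn.url2.com/a.js referer=http://url1.com/",
    "ts=2024-05-01T10:00:03Z src=10.0.0.7 url=http://url2.com/ referer=-",
    "ts=2024-05-01T10:00:04Z src=10.0.0.8 url=http://example.org/ referer=http://site.url3.com/",
    "ts=2024-05-01T10:00:05Z src=10.0.0.9 url=http://evil-url1.com/ referer=-",
    "ts=2024-05-01T10:00:06Z src=10.0.0.9 url=http://site.url3.com/x referer=-",
]


def load_watchlist(csv_text):
    """Rows of (url pattern, inScope) from the CSV, header skipped."""
    return [(row["url"], row["inScope"]) for row in csv.DictReader(io.StringIO(csv_text))]


def parse_kv(line):
    """Split a key=value log line into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def host_of(url):
    """Host part of a URL, lower-cased by urlsplit; empty string if absent."""
    return urlsplit(url).hostname or ""


def lookup(host, watchlist):
    """Mimic a WILDCARD(url) lookup: first matching row wins, None if no match."""
    for pattern, in_scope in watchlist:
        if fnmatch.fnmatchcase(host, pattern):
            return pattern, in_scope
    return None


def count_hits(logs, watchlist):
    """Hits per watchlist entry, matching only the url field (the | lookup route)."""
    counts = {}
    for line in logs:
        hit = lookup(host_of(parse_kv(line).get("url", "")), watchlist)
        if hit and hit[1] == "Yes":  # the `where match(inScope, "Yes")` step
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts


def naive_substring_hits(logs, watchlist):
    """The behaviour the asker wanted to avoid: searching the raw event text,
    which also counts Referer values and hosts like evil-url1.com."""
    counts = {}
    for line in logs:
        for pattern, _ in watchlist:
            needle = pattern.lstrip("*.")  # strip the wildcard prefix for a raw search
            if needle in line:
                counts[needle] = counts.get(needle, 0) + 1
    return counts


if __name__ == "__main__":
    wl = load_watchlist(URL_LIST_CSV)
    print("field lookup:", count_hits(PROXY_LOGS, wl))
    print("raw substring:", naive_substring_hits(PROXY_LOGS, wl))
```

Note that `*.url2.com` deliberately does not match the bare apex `url2.com` (the pattern requires the leading dot), so add a separate `url2.com` row if the apex should count too.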
Hi @y4m373, please try this:

index=my-proxy [ | inputlookup all_url.csv | rename url AS query | fields query ]
| ...

In this way, you use the values in the lookup's url field in a full text search on the events' raw data. Ciao. Giuseppe