All Posts


Hmm.
1. You don't need to escape quotes here. But that shouldn't matter here; the extra backslash should just be ignored.
2. More importantly, you use %7N - that might be the problem. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables only explicitly lists %3N, %6N and %9N.
At one time, only indexers and HFs could accept HTTP input.  I do not see that documented anywhere now, however. UFs do very little parsing, except for INDEXED_EXTRACTIONs.
WARN  TcpOutputProc [22637 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=ip inside output group default-autolb-group from host_src= has been blocked for blocked_seconds=16061. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
ERROR TcpOutputFd [22638 TcpOutEloop] - Read error. Connection reset by peer

It turns out there is no network interaction between the workstation and Splunk?
Look at the local splunkd.log file to see any connection attempts to the destination IP.
Hi @KJ10, I'm a Community Moderator in the Splunk Community. This question was posted 3 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
1. Yes. This is the constant delimiter:
----------------------------
This is an Example (He/She)
-----------------------------
2. It picks up every 7th line and skips the others. I think that is because I used \n+, right?
3. I should have used "splunk btool props list" instead of inputs. I ran the command and I see only one LINE_BREAKER for that sourcetype. Thanks for the info on BREAK_ONLY_BEFORE. What is the regex I should use for the LINE_BREAKER?
I need to run a script to check if a list of Linux servers have Splunk installed, and the process name. Any idea what the process name is, or the installed directory? And whether it's forwarding to the Splunk console?
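One way to script the check asked for above, as an added example that is not code from the thread or from Splunk. It assumes (labelled in the comments) the default install directories /opt/splunkforwarder (universal forwarder) and /opt/splunk (Enterprise or heavy forwarder), the daemon name splunkd, that forwarding targets are the "server =" keys of outputs.conf, and that the forwarder's own splunkd.log records a successful connect as "Connected to idx=host:port"; the message formats it greps for are the ones quoted in the TcpOutputProc post further up this page. Run it on each host from a server list (for example over ssh), and pass the output of splunk_output_status to whoever is looking at the receiving side.

```sh
#!/bin/sh
# Added example, not code from the thread: inventory Splunk on a Linux host and
# report whether it is forwarding. Assumptions: install dirs /opt/splunkforwarder
# and /opt/splunk, process name "splunkd", targets in outputs.conf "server =" keys,
# and "Connected to idx=<host:port>" lines in splunkd.log for successful connects.

# Print the first directory that contains bin/splunk, or "none" (exit 1).
# Arguments are candidate directories; the defaults are used when none are given.
splunk_install_dir() {
    [ $# -eq 0 ] && set -- /opt/splunkforwarder /opt/splunk
    for d in "$@"; do
        if [ -x "$d/bin/splunk" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Print the PIDs of the splunkd process(es), or "not running" (exit 1).
splunk_process() {
    pids=$(pgrep -x splunkd 2>/dev/null) || { printf 'not running\n'; return 1; }
    printf '%s\n' "$pids" | tr '\n' ' '
    printf '\n'
}

# Print every host:port listed in a "server =" key of any outputs.conf under
# $1/etc (system/local and every app), one per line, de-duplicated.
splunk_forward_targets() {
    find "$1/etc" -name outputs.conf 2>/dev/null |
        while read -r f; do
            sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$f"
        done |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$' | sort -u
}

# Summarise what splunkd.log ($1) says about destination $2 (host or host:port):
# successful connects, "paused the data flow" warnings for that host, and read
# errors (read errors are not tagged with a destination, so they are global).
splunk_output_status() {
    log="$1"; dest="$2"; host="${dest%%:*}"
    ok=$(grep -c "TcpOutputProc.*Connected to idx=$dest" "$log" || true)
    paused=$(grep -c "TcpOutputProc.*host_dest=$host.*blocked_seconds" "$log" || true)
    reset=$(grep -c "TcpOutputFd.*Read error" "$log" || true)
    printf 'dest=%s connected=%s paused=%s read_errors=%s\n' "$dest" "$ok" "$paused" "$reset"
}

# Stand-alone run on this host; loop it over a server list with ssh.
dir=$(splunk_install_dir) || true
printf 'install dir: %s\n' "$dir"
printf 'splunkd: %s\n' "$(splunk_process || true)"
if [ "$dir" != none ]; then
    log="$dir/var/log/splunk/splunkd.log"
    for t in $(splunk_forward_targets "$dir"); do
        if [ -r "$log" ]; then
            splunk_output_status "$log" "$t"
        else
            printf 'dest=%s (no readable splunkd.log)\n' "$t"
        fi
    done
fi
```

A host that reports an install dir and targets but connected=0 and paused>0 for a target is exactly the "TCP output processor has paused the data flow" case quoted above: the forwarder is configured and running, and the problem is between it and the receiver.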
https://splunkbase.splunk.com/app/3696 Get this app and place it on your DMC as best practice. The REST calls will access anything that is a search peer. The DMC node typically has your entire environment as a search peer in order to monitor the environment. The app does suggest installing on a search head, but you might miss access to the CM, HF, etc. Of course, if you have a single-node cluster then there is no need to worry about where you install. Follow the instructions for a cloud-based environment.
Hi @yuanliu, were you able to find the solution for this issue? We are also facing the same issue.
Hello to everyone! I want to build a dashboard with which I can access information from the config files of an indexer cluster. I know that the typical scenario for accessing config files is using the REST endpoints "/services/configs/conf-*". But as I understood it, these endpoints show only configuration files stored under /system/local/*.conf. Is there a way to access config files stored under /manager-apps/local?
@richgalloway Hi there. Thanks for the answer about the MGMT port. I am a little confused by your answer that the UF does not support HEC. The previous version 8.2.6 of the UF works fine as HEC with port 8088 bound, forwarding the data through TCP to the indexer nodes (9997). Maybe Splunk removed this logic from the UF in versions after 8.2.6? What is the replacement for HEC? We are using the UF because parsing does not consume license. What is the latest version of the UF that can be configured as an HTTP Event Collector?
The procedure you're thinking of is common and works well.  Good luck!
Exactly what I was looking for, thank you so much !! @ITWhisperer 
There is the management mode setting that controls whether the UF listens on a TCP port or via UDS. See https://docs.splunk.com/Documentation/Forwarder/9.3.2/Forwarder/AboutManagementMode
The management port itself is set in web.conf, not inputs.conf (it's not a data input):
[settings]
mgmtHostPort = 127.0.0.1:9089
UFs do not support HTTP input.
You might also need global=false on the streamstats:
| streamstats current=f global=f last(rxError) as priorErr last(_time) as priorTim by host
The coalesce will work; it is just that if the count is 1 it could be that it only occurs in component1 or component2, and you would have to do something slightly different if you want to distinguish which set the component comes from.
OK, trying:
index="myindex" host="our-hosts*" source="/var/log/nic-errors.log"
| rex "RX\serrors\s(?<rxError>\d+)\s"
| rex "RX\spackets\s(?<rxPackets>\d+)\s"
| rex "RX\serrors\s+\d+\s+dropped\s(?<rxDrop>\d+)\s"
| sort - _time
| streamstats current=f last(rxError) as priorErr last(_time) as priorTim by host
| where not (rxError=priorErr)
| chart last(rxError), last(rxPackets), last(rxDrop) by host
Will that show me when rxError changes?
Right now I'm just running a proof of concept. I'll move the field definitions to the indexers later. Right now I'm trying to detect if diff pos1=last(rxError) pos2=last-1(rxError). I want to detect when the value of rxError changes from last-1 to last. Working on that.
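The change detection the streamstats pipeline in this sub-thread is after, written out as an added example (shell with awk, not code from the thread) over a constructed log in the shape the rex patterns above expect: one sample per line with an epoch timestamp, a host name and the "RX packets N errors N dropped N" counters. The per-host array is the "by host" grouping and the previous-value comparison is the "current=f last(rxError)" plus "where not (rxError=priorErr)" pair. One design point it makes explicit: streamstats walks events in the order they arrive, so "prior" only means chronologically earlier if the input is sorted ascending; the example sorts ascending for that reason.

```sh
#!/bin/sh
# Added example, not code from the thread: print the moments a host's RX error
# counter changes. Input lines (constructed, see below):
#   <epoch> <host> RX packets <n> errors <n> dropped <n>
# Reads stdin, writes "time host old->new" for each change, oldest first.
rx_error_changes() {
    sort -n -k1,1 | awk '
        {
            host = $2
            err = ""
            # pull the value after the literal "errors" token (the rex above does the same)
            for (i = 1; i <= NF; i++) if ($i == "errors") err = $(i + 1)
            if (err == "") next                       # line does not match: skip it
            # prev[host] is the per-host state a streamstats "by host" carries
            if ((host in prev) && prev[host] != err)
                printf "%s %s %s->%s\n", $1, host, prev[host], err
            prev[host] = err
        }'
}

# Constructed sample, deliberately out of order and with two hosts interleaved,
# so the sort and the per-host state both matter.
rx_error_changes <<'EOF'
1700000300 web02 RX packets 1200 errors 1 dropped 0
1700000000 web01 RX packets 100 errors 0 dropped 0
1700000060 web01 RX packets 210 errors 0 dropped 0
1700000120 web01 RX packets 330 errors 3 dropped 1
1700000180 web01 RX packets 400 errors 3 dropped 1
1700000000 web02 RX packets 900 errors 1 dropped 0
1700000240 web01 RX packets 520 errors 5 dropped 2
EOF
```

On the sample this reports two transitions for web01 (0 to 3, then 3 to 5) and none for web02, whose counter is flat; a line that does not carry an "errors" token is skipped rather than treated as a change to an empty value.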
Hi @PickleRick, just to inform you: I have replaced the below endpoint, but the timestamp mismatch issue still persists.
Thanks. But I have researched the documentation on how to enable HEC from configuration files - no results. And I do not find any link on how to enable the management port. Maybe you can help with a direct link?
$ cat /opt/splunkforwarder/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
$ cat /opt/splunkforwarder/etc/system/local/inputs.conf
[http]
disabled = 0
[http://input]
disabled = 0
Used: https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/UseHECusingconffiles