For web.conf, change the AuthMethod and add the PivOid list:
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3, Microsoft Universal Principal Name
And also, add the Tier into the display of the business transactions, and count the number of Business Transactions per Tier including the ones that do not have performance data. It is possible that you have the limit of 50 in a Tier. Mark
No. It's not how it works. You wrote that you want to simulate a live system. That usually means continuous generation of events and reacting to them as they are ingested. TA_eventgen does just that - it creates events based on configuration and templates.
Timewrap works on output from timechart. So you need an output from timechart. To get this you need to use tstats with prestats=t option.
| tstats prestats=t `summariesonly` count from datamodel="Web" where sourcetype="f5:bigip:ltm:http:irule" by _time Web.site span=10m
| timechart span=10m count as event_count by Web.site
The error means that during execution of that script an exception was thrown at line 1245 because it tried to connect somewhere and got 403 as a response. It doesn't have anything to do with filesystem permissions.
How to explode 1 row to several, breaking out a multi-value field.
app=ABC client=AA views=View1,View2
app=ABC client=AA views=View1,View2,View3
app=ABC client=BB views=View1,View3
app=ABC client=CC views=View3,View2,View1
I want to table that to column data:
app  client  view
ABC  AA      View1
ABC  AA      View2
ABC  AA      View1
ABC  AA      View2
ABC  AA      View3
ABC  BB      View1
ABC  BB      View3
ABC  CC      View3
ABC  CC      View2
ABC  CC      View1
So that I can run count on those resultant rows:
app  client  view   count
ABC  AA      View1  2
ABC  AA      View2  2
ABC  AA      View3  1
ABC  BB      View1  1
ABC  BB      View3  1
ABC  CC      View3  1
ABC  CC      View2  1
ABC  CC      View1  1
Ok thanks, I will update that. What needs to be in the web.conf file to enable CAC login? I currently have:
[settings]
httpport = 8000
enableSplunkWebSSL = 1
tools.sessions.timeout = 15
requireClientCert = true
enableCertBasedUserAuth = true
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
allowSsoWithoutChangingServerConf = 1
privKeyPath = E:\SPLUNKent\etc\auth\mycerts\xx.key
serverCert = E:\SPLUNKent\etc\auth\mycerts\xx.pem
Hi @Gayatri, is the Windows server available on the `Clients` tab on the DS? If yes, can you query the internal log for that Windows server? You can use this query:
index=_internal host=$windows-server-hostname$
If the log is not available, you need to consider restarting the Splunk UF on the Windows server, and if you already restarted it, did you enable forwarding on the Splunk UF installation?
Thank you for this post. We are experiencing a similar issue, and have opened a case. We are now testing the suggestion made by the Tech Support engineer:
Please add the following stanza to your configuration to see if it resolves the issue.
%SPLUNK_HOME%\etc\apps\introspection_generator_addon\local\server.conf
[introspection:generator:resource_usage]
disabled = true
acquireExtra_i_data = false
Would you please check/apply the workaround and let us know the output?
I will provide an update when I know more - and when I am back from leave.
We migrated our Splunk indexer from Ubuntu to RHEL recently. Everything appeared to go fine except for this one add-on. Initially, we were getting a different error. I ran fapolicyd-cli add file splunk to it and that error cleared but now we get this error.
External search command "ldapgroup" returned error code 1. Script output = "error message=HTTPError at "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1245 : HTTP 403 Forbidden - insufficient permission to access this resources."
I went in and did chown -R on the folder (and every other folder in the line including /opt/splunk) but that didn't fix it. The files and folders are all owned by splunk and have permission to run it. I have verified the firewall ports for 636 and 389 are open.
We have tried to reinstall the add-on through the web interface and get a series of similar errors indicating that it can't copy a number of .py files over. Some do get copied though and most of the folders created. I'm at a bit of a loss...