All Topics

Hello everyone, I am struggling with extracting the fields of a custom WAF log file, as there is no sourcetype that parses the fields correctly. My regex experience is very limited, so any help would be appreciated. The log output is:

*************************************************************************
Attack blocked, match (torro!234) detected from 1.2.3.4:55488.
Time: 2021-03-28 09:09:08
Full request:
*************************************************************************
GET /waf-test-page.php?torro!234 HTTP/1.1
Host: 34.210.25.50
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=e59oluljlvjkeef2ts3gphrt7g
Upgrade-Insecure-Requests: 1
*************************************************************************
Attack blocked, match (union+select) detected from 1.2.3.4:57280.
Time: 2021-03-28 09:10:19
Full request:
*************************************************************************
POST /waf-test-page.php HTTP/1.1
Host: 34.210.25.50
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://34.210.25.50
Connection: keep-alive
Referer: http://34.210.25.50/waf-test-page.php
Cookie: PHPSESSID=e59oluljlvjkeef2ts3gphrt7g
Upgrade-Insecure-Requests: 1

os='+UNION+SELECT+1,2,3&php=&path=
*************************************************************************
Attack blocked, match (<script) detected from 1.2.3.4:53248.
Time: 2021-03-28 09:12:38
Full request:
*************************************************************************
GET /waf-test-page.php?path=5"><script> HTTP/1.1
Host: 34.210.25.50
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=e59oluljlvjkeef2ts3gphrt7g
Upgrade-Insecure-Requests: 1
*************************************************************************
Attack blocked, match (IP BLACKLISTED) detected from 1.2.3.4:56704.
Time: 2021-03-28 09:19:02
Full request:
*************************************************************************
GET /waf-test-page.php?test_block_ip HTTP/1.1
Host: 34.210.25.50
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=e59oluljlvjkeef2ts3gphrt7g
Upgrade-Insecure-Requests: 1
*************************************************************************

I would like to extract the following 3 fields:

alert, e.g. "Attack blocked, match (torro!234) detected from 1.2.3.4:55488. Time: 2021-03-28 09:09:08"
http.request, e.g. "GET /waf-test-page.php?torro!234 HTTP/1.1"
host.ip, e.g. "34.210.25.50"

Thank you in advance.
Chris
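An added example, not part of Chris's post, showing the three extractions against a constructed excerpt of the log above. The patterns are written for Python's re module; the same patterns work in a Splunk rex command once (?P<name>...) is changed to (?<name>...). Field names with dots (http.request, host.ip) are not valid named-group names in PCRE, so the groups below use underscores. It also pulls out the matched signature and the client IP and port, which the post does not ask for but which are the fields you would alert on.

```python
"""Parse a custom WAF block log into per-event fields (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two of the four blocked requests quoted in the post, headers trimmed.
SAMPLE_LOG = """\
*************************************************************************
Attack blocked, match (torro!234) detected from 1.2.3.4:55488.
Time: 2021-03-28 09:09:08
Full request:
*************************************************************************
GET /waf-test-page.php?torro!234 HTTP/1.1
Host: 34.210.25.50
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Cookie: PHPSESSID=e59oluljlvjkeef2ts3gphrt7g
*************************************************************************
Attack blocked, match (union+select) detected from 1.2.3.4:57280.
Time: 2021-03-28 09:10:19
Full request:
*************************************************************************
POST /waf-test-page.php HTTP/1.1
Host: 34.210.25.50
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

os='+UNION+SELECT+1,2,3&php=&path=
*************************************************************************
"""

# The alert spans the "Attack blocked" line and the "Time:" line, so \s+ bridges the
# line break. Everything else is a single line of the echoed request.
ALERT_RE = re.compile(
    r"(?P<alert>Attack blocked, match \((?P<signature>.*?)\) detected from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\.\s+"
    r"Time: (?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))"
)
REQUEST_RE = re.compile(r"^(?P<http_request>[A-Z]+ .+ HTTP/\d\.\d)$", re.M)
HOST_RE = re.compile(r"^Host:\s*(?P<host_ip>[^\s:]+)(?::(?P<host_port>\d+))?\s*$", re.M)


@dataclass
class WafEvent:
    alert: str
    time: str
    signature: str
    src_ip: str
    src_port: int
    http_request: Optional[str]
    host_ip: Optional[str]


def parse_waf_log(text: str) -> List[WafEvent]:
    """One event per "Attack blocked" line; the request block runs until the next alert."""
    events: List[WafEvent] = []
    alerts = list(ALERT_RE.finditer(text))
    for i, m in enumerate(alerts):
        end = alerts[i + 1].start() if i + 1 < len(alerts) else len(text)
        request_block = text[m.end():end]
        req = REQUEST_RE.search(request_block)
        host = HOST_RE.search(request_block)
        events.append(WafEvent(
            alert=" ".join(m.group("alert").split()),  # collapse the line break to one space
            time=m.group("time"),
            signature=m.group("signature"),
            src_ip=m.group("src_ip"),
            src_port=int(m.group("src_port")),
            http_request=req.group("http_request") if req else None,
            host_ip=host.group("host_ip") if host else None,
        ))
    return events


if __name__ == "__main__":
    for ev in parse_waf_log(SAMPLE_LOG):
        print(f"{ev.time}\t{ev.src_ip}:{ev.src_port}\t{ev.signature!r}\t{ev.http_request}\t{ev.host_ip}")
```

Two things a practitioner would check before relying on these fields. The event boundary must be at the "Attack blocked" line, otherwise each block of asterisks becomes its own event and the request is separated from its alert; in props.conf that is a BREAK_ONLY_BEFORE on that phrase, with TIME_PREFIX pointing at "Time:". And host_ip here is the client-supplied Host header, not the address the WAF observed, so it is attacker-controlled input; src_ip is the value to pivot on. The echoed Cookie header also puts a live PHPSESSID into the index, which is worth masking at ingest.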
Hello All,

We are trying to achieve Power BI integration with Splunk. We have Power BI installed on a Windows machine, and we also installed the ODBC driver to connect to Splunk. As part of the configuration we added credentials (the same ones with which we connect to our Splunk Cloud instance) and the URL in the Power BI Get Data options, but we are getting the error below:

"Details: "ODBC: ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Couldn't connect to serverERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Couldn't connect to server"

I am attaching the connection screenshot and the error screenshot. Please let me know if we can add any more information. Please help with this, as it will ease reporting to a great extent.
Jobs run on a daily basis. The events look like:

1) "Job_Name": "XYZ", "status": "Start"
2) "Job_Name": "XYZ", "status": "SUCCESS"
3) "Job_Name": "XYZ", "status": "Failure"

I need to calculate and display the job run time and status on a dashboard for multiple days/runs. The query below works well for a single run, but for multiple runs the runtime is not getting calculated.

<search to fetch both "job started" and "job finished" events>
| eval eventType=if(searchmatch("job started"),"Start","End")
| chart values(_time) over Job_Name by eventType
| eval jobduration=End-Start
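An added example, not from the post, of the pairing logic the chart above cannot express: values(_time) collapses every Start of a job into one multivalue field, so End-Start has no single answer once there is more than one run. Pairing each Start with the next terminal event for the same Job_Name, in time order, gives one row per run. The events below are constructed in the shape the post describes, with a timestamp added to each.

```python
"""Pair Start/End events per job run and compute each run's duration (added example, not from the post)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed events: two runs of XYZ (one SUCCESS, one Failure) and one run of ABC.
# The ABC end event is deliberately out of order to show that sorting is required.
SAMPLE_EVENTS = [
    {"_time": "2021-04-01 01:00:00", "Job_Name": "XYZ", "status": "Start"},
    {"_time": "2021-04-01 01:05:30", "Job_Name": "XYZ", "status": "SUCCESS"},
    {"_time": "2021-04-01 01:10:00", "Job_Name": "ABC", "status": "Start"},
    {"_time": "2021-04-02 01:00:00", "Job_Name": "XYZ", "status": "Start"},
    {"_time": "2021-04-02 01:02:00", "Job_Name": "XYZ", "status": "Failure"},
    {"_time": "2021-04-01 01:12:00", "Job_Name": "ABC", "status": "SUCCESS"},
]

TERMINAL_STATUSES = {"SUCCESS", "FAILURE"}


@dataclass
class JobRun:
    job: str
    start: datetime
    end: Optional[datetime]
    status: str  # SUCCESS, Failure, or NO_END when the run never reported a result

    @property
    def duration_s(self) -> Optional[float]:
        return (self.end - self.start).total_seconds() if self.end else None


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def pair_job_runs(events: List[dict]) -> List[JobRun]:
    """Walk events in time order, keeping one open Start per job until its end arrives."""
    runs: List[JobRun] = []
    open_starts: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: _ts(e["_time"])):
        job, status, t = ev["Job_Name"], ev["status"].strip(), _ts(ev["_time"])
        if status.lower() == "start":
            # A second Start before any end: the earlier run never finished.
            if job in open_starts:
                runs.append(JobRun(job, open_starts[job], None, "NO_END"))
            open_starts[job] = t
        elif status.upper() in TERMINAL_STATUSES:
            start = open_starts.pop(job, None)
            if start is None:
                continue  # end with no Start in the search window: nothing to measure
            runs.append(JobRun(job, start, t, status))
    # Jobs still running at the end of the window.
    for job, start in open_starts.items():
        runs.append(JobRun(job, start, None, "NO_END"))
    return runs


if __name__ == "__main__":
    for run in pair_job_runs(SAMPLE_EVENTS):
        print(f"{run.job}\t{run.start}\t{run.status}\t{run.duration_s}")
```

In SPL the equivalent grouping is what the transaction command does with startswith/endswith on Job_Name; the Python version makes the two edge cases explicit: a Start that is never closed, and an end that falls outside the search window and has no Start to pair with.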
Hi everyone, I need a query to check the alert status (closed) along with the time, and when the same alert was triggered for the first time in Splunk. It may have been triggered a week before, and now we are closing it. The same alert can be triggered multiple times, so I need historical data for the alert along with the current status and closed time.

Thanks in advance
I'm using the Cisco ACI add-on to retrieve information from the Cisco ACI device but I'm only interested in retrieving data from a subset of the tenants. Polling data from all of the tenants is causing performance issues on the device. I've taken a look at the inputs and the collect.py script that is used to make the calls to the API but there is no obvious way of adding a filter. Is there a way to do this?
Hi All,

I have a warning message on my search head GUI as below:

"The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/hostname-randomnumber-randomnumber.delta"

When I validated the respective delta file, it's not even one MB. I am still getting this warning message frequently. Could anyone please help? I see the same messages in splunkd.log too.

-rw------- 1 root root 188M Apr 2 10:36 hostname-1617352591.bundle
-rw------- 1 root root  80K Apr 2 10:36 hostname-1617352525-1617352591.delta
A few days ago I rebuilt all of the lookup lists because I noticed the AD changes we had made weren't picked up in them. Since the rebuild, the memberOf column in the AD_User_LDAP_list has been empty and I'm not sure how to populate it. It was definitely complete before the rebuild, so I'm not sure why it's not working now. The AD_Computer_LDAP_list is also missing various computers which it definitely contained before. Any advice on the missing data in the lookups, or on why AD changes aren't being picked up, would be much appreciated.
Hello! As shown in the picture below, these are the events with a timestamp. I want to get an alert when the "Kafka" service or the "Jps" service is down. How do I write a search query so that I get an alert when any of the services below are down?
Hi Everyone, I have one requirement. Below is my query:

index=abc ns=ab ("NullPointerException" OR "IllegalStateException" OR "IllegalArgumentException" OR "RuntimeException" OR "NumberFormatException" OR "NoSuchMethodException" OR "ClassCastException" OR "ParseException" OR "InvocationTargetException" OR "OutOfMemoryError")
| rex "message=(?<ExceptionMessage>[^\n]+)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.6
| table app_name, ExceptionMessage, cluster_count, _time, environment, pod_name, ns
| dedup ExceptionMessage
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

I am getting multiple rows, and the column names are app_name, ExceptionMessage, cluster_count, _time, environment, pod_name, ns.

I want them to be in one row: all the app_name values should be in one row, and all the exception messages should be in one row. Can someone guide me on this?
{ Exams : { "Message" : "Passed in Maths paper 1 exam", "Result":"Passed", "Name" : "s3"} SubjecctName:Passed-Maths-SemiAnually }
{ Exams : { "Message" : "Passed in Maths paper 2 exam", "Result":"Passed", "Name" : "s3"} SubjecctName:Passed-Maths-SemiAnually }
{ Exams : { "Message" : "Passed in Maths paper 1 exam", "Result":"Passed", "Name" : "s4"} SubjecctName:Passed-Maths-SemiAnually }
{ Exams : { "Message" : "Passed in Maths paper 2 exam", "Result":"Passed", "Name" : "s4"} SubjecctName:Passed-Maths-SemiAnually }
{ Exams : { "Message" : "Passed in Maths paper 1 exam", "Result":"Passed", "Name" : "s3"} SubjecctName:Passed-Maths-Anually }
{ Exams : { "Message" : "Passed in Maths paper 2 exam", "Result":"Passed", "Name" : "s3"} SubjecctName:Passed-Maths-Anually }
{ Exams : { "Message" : "Passed in Physics paper 1 exam", "Result":"Passed", "Name" : "s4"} SubjecctName:Passed-Physics-Anually }
{ Exams : { "Message" : "Failed in Physics paper 2 exam", "Result":"Failed", "Name" : "s4"} SubjecctName:Passed-Physics-Anually }

Status report for each student (count the number of exams passed and failed by each student).

In the above example, s4 passed Physics paper 1 but failed paper 2 annually, so it must be considered as failed in that exam annually.
In the above example, s4 passed Maths paper 1 and passed paper 2 semi-annually, so it must be considered as passed in that exam semi-annually.

In the above example, s3 passed Maths paper 1 and passed paper 2 semi-annually, so it must be considered as passed in that exam semi-annually.
In the above example, s3 passed Maths paper 1 and passed paper 2 annually, so it must be considered as passed in that exam annually.

The final output should be:

Student  failed  passed
S4       1       1
S3       2       0
Hi, I have this stats table:

Column1  Column2
400      500

I want to have a bar chart which shows 2 bars side by side for Column1 and Column2.
Hi @all, I already have the data in an index. I have created a new dashboard, but it shows Instance ID and Instance type only (prebuilt panel) and is unable to show the CPU credit balance. Do I need to write a query for this?
Hi, I have the sample dataset below. This dataset is for an asset being compliant or not compliant. What I need is: if an asset is tagged as compliant for some values and non-compliant for others, I need non-compliant to take precedence and show it as non-compliant. Right now, I am seeing all values, for example for asset1. If an asset is compliant only, it stays as Compliant. If an asset is NA only, it stays as Compliant.

Is:

To Be:

Thanks in advance!
The value of session_value contains this info:

not found, name: user@mycompany.com more text here

I am trying to use this:

rex field=session_value ":(?<session_value>)@"

to extract: user

I think I am close, can anyone assist?
Hi, I am looking for a solution to ingest AWS RDS MS SQL DB audit logs into Splunk. This is for a production database, and we cannot use the Splunk DB Connect option for this setup. Any possible solution or available documentation?

Regards,
Kevin V.
I'm an occasional Splunk Enterprise user, so forgive me if this is a noob question or has been answered before. We use Qualys to scan our systems daily for vulnerabilities. As such, on things like web servers it generates a lot of log entries as it scans endpoints. At times it might crawl a website, for example, generating a lot of failed requests as it creates ad-hoc GET requests to try and see what it can get back from the site. As such, I have a requirement to build queries that exclude log entries with the scanner's IP address in them. The thing is, this IP (or rather these IPs) are growing as we introduce slave nodes to scan our network. What I would like to do is the following: have our query creators use a token that is a list of the Qualys scanner IP addresses and use that as an exclusion in their search macros, e.g.

index=iis | c_ip NOT ($myglobaltoken)

The thing is, though, I want this token defined globally by the admin team so we can update the values in it and thus all queries (in different apps etc.) referencing it are updated accordingly. Is this possible?
Here are the contents of /opt/splunk/etc/deployment-apps:

[splunk@splunk deployment-apps]$ ls
README Splunk_TA_nix Splunk_TA_windows
[splunk@splunk deployment-apps]$ pwd
/opt/splunk/etc/deployment-apps

However, upon running either splunk reload deploy-server or splunk restart, while no errors are being generated, the deployment apps displayed on the web UI are not updating. The entire path /opt/splunk/etc/deployment-apps and its subfolders are owned by the splunk user.

Here are the results when running splunk reload deploy-server -debug:

[splunk@splunk deployment-apps]$ splunk reload deploy-server -debug > reload
Will setenv SPLUNK_CLI_DEBUG to "v".
In check_and_set_splunk_os_user(): In env found SPLUNK_OS_USER var: "splunk"
In cmd_rc
Will exec (detach=no): LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf HOSTNAME=splunk.cdc.health.local SPLUNK_SERVER_NAME=Splunkd SPLUNK_HOME=/disk2/splunk USER=splunk LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_DB=/export/intindx NODE_PATH=/disk2/splunk/lib/node_modules SPLUNK_OS_USER=splunk /disk2/splunk/bin/splunkd btool web list settings --no-log
Will exec (detach=no): LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf HOSTNAME=splunk.cdc.health.local SPLUNK_SERVER_NAME=Splunkd SPLUNK_HOME=/disk2/splunk USER=splunk LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_DB=/export/intindx NODE_PATH=/disk2/splunk/lib/node_modules SPLUNK_OS_USER=splunk /disk2/splunk/bin/splunkd btool server list general --no-log
Will exec (detach=no): LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf HOSTNAME=splunk.cdc.health.local SPLUNK_SERVER_NAME=Splunkd SPLUNK_HOME=/disk2/splunk USER=splunk LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_DB=/export/intindx NODE_PATH=/disk2/splunk/lib/node_modules SPLUNK_OS_USER=splunk /disk2/splunk/bin/splunkd btool server list kvstore --no-log
Will exec (detach=no): LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf HOSTNAME=splunk.cdc.health.local SPLUNK_SERVER_NAME=Splunkd SPLUNK_HOME=/disk2/splunk USER=splunk LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_DB=/export/intindx NODE_PATH=/disk2/splunk/lib/node_modules SPLUNK_OS_USER=splunk /disk2/splunk/bin/splunkd btool server list dfs --no-log
dynamic conf init: httpport=8000 mgmtHostPort=8089 bind_ip= rest_hostname=127.0.0.1 kvStorePort=8191
base splunkdURL from splunkd: https://127.0.0.1:8089
Will setenv SPLUNK_CLI_DEBUG to "v".
cmd: reload
obj: deploy-server
cli args:
In build_full_rest_url(): Composing URL from base=https://127.0.0.1:8089 + relative=/static/splunkrc_cmds.xml
In build_full_rest_url(): Composed URL=https://127.0.0.1:8089/static/splunkrc_cmds.xml
In make_simple_rest_call_online(): using_basic_auth=0
In make_simple_rest_call_online(): [Re-]Initialized HTTP request headers: <none>
In make_simple_rest_call_online(): HTTP request response_code=200
In make_simple_rest_call_online(): HTTP response headers:
ETag: "s-t2y1XwAAAAD4ZQsAAAAAAJ8CCgAAAAAANsQDAAAAAAA"
Date: Thu, 01 Apr 2021 20:44:37 GMT
Expires: Thu, 01 Apr 2021 21:44:37 GMT
Cache-Control: max-age=3600
Content-Type: text/xml
X-Content-Type-Options: nosniff
Last-Modified: Wed, 18 Nov 2020 18:49:27 GMT
Content-Length: 246838
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Server: Splunkd
Online REST call to /static/splunkrc_cmds.xml returned 0
Visited node: deploy-server
Entered node:deploy-server/common
Entered node:deploy-server/cmd
Metadata:
cmd: reload
obj: deploy-server
rel_url: (no value)
eai_id: (no value)
implied_arg_name: (no value)
action: 0
args map count: 0
args map:
default args count: 0
initial args count: 0
hooks count: 0
object help command array count: 0
In call_pcl, will exec_python
Will exec (detach=no): HOSTNAME=splunk.cdc.health.local USER=splunk PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_HOME=/disk2/splunk SPLUNK_DB=/export/intindx SPLUNK_SERVER_NAME=Splunkd SPLUNK_OS_USER=splunk NODE_PATH=/disk2/splunk/lib/node_modules PYTHONPATH= LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf /disk2/splunk/bin/python3.7 -u /disk2/splunk/lib/python3.7/site-packages/splunk/clilib/cli.py reload deploy-server
DEBUG (cli) Running in debug mode.
DEBUG (cli) Command: reload
DEBUG (cli) Subcmd: deploy-server
DEBUG (cli) Begin parsed arguments:
DEBUG (cli)
DEBUG (cli) End parsed arguments.
DEBUG (cli) noAuthReq: False
DEBUG (cli) username: None
DEBUG (cli) password: None
DEBUG (cli_common) Running btool for 'web.conf'.
WARNING (cli_common) btool returned something in stderr: 'Will exec (detach=no): HOSTNAME=splunk.cdc.health.local USER=splunk PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_HOME=/disk2/splunk SPLUNK_DB=/export/intindx SPLUNK_SERVER_NAME=Splunkd SPLUNK_OS_USER=splunk NODE_PATH=/disk2/splunk/lib/node_modules LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf /disk2/splunk/bin/splunkd btool web list '
DEBUG (cli) Contents of ./splunk/authToken file: <auth><username>splunkadmin</username><sessionkey></sessionkey></auth>
DEBUG (cli) authInfo:
DEBUG (rcUtils) cmd: reload, obj: deploy-server, restArgList: {'authstr':', 'owner': 'splunkadmin'}
DEBUG (rcUtils) endpoint: deployments
DEBUG (rcUtils) layeredFind:default_eai_parms:
DEBUG (rcUtils) authstr poped from argList
DEBUG (rcUtils) layeredFind:app_context:
DEBUG (rcUtils) namespace:
DEBUG (rcUtils) layeredFind:uri: /deployment/server/config/_reload
DEBUG (rcUtils) layeredFind:eai_id:
DEBUG (rcUtils) layeredFind:required:
DEBUG (rcUtils) eai_key_list: []
DEBUG (rcUtils) eai_key_list: []
DEBUG (rcUtils) layeredFind:args:
DEBUG (rcUtils) layeredFind:prehooks:
DEBUG (rcUtils) after prehooks, eaiArgsList: {}
DEBUG (rcUtils) Before buildEndpoint uri: /deployment/server/config/_reload
DEBUG (rcUtils) Before buildEndpoint entityName:
DEBUG (rcUtils) uri: /services/deployment/server/config/_reload
DEBUG (rcUtils) layeredFind:type: edit
DEBUG (rcUtils) eaiArgsList: {}
DEBUG (rcUtils) In sanitizeArgs: target: , argsMap: {}, argsDict: {}
DEBUG (rcUtils) In sanitizeArgs: target: , argsMap: {}, argsDict: {}
DEBUG (rcUtils) In sanitizeArgs: target: /deployment/server/config/_reload, argsMap: {}, argsDict: {}
DEBUG (rcUtils) In sanitizeArgs: target: /deployment/server/config/_reload, argsMap: {}, argsDict: {}
DEBUG (rcUtils) postargs: {}
DEBUG (rcUtils) getargs: {}
DEBUG (__init__) simpleRequest > POST https://127.0.0.1:8089/services/deployment/server/config/_reload [] sessionSource=direct timeout=30
DEBUG (cli_common) Running btool for 'server.conf'.
WARNING (cli_common) btool returned something in stderr: 'Will exec (detach=no): HOSTNAME=splunk.cdc.health.local USER=splunk PATH=/disk2/splunk/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/splunk/.local/bin:/home/splunk/bin:/disk2/splunk/bin PWD=/opt/splunk/etc/deployment-apps SPLUNK_HOME=/disk2/splunk SPLUNK_DB=/export/intindx SPLUNK_SERVER_NAME=Splunkd SPLUNK_OS_USER=splunk NODE_PATH=/disk2/splunk/lib/node_modules LD_LIBRARY_PATH=/disk2/splunk/lib:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64:/disk2/splunk/bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u242b08/lib/amd64/jli LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf /disk2/splunk/bin/splunkd btool server list '
DEBUG (__init__) simpleRequest < server responded status=200 responseTime=0.1081s
DEBUG (rcUtils) In checkStatus: type: edit, server_response: {'date': 'Thu, 01 Apr 2021 20:44:37 GMT', 'expires': 'Thu, 26 Oct 1978 00:00:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate, max-age=0', 'content-type': 'text/xml; charset=UTF-8', 'x-content-type-options': 'nosniff', 'content-length': '3828', 'vary': 'Authorization', 'connection': 'Close', 'x-frame-options': 'SAMEORIGIN', 'server': 'Splunkd', 'status': '200'}
DEBUG (rcDisplay) In displayDeployment: kwargs: {'cmd': 'reload', 'obj': 'deploy-server', 'type': 'edit', 'serverResponse': {'date': 'Thu, 01 Apr 2021 20:44:37 GMT', 'expires': 'Thu, 26 Oct 1978 00:00:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate, max-age=0', 'content-type': 'text/xml; charset=UTF-8', 'x-content-type-options': 'nosniff', 'content-length': '3828', 'vary': 'Authorization', 'connection': 'Close', 'x-frame-options': 'SAMEORIGIN', 'server': 'Splunkd', 'status': '200'}, 'serverContent': b'<?xml version="1.0" encoding="UTF-8"?>\n<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . -->\n<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>\n<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">\n <title>deploymentserver</title>\n <id>https://127.0.0.1:8089/services/deployment/server/config</id>\n <updated>2021-04-01T20:44:37+00:00</updated>\n <generator build="152fb4b2bb96" version="8.0.6"/>\n <author>\n <name>Splunk</name>\n </author>\n <link href="/services/deployment/server/config/_reload" rel="_reload"/>\n <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>\n <link href="/services/deployment/server/config/authentication" rel="authentication"/>\n <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>\n <opensearch:totalResults>1</opensearch:totalResults>\n <opensearch:itemsPerPage>30</opensearch:itemsPerPage>\n <opensearch:startIndex>0</opensearch:startIndex>\n <s:messages/>\n <entry>\n <title>config</title>\n <id>https://127.0.0.1:8089/services/deployment/server/config/config</id>\n <updated>1970-01-01T00:00:00+00:00</updated>\n <link href="/services/deployment/server/config/config" rel="alternate"/>\n <author>\n <name>system</name>\n </author>\n <link href="/services/deployment/server/config/config" rel="list"/>\n <link href="/services/deployment/server/config/config/_reload" rel="_reload"/>\n <link href="/services/deployment/server/config/config" rel="edit"/>\n <content type="text/xml">\n <s:dict>\n <s:key name="currentDownloads">0</s:key>\n <s:key name="disabled">0</s:key>\n <s:key name="eai:acl">\n <s:dict>\n <s:key name="app"></s:key>\n <s:key name="can_list">1</s:key>\n <s:key name="can_write">1</s:key>\n <s:key name="modifiable">0</s:key>\n <s:key name="owner">system</s:key>\n <s:key name="perms">\n <s:dict>\n <s:key name="read">\n <s:list>\n <s:item>admin</s:item>\n <s:item>splunk-system-role</s:item>\n </s:list>\n </s:key>\n <s:key name="write">\n <s:list>\n <s:item>admin</s:item>\n <s:item>splunk-system-role</s:item>\n </s:list>\n </s:key>\n </s:dict>\n </s:key>\n <s:key name="removable">0</s:key>\n <s:key name="sharing">system</s:key>\n </s:dict>\n </s:key>\n <s:key name="loadTime">1617309877</s:key>\n <s:key name="repositoryLocation">$SPLUNK_HOME/etc/deployment-apps</s:key>\n </s:dict>\n </content>\n </entry>\n</feed>\n', 'sessionKey': '', 'eaiArgsList': {}}
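The debug output above carries two values worth comparing: every exec line reports SPLUNK_HOME=/disk2/splunk, and the REST response reports repositoryLocation=$SPLUNK_HOME/etc/deployment-apps, while the apps were copied into /opt/splunk/etc/deployment-apps. An added example, not from the post, that pulls both values out of a debug transcript and checks whether the edited directory is the one the deployment server actually serves. The transcript excerpt is constructed from the lines quoted above, and whether /opt/splunk is a symlink to /disk2/splunk is not something the post shows, so the check resolves symlinks only when the paths exist on the host it runs on.

```python
"""Check that the deployment-apps directory you edited is the one splunkd serves
(added example, not from the post)."""
import os
import re
from typing import Tuple

# Constructed excerpt of the `splunk reload deploy-server -debug` transcript above.
DEBUG_EXCERPT = """\
Will exec (detach=no): LDAPCONF=/disk2/splunk/etc/openldap/ldap.conf HOSTNAME=splunk.cdc.health.local SPLUNK_SERVER_NAME=Splunkd SPLUNK_HOME=/disk2/splunk USER=splunk PWD=/opt/splunk/etc/deployment-apps /disk2/splunk/bin/splunkd btool web list settings --no-log
<s:key name="loadTime">1617309877</s:key>
<s:key name="repositoryLocation">$SPLUNK_HOME/etc/deployment-apps</s:key>
"""
EDITED_DIR = "/opt/splunk/etc/deployment-apps"  # the directory the post's `pwd` shows

SPLUNK_HOME_RE = re.compile(r"\bSPLUNK_HOME=(\S+)")
REPO_RE = re.compile(r'<s:key name="repositoryLocation">([^<]+)</s:key>')


def extract_paths(debug_output: str) -> Tuple[str, str]:
    """Return (SPLUNK_HOME as the CLI exported it, repositoryLocation as the REST response reports it)."""
    home = SPLUNK_HOME_RE.search(debug_output)
    repo = REPO_RE.search(debug_output)
    if not home or not repo:
        raise ValueError("debug output lacks SPLUNK_HOME or repositoryLocation")
    return home.group(1), repo.group(1)


def resolve_repository_location(splunk_home: str, repository_location: str) -> str:
    """Expand the $SPLUNK_HOME token; the default repositoryLocation is expressed with it."""
    return repository_location.replace("$SPLUNK_HOME", splunk_home)


def canonical(path: str) -> str:
    """Follow symlinks when the path exists on this host; otherwise only normalise the string."""
    return os.path.realpath(path) if os.path.exists(path) else os.path.normpath(path)


def served_dir_matches(debug_output: str, edited_dir: str) -> bool:
    """True when the directory you edited is the repository the deployment server reads."""
    splunk_home, repo = extract_paths(debug_output)
    return canonical(resolve_repository_location(splunk_home, repo)) == canonical(edited_dir)


if __name__ == "__main__":
    home, repo = extract_paths(DEBUG_EXCERPT)
    served = resolve_repository_location(home, repo)
    if served_dir_matches(DEBUG_EXCERPT, EDITED_DIR):
        print(f"OK: {EDITED_DIR} is the served repository")
    else:
        print(f"MISMATCH: deployment server serves {served}, you edited {EDITED_DIR}")
```

On the host itself, a hit from this check means the reload succeeded (status=200 above) against a repository that never changed; the apps need to be placed under the resolved repositoryLocation, or /opt/splunk has to be the same directory as SPLUNK_HOME via a symlink, before a reload will pick them up.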
I am trying to set up syslog forwarding from an Isilon cluster to a Splunk server. I have done the following steps as per instructions online:

1. Edit the syslog.conf file in the cluster
2. Create a read-only user in Splunk
3. Deploy the Dell EMC app and TA on the deployment server

Currently I can see that all of the cluster nodes are talking to my server, but the TCP state for all of the nodes is TIME_WAIT. I am also unable to detect any connection with the cluster from the Splunk UI. I tried setting up the TA with the read-only user I had created, but that is also throwing an "authentication" error. I am new to Splunk and am no expert. I am unable to understand what I have missed. Requesting help from the Splunk community.
Hi, I need to find the names of the employees who are drawing the high salary and the low salary. Please help with this.

Field names: MonthlySalary, "First Name"
Hi, I need to count the number of employees who do not match experience*1.5. I tried a lot with the eval and where commands, but I can't find the correct answer. Please help with this.

Field name: Age in Company _Years