Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi, the CloudTrail logs in Splunk come in without a proper event break; I only got it to recognize the first event's timestamp. This is a problem because each 'Records' entry contains a large number of separate events, each with its own timestamp. Each event is a JSON block starting with eventVersion. Here is an anonymized sample:

{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AAAAAAAAAAAAAAAA12345",
        "arn": "arn:aws:iam::999999999999:user/S3_ContentProvider",
        "accountId": "999999999999",
        "accessKeyId": "BBBBBBBBBBBBBBB12345",
        "userName": "S3_ContentProvider"
      },
      "eventTime": "2020-03-05T04:16:50Z",
      "eventSource": "sns.amazonaws.com",
      "eventName": "ListTopics",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "10.10.10.10",
      "userAgent": "aws-sdk-java/1.11.192 Linux/3.10.0-693.21.1.el7.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.45-b02/1.8.0_45 exec-env/AWS_ECS_EC2",
      "requestParameters": null,
      "responseElements": null,
      "requestID": "0000000a-000a-000a-000a-00000000000a",
      "eventID": "0000000a-000a-000a-000a-00000000000b",
      "eventType": "AwsApiCall",
      "recipientAccountId": "999999999999"
    },
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AAAAAAAAAAAAAAAA12345",
        "arn": "arn:aws:iam::999999999999:user/S3_ContentProvider",
        "accountId": "999999999999",
        "accessKeyId": "BBBBBBBBBBBBBBB12345",
        "userName": "S3_ContentProvider"
      },
      "eventTime": "2020-03-05T04:17:04Z",
      "eventSource": "sns.amazonaws.com",
      "eventName": "ListTopics",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "10.10.10.11",
      "userAgent": "aws-sdk-java/1.11.192 Linux/3.10.0-693.21.1.el7.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.45-b02/1.8.0_45 exec-env/AWS_ECS_EC2",
      "requestParameters": null,
      "responseElements": null,
      "requestID": "0000000a-000a-000a-000a-00000000000a",
      "eventID": "0000000a-000a-000a-000a-00000000000b",
      "eventType": "AwsApiCall",
      "recipientAccountId": "999999999999"
    }
  ]
}

Thanks.
I am adding a new role to allow analysts to access the Monitoring Console. I believe the minimum set of capabilities for this is the following:

[role_moncon_user]
# ==== Capabilities ====
dispatch_rest_to_indexers = enabled
list_accelerate_search = enabled
list_app_certs = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_inputs = enabled
list_introspection = enabled
list_metrics_catalog = enabled
list_pipeline_sets = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
list_storage_passwords = enabled
list_tokens_all = enabled
list_tokens_own = enabled
list_workload_pools = enabled
list_workload_rules = enabled
# ==== Index Values ====
srchIndexesAllowed = *;_*

I added this to the authorize.conf file in the client_all_search_base app and restarted Splunk; so far, so good. However, when I try to assign this moncon_user role to anybody, after clicking Save it fails with "Role=moncon_user is not grantable". I figured that I would be able to brute-force it in by manually adding it to a user in the $SPLUNK_HOME/etc/passwd file, but all that did was cause Splunk to disable that user completely (it doesn't even show in the GUI at all after that). What is really happening and how can I get this to work?
Hi, I've created a Splunk alert (see the photos below) and have found that it's not properly sending e-mails to my account upon being triggered. I opened the query in the search bar (from the alerts page) to verify that the message I'm looking for is actually showing up, which it is. I'm not sure what the problem might be. Please let me know if there's any other information I could include that might be helpful. Thanks!
Hi SMEs: I would like to define a print event type to differentiate Remote Prints from Office Print jobs. From my print logs, I'd like to define channel = "Remote Print" where the printer name contains "WING*RCA", else "Office Print". I started off with:

| eval channel = if(match(like printer="WING*RCA", "Remote Print"), "Office Print")

I'm still relatively new to these commands and would appreciate any assistance. Thanks in advance, Mac
I've a table like below and I want to merge two rows based on the COMMONID:

JBID   JOBTYPE  START_TIME           END_TIME             COMMONID
                2020-03-10T06:30:00  2020-03-10T08:30:00  abc
6398   Medium                                             abc
5649   Medium                                             def
                2020-03-10T08:30:00  2020-03-10T10:30:00  def
5649   Medium                                             ghi
                2020-03-20T08:30:00  2020-03-20T10:30:00  ghi
                2020-03-11T08:30:00  2020-03-11T10:30:00  jkl
6383   Medium                                             jkl
7070   Medium                                             mno
                2020-03-10T08:30:00  2020-03-10T10:30:00  mno
11690  Medium                                             pqr
                2020-03-12T06:30:00  2020-03-12T08:30:00  pqr
                2020-03-19T06:30:00  2020-03-19T08:30:00  stu
6398   Medium                                             stu
6398   Medium                                             vwx
                2020-03-10T06:30:00  2020-03-10T08:30:00  vwx

The resulting table should look like below:

JBID   JOBTYPE  START_TIME           END_TIME             COMMONID
6398   Medium   2020-03-10T06:30:00  2020-03-10T08:30:00  abc
5649   Medium   2020-03-10T08:30:00  2020-03-10T10:30:00  def
5649   Medium   2020-03-20T08:30:00  2020-03-20T10:30:00  ghi
6383   Medium   2020-03-11T08:30:00  2020-03-11T10:30:00  jkl
7070   Medium   2020-03-10T08:30:00  2020-03-10T10:30:00  mno
11690  Medium   2020-03-12T06:30:00  2020-03-12T08:30:00  pqr
6398   Medium   2020-03-19T06:30:00  2020-03-19T08:30:00  stu
6398   Medium   2020-03-10T06:30:00  2020-03-10T08:30:00  vwx

How do I achieve this?
Is load balancing in the HF's and UF's outputs.conf bound to cause data imbalance on the IDXC over time? If yes, I wholeheartedly accept that data rebalancing is something that we need to do on a regular basis. I just need confirmation from the crowd / community. If not, does that mean the line (according to this Splunk doc) "every 30 seconds, the forwarder switches the data stream to another indexer in the group, selected at random" guarantees that the amount of data among the peers stays balanced? If that is really the case, then what causes data imbalance and how do we prevent it? Thanks in advance.
Hi all, I have a problem when I try to parse EventID=1 in wineventlog. The message looks like this:

03/05/2020 09:01:58 AM
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=1
EventType=4
Type=Information
ComputerName=H7Y2.nap.net
TaskCategory=5
OpCode=Info
RecordNumber=5763
Keywords=Time
Message=The system time has changed to ‎2020‎-‎03‎-‎04T23:01:58.500000000Z from ‎2020‎-‎03‎-‎03T00:38:07.829890100Z.
Change Reason: System time synchronized with the hardware clock.
Process: '' (PID 4).

When I use regex to parse the time from the Message field, there is one unseen character before and after each number. Hence the command

| eval time_from = strptime(stime_from, "‎%Y‎-‎%m‎-‎%dT%H:%M:%S.%N")

doesn't work because it doesn't have the unseen characters.

Thanks, Linh
A single source has two different types of events and two different types of timestamps.

raw event-1:
Request Set Number: [1234567] - Scheduled Run Date: [2020-03-05 16:10:37.0] -source -values [{ all values} 5 more lines of data]

raw-event-2:
[Threat-123] 03/05 17:30:05,159, INFORMATION, [process name, process number]

I tried with an XML file and props.conf but it didn't fix the issue.

XML:

<datetime>
  <!-- Request Set Number: [444888] - Scheduled Run Date: [2020-03-05 16:45:22.0] -->
  <define name="_datetimeformat1" extract="year, month, day, hour, minute, second , subsecond">
    <text>\[(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2}).(\d{1,4})\]</text>
  </define>
  <!-- [Threat-11] 03/04 17:10:58,109, INFO -->
  <define name="_datetimeformat2" extract="month, day, hour, minute, second, subsecond">
    <text>\s(\d{2})\/(\d{2})\s(\d{2}):(\d{2}):(\d{2}),(\d{3})</text>
  </define>
  <timePatterns>
    <use name="_datetimeformat1"/>
    <use name="_datetimeformat2"/>
  </timePatterns>
  <datePatterns>
    <use name="_datetimeformat1"/>
    <use name="_datetimeformat2"/>
  </datePatterns>
</datetime>

Props.conf:

[my sourcetype]
DATETIME_CONFIG = /etc/apps/SourcetypeName-datetime.xml
SHOULD_LINEMERGE=false
LINE_BREAKER = (Request\sSet\sNumber:\s\[\d+\]\s-\s\w+\W\w+\W\w+:\s\[|\[Threat-\d{1,5}\]\s)
MAX_TIMESTAMP_LOOKAHEAD=60
MAX_DAYS_AGO = 45

I am still getting this error:

0500 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Thu Mar 5 16:30:37 2020). Context: source::

Can someone please help me with this issue? Thanks in advance.
Just installed Eventgen on a fresh HF install. I then installed the MS IIS add-on as well as the JBoss one. I am getting errors like this:

03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" 2020-03-05 16:12:15 eventgen DEBUG MainProcess {'event': 'Using cached earliest time: 2020-03-05 16:02:15.115000'}
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" 2020-03-05 16:12:15 eventgen DEBUG MainProcess {'event': 'Using cached latestTime: 2020-03-05 16:12:15.116000'}
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" 2020-03-05 16:12:15 eventgen INFO MainProcess {'event': "Starting '1' generatorWorkers for sample 'iis.sample'"}
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" 2020-03-05 16:12:15 eventgen DEBUG MainProcess {'event': "Worker# 0: Put 0.0 MB of events in queue for sample 'iis.sample'with et '2020-03-05 16:02:15.115000' and lt '2020-03-05 16:12:15.116000'"}
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" 2020-03-05 16:12:15 eventgen DEBUG MainProcess {'event': "Generating sample 'iis.sample' in app 'Splunk_TA_microsoft-iis' with count 1, et: '2020-03-05 16:02:15.115000', lt '2020-03-05 16:12:15.116000'"}
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" 2020-03-05 16:12:15 eventgen ERROR MainProcess {'exception': 'Traceback (most recent call last):\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\eventgen_core.py", line 271, in _generator_do_work\n item.run(output_counter=output_counter)\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\lib\\generatorplugin.py", line 167, in run\n self.gen(count=self.count, earliest=self.start_time, latest=self.end_time, samplename=self._sample.name)\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\lib\\plugins\\generator\\default.py", line 69, in gen\n GeneratorPlugin.build_events(self, eventsDict, startTime, earliest, latest)\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\lib\\generatorplugin.py", line 39, in build_events\n send_objects = self.replace_tokens(eventsDict, earliest, latest, ignore_tokens=ignore_tokens)\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\lib\\generatorplugin.py", line 198, in replace_tokens\n pivot_timestamp=pivot_timestamp)\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\lib\\eventgentoken.py", line 78, in replace\n pivot_timestamp=pivot_timestamp)\n File "D:\\Splunk\\etc\\apps\\SA-Eventgen\\lib\\splunk_eventgen\\lib\\eventgentoken.py", line 150, in _getReplacement\n replacementTime = replacementTime.strftime(replacement)\nValueError: Invalid format string', 'event': 'Invalid format string'}
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" Exception in thread Thread-8:
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" Traceback (most recent call last):
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" File "D:\Splunk\Python-2.7\Lib\threading.py", line 801, in __bootstrap_inner
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" self.run()
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" File "D:\Splunk\Python-2.7\Lib\threading.py", line 754, in run
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" self.__target(*self.__args, **self.__kwargs)
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" File "D:\Splunk\etc\apps\SA-Eventgen\lib\splunk_eventgen\eventgen_core.py", line 282, in _generator_do_work
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" raise e
03-05-2020 16:12:15.500 -0600 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\SA-Eventgen\bin\modinput_eventgen.py" ValueError: Invalid format string

Does anyone have any ideas on what the issue is?

Windows 2016
Splunk: 7.3.0
Eventgen: 6.5.2
2/11/2020 11:49:00 AM
2/11/2020 9:55:00 PM

How do I convert these into seconds? Conversion of AM and PM is not working as expected.

2/11/2020 9:55:00 PM
| eval "Bridge End Date In Sec"=tonumber(strftime(strptime('Bridge End Date',"%m/%d/%Y %H:%M:%S %p"),"%s"))
1581440100

2/11/2020 11:49:00 AM
| eval "Bridge Start Date In Sec"=tonumber(strftime(strptime('Bridge Start Date',"%m/%d/%Y %H:%M:%S %p"),"%s"))
1581446940

Is %p not working? The values returned are 1581440100 and 1581446940, which is not correct: the end is less than the start date.
Does anyone have any SPL that would identify the following: Active Directory groups that have admin privileges? Any help here is greatly appreciated!
The Security Essentials documentation (https://docs.splunksecurityessentials.com/data-onboarding-guides/office-365/) states that "The Office365 Reporting Add-on lets you collect Exchange message-tracking logs by querying the Office 365 Reporting web service API and indexing the results.". Based on my testing and the comments made here in Splunk Answers related to the add-on, it is no longer supported and no longer works to support pulling down message trace logs. Is there a newer recommended way for pulling down these logs?
during the smartstore conversion process, do the excess copies get evicted as they are uploaded, or is that done at the end?
We have configured an intermediary HF, C, and 2 HFs, A and B, connecting to C. HF A is able to establish a connection and send data to HF C over SSL, but HF B is not. We need your help fixing this.

Forwarder A can SSL-communicate with intermediary forwarder C. Forwarder B can NOT SSL-communicate with intermediary forwarder C. A and C are in the same chassis/compartment and B is not.

Log messages

A has no problem:
02-19-2020 23:38:26.344 +0000 INFO TcpOutputProc - Connected to idx=1.2.3.4:9997, pset=0, reuse=0. using ACK.

B gets the error below:
02-19-2020 23:41:09.861 +0000 ERROR TcpOutputFd - Connection to host=1.2.3.4:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
Hello, I'm trying to blacklist Windows Security Events in XML format. In non-XML format we have this blacklist:

blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"

The format for an XML blacklist is described here: hxxps://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_and_whitelists_to_filter_on_XML-based_events

blacklist1 = $XmlRegex = 

This is not accepted:

blacklist1 = $XmlRegex = <EventID>4688<\/EventID>.*<Data Name=\'NewProcessName\'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe

The character ' is seen as a delimiter. Has anyone been able to build something similar? Is it a good idea to keep the EventID in the regex?

RAW Event:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{12345678-1234-1234-A1B2-1A2B3456C78D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated1 SystemTime='2020-03-05T17:11:17.754003000Z'/><EventRecordID>5254707</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11888'/><Channel>Security</Channel><Computer>COMPUTER.contoso.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>COMPUTER$</Data><Data Name='SubjectDomainName'>CONTOSO</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3668</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3c28</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>S-1-16-16384</Data></EventData></Event>

Thanks.
Will the current version of NetApp ONTAP 2.1.91 work with Splunk Enterprise 8.0.2? And since I am doing the upgrade, will the NetApp TA 2.1.91 work as well? Thanks, Ed
Total newb here, so please be gentle. We are on the Windows platform and have Splunk Universal Forwarder 8.0.2 installed on many Windows 10 workstations as well as on a bunch of Windows Server 2012 R2 machines etc. I am aware of the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory construct and how to modify files in here and not in the default location. My question is: if all we have defined in the deploymentclient.conf file is

[target-broker:deploymentServer]
targetUri = OurDeploymentServer:8089

how are our logs getting to our cluster of indexers? By the way, everything is working fine, as I joined this team after they built and configured our Splunk environment already. I am just trying to catch up and was upgrading the Universal Forwarders to the latest version, hence my question of how the data gets to the indexers when all the forwarders know about is the deployment server.
I reduced the content of my documentation of the problem (code and trace) due to a request from Splunk. I'm trying to log to Splunk via the HEC using java.util.logging and the Splunk handler class HttpEventCollectorLoggingHandler. The events don't appear to be forwarded to Splunk. Also, it looks to be stopping in the SSL handshake; I have a GUID specified in the properties file; the properties used for the Splunk class are echoed out in the console log. Logging to a different HTTP listener looks to work OK (my play Java HTTP listener that echoes the sent logger data). The Java program source and the console log are pasted below.

Using the Eclipse Java development environment; the build path has the following jar files:
• splunk-sdk-java-1.6.5.jar
• okhttp-3.12.8.jar
• okio-1.13.0.jar
• com.google.gson classes

I'm also using the splunk-library-javalogging-1.8.0.zip classes, for classes not included in the Splunk .jar file. The program compiles clean. It looks to stop in the SSL handshake after "done seeding SecureRandom", the last entry in the console log. I'm running with these arguments passed to the program, for debugging and the properties file:

-Djava.util.logging.config.file=C:\Explorer_Exports\jdklogging.properties -Xdebug -Djavax.net.debug=all

I was wondering if I'm using the proper .jar files in the build path (classes from the .zip file), or whether my logger setup may be incorrect. Any assistance would be appreciated. Steve.

== S O U R C E C O D E ===========================================================================

// package com.mycompany.logging;
import java.io.*;
import java.util.logging.*;
import com.splunk.logging.*;
import com.splunk.logging.SplunkCimLogEvent;
//
public class LogTestSplunk{
    public static void main(String arg[]) throws IOException {
        Logger logger = Logger.getLogger("splunklogger");
        SplunkCimLogEvent event = new SplunkCimLogEvent("zCEE", "PostInvokeSAK");
        //*************************************************************
        // Splunk Handler
        Handler shandler = new HttpEventCollectorLoggingHandler();
        logger.addHandler(shandler);
        // echo out properties here...
        //....
        // continue with logger code.
        event.setAuthApp("jane");
        event.setAuthUser("jane");
        event.addField("message", "this is my test message foobar");
        logger.info(event.toString());
    }
}

== C O N S O L E L O G ====================================================================

Property - com.splunk.logging.HttpEventCollectorLoggingHandler.url:== https://hecdevsplunk.aetna.com:8088/services/collector/event
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.level:== INFO
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.token:== adee79d5-774e-4cff-9596-d7e2a52b4f5f
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.source:== http:zOS_java
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.sourcetype:== httpevent
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.messageFormat:== text
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.index:== webeng-websphere
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.disableCertificateValidation:== false
Property - com.splunk.logging.HttpEventCollectorLoggingHandler.retries_on_error:== 00001

--- all the SSL handshake here ---

final SSL trace entry is this:
done seeding SecureRandom
I am currently performing a PoC and testing integrations using a single server instance of Splunk 8.0.0. The index is set to the default name of "index=cloudflare" and the logs are being pulled from an S3 bucket successfully. I've tried both "KV_MODE=json" and "KV_MODE=none"; however, the dashboards do not load. Are there any other apps needed or suggestions for troubleshooting?