Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About mikelanghorst
mikelanghorst
Motivator
Member since:
11-03-2010
08-29-2025
Community Statistics
| Posts | 286 |
| Solutions | 20 |
| Karma Given | 360 |
| Karma Received | 229 |
| Member Since | 11-03-2010 |
Activity Feed
- Got Karma for Re: What are the ports that I need to open?. 04-16-2025 05:18 AM
- Posted Re: Splunk 9.3+ Deployment on CIS Red Hat 9 level 1 image - No GUI on Deployment Architecture. 04-02-2025 03:34 PM
- Karma Re: Splunk 9.3+ Deployment on CIS Red Hat 9 level 1 image - No GUI for jwestbank. 04-02-2025 03:33 PM
- Got Karma for Re: What are the ports that I need to open?. 01-06-2025 02:51 AM
- Posted Re: Why is Powershell input not receiving data? on Getting Data In. 05-10-2022 02:21 PM
- Posted Why is Powershell input not receiving data? on Getting Data In. 05-10-2022 09:48 AM
- Got Karma for Re: What are the ports that I need to open?. 03-17-2022 07:11 AM
- Got Karma for Re: What are the ports that I need to open?. 08-18-2021 05:28 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-19-2021 09:48 AM
- Got Karma for Re: What are the ports that I need to open?. 07-28-2020 03:20 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-13-2020 10:52 PM
- Karma Re: Lookup File Editor in Search Head Cluster - "The requested lookup file does not exist" for LukeMurphey. 06-05-2020 12:49 AM
- Karma Re: New forwarder: An Admin password is required??? for xpac. 06-05-2020 12:49 AM
- Karma Re: Where to add certificate info for port 8089? for dwaddle. 06-05-2020 12:48 AM
- Karma Re: what could be the reason for some splunk sessions observed to be in the DDMMYYYY format ( ideally it is in MMDDYYYY format)? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to upgrade Splunk forwarders from a deployment server installed on a separate VM? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: What are my options to specify the user to start splunk service as on linux for yannK. 06-05-2020 12:48 AM
- Karma Re: Community Supported apps - should they have an external repo for the community to assist in improving? for Damien_Dallimor. 06-05-2020 12:47 AM
- Karma Re: Filtering out 90% log events from indexing for dshpritz. 06-05-2020 12:47 AM
- Karma Re: Splunk installed failed to create splunk account on RHEL for grijhwani. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 |
04-26-2012
12:11 PM
1 Karma
We had an issue here with one of our web fronted applications when the webserver received multiple requests to the same url down to the same millisecond. This caused the wrong file to be delivered to the first requestor. Obviously this was an issue with the code to allow the problem, but I couldn't think of how to find occurrences of this.
So for a given source, how to show where 2 or more events occur at the same time?
... View more
- Tags:
- timestamp
04-24-2012
06:35 PM
I had LAUNCHSPLUNK=0 originally, expecting that it wouldn't start the first time. So it appears that the UF runs the first time no matter what. I had seen something in the docs that suggested so, but wanted to get confirmation before I add the additional commands to change the password. Maybe user-seed.conf only works for *nix installations?
... View more
04-24-2012
05:25 PM
1 Karma
From the initial installation it looks to have read this file:
04-24-2012 16:20:52.722 -0700 WARN AuthenticationManagerSplunk - Failed to remove file 'C:\Program Files\SplunkUniversalForwarder\etc\system\default\user-seed.conf' errno=Access is denied.
There are no log messages for user-seed.conf on the subsequent start.
Does this file have to be placed before the installation occurs? I would expect that the installation would overwrite the file.
... View more
04-24-2012
05:14 PM
3 Karma
I'm attempting to use the user-seed.conf to set the admin password for my Windows Universal Forwarder installations, but not having any luck with it.
My installation command:
msiexec /i splunkforwarder-4.3.1-119532-x86-release.msi SPLUNKD_PORT=9998 DEPLOYMENT_SERVER=xxx.xxx.xxx.xxx:8089 LAUNCHSPLUNK=1 /quiet
I then replaced the $splunk_home\etc\system\default\user-seed.conf and started splunk using the Service Menu. I'm then only able to login using admin:changeme
... View more
- Tags:
- user-seed.conf
04-10-2012
08:22 AM
Used the data import function on my local instance to set this up. Looks like this will be the answer.
... View more
04-09-2012
04:31 PM
Yes, I just tried TZ=US/Pacific, but no change.
» 4/9/12
5:29:41.000 PM
[09/Apr/2012:16:29:41 -0800] 172.27.140.119 user1 - HTTP/1.1 POST 200 8969 98 /app/unitSubstitution/loadJSON
... View more
04-09-2012
04:00 PM
2 Karma
I have a JBoss/Tomcat access log that has an incorrect Timezone configuration, causing Splunk to set the time to an hour ahead.
172.21.138.35 - - [09/Apr/2012:15:51:56.783 -0800] "HEAD /index.html HTTP/1.1" 200 0
The server is correctly set at PDT, but something is setting this log to stay at -0800. The developer isn't sure where this is set, and would take some time to correct even when we do find the location. How do I properly change the time for this source? It occurs on several hosts (dev/test/staging/production), but only for this source file.
I've set props.conf on the indexer to:
[source::/my/app/path/localhost_access*]
TZ=PDT
Is this incorrect? It didn't change the behavior and I verified with btool that it's in effect.
... View more
- Tags:
- timezone
03-28-2012
09:27 AM
Never hurts to post it up here for others to see as well. Even when you eventually may find it's user error.
... View more
03-27-2012
01:45 PM
1 Karma
When I run "$splunk_home/etc/apps/unix/bin/iostat.sh > /tmp/iostat.out", and then vi the resulting file, the output for long rows isn't wrapped but is an additional line. Other hosts which get their results "fielded" properly have single lines.
Still to find out why this is occurring on only some hosts.
Narrowing down a bit further, iostat.sh on linux executes "iostat -xk 1 2". If I output that to a file, it has several of the rows in multiple lines as well.
... View more
03-27-2012
12:22 PM
Looking around further, it doesn't look to be a Solaris vs. Linux issue, but rather the number of results returned by the iostat command.
The host that's breaking this data, iostat returns 2000+ lines: "iostat 1 1 | wc -l"
... View more
03-27-2012
09:02 AM
2 Karma
I was trying to use splunk to filter iostat information on a Linux host, but found that it isn't assigning columns properly when pointing to a RedHat system, but works as expected on Solaris. When passing the Linux output to multikv each disk device is it's own field name.
Data samples
Solaris (works as expected):
Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct
sd1 0.0 0.0 0.0 0.0 0.0 0.0 0
sd2 0.0 0.0 0.0 0.0 0.0 0.0 0
sd46 0.0 0.0 0.0 0.0 0.0 0.0 0
ssd24 0.0 0.0 0.0 0.0 0.0 0.0 0
Linux:
Device rReq_PS wReq_PS rKB_PS wKB_PS avgWaitMillis avgSvcMillis bandwUtilPct
sda 0.00 1.98 0.00 0.00 0.50 0.50 0.10
sda1 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sda2 0.00 0.00 0.00 0.00 0.00 0.00 0.00
sda3 0.00 0.00 0.00 0.00 0.00 0.00 0.00
The data looks similar, though the Linux host I'm attempting to look at has many more devices than the Solaris samples I've tried. Anyone know why this could be occurring?
... View more
03-26-2012
11:00 AM
add the following to your inputs.conf stanza:
connection_host = dns
... View more
03-22-2012
08:19 AM
I'd need more details on what's involved in your Cluster switch over. Is the log directory moved from being available only on node A, to only being available on node B.
If this is the case, it's not a bug, as after the switch to node B all these files would be new to SplunkForwarder on B. All of the data that keeps track of what logs have been indexed would be stuck over on node A.
Would it be possible to have the log rotated as part of the cluster switch? Then have Splunk only look at the active file? Again, difficult to give specifics without more knowledge of your cluster configuration.
... View more
03-22-2012
08:06 AM
It may just be in beta, my sales guy has mentioned it to me several times. Though I don't see an app actually available on SplunkBase.
... View more
03-19-2012
08:36 AM
There's a default transform available to strip the syslog header (date and host) from a syslog event: [syslog-header-stripper-ts-host]. Thought I was using this already for an exact example, but this should work. Assuming your syslog file is /my/folder/messages:
In a props.conf entry:
[source::/my/folder/messages]
TRANSFORMS-my_syslog=syslog-header-stripper-ts-host
... View more
03-14-2012
05:11 PM
1 Karma
I've tried downloading it a couple times, but it wouldn't be the first time something on our network resulted in a corrupted download.
When I attempt to extract the file: mobile.tar.gz I get the following:
[mlanghor@mlanghor-wkstn Downloads]$ tar -xzf mobile.tar.gz
tar: Ignoring unknown extended header keyword `LIBARCHIVE.creationtime'
tar: Ignoring unknown extended header keyword `SCHILY.dev'
tar: Ignoring unknown extended header keyword `SCHILY.ino'
tar: Ignoring unknown extended header keyword `SCHILY.nlink'
tar: Ignoring unknown extended header keyword `LIBARCHIVE.creationtime'
tar: Ignoring unknown extended header keyword `SCHILY.dev'
tar: Ignoring unknown extended header keyword `SCHILY.ino'
tar: Ignoring unknown extended header keyword `SCHILY.nlink'
tar: Ignoring unknown extended header keyword `LIBARCHIVE.creationtime'
tar: Ignoring unknown extended header keyword `SCHILY.dev'
tar: Ignoring unknown extended header keyword `SCHILY.ino'
tar: Ignoring unknown extended header keyword `SCHILY.nlink'
I then tried to install via the "Install app from file" which seemed successful. It shows status=enabled but: The path '/en-US/custom/mobile/mobile' was not found
I had a previous version installed before but had removed: Disabled in the UI, then deleted from etc/apps and restarted. This is on RHEL 5.3, same tar behavior on Fedora 15.
... View more
- Tags:
- SplunkWeb Mobile
03-09-2012
01:55 PM
Failure to read on my part, missed that you were installing on UF.
... View more
03-09-2012
09:59 AM
The Splunk for Unix and Linux TA doesn't contain any of the web files you're looking for. It's meant to be the small portion to install on UF's and other server that are just sending data somewhere else. You need to install the regular version of the app: link text
... View more
03-09-2012
09:57 AM
But you shouldn't have both installed on the same host. The TA is the portion you would install on your forwarders as it doesn't contain the web interface pages. The normal Splunk for Unix/Linux app (non TA) is what you need on your Search server.
... View more
03-09-2012
09:53 AM
1 Karma
Is anything listening on port 8000? Not sure if they've fixed it for 4.3, but the 4.2 UF would also say after installation to connect on port 8000 locally.
You ask about firewalls, have you looked at the configuration of IPtables? "/sbin/iptables --list" will show the firewall rules currently in affect. You could also "/sbin/service iptables stop" or "/sbin/iptables --flush" to disable them temporarily
... View more
03-08-2012
04:44 PM
2 Karma
I've run across an odd log file from EMC's Data Protection application that is logging two very different log formats into a single file. Example:
2012-03-08 12:06:30,643 INFO Webapp Launcher [Init] Connection to controller at fdpap01.oa.domain.com:3916
2012-03-08 12:06:30,643 INFO Webapp Launcher [Init] Connection to reporter at fdpap01.oa.domain.com:4002
INFO 2560.2564 20120308:123239 service - ServerCtrlHandler(): Service stop signalled - exiting
INFO 2676.2696 20120308:123532 webapp - daemonMain(): Setting memory limit '-Xmx128m'
INFO 2676.2696 20120308:123535 webapp - daemonMain(): DPA Webapp
INFO 2676.2696 20120308:123535 webapp - daemonMain(): (c) 1994-2009 EMC Corporation. All rights reserved.
INFO 2676.2696 20120308:123535 webapp - daemonMain(): Version: 5.0.1 build 4792 on windows
INFO 2676.2696 20120308:123535 webapp - daemonMain(): Logging at level Info
2012-03-08 12:36:01,967 INFO Webapp Launcher [Init] Connection to controller at fdpap01.oa.domain.com:3916
2012-03-08 12:36:01,967 INFO Webapp Launcher [Init] Connection to reporter at fdpap01.oa.domain.com:4002
INFO 2676.2680 20120308:133056 service - ServerCtrlHandler(): Service stop signalled - exiting
INFO 3912.3884 20120308:133135 webapp - daemonMain(): Setting memory limit '-Xmx128m'
INFO 3912.3884 20120308:133135 webapp - daemonMain(): DPA Webapp
INFO 3912.3884 20120308:133135 webapp - daemonMain(): (c) 1994-2009 EMC Corporation. All rights reserved.
INFO 3912.3884 20120308:133135 webapp - daemonMain(): Version: 5.0.1 build 4792 on windows
INFO 3912.3884 20120308:133135 webapp - daemonMain(): Logging at level Info
2012-03-08 13:31:38,752 INFO Webapp Launcher [Init] Connection to controller at fdpap01.oa.domain.com:3916
2012-03-08 13:31:38,752 INFO Webapp Launcher [Init] Connection to reporter at fdpap01.oa.domain.com:4002
Whenever I've had to assist splunk with line breaking & date extraction, it's been a consistent format for the entire file. Either specified a source or sourcetype, and the specifics to break on. Unsure how to handle this one in regards to date extraction. For the lines starting with the severity, the third column is the datestamp, and does line up that each of these should be a different event. Currently by default Splunk is merging these.
Ideas?
... View more
- Tags:
- datestamp
03-08-2012
02:16 PM
3 Karma
When I try to run dbinspect, it returns no results:
| dbinspect index=_internal span=1d
I have a single search head (where I'm running this), distributing search to 2 indexers.
... View more
- Tags:
- dbinspect
02-29-2012
11:42 AM
2 Karma
Look for the section titled: Discard specific events and keep the rest on this link RouteAndFilterData
You'll just need to create a regex that matches those 2 log entries. The data will still be read and sent from a UF to the indexer, but the indexer will simply discard the messages.
Something similar to the following
props.conf on your indexer:
[your_sourcetype]
TRANSFORMS-null= discard
transforms.conf on your indexer:
[setnull]
REGEX = "=+\s(?:JOB COUNTERS|JOB COUNTERS END)\s=+"
DEST_KEY = queue
FORMAT = nullQueue
Might need to tweak the regex a bit, but that should work.
... View more
02-21-2012
03:33 PM
Removing those entries in viewstates.conf doesn't resolve the error either.
... View more
02-21-2012
02:48 PM
2 Karma
I've had a few users leave the company now that have had saved searches. Removing the $splunk_home/etc/users/ directory doesn't resolve the errors.
If I search for files that contain the login name, I find the following example entry for "tuser"q:
etc/apps/search/local/viewstates.conf:
[viewstates/flashtimeline%3Agu5s5mv8]
owner = tuser
version = 4.2.3
export = system
Is it safe to remove these entries? Is there a better way to remove terminated users?
... View more
- Tags:
- users
