Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About BP9906
BP9906
Builder
Member since:
07-25-2011
06-05-2020
Community Statistics
| Posts | 160 |
| Solutions | 14 |
| Karma Given | 8 |
| Karma Received | 73 |
| Member Since | 07-25-2011 |
Activity Feed
- Got Karma for Re: How to troubleshoot why startup.handoff in the Search Job Inspector always seems to take a long time?. 10-19-2020 08:44 AM
- Got Karma for Splunk TA-Windows-Exchange-IIS vs sourcetype=IIS. 08-10-2020 03:03 PM
- Karma Re: After applying a shcluster bundle, why am I getting splunkd startup parsing errors for Splunk_App_DB_Connect? for johnmvang. 06-05-2020 12:48 AM
- Got Karma for Re: DB Connect 2.2.0 not working in SHC. 06-05-2020 12:48 AM
- Got Karma for Re: DB Connect 2.2.0 not working in SHC. 06-05-2020 12:48 AM
- Got Karma for How to resolve Server Abort error - Nginx Reverse Proxy (load balancing). 06-05-2020 12:48 AM
- Karma Re: Splunk 6.2 mongod does not seem to shut down when initiating a restart for ChrisG. 06-05-2020 12:47 AM
- Karma Re: Splunk 6.2 mongod does not seem to shut down when initiating a restart for rbal_splunk. 06-05-2020 12:47 AM
- Karma Re: Splunk DB Connect 2: How to run same the same SQL query on multiple databases? for jcoates_splunk. 06-05-2020 12:47 AM
- Karma Re: Move Splunk's VAR folder ($SPLUNK_HOME/var or /opt/splunk/var) for woodcock. 06-05-2020 12:47 AM
- Karma Re: What are the differences between append, appendpipe, and appendcols search commands? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Sideview Utils: Creating a dashboard with Switcher and multiple Button modules, how do I prevent the first button from running all subsearches? for sideview. 06-05-2020 12:47 AM
- Karma Re: Coalesce and CIM Compliant Fields for woodcock. 06-05-2020 12:47 AM
- Got Karma for Splunk v6.0.x - LineBreakingProcessor - remote_searches.log. 06-05-2020 12:47 AM
- Got Karma for Search Head Cluster - default.old directories. 06-05-2020 12:47 AM
- Got Karma for Search Head Cluster - default.old directories. 06-05-2020 12:47 AM
- Got Karma for Search Head Cluster - default.old directories. 06-05-2020 12:47 AM
- Got Karma for Search Head Clustering: Why am I getting a duplicate alert for one scheduled job?. 06-05-2020 12:47 AM
- Got Karma for Search Head Clustering: Why am I getting a duplicate alert for one scheduled job?. 06-05-2020 12:47 AM
- Got Karma for Search Head Clustering: Why am I getting a duplicate alert for one scheduled job?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-13-2015
07:51 PM
2015-05-13 19:49:02,799, Level=DEBUG, Pid=20910, File=configuration.py, Line=443, Storage password "SA-ldapsearch:c.b.a.com:" not found
I'm finding that using a master deployer with SA-ldapsearch doesnt work. I deploy it with all the password info in plain text and it just doesnt like it. I end up going around to each search head to configure it anyway, then it still fails with the above log entry.
Anyone get this running in a search head cluster?
... View more
05-01-2015
07:44 AM
It appears the error was due to Search Head Cluster replication not working with DB Connect 2.
I used deployer to deploy the app (base app no config changes), then configured DB Connect 2 on one SH Cluster peer. It did not replicate any settings or configuration. After hitting each SH Cluster member (and captain), the errors stopped.
The problem however is that my identities and connections dont show up in the UI after replication. Weird...
... View more
04-30-2015
12:35 PM
inputs.conf on indexer:
[splunktcp-ssl:9998]
compressed = true
connection_host = none
[SSL]
password = $1$G9OzOtJKYpts
requireClientCert = false
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
... View more
04-30-2015
12:34 PM
04-30-2015 09:05:03.570 -0700 ERROR TcpInputProc - Error encountered for connection from src=127.0.0.1:35742. error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
I'm seeing this error on all my indexers. I have both clustered indexers and non-clustered indexers and they all log about SSL errors to themselves (ie 127.0.0.1).
I use SSL for inputs.conf on all indexers and I'm still receiving data from forwarders and search heads. Any idea why this is happening?
... View more
04-29-2015
02:29 PM
I confirm this works, major bummer on this since Splunk has no easy urlencode function, only urldecode.
I plan to use dbxquery for a long dynamic SQL query but I'll have to wait for this to be fixed because I have PullDown modules sending variables and encoding the query partially in URL Encoded format wont suffice.
... View more
04-20-2015
08:07 AM
2 Karma
Ditto. Have an alert that didnt trigger. From what I can see it shows that same error.
04-16-2015 13:55:19.512 -0700 INFO StreamedSearch - Streamed search connection terminated: search_id=
... View more
04-16-2015
07:28 PM
How do you determine the peer the search was sent to?
I have a 2 peer SH cluster and the captain says status=delegated_remote and we received no alert. Not to mention that the other peer (not captain) is configured to be adhoc searching only. So why did the captain delegate it?
... View more
03-24-2015
02:46 PM
2 Karma
After some experimenting, I found that after completing the new field extraction, if I close out of what I was doing and go to a fresh search window (ie flashtimeline) then it would have the new extractions kick in. Odd.
... View more
03-24-2015
02:28 PM
Running the latest Splunk 6.2.2 with search head clustering. I found that when I create a new search field extraction, it doesnt immediately start to work on the current search head that I'm on. It will start working on the other cluster peers after replication grabs it (pretty quick).
Any idea why the current cluster peer wont start using it immediately?
... View more
03-18-2015
01:53 PM
Thank you. Hopefully this will be fixed in a patch release.
... View more
02-13-2015
12:13 PM
DB Connect has done this twice for me in the past couple weeks. The java bridge stops responding and the dbx.log shows these errors in the log.
2015-02-13 08:50:36.259 :ERROR:BridgeSession - Exception occurred while executing command: com.splunk.bridge.io.BridgeIOException: Header size of 8192 bytes exceeded!
com.splunk.bridge.io.BridgeIOException: Header size of 8192 bytes exceeded!
at com.splunk.bridge.session.BridgeExecutionInfo.readBridgeCommandHeader(BridgeExecutionInfo.java:56)
at com.splunk.bridge.session.BridgeSession.call(BridgeSession.java:65)
at com.splunk.bridge.session.BridgeSession.call(BridgeSession.java:30)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
After this I still see :
2015-02-13 11:44:28.743 dbx8237:INFO:Splunkd - Splunkd REST Keep-alive successful for user splunk-system-user
2015-02-13 11:44:28.743 dbx8237:INFO:ExecutionContext - Execution finished in duration=11 ms
2015-02-13 11:49:28.753 dbx2736:INFO:Splunkd - Splunkd REST Keep-alive successful for user splunk-system-user
2015-02-13 11:49:28.753 dbx2736:INFO:ExecutionContext - Execution finished in duration=6 ms
2015-02-13 11:54:28.765 dbx6739:INFO:Splunkd - Splunkd REST Keep-alive successful for user splunk-system-user
2015-02-13 11:54:28.765 dbx6739:INFO:ExecutionContext - Execution finished in duration=9 ms
2015-02-13 11:59:28.779 dbx1514:INFO:Splunkd - Splunkd REST Keep-alive successful for user splunk-system-user
2015-02-13 11:59:28.779 dbx1514:INFO:ExecutionContext - Execution finished in duration=11 ms
However, Going to the DBX Home page, the Java Bridge status show "Loading..." and all DB Queries have stopped responding.
Restarting Splunk (./bin/splunk restart) resolves the issue of course.
Any idea whats going on here?
... View more
- Tags:
- Splunk DB Connect 1
02-04-2015
08:36 PM
I have the same problem. Rhel 5.8 - 32GB ram. Memory is consumed and swap too. Seeing "sar -r" after hard reboot reveals the same issue. My sar config pulls data each minute. No cpu issue, no disk io issue (local disk raid 10).
Splunk v6.0.5. It only happens to me after a couple weeks of keeping Splunkd running. Seems like a memory leak to me. Splunk support wants a diag but it's pointless right now. The system is still healthy. All I see at the time was lots of search requests from search head to indexer.
... View more
09-30-2014
04:26 PM
Resolved in v6.0.6
... View more
09-30-2014
04:26 PM
Resolved in v6.0.6
... View more
Just as a follow up to those who might be looking for an answer like this. I originally did it like this, using a bash script to take the results of my scheduled search and parse the results and feed it back into a command line splunk search (ie ./bin/splunk search "blah").
I found that I can save the hassle by 1) making a custom copy of the sendemail command and making my own command to make it a customer facing prettier email 2) using the "map" command to search using stats count by and feeding the "by" fields into almost the same search using map command.
sourcetype=blah | join type=outer host [ |inputlookup email_lookup.csv | fields from, to, host ] | stats count by from, to, host | map search="search ourcetype=blah | join type=outer host [ |inputlookup email_lookup.csv ] | search to=\"$to$\" from=\"$from$\" host=\"$host$\" | sendemailpretty from=\"$from$\" to=\"$to$\" subject=\"Email\" server=mailserver sendresults=true inline=true format=html"
Note: please escape the internal quotes of the map search=" " using backslash quote .
Hope this helps others out.
... View more
08-19-2014
01:31 PM
I have a search labeled for this reason.
Splunk - Multiple machine reporting as same host (runs every 60m -1h@h - now)
I found that the RHEL kickstart with our splunkforwarder rpm always puts localhost in server.conf and inputs.conf so I have to go change it in etc/system/local. Alternatively, we get systems folks who duplicate servers (virtual), change server name, and dont tell me. This search handles all of the above.
index=internal sourcetype=splunkd hostname="*" | rex "(?i)hostname=(?P [\w- ]+)" | stats count values(sourceIp) dc(sourceIp) as dup dc(guid) as dup_guid by agentname| where (agentname="localhost" OR dup>1 OR dup_guid>1) | search NOT (agentname="server1" OR agentname="server2")
server1 and server2 are known servers that have 2 or more IPs. This allows me to ignore servers with these names.
... View more
08-19-2014
01:11 PM
1 Karma
I figured out that using a subsearch ie [ ] is not ideal in most situations. Its better to use the map search="" notation and escape the quotes inside the quoted search=.
Thus, this search works:
index=log sourcetype=app_log "keyword" | rex "(?i)primary key: (?P [^ ]+)" | join type=outer host [ | inputlookup db_info.csv ] | dedup host, primary_key | fields SID, primary_key | map search="| dbquery $SID$ \"select column1, column2 from $SID$.table where _id = '$primary_key$'\"" | table column1, column2
I also noticed that if you remove the last "table" command, and run it straight out, you wont see the result but Splunk displays results count.
... View more
08-12-2014
08:13 PM
cp -a ./bin/scripts/snow.py ./bin/scripts/snow.py.original
vi ./bin/scripts/snow.py (as described above)
... View more
08-12-2014
08:12 PM
I found that the incident scripted input wasnt working properly (likely all the others that use snow.py). The sys_updated_on is being used to track when stuff is downloaded, but I noticed that the download sys_updated_on wasnt being ordered properly. The bug:
(remove the equals sign after ORDERBY)
http://wiki.servicenow.com/index.php?title=Encoded_Query_Strings
orderby = "^ORDERBY="+self.oset['timefield']
orderby = "^ORDERBY"+self.oset['timefield']
... View more
08-11-2014
08:00 PM
Thanks. It worked. It didnt work at first oddly enough because the order of my parameters doesnt match yours. Soon as I copy pasted your example and edited accordingly, it all worked. Thanks again.
... View more
08-11-2014
07:10 PM
Well the Splunk App for ServiceNow is doing a json call to open an Incident. Why cant you do the same thing in your other application?
... View more
08-07-2014
02:57 PM
1 Karma
After the last comment, I was troubleshooting the new error and discovered the code was erroring because of empty csv files in the snow/lookups/ folder. I deleted all of them (except the original 3) and disabled the scripts and restarted Splunk, then re-enabled the scripted inputs 1 at a time and they all worked with the original script in place. The issue was that it had a hard time communicating before and that resulted in an empty csv but now all is well.
... View more
08-07-2014
11:42 AM
Determined the bug was on this line:
if child.tag not in self.snow_keys:
Changed to this:
if self.snow_keys is not None and child.tag not in self.snow_keys:
Since snow_keys is empty on the first iteration through.
Now I get a new error, researching.
... View more
08-07-2014
07:56 AM
I uncommented the proxy settings in snow.py so I can see the http request go by. The request is succeeding and I see XML response going back to snow.py, but snow.py is failing to parse it.
proxyHandler = urllib2.ProxyHandler({'https': 'http://burpsuite:8080'})
proxyOpener = urllib2.build_opener(proxyHandler)
urllib2.install_opener(proxyOpener)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
