About dstuder

dstuder · ‎11-01-2021

Also, I don't think you can configure the identities at the command line because the password attribute is an encrypted value. I tried putting in plain text and restarting Splunk and it did not encrypt the value on it's own, so I think it has to be done through the UI. I wonder if I need to set ... conf_replication_include.identities = false in local/server.conf on the search head deployer, deploy it, and then create the identity on each search head manually. https://docs.splunk.com/Documentation/DBX/3.7.0/DeployDBX/javaspec

dstuder · ‎11-01-2021

No, I created the identity through the UI. So, it was synced across the search heads. It didn't get deployed from the search head deployer.

dstuder · ‎11-01-2021

Those are in the default/server.conf file and they do sync across the search heads already. The issue is that the identity encrypted password is only readable on the search head that it was created on through the UI.

dstuder · ‎11-01-2021

I did deploy it to the search heads from the search head deployer. However, the SQL identity was created through the UI and then it synced across to the other search heads. So, the SQL connections and the identities do not exist on the search head deployer.

dstuder · ‎11-01-2021

We do have it on the heavy forwarder for indexed data, but on the search heads this would be for search time things such as alerts and reports so alas I do still need it on the search heads as well. My users don't log into anything but the search heads.

dstuder · ‎11-01-2021

I'm trying to use DB Connect on our search heads to do something like this ... | dbxquery query="My Query" connection="My_Connection" This sorta works, but only on one search head. The issue seems to be when the identities.conf file syncs to the other heads the encrypted password is not readable by the other instances. It works on the machine that the SQL identity was created on but no others. So, I'm thinking I either need to somehow get identities.conf to not sync and manually create it on each search head or the other search heads need to be able to read the encrypted password. Or maybe there is another solution I'm not thinking of. Anybody have any thoughts with this? Thanks.

dstuder · ‎04-23-2021

I'm trying to get the bytes of indexed events to find out by event code in our windows event log security events how much indexing they are taking up. Below is what I have, but I'm not sure if that will really get me the bytes. Sure it will get me the relative sizes, but I'm specifically looking for the bytes. My hunch is what I have below is totally correct because the data could be in ASCII (one byte per character), UTF-8 (one to four bytes per character), UTF-16 (two to four bytes per character), etc. Does Splunk store the actual bytes anywhere, if not is there a way to get it to? Thoughts? index="wineventlog" source="WinEventLog:Security" | eval bytes = len(_raw) | stats sum(bytes) by EventCode | sort sum(bytes) desc

dstuder · ‎12-14-2020

Did my follow up question make sense?

dstuder · ‎12-01-2020

I know that you never edit the default conf files and that in a clustered environment you put the apps in the master-apps folder on the cluster master and then push to the indexers. That wasn't really my question. Many apps come with their own default/indexes.conf file. The Windows TA even did until recently-ish. So, my question is often times we need to override what is in the default/indexes.conf file. Is it best to create a app/local/indexes.conf file or create our own app and handle all indexes through our own app. If it is best to create our own app what have other found is the best way to have that app take precedence. My understanding is that precedence is determined alphabetically. Yes, I know there is more to it than that but if we create our own app lexicographical order would be the part that would come in to play. Should I create an app called Aaa_My_Config_App or something like that? Or is it best to keep the indexes with the app they are for in the app/local/indexes.conf file so that you don't have to deal with file precedence and you know what app the indexes are for?

dstuder · ‎11-30-2020

We are building a new Splunk environment. As we were doing this I noticed that the Windows TA no longer includes a default/indexes.conf file and all the inputs don't specify an index thus all events would go to the main index <yuck>. This kicked off the discussion about what is the best way to handle indexes going forward. Should I create a local/indexes.conf file for each app that does not have one or should I create our own app with an indexes.conf file and just make sure it has the highest precedence so that it would override the indexes.conf file that may come bundled with any app? I can see that having an indexes.conf file in each app makes it easy to see what app that data goes with. But having our own app for handling all the index makes it easier to make adjustments to all the indexes without having to edit multiple files. FYI, we have clustered indexers so I cannot just rely on the web UI for this.

dstuder · ‎11-06-2020

I know that if I want to deploy apps to the search heads I should use the search head deployer functionality. My question is can the deployer server also act as the deployment server for pushing out apps to clients? I think I would also like to make it the license server if that's possible. Thoughts?

dstuder · ‎05-01-2020

I believe you meant to say ... the answer is misleading. you can't change the $splunk_home/etc/system/local/outputs.conf file. you can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf thank you

dstuder · ‎01-22-2019

When I do a drill down in my dashboard the search box in the new windows get's rid of all the line breaks in my SPL search. Is there a way to keep the formatting in the new window? I've tried editing the xml to put in the xml encoded line break variants (nl, cr, cr+nl) but no dice.

dstuder · ‎01-16-2019

So after talking about this with tech support and looking at my own system a bunch I have figured out what is going on. Splunk is designed such that is will not re-index rolled over logs. Even though the file name changes it realizes that the log file has already been indexed. This document talks about how Splunk handles log file rotation and doesn't re-index the data. That is why it is ok for them to say [monitor://$SPLUNK_HOME/var/log/splunk] instead of [monitor://$SPLUNK_HOME/var/log/splunk/*.log] In fact the first one is right and here is why. Log file rotation. What I mean by that is that when the metrics.log file rotates Splunk has not had a chance to get the tail of that log indexed. So, when metrics.log is renamed to metrics.log.1 Splunk looks at the file and realizes that is has already indexed much of that file, but there is a bit at the end that has not been index. So, it indexes that part and since the file name is not metrics.log.1 and not metrics.log that is what is reflected in the source. If the monitor stanza was set to only pull in *.log then the tail portion that was not fully indexed would never get pulled in as metrics.log.1 would not match the file mask *.log. I verified this by looking at some of the data that was indexed in metrics.log.1 and found no corresponding entries in a metrics.log source. So, it isn't duplicating the data and the world is still turning just fine.

dstuder · ‎12-31-2018

I already did. Thanks. 🙂

dstuder · ‎12-28-2018

I'm not sure you want the ... earliest=-2h@h latest=+2h@h as this ... _index_earliest=-17m@m _index_latest=-2m@m is what you are really after. You want to alert on the stuff as is comes in (being indexed) not based at all on the actual time of the event. What if the machine was off for four hours and is turned back on? The _time (earliest) will be -4h and fall outside your search as it doesn't meet the first part even though it meets the second part. I think you really just want ... index=x sourcetype=y _index_earliest=-17m@m _index_latest=-2m@m

dstuder · ‎12-28-2018

Seems like a config oversight to me. Our forwarders are putting tons of data into the _internal index. Most of the data in that index comes from the metrics.log files. Seems to me they could save a LOT of space in the _internal index by not pulling the roll over files by default.

dstuder · ‎12-28-2018

I see that in the forwarder app but I also see this in etc/system/default/input.conf which appears to be sending not only the .log files but also the rolled over log files such as .log.1, .log.2, etc. [monitor://$SPLUNK_HOME\var\log\splunk] index = _internal

dstuder · ‎12-28-2018

Possibly your _internal index size is not big enough to hold all the days data and it is rolling off?

dstuder · ‎12-28-2018

In system/default/inputs.conf, I see a stanza like this ... [monitor://$SPLUNK_HOME/var/log/splunk] I don't see a file mask at the end of the path, so I assume that it is just going to index everything in the directory ... which does appear to be the case. The odd thing though is that the logs in that folder rotate when they reach a certain size and only keep 5 rotated logs and it looks like Splunk is indexing them as well since the monitor just says pull in everything from the log folder. Is this expected behaviour? Indeed if I run this ... | tstats count(_time) WHERE index=_internal source="\*metrics.log\*" by source I see entries like this ... C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log.1 C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log.2 C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log.3 /opt/splunkforwarder/var/log/splunk/metrics.log /opt/splunkforwarder/var/log/splunk/metrics.log.1 /opt/splunkforwarder/var/log/splunk/metrics.log.2 etc ...

dstuder · ‎07-26-2018

Ok, maybe not setting it to "All time" now that I think about it (that's just crazy talk) but maybe sometime like last seven days or something.

dstuder · ‎07-26-2018

Thinking about this a bit I think I would want to alert based on indexed time not event time. For instance my alert is pulling from Windows event logs. If an event happened matching the pattern and say the Splunk Forwarder was not running for more than five minutes when the event came in to the indexer I would not be alerted as earliest and latest are based on _time right? Should I then include the time range in the search string itself and base it on _indextime and set Time Range in the alert to All Time?

dstuder · ‎07-24-2018

I'm setting up an alert that I want to run every five minutes so I set the cron expression like such "*/5 * * * *". If I set the time range to last five minutes is it possible that I could miss events? Does Splunk make sure that the two sync up? I assume it is possible that the cron iteration could be slightly off (drift) from the last iteration thus there could be a few seconds where the time range would not apply as the cron was not totally in sync for each iteration. And I correct in this assumption? If so what is the best way to do something like this?

dstuder · ‎07-06-2018

Oh ... wait. I spoke too soon. It looks like it has to be this way. ... AND NOT field IN (val1, val2, val3) as opposed to ... AND field NOT IN (val1, val2, val3)

dstuder · ‎07-06-2018

Doesn't look like you can do a NOT IN yet. Urg!!

Posts	57
Solutions	3
Karma Given	7
Karma Received	25
Member Since	‎05-05-2014

Online Status	Offline
Date Last Visited	‎05-01-2024 07:05 PM

Compare today vs average of past with a sliding pe...

Two different earliest values on one dashboard

Latest set to most recent increment of 5 minutes

Dynamically pass SPL to events panel on dashboard

Best Practice for Using Splunk_TA_windows on Works...

Can the Cluster Master Also Do Indexer Discovery i...

Best Practice For Managing Alerts/Reports/Dashboar...

Issues With DB Connect identities.conf on Search H...

How to get the bytes of an indexed event

Best way to handle indexes in a clustered environm...

Re: Issues With DB Connect identities.conf on Sear...

Re: Issues With DB Connect identities.conf on Sear...

Re: Issues With DB Connect identities.conf on Sear...

Re: Issues With DB Connect identities.conf on Sear...

Re: Issues With DB Connect identities.conf on Sear...

Issues With DB Connect identities.conf on Search H...

How to get the bytes of an indexed event

Re: Best way to handle indexes in a clustered envi...

Re: Best way to handle indexes in a clustered envi...

Best way to handle indexes in a clustered environm...

Can you use the search head deployer as a deployme...

Re: Changing UF outputs.conf using deployment ser...

Retain SPL format in a drill down

Re: Can you help me with some questions I have abo...

Re: Can you help me with some questions I have abo...

Re: How to trigger alerts when _indextime != _time...

Re: Can you help me with some questions I have abo...

Re: Splunk Forwarder logs to Splunk Indexer

Re: Why don't I have access to source=*metrics.log...

Can you help me with some questions I have about t...

Re: Best Practice for Alert Time Range and Cron Ex...

Re: Best Practice for Alert Time Range and Cron Ex...

Best Practice for Alert Time Range and Cron Expres...

Re: Is there an operator similar to the SQL 'in' o...

Re: Is there an operator similar to the SQL 'in' o...

Join the Conversation