Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About ivanreis
ivanreis
Builder
Member since:
07-23-2019
10-19-2022
Community Statistics
| Posts | 211 |
| Solutions | 32 |
| Karma Given | 0 |
| Karma Received | 32 |
| Member Since | 07-23-2019 |
Activity Feed
- Got Karma for Re: How to fix "Could not load lookup=LOOKUP-app_proto"?. 10-05-2023 11:11 AM
- Got Karma for Re: Search History disappeared ( Splunk Enterprise 8.0.1). 07-07-2022 11:32 AM
- Got Karma for Re: Splunk DB Connect Connection is invalid. 07-04-2022 01:53 AM
- Got Karma for Re: How to monitor search head cluster from a monitoring console?. 07-29-2021 08:48 AM
- Got Karma for Re: Decomissioning indexers. 07-25-2021 06:57 AM
- Posted Re: Cluster Licensing and Monitoring Dashboard Permissions Required to View on Security. 12-21-2020 03:38 PM
- Got Karma for Re: Cluster Licensing and Monitoring Dashboard Permissions Required to View. 12-11-2020 02:55 AM
- Posted Re: Cluster Licensing and Monitoring Dashboard Permissions Required to View on Security. 12-07-2020 03:13 PM
- Posted Re: How can enable kvstore monitoring for seach head cluster members on Knowledge Management. 12-06-2020 10:56 PM
- Posted Re: Installation Package on Installation. 12-06-2020 10:36 PM
- Posted Re: Cluster Licensing and Monitoring Dashboard Permissions Required to View on Security. 12-06-2020 10:25 PM
- Got Karma for Re: Send AUTH0 logs to Splunk Enterprise. 12-01-2020 01:18 AM
- Posted Re: Send AUTH0 logs to Splunk Enterprise on All Apps and Add-ons. 11-30-2020 04:00 PM
- Posted Re: Splunk running on Linux version 6.4.1 to 8.05 Upgrade on Installation. 09-24-2020 09:13 PM
- Posted Re: How can I filter the contents of an eventID without blacklisting it? on Getting Data In. 09-21-2020 09:09 PM
- Posted Re: How can i change my dashboard from English language to Japanese ? on Splunk Search. 09-20-2020 11:25 PM
- Got Karma for Re: rename command seems to work differently in Splunk 7.2.5.1 vs Splunk 8.0.5.1. 09-20-2020 02:54 AM
- Posted Re: Palo Alto Networks Add-on Install Locations on All Apps and Add-ons. 09-17-2020 09:27 PM
- Posted Re: "splunk add oneshot" not working on Getting Data In. 09-17-2020 05:25 PM
- Got Karma for Re: What are the Unsupported Characters for HEC. 09-17-2020 09:47 AM
Topics I've Started
No posts to display.
10-16-2019
03:09 PM
One alternative can be you index this file, but use the regex expression to find/index the information you need to for memory.
There is a potential that SQL save this type of information in a sys.dm table.
sys.dm_os_sys_info
sys.dm_os_sys_memory
sys.dm_os_process_memory
Here is a link with some tables that can you can search to check if the dump is also stored in one of those tables. If so, you can use the dbconnect to read this table and index this particular information.
https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-memory-brokers-transact-sql?view=sql-server-2017
... View more
10-15-2019
08:24 PM
1 Karma
Here is a video at splunk
https://www.splunk.com/en_us/resources/videos/splunk-incident-review-demo.html
https://www.youtube.com/watch?v=lh21uzfogRk
In order to maximize the Splunk Enterprise usage, please consider to run for Splunk Training.
https://www.splunk.com/en_us/training/courses/using-splunk-enterprise-security.html
... View more
10-15-2019
08:12 PM
My suggestion is to create an app and add the user-prefs.conf the stanza below. Make sure the users that is assigned to the particular role should see the GMT time zone. Maybe you should create a new role and assign all the users that should have to see the GMT time to this role and add the stanza below.
[role_user]
tz = GMT
https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/User-prefsconf#user-prefs.conf.example
... View more
10-15-2019
05:53 PM
2 Karma
When you create a lookup definition at splunk, you have to run a command at splunk, to refresh the new configuration, because sometimes splunk does not recognise the new configuration. there two ways to do it
1 - run the command debug refresh, this commando will make splunk to get the new lookup definition, this happened with myself several times. I am only able to get the lookup working properly after I run this process. It does not restart the splunk service, only reload the configuration definitions.
-> http://servername:8000/en-GB/debug/refresh
2 - restart the splunk service
Remember that all the configuration for the lookup definitions have to be done before you run this command.
Here is a link to document about lookup files -> https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/Addfieldsfromexternaldatasources
... View more
10-15-2019
05:30 PM
I ran a move procedure on Splunk Enterprise and ITSI, but I did not play around Enterprise Security, but I expect this procedure also work for your purpose
The procedure was:
- deploy the splunk enterprise to the new server, use the same version you have on the existing server
- tar the entire $SPLUNK_HOME/etc folder from the existing splunk Enterprise security server, but I recommend to stop the splunk service first, just to avoid any change from customers
- Stop the splunk service at new server
- copy the tar file to the new server at $SPLUNK_HOME/etc folder
- Stop Splunk service on the current Splunk Enterprise server
- Copy the bundle file from $SPLUNK_HOME/var/run from the existing server to the new one on the same path. Bundle file should be something like this servername-1570745614.bundle
- Start splunk service on the new server
- Monitor for any error message of lack of configuration issues
Before you run this procedure, stop the existing Splunk server, run a full backup of etc, just to make sure if you the last updated configuration/apps in case you have any issues, you can recover from the point where everything is working properly on the current splunk environment.
... View more
10-15-2019
04:09 PM
1 Karma
Splunk base has an SQL addon(https://splunkbase.splunk.com/app/2648/) to deploy at sql servers where collects a several sourcetypes, including the memory.
here is the metric that collects from memory, I did not remember is this sourcetype can capture memory dumps, so I suggest you can install it on a SQL dev server and test it.
Memory % Committed Bytes In Use; Pages/sec; Available Mbytes; Pages perfmon:sqlserverhost:memory
https://docs.splunk.com/Documentation/AddOns/latest/MSSQLServer/About
https://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/Datatypes
There is also an SQL app that you can deploy to the search head with dashboards to report the information you are indexing with SQL addon
https://splunkbase.splunk.com/app/1524/
... View more
10-15-2019
03:59 PM
As mentioned on the previously post by richgalloway, you have to check the error messages on file splunkd_stderr.log.
Check if the user that you are installing the UF client has the access granted to start the service
you can either use the windows system local account or domain account where the user has privilege access to start splunk service
Remove the UF client from this server.
Verify if you have any local server police from anti-virus or other software that monitores the server that can prevent splunk service to be started.
Also check the windows logs on the server, because if there is any problem with permissions, there is potential the error will be there
Install the UF client again on a sandbox server where you can run your troubleshooting or either test the different windows accounts who has access to process changes on the system.
https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/InstallaWindowsuniversalforwarderfromthecommandline
... View more
10-15-2019
03:45 PM
please read this link -> https://answers.splunk.com/answers/656711/how-to-install-splunk-eventgen-in-a-windows-enviro.html
Here is the step I took to deploy eventgen to my macbook.
Deployed the eventgen at Splunk
Deployed the Splunk_TA_Windows version 4.8.4
This version has a evengen.conf file at default folder
Create a local folder at evengen app
Copy the eventgen.conf from Splunk_TA_Windows app to eventgen local folder
the key to have your eventgen working properly is to extract the correct data using token.
See below a sample configuration for Windows data.
Use Splunk_TA_Windows/default/inputs.conf sequence
Default replacement for all DhcpSrvLog logs
[sample.DhcpSrvLog]
index = windows
source=c:\windows\system32\dhcp\dhcpsrvlog.log
sourcetype = DhcpSrvLog
interval = 300
Generate all events in sample
count = 0
earliest = -5m
latest = now
replace timestamp 10,07/21/06,19:42:47
token.0.token = ^\d+\,(\d{2}\/\d{2}\/\d{2}\,\d{2}:\d{2}:\d{2})
token.0.replacementType = timestamp
token.0.replacement = %m/%d/%y,%H:%M:%S
... View more
10-15-2019
03:09 PM
Please see this documentation to assist you to understand the KVStore usage
http://dev.splunk.com/view/SP-CAAAEY7
https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/AboutKVstore
... View more
10-14-2019
05:34 PM
Answering your questions:
1 - I don't know why, but the most recent version of the DB connect just work properly with JDK
2 - you can try https://www.cyberciti.biz/faq/linux-unix-set-java_home-path-variable/ . The properly path configuration should relying on the linux bash you are running to, but I believe can be similar with :
export JAVA_HOME=/usr/java/jdk_version/bin/java
export PATH=$PATH:/usr/java/jdk_version/bin
... View more
10-14-2019
05:15 PM
please try this one: https://regex101.com/r/wgNicw/1
transforms.conf
[discardsnmp]
REGEX = \b(\w[a-zA-Z].*\Dapp=SNMP.+)
DEST_KEY = queue
FORMAT = nullQueue
... View more
10-14-2019
04:47 PM
please check the rest api command, it shows all the information relate with jobs, the name of the reports, runtime and others.
| rest /services/search/jobs
... View more
10-14-2019
04:16 PM
"Send the job to the background. Select this if the search job is slow to complete and you want to you work on other Splunk activities, including running a new search job. The job continues to run in the background."
https://docs.splunk.com/Documentation/Splunk/7.3.2/Search/Aboutjobsandjobmanagement#Job_menu
run your report and when it is running, select the Job/Send the job to the background and type your email. When your report is completed, you will receive an email with a link to access the report results.
... View more
10-14-2019
03:53 PM
Please, check this splunk answers, maybe it fits your purposes:
https://answers.splunk.com/answers/105128/how-to-determine-how-long-splunk-has-been-up.html
... View more
10-14-2019
03:30 PM
I never faced this issue before, so my suggestion is to delete the job from CLI/WEB. The admin role is required to delete this job from CLI/web.
The jobs path is $SPLUNK_HOME/var/run/splunk/dispatch/
Check the job inspector to confirm the job SID and find the job. If you are running on linux just run the rm to delete the file.
here is the document to delete the job from web -> https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Search/SupervisejobswiththeJobspage
I dont know why, but sometimes if you delete the job from web interface, it is possible that you can still see the job at job inspector, so I believe it is more secure if you delete it from CLI command. I hope this can help you to delete this job, but I don't have any idea why this happen.
... View more
10-13-2019
10:25 PM
"A scheduled report is a report that runs on a scheduled interval, and which can trigger an action each time it runs. You can define up to four actions for a scheduled report:
Send a report summary by email
Write the report results to a CSV lookup file
Set up a webhook that sends a message to an external web resource, such as a chatroom
Log and index searchable events"
For further information: https://docs.splunk.com/Documentation/Splunk/7.3.2/Report/Schedulereports
Do not remove your reports from schedule because those schedule are responsible to provide the output results to the dashboards.
If you are having issues of overloading on splunk environment, you need to determine which is causing this overloading on the indexers using the management console. It is possible that your current environment is not capable to process all the amount of load for indexing data and even run the scheduled reports/dashboards.
If you have deployed the managed console, please check this link here to assist you to determine where to bottle neck can be
https://docs.splunk.com/Documentation/Splunk/7.3.1/DMC/DMCoverview
Other potential alternative to assist you to determine what is going on, you can open a support case at Splunk and report the problems you are having and Splunk will reply back with the potential actions to mitigate or fix the issues.
... View more
10-13-2019
05:54 PM
I had a similar issues when I deployed the DB connect to Oracle linux. Per the error, the Java path is setup for JAVA JRE, if so, please update the path for JDK . I think we cannot have the both of them on the path, thus I am not really sure, because I did not test it. I remembered that I was only able to successfully deploy the DBconnect after the JDK was properly installed and the Path was setup as well. I never deploy DB connect to Ubuntu, but I believe the behavior can be similar. If possible run this installation in a sandbox to do not damage anything on the production environment.
... View more
10-13-2019
05:27 PM
There are a couple of apps at SplunkBase to index email.
I found this Splunk TA-App "TA-mailclient" that works with Splunk Enterprise version 7.0 as you requested
-> https://splunkbase.splunk.com/app/3200/
I never used this app before, so I don't know about the Add-on functionalities.
For further research check the splunk base apps
https://splunkbase.splunk.com/
... View more
10-13-2019
04:33 PM
1 Karma
When you copy over the old config files from your previous installation to the new one, splunk run a verification if the files are running on a different version and did not start the web, I am not really sure which files splunk uses to check it. The web is a very sensitive part of Splunk and you should be very carefully when you have to restore any config file from previous Splunk versions, because it is very hard to recover the Splunk web from the times I ran into issues.
My suggestion to fix it, please reinstall the last Splunk Enterprise version, because it will be recover the web interface. Be carefully if you have to restore any file from previous installation and avoid to copy the entire folder, because it can cause the issues again. Copy the config files individually and check if Splunk will working properly. This is a manual process and time consuming, thus is necessary to avoid issues when you are copying the old config files to a new Splunk installation.
... View more
10-13-2019
04:18 PM
I never installed the Phantom license previously, thus I assume the process to add the license should be same as the other Splunk Premium apps.
Here is the command to add a license key thought the cli. Make sure you are logged in Master license and the license key is already downloaded to this server.
./ splunk add licenses {path_to_license_file}
I found this document to run the license thought rest api, but I never run this before
check this link please : https://docs.splunk.com/Documentation/Splunk/7.3.2/RESTREF/RESTlicense#licenser.2Flicenses
... View more
10-10-2019
05:53 PM
1 Karma
I did a search at datamodel.conf and I did not find any command where this can be done automatically, but it seams splunk run a type of correction when identifies the datamodel is not up to date for acceleration function. This is the only attribute I found when I source for rebuild
acceleration.manual_rebuilds =
* ADVANCED: When set to 'true,' this setting prevents outdated summaries from
being rebuilt by the 'summarize' command.
* Normally, during the creation phase, the 'summarize' command automatically
rebuilds summaries that are considered to be out-of-date, such as when the
configuration backing the data model changes.
* The Splunk software considers a summary to be outdated when:
* The data model search stored in its metadata no longer matches its current
data model search.
* The search stored in its metadata cannot be parsed.
* NOTE: If the Splunk software finds a partial summary be outdated, it always
rebuilds that summary so that a bucket summary only has results corresponding to
one datamodel search.
* Defaults to: false
I took this definition from this link
https://docs.splunk.com/Documentation/ITSI/4.3.0/Configure/datamodels.conf#GLOBAL_SETTINGS
... View more
10-10-2019
05:41 PM
ok, no problem, I just mistyped this stanza
should be [monitor://D:\foo*.csv], this will take all the new csv files that should be added to this folder.
Thanks for your feedback.
... View more
10-10-2019
05:33 PM
Where you are deploying this configuration?
In order to have this configuration work properly, the props.conf have to be deployed at the indexer or heavy forwarder tier to parse the timezone properly before indexing, if you are not running on a Splunk standalone instance. Use the btool to troubleshoot your configuration.
https://docs.splunk.com/Documentation/Splunk/7.3.2/Troubleshooting/Usebtooltotroubleshootconfigurations
... View more
10-10-2019
05:21 PM
1 Karma
I would suggest to produce the csv instead of stdout. If you lose any network connectivity the data you are trying to run thought stdout can be lost, if you do not have any buffer to store this data.
According to the Splunk Administration manual, this is the only the downside of using scripting inputs.
"One possible downside to scripted input is potential loss of data
– Example: the forwarder that is running the script is not able to connect to the indexer due to networking problems".
... View more
10-10-2019
05:11 PM
I would verify the last backup of /etc folder to check the local.meta file that could be used to restore the previous condition. Other option would be the previous splunk diag files created, because the file will collect all the configuration that you had in the splunk environment and you can open it and extract the file you need to.
From I couple of times that I have to deal with meta.conf, I manually edit it to process any particular update.
Or possible you get a default.meta file from default folder and rename it to local.meta and copy to the app you need to. The problem here is that you have to tweak all the permissions again for all the knowledges, more manual work.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-19-2022
07:45 PM
|
Karma from
