Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About phoenixdigital
phoenixdigital
Builder
Member since:
02-08-2011
04-01-2026
Community Statistics
| Posts | 280 |
| Solutions | 25 |
| Karma Given | 33 |
| Karma Received | 77 |
| Member Since | 02-08-2011 |
Activity Feed
- Got Karma for Splunk Addon Builder 4.5.1 import/export broken on Splunk 10.2.1. a week ago
- Posted Splunk Addon Builder 4.5.1 import/export broken on Splunk 10.2.1 on All Apps and Add-ons. 04-01-2026 01:53 AM
- Got Karma for Re: Terminate User Session. 08-05-2022 12:07 AM
- Got Karma for Re: Realtime clock of Splunk server time on dashboard?. 06-10-2022 05:49 AM
- Got Karma for Indexing a CSV data file with more than one set of data. 04-06-2021 04:39 PM
- Got Karma for Can you hard code a color for a value range in Calendar Heat Map?. 06-05-2020 12:49 AM
- Karma Re: unarchive_cmd for decoding binary file with python script for MuS. 06-05-2020 12:48 AM
- Karma Re: unarchive_cmd for decoding binary file with python script for micahkemp. 06-05-2020 12:48 AM
- Karma Re: Splunk App for Stream: How to configure a universal forwarder to monitor DNS and DHCP? for vshcherbakov_sp. 06-05-2020 12:48 AM
- Karma Re: Is there a logging or debug tool to identify all props and transforms that are applied to a particular sourcetype to isolate rogue field extractions? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: Is there documentation on forwarder behavior for various types of inputs when an indexer goes offline? for ryanoconnor. 06-05-2020 12:48 AM
- Karma Re: Search Head Deployer in a SH Cluster: What happens to local? for teunlaan. 06-05-2020 12:48 AM
- Karma Re: How is Server Identified After clone-prep-clear-config Script is Run? for jconger. 06-05-2020 12:48 AM
- Got Karma for Search Head Deployer in a SH Cluster: What happens to local?. 06-05-2020 12:48 AM
- Got Karma for Is there a logging or debug tool to identify all props and transforms that are applied to a particular sourcetype to isolate rogue field extractions?. 06-05-2020 12:48 AM
- Got Karma for How to update a global lookup file via REST API for a particular app in a search head cluster?. 06-05-2020 12:48 AM
- Got Karma for How to update a global lookup file via REST API for a particular app in a search head cluster?. 06-05-2020 12:48 AM
- Got Karma for setup.xml to modify/create an entry in app.conf (or anywhere else). 06-05-2020 12:48 AM
- Got Karma for Re: Chart not obeying charting.axisY.includeZero=false. 06-05-2020 12:48 AM
- Karma SA-Eventgen doesn't work? for laiyongmao. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-20-2016
05:47 PM
Now this could be a case of RTFM, but I can't find this in TFM 🙂
I am trying to find some documentation on what the Universal Forwarder does when it can't connect to an indexer for various scenarios.
I am aware of indexer acknowledgement however that is really not what I want to know. I want to know how the UF will behave in various scenarios
http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Protectagainstlossofin-flightdata
So it is well documented that for TCP, UDP and script inputs.conf stanzas there are features for buffers and queues
queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* If set to some value other than 0, persistentQueueSize must be larger than
the in-memory queue size (set by queueSize attribute in inputs.conf or
maxSize settings in [queue] stanzas in server.conf).
* Persistent queues can help prevent loss of transient data. For information on
persistent queues and how the queueSize and persistentQueueSize settings
interact, see the online documentation.
Ref: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
If the indexer is not available, these queues will gradually fill until the indexer comes back online or the queues are full at which point other settings determine the behaviour of the UF.
What I can't find any documentation on is what happens to inputs for file monitor, WinEventLog, perfmon etc... when the indexer goes offline.
I'm confident that the indexing of these inputs pauses until the indexer returns. There is no need for a buffer because these events are already stored on the filesystem or within the OS. However I would like to find some documentation to show a customer who wants to know what the official behaviour is in this situation.
Then there is the other concern of rotating logfiles (while the indexer is offline) which is addressed in another Splunk answer (which I can't find right now)
... View more
06-15-2016
06:56 PM
Super late response but I thought I would post the answer as I was looking for the exact same information.
The only answer I could find was
auto - The scheduler automatically chooses an interval based on the number of generated results.
Ref: http://docs.splunk.com/Documentation/DBX/1.2.0/DeployDBX/inputsspec
I had a dig through the DatamaseMonitor.class in the dbx.jar which lead me to Scheduler.class which led me to this function which determines the time
private long getAutoDelay(DbmonResult result) {
if (result.getResultCount() == 0) {
long lastDelay = result.getMonitorDefintion().getLastDelay();
if (lastDelay != -1) {
return Math.max(this.autoMinDelay, Math.min(lastDelay + this.autoDecayIncrement, this.autoMaxDelay));
}
return this.autoMaxDelay;
}
return Math.min(Math.max(this.autoMinDelay, result.getDuration() / (long)result.getResultCount() * (long)this.autoDurationFactor), this.autoMaxDelay);
}
this.autoMinDelay defaults to 5000
this.autoMaxDelay defaults to 5000
this.autoDecayIncrement defaults to 5000
this.autoDurationFactor defaults to 100
So it appears to be related to the number of factors such as
Number of results returned
How long the last delay was between queries
How long the search took to run
So for a search that returned zero results the delay appears to be every 5000ms
For a search with more than zero results it is based on this function
return Math.min(Math.max(this.autoMinDelay, result.getDuration() / (long)result.getResultCount() * (long)this.autoDurationFactor), this.autoMaxDelay);
... View more
06-14-2016
06:19 PM
Thanks teunlaan. Missed that bit of the documentation. It was there right in front of my face.
Good point about the old local remnants on the clustered search heads in answer two. Probably a difficult thing to clean up apart from "un-deploying" then "re-deploying" the app. They wont have any impact if left in place obviously but it is just a bit messy. Maybe I will just stick to backing it up every now and then.
... View more
06-14-2016
01:10 AM
1 Karma
I have been doing a few tests on how configurations are pushed when applying a shcluster bundle. However, I would like to find some definitive answers if at all possible.
On the deployer in shcluster/apps I have a Splunk app with
appname/default/props.conf
appname/default/transforms.conf
appname/default/savedsearches.conf
appname/local/props.conf
appname/local/transforms.conf
appname/local/savedsearches.conf
Now it appears when I apply the cluster bundle with
sudo -u splunk /opt/splunk/bin/splunk apply shcluster-bundle -target https://10.10.1.1:8089 -auth admin:changeme
The app gets pushed to the search head cluster members.
However, on the search heads, it appears everything in appname/local has been "merged" with appname/default. This is great and I understand the reasoning behind this because it then means that users can make changes to the apps on the SH cluster and only changes are stored in the appname/local. This means that if the apps are deployed again, they won't overwrite local users changes to the app.
First question is. Where is this deployment behavior documented? I would assume matching stanzas in local/props.conf would override the default/props.conf, but is this documented somewhere?
What happens to local really isn't covered here
http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges
Second Question is if I want to "take a snapshot" of an app from a search head in the cluster to "update" the deployer with the most recent version is it just a matter of copying off the entire app directory?
Removing any folders like appname/default.old.20160304-103301 which appear to be backups from the last deployment. Then copy this across to the deployer as the lastest "version". I can see the documentation says you don't need to but it seems like a good idea to "track" an app as it grows.
Bonus Knowledge
I just discovered you have control over how the deployer handles lookups which is great. This is one of the reasons I have been hesitant to deploy at times.
splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>
http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/HowconfrepoworksinSHC
... View more
06-09-2016
09:42 PM
I was trying to get a list of all saved searches that would use a realtime search.
Maybe because I am using a clustered search head the results are not consistent.
... View more
06-09-2016
05:36 PM
Anyone know how to do this on the latest version of Splunk 6.x?
This doesn't appear to work anymore.
... View more
05-09-2016
07:06 PM
Well from first hand experience it breaks a Search Head.
DO NOT TRY THIS AT HOME!!!
We moved /opt/splunk/etc/passwd out of the way and Splunk recreated that on restart.
Cleartexted any passwords found in conf files with the grep command here
https://answers.splunk.com/answers/123896/need-a-list-of-all-the-locations-of-hashed-password-based-on-splunk-secret.html
However the Search head keeps returning a 500 error.
... View more
03-01-2016
06:47 PM
Whew. OK Resolved!!!!
My definition of data was off. Not sure how it worked previously though with admin user???
import json
import csv
import requests
splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)
headers = {'Content-Type': 'application/json'}
data = {"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv"}
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)
... View more
03-01-2016
06:13 PM
Further tests show that this works.
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/my-app/spool/prices.csv
But now my Python script doesn't work even though it used to when it was only going to the admin user lookups
splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)
headers = {'Content-Type': 'application/json'}
# data = json.dumps({"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv" })
data = "/opt/splunk/etc/apps/my-app/spool/prices.csv"
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)
Can't see any major PEBKAC issues here.
... View more
03-01-2016
05:23 PM
2 Karma
Hi All,
I have a Search Head Cluster and I am trying to update a global lookup file in a particular app, but am having no luck. I obviously cannot edit it directly as then it won't be replicated to the rest of the cluster.
So I found this example of editing a lookup via the REST API.
http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-files
And I adapted it to work with my app
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/mp-app/spool/prices.csv
It worked.... sort of. The only problem is it created a new lookup table in the admin's private directory
/opt/splunk/etc/users/admin/my-app/lookups/prices.csv
I wanted it to replace the one at
/opt/splunk/etc/apps/my-app/lookups/prices.csv
Screenshot of the aftermath with the green arrow the one I wanted to replace and the red arrow the one that was created.
http://imgur.com/UPOZJN6
I am obviously using the wrong REST API interface does anyone have any hints to where the right one is?
... View more
02-01-2016
06:27 PM
I fully understand creating a generic framework is definitely not a trivial task. Even if it started off relatively primitive and worked towards more complex protocols it would as you say need to be integrated to Streams DPI engine.
I appreciate the response and hope to see something in the future even in it's most basic forms.
I would say it will give Splunk a very competitive advantage having this feature. Which might be why you missed/ignored my comment about if the source was available 😉
... View more
02-01-2016
02:59 PM
Can I ask is there a plan to support custom protocol dissectors in the future?
I understand there are varying complexities for different protocols but something as simple as Modbus TCP could be handled by a simple configuration file describing the structure of the protocol.
Bytes 1-2 = Transaction identifier
Bytes 3-4 = Protocol Identifier
Bytes 5-6 = Length Field
Byte 7 = Unit Identifier
Byte 8 = Function Code
Those fields plus the sending and receiving IPs are all I would be interested in and would provide some valuable security information for a TCP Modbus system.
Alternatively are the sources available for Splunk Stream so we can add our own dissectors (unsupported of course).
Thanks
... View more
02-01-2016
12:35 PM
That is very unfortunate. One of our engineers said that was the case but I was hoping things may have changed.
I guess the only solution would be to use something like wireshark?
... View more
01-31-2016
11:08 PM
I was just digging through the Splunk App for Stream and was wondering how I could add my own custom protocol.
I was thinking of implementing a ModBus TCP protocol to detect the basics, but can't see where a protocol is defined.
https://en.wikipedia.org/wiki/Modbus#Frame_format
... View more
12-08-2015
12:20 PM
Turns out the issue is a Windows issue and not Splunk. The XML format can be viewed with Windows Event Viewer so if something is missing it is because Windows did not put it there. 😞
Sadly we have switched back to plaintext events for Applocker. Windows disappoints yet again.
More information can be found here.
https://answers.splunk.com/answers/290844/testing-renderxml1-for-windows-event-logs-in-splun.html
... View more
12-07-2015
11:49 PM
Thanks for the answer but I already have the DB admins breathing down my neck regarding database input queries. I fear that adding any more complexity to the query would push them over the edge and they might go all "soup nazi" on me "No DB input for you!!!!"
Ideally having it supported like it was for DB Connect 1 would be the best option.
... View more
12-06-2015
05:46 PM
Hi All,
I will likely file this as a bug report but was just going to check here first.
A customer recently activated XML Windows Events across the board and we noticed that the Applocker Events are missing a few things.
The old text event (obfuscated):
12/07/2015 09:38:54 AM
LogName=microsoft-windows-applocker/exe and dll
SourceName=Microsoft-Windows-AppLocker
EventCode=8004
EventType=2
Type=Error
ComputerName=xxxxxxxxxx.prod
User=cxxxxrn
Sid=S-1-5-xx-1xxxx40-23xxxx4-32xxxx7-3xxx
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=10360
Keywords=None
Message=%OSDRIVE%\USERS\xxxxxxx\APPDATA\xxxxxxxxxxxxx\xxxxxxxxxxx\ADOBECAPTIVATEWS was prevented from running.
The new XML Version:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-AppLocker' Guid='{xxxxxx}'/>
<EventID>8002</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2015-12-07T00:49:18.186112800Z'/>
<EventRecordID>147067</EventRecordID>
<Correlation/>
<Execution ProcessID='8092' ThreadID='5804'/>
<Channel>microsoft-windows-applocker/exe and dll</Channel>
<Computer>xxxxxxxxxxx.prod</Computer>
<Security UserID='S-1-5-xx-181xxxxx-23xxx-32xxxxxx-13345'/>
</System>
<UserData>
<RuleAndFileData xmlns:auto-ns2='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>
<PolicyName>EXE</PolicyName>
<RuleId>{xxxxxxxxxxx}</RuleId>
<RuleName>xxxxxx: JExplorer32.3.3.exe</RuleName>
<RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://SHA256HASH Any_of {#1ce1604845axxxxxxxxxxxxxxd2e0cc2}))</RuleSddl>
<TargetUser>S-1-5-xx-181xxxxx-23xxx-32xxxxxx-13345</TargetUser>
<TargetProcessId>1484</TargetProcessId>
<FilePath>%OSDRIVE%\USERS\xxxxxx\APPDATA\LOCAL\TEMP\1\JEXPLORER32.3.3.EXE</FilePath>
<FileHash>1CE160484xxxxxxxxxxxxxxDD2E0CC2</FileHash>
<Fqbn>-</Fqbn>
</RuleAndFileData>
</UserData>
</Event>
One key field most of our dashboards used was the "User" field which is no longer available in the XML version of these events. The only other option is the TargetUser which obviously relates to the User (Sid) but is not really a human friendly. Seems a bit pointless to have to make a lookup from TargetUser -> User.
Is there any way we can control how renderXML works for Windows Events like Applocker?
Thanks
... View more
12-01-2015
07:38 PM
Any chance of this being supported in the future?
I have quite a few database inputs I would like to migrate across to DB Connect 2 but this is holding them up.
I'd prefer not to convert them in SQL as a "fix"
... View more
12-01-2015
05:41 PM
Hi All,
Just getting the community consensus here. Cisco ASA log events for Built and Teardown essentially contain the same information
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116149-qanda-ASA-00.html
The Cisco ASA TA does the following for each type of event
Built
Extracts standard fields
Extracts direction
swaps around src and dest fields for Outbound connections
Teardown
Extracts standard fields
Extracts bytes and duration
Now, is direction really that relevant as it can be inferred from the src and dest fields?
The rest of the fields are pretty much replicated between the two types of events.
Which brings me to my main question: Will dropping "Built" events have any impact on Splunk Enterprise Security dashboards?
It would essentially halve the traffic ingested into Splunk for the firewall.
... View more
11-29-2015
07:35 PM
Also that troubleshooting section you linked to is peppered with DBX 1 config commands. In particular "If your timestamp is not of type datetime/timestamp"
The documentation is wrong or the web GUI config creation when entering timestamp columns is wrong. Either way that is pretty poor form for a troubleshooting page having a red herring in there like that.
... View more
11-29-2015
07:31 PM
I thought this line handled setting the timestamp as that column for my input?
input_timestamp_column_name = EVENT_TIMESTAMP
It should be noted that the config I showed above was the result from using the web GUI. I did not try to tweak anything.
It should also be noted the old DBX 1 app handled a millisecond timestamp just fine. So unsure why DB Connect 2 is breaking so spectacularly?
Looking at my old working DB Connect 1 inputs.conf it was
[dbmon-tail://SVR-DEV/SVR-DEV]
host = dev-oracle
index = application
interval = auto
output.format = mkv
output.timestamp = 1
output.timestamp.column = EVENT_TIMESTAMP
query = Select * from log.log_event_logs {{WHERE $rising_column$ > ?}}
sourcetype = db:svr
table = SVR-DEV
tail.rising.column = EVENT_LOG_ID
disabled = 0
... View more
11-29-2015
06:12 PM
Hi All,
Seeing some very strange results from a DB input.
[mi_input://SVR-DEV]
connection = SVR-DEV
index = server_application
interval = 43200
max_rows = 10000
mode = tail
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = Select * from log.log_event_logs
source = dbx2:svr-dev
sourcetype = db:svr
tail_follow_only = 1
tail_rising_column_name = EVENT_LOG_ID
tail_rising_column_number = 4
ui_query_catalog = NULL
ui_query_mode = advanced
ui_query_schema = undefined
ui_query_table = undefined
input_timestamp_column_name = EVENT_TIMESTAMP
input_timestamp_column_number = 11
tail_rising_column_checkpoint_value = 215663
disabled = 1
Now for the interesting part. DB Connect 2 performs the following
"2015-12-30 08:50:10" EVENT_LOG_ID=157931, EVENT_TIMESTAMP=1419889810000, EVENT_TYPE="INVALID_ROLE", EVENT_SEVERITY_CODE="ERROR", EVENT_TEXT="Message authorization failed for id:", EVENT_DETAIL_DATA="A............
Note EVENT_TIMESTAMP=1419889810000
which is a millisecond timestamp of 1419889810.000
which equates to Mon, 29 Dec 2014 21:50:10 GMT
adjusting for timezone +10 hours = Mon, 30 Dec 2014 8:50:10
So the first issue here is DB Connect 2 added a year to the date!
The second issue is _time for this event is 24/11/2015 08:50:10.000!
I can see the time 8:50:10 is right but where did it get 24/11/2015 from???
Further investigation into the event in Splunk 24/11/2015 was the index time.
So does anyone know to resolve this
The timestamp is getting broken in ingestion of the data (adding one year)
_time is a Frankenstein combination of index_time (date) and the timestamp (time)
To be clear no changes have been made to MAX_DAYS_AGO (default 2000 days) and MAX_DAYS_HENCE (default 2 days) so these should be fine with defaults.
The only other thing I can think of would be a props.conf entry for the TIME_FORMAT to specifically tell Splunk to match the output_timestamp_format in the DB input definition. But it is a pretty standard format I would have thought Splunk would recognise it in an instant.
... View more
- Tags:
- Splunk DB Connect
11-11-2015
04:32 PM
3 Karma
So this example dashboard will work on any Splunk instance.
Myself and our other engineers can't seem to get the input at the top of the form to update?
The only solutions we can think of would be either custom javascript or have the page submit to itself with the fields passed in the URL.
Test dashboard below.
<form>
<label>Drilldown Example Table Complex</label>
<fieldset submitButton="false">
<input type="text" token="component">
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd| stats count(eval(log_level="INFO")) as INFO count(eval(log_level="ERROR")) as ERROR by component</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<drilldown>
<condition field="component">
<set token="component">$click.value$</set>
<set token="log_level">*</set>
</condition>
<condition field="INFO">
<set token="log_level">$click.name2$</set>
<set token="component">$click.value$</set>
</condition>
<condition field="ERROR">
<set token="log_level">$click.name2$</set>
<set token="component">$click.value$</set>
</condition>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Search = index=_internal component="$component$" log_level="$log_level$"</title>
<search>
<query>index=_internal component="$component$" log_level="$log_level$"</query>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
... View more
11-02-2015
07:58 PM
Hi All,
Just trying to work out how to use eventgen for multiline logs such as oracles' hideous audit file.
Audit file /ora/app/oracle/admin/cdh/adump/oracle_audit_log.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
ORACLE_HOME = /ora/app/oracle/product/11.2.0.4/db_1
System name: SunOS
Node name: hostname-oracle4
Release: 5.10
Version: Generic_150400-26
Machine: sun4v
Instance name: this_instance
Redo thread mounted by this instance: 1
Oracle process number: 90
Unix process pid: 5542, image: oracle@hostname-oracle4
Mon Nov 2 11:33:30 2015 +11:00
LENGTH: "223"
SESSIONID:[8] "23491997" ENTRYID:[1] "1" USERID:[6] "SIEM_TEST1" ACTION:[3] "44" RETURNCODE:[1] "0" LOGOFF$PREAD:[1] "0" LOGOFF$LREAD:[2] "24" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[9] "847685182" SESSIONCPU:[1] "4"
Mon Nov 2 11:33:33 2015 +11:00
LENGTH: "223"
SESSIONID:[8] "23491997" ENTRYID:[1] "1" USERID:[6] "SIEM_TEST1" ACTION:[3] "115" RETURNCODE:[1] "0" LOGOFF$PREAD:[1] "0" LOGOFF$LREAD:[2] "24" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[9] "847685182" SESSIONCPU:[1] "4"
I have tried this in evengen.conf
[oracle_audit_log.aud]
disabled = false
mode = replay
index=sec_database
sourcetype=oracle:audit:text
# breaker= ^\r\n
bundlelines = true
## Generate all events in sample
count = 0
earliest = -5m
latest = now
interval = 300
outputMode=spool
spoolFile = sample.oracle
# host.token
# host.replacement = hosts.list
## Replace timestamp
token.0.token = \w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}
token.0.replacementType = timestamp
token.0.replacement = %a %b %d %H:%M:%S %Y
But it throws this error
2015-11-03 13:55:51,350 INFO Retrieving eventgen configurations from /configs/eventgen
2015-11-03 13:55:51,894 INFO Creating timer object for sample 'oracle_audit_log.aud' in app 'TA_ob-3_oracle_eventgen'
2015-11-03 13:55:51,896 INFO Starting timers
2015-11-03 13:55:51,898 ERROR Can't find a timestamp (using patterns '['\\w{3}\\s+\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}\\s+\\d{4}']') in this event: 'LENGTH: "223"
'.
2015-11-03 13:55:51,901 ERROR Exception in sample: oracle_audit_log.aud
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-Eventgen/bin/eventgen.py", line 47, in run
partialInterval = self.sample.gen()
File "/opt/splunk/etc/apps/SA-Eventgen/lib/eventgensamples.py", line 506, in gen
self._lastts = self._getTSFromEvent(self._rpevents[self._currentevent])
File "/opt/splunk/etc/apps/SA-Eventgen/lib/eventgensamples.py", line 702, in _getTSFromEvent
raise ValueError("Can't find a timestamp (using patterns '%s') in this event: '%s'." % (formats, event))
ValueError: Can't find a timestamp (using patterns '['\\w{3}\\s+\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}\\s+\\d{4}']') in this event: 'LENGTH: "223"
'.
I'm guessing it is trying to find a timestamp on every line, but obviously one does not exist.
I even tried messing around with breaker.
I even removed all the junk at the top of the log with no luck.
Any ideas would be appreciated.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-01-2026
01:40 AM
|
