About blbr123

blbr123 · ‎06-03-2022

Yes I need help on creating the add-on if I have to apply the first solution

blbr123 · ‎06-03-2022

Ok then for what purpose the hosts is mentioned in inputs which I saw in some configurations

blbr123 · ‎06-03-2022

About second solution, We actually don't use transforms much, but work on props based on sourcetypes So not sure if this can be achieved just in props

blbr123 · ‎06-03-2022

Can't we achieve this mentioning the host details in inputs.conf Let's say [monitor://data/abc/vault.log] index=applog Host=dx096865 By doing this don't I get just the vault.log from just that host?

blbr123 · ‎06-03-2022

Hi All, I have around 30 Hosts forwarding logs to splunk. I have the below same paths in all the servers /data/abc/vault.logs /data/abc/vault_audit.logs /data/xyz/proxy.logs So I have created an app included inputs with all those above stanzas and pushed the app to all hosts. So by default all those hosts are sending the above mentioned logs to splunk. But I want 5 servers to send just the below log but not other logs /data/xyz/proxy.logs How to achieve this?

blbr123 · ‎06-01-2022

Is the index mentioned in the HEC configuration?

blbr123 · ‎05-17-2022

So when we mention CRC = <source> in inputs what actually happens. I have created a monitor stanza for one source and it isn't sending logs to splunk. When I checked internal logs it says failed to read file as it is too short check CRC something like that.

blbr123 · ‎05-17-2022

Hi All, Can someone please explain what is seekaddress and seekcrc in CRC in simple terms. I tried to check documentation but looks quit confusing. Read the below scenario but Little confused. The CRC from the file beginning in the database has no matching record, indicating a file that Splunk hasn’t seen before. Splunk picks it up and ingests its data from the start of the file and updates the database with the new CRCs and Seek Addresses as it ingests the file.

blbr123 · ‎05-02-2022

Hi All, I have configured inputs to monitor a file path but no events visible in Splunk. Checked internal index and found the below error

blbr123 · ‎04-22-2022

when i select always i get below error: FilesystemChangeWatcher [xxxxxx MainTailingThread] - error getting attributes of path "/opt/sw/ss/splunklogs/system.log.xxxxxxxxx.xxxxxx": Permission denied Insufficient permissions to read file='/opt/sw/ss/si/install/logs/noapp.log.xxxx.xxxx' (hint: Permission denied , UID: xxxxxx, GID: xxxxxxx) and the user has changed the permission to read the files for splunk user, and i have added restartSplunkd=true in server class to restart the splunk service for changes to be applied. But still same issue

blbr123 · ‎04-21-2022

There are 2 hots sending the logs: and can see the internal logs for both the hosts. For one of the hosts it gives error in internal logs: for log_level WARN TcpOutEloop] - Connect to x:x:x:x:9997 failed. Connection refused for log_level ERROR getting below error: StreamId:1234567 had parsing error:Unexpected character while expecting ':': ',' - data_source="/opt/splunkforwarder/var/spool/splunk/tracker.log" Does this indicate something wrong for monitoring?

blbr123 · ‎04-21-2022

i get this output when i run the command: -rw-r----- 1 abc xyz 716 Apr 22 01:16

blbr123 · ‎04-21-2022

@gcusello I am trying to read logs from another host using universal forwarder. Yes the splunk user has the read access to the log paths and files. Cannot check third one as user is not available.

blbr123 · ‎04-21-2022

Hello All, I have configured the inputs and props but unable to see the data in splunk. I have around 20 monitor stanza and all of them have same source type, below is my monitor stanza File to be monitored is below archive.log.DYYYYMMDD.Tnnnnnn [monitor:///opt/sw/ss/splunklogs/archive.log.*.*] index=abc disabled = 0 sourcetype=es:test:sd:logs Sample log file is below: where YYYYMMDD-Date ex-20220412 nnnnnn-6 digit timestamp ex- 171300 Below is props conf [es:test:sd:logs] SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE= ^[\d+\-\d+\-\d+\s+\d+\d:+\d+:\d+.\d+\d+] MAX_TIMESTAMP_LOOKAHEAD=28 TIME_FORMAT=%d-%m-%y %H:%M:%S.%N TIME_PREFIX=^\w Below is the data on which REGEX was done. [2022-04-04 23:10:30.643] Please let me know if there anything wrong in my configurations in internal logs for log level error it shows below error. StreamId:123456 had parsing error:unexpected character while expecting ' : ' : ' , '

blbr123 · ‎04-18-2022

have you restarted the splunk service?

blbr123 · ‎04-11-2022

index=very_big_index caseNumber=1234567799 111222333444555666777 | stats values(phone_number) as phone by _time Name caseNumber UID

blbr123 · ‎03-29-2022

@PickleRick great thank you for that explanation, The only thing I am trying to understand is, Our application team said they are sending data to the syslog endpoint and we should see the data in splunk, So what does actually endpoint means here? Can you please explain how it processess according to the architecture mentioned.

blbr123 · ‎03-29-2022

One of our application team has sent syslog data to sc4s endpoint and we cannot see it in Splunk, I am trying to analyse how it works with the below architecture Basically F5 is a load balancer right how it will send data?

blbr123 · ‎03-29-2022

Hi All, Can someone please explain me the below architecture for Syslog.

blbr123 · ‎03-25-2022

My change request time window is over so I have to try it on Monday only.

blbr123 · ‎03-25-2022

@PickleRick great thank you but from search output how do I check if it's using previous time?

blbr123 · ‎03-25-2022

I tried this query index=_internal source=splunkd.log Does not show anything

blbr123 · ‎03-25-2022

@PickleRick it's not assuming the current timestamp of even processing, because now the time at my place is 5:28PM and the timestamp for the events I see is the same for all the events that is 11:05:29:000 AM.

blbr123 · ‎03-25-2022

@gcusello yes I have checked the CSV file and their is no header field which carries the timestamp so in that case how to get the real time? And is there any drawback or issue if I am ok with index time stamp?

blbr123 · ‎03-25-2022

So I am guessing I need to keep the timestamp field blank so that it takes indexed time stamp? @gcusello

Posts	74
Solutions	0
Karma Given	1
Karma Received	2
Member Since	‎03-16-2021

Online Status	Offline
Date Last Visited	‎09-25-2024 08:37 AM

props and transforms not working

Events Formatting

scripted input not working

Monitoring Database to see if it's running and sen...

Can I monitor a log from Aug 2022 if I installed a...

Why am I unable to see Logs first week of every mo...

Why can I not see logs in splunk

How to Monitor latest folder only?

How to block few logs from some specific hosts?

Can someone please explain what is seekaddress and...

Re: Block few logs from some specific hosts

Re: Block few logs from some specific hosts

Re: Block few logs from some specific hosts

Re: Block few logs from some specific hosts

How to block few logs from some specific hosts?

Re: SC4S and indexes

Re: Can someone please explain what is seekaddress...

Can someone please explain what is seekaddress and...

Configured inputs to monitor a file path but no ev...

Re: Data Onboarding issue

Re: Data Onboarding issue

Re: Data Onboarding issue

Re: Data Onboarding issue

Data Onboarding issue- unable to see the data in s...

Re: deployment server

Re: How to combine 2 searches with same value and ...

Re: Syslog architecture

Re: Syslog architecture

Can someone explain to me the below Syslog archite...

Re: Onboarding CSV File Data

Re: Onboarding CSV File Data

Re: Onboarding CSV File Data

Re: Onboarding CSV File Data

Re: Onboarding CSV File Data

Re: Onboarding CSV File Data

Are you a member of the Splunk Community?