Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About wrangler2x
wrangler2x
Motivator
Member since:
03-25-2011
01-10-2021
Community Statistics
| Posts | 374 |
| Solutions | 19 |
| Karma Given | 95 |
| Karma Received | 143 |
| Member Since | 03-25-2011 |
Activity Feed
- Got Karma for Re: Splunk Admin Password. 12 hours ago
- Got Karma for Re: What do I do if rebuilding a bucket fails?. 06-25-2025 08:10 PM
- Got Karma for Re: Splunk Admin Password. 01-02-2025 02:42 AM
- Got Karma for Re: Splunk Admin Password. 07-29-2024 06:42 AM
- Got Karma for Re: Splunk Admin Password. 07-26-2023 06:54 AM
- Got Karma for Re: Splunk Admin Password. 06-15-2023 02:01 AM
- Got Karma for Re: How to determine how long splunk has been up?. 06-06-2023 12:03 AM
- Got Karma for Re: What does the heartbeatFrequency setting do in outputs.conf?. 06-01-2023 06:21 AM
- Got Karma for Re: Splunk shows vulnerable to CVE-2012-4929 in my Nessus vulnerability scan, what is going on?. 11-17-2022 06:55 PM
- Got Karma for Re: Is there a way to reload server class from the Splunk GUI?. 11-04-2022 11:04 AM
- Got Karma for Re: Splunk shows vulnerable to CVE-2012-4929 in my Nessus vulnerability scan, what is going on?. 07-28-2022 11:41 AM
- Got Karma for Re: How do I list all sourcetypes for each host per index, provided one sourcetype=apache?. 07-26-2022 06:33 PM
- Got Karma for Re: Use a field as the search in searchmatch. 07-08-2022 10:27 AM
- Got Karma for Re: How to log REST API calls?. 11-10-2021 03:15 AM
- Got Karma for Re: How to determine how long splunk has been up?. 08-20-2021 08:38 AM
- Got Karma for Re: How do I disable Transparent Huge Pages (THP) and confirm that it is disabled?. 06-24-2021 08:31 AM
- Got Karma for Fast searches for a count of events in various ways. 06-09-2021 03:33 AM
- Got Karma for Re: How to reload deployment server passing credentials silently. 03-05-2021 01:07 PM
- Got Karma for Re: How do I disable Transparent Huge Pages (THP) and confirm that it is disabled?. 01-13-2021 07:56 AM
- Karma Re: Use Splunk as Data Lake and report tool on Multiple Big Data for woodcock. 01-10-2021 07:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
11-05-2018
10:43 AM
These are all by default set as shown, so they can be omitted:
disabled = 0
start_from = oldest
current_only = 0
Don't know why the checkpointInterval is being changed, but the default is =0
Does anyone know if the path is //AD FS/Admin or //AD FS 3.0/Admin in AD FS 3.0?
... View more
11-05-2018
09:34 AM
In order to edit the Server Classes you need to have edit_deployment_server turned on. This allows creating/editing Server Classes, adding an app to the Server Class, and editing the client list. I did not have to enable edit_deployment_client for these functions, which is what I want this person to do be able to do, so I have left that off. I also enabled list_deployment_client and list_deployment_server.
... View more
11-02-2018
04:10 PM
We've got a special role for non-admin security team members and I'd like some of them to be able to use Forwarder Management (in the Settings menu) to add new clients to a Server Class. I can't figure out what the required Capabilities are that need to be added to their role.
... View more
10-26-2018
12:08 PM
This will work:
\S@[^\s]+\s+(?<SPF_RESULT>[^ ]+)
See it in action here: https://regex101.com/r/zzf5RJ/1
... View more
10-26-2018
11:53 AM
One thing you can't do with it is pipe to something else. This would normally show all the inputs.conf stanza names but in the app it just shows you usage info. Here on *nix:
$ splunk cmd btool inputs list --debug | grep "\["
/opt/splunk/etc/apps/unix/local/inputs.conf [script:///opt/splunk/etc/apps/unix/bin/ps.sh]
/opt/splunk/etc/apps/unix/local/inputs.conf [script:///opt/splunk/etc/apps/unix/bin/rlog.sh]
/opt/splunk/etc/apps/unix/local/inputs.conf [script:///opt/splunk/etc/apps/unix/bin/time.sh]
/opt/splunk/etc/apps/unix/local/inputs.conf [script:///opt/splunk/etc/apps/unix/bin/top.sh]
etc...
... View more
10-26-2018
10:34 AM
This works, but the snag I ran into is that I have an index that I use for test imports, and as I have not used it in a while, there are no license metrics for it in the license_usage.log. Consequently, the REST returns more rows due to this. I'd love to have a way for the index names in the REST search to be discarded if they don't match the ones coming back from the license usage search, but I could not figure out a way to do that. What I did do in the end was to modify the search after the REST call to discard those specific indexes. Here is the modified search, with the duplicative title column added so I could see where the mismatches were.
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" NOT idx=_* NOT idx=*summary*
| rename idx AS Index
| stats sum(b) as sumb by Index
| eval MB=sumb/1024/1024, Comment = "License usage"
| appendcols
[| REST /services/data/indexes
| search NOT title=_* NOT title=splunklogger NOT title=firedalerts NOT title=history NOT title=*summary* NOT title=sos NOT title=temp_index
| eval State=case(disabled==0, "Enabled", disabled==1, "Disabled <<===")
| eval "Retention Days"=frozenTimePeriodInSecs/86400
| fields title State "Retention Days" ]
| streamstats count as Row
| fieldformat MB=tostring(MB, "commas") `comment("rounds to two decimal places")`
| eval GB=round(MB/1024, 4)
| addtotals GB MB row=f col=t labelfield=Index label="Totals ==========>"
| table Row Index title GB MB "Retention Days" State
Thanks for your help!
... View more
10-25-2018
03:24 PM
The REST search
| REST /services/data/indexes
| search NOT title=_* NOT title=splunklogger NOT title=firedalerts NOT title=os NOT title=history
| sort title
| streamstats count as Row
| eval State=case(disabled==0, "Enabled", disabled==1, "Disabled <<===")
| eval "Retention Days"=frozenTimePeriodInSecs/86400
| fields Row title State "Retention Days"
| rename title AS Index
I actually added a couple of other fields to this search that came from a lookup table (one describes what's in the index and the other who to contact about systems in it) but I'm trying to keep it simple for this question. 🙂
The _internal license_usage.log search
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" | rename idx AS Index
| eval MB=round(b/1024/1024,4)
| stats sum(MB) as MB by Index
| fieldformat MB=tostring(MB, "commas")
| addtotals MB row=f col=t
So, basically, what I want is to add to the results of the first search an additional column (MB) from the second search, by index row, with a total at the bottom of the MB column.
@MuS I've seen your many posts about combining searches without using a subsearch. I could not figure out how to make that work in this case. Is there a way? If not, then I still need help, because I never use subsearches!
... View more
10-25-2018
09:16 AM
I was rummaging around Splunk answers looking for information about the heartbeat function that forwarders use. in the Splunk Answers topic What does the heartbeatFrequency setting do in outputs.conf? rphillips_splunk states:
heartbeatFrequency =
1. How often (in seconds) to send a heartbeat packet to the receiving server.
2. Heartbeats are only sent if sendCookedData=true.
3. Defaults to 30 (seconds).
Heartbeat is a mechanism for the forwarder to know that the receiver (i.e. indexer) is alive. If the indexer does not send a return packet to the forwarder, the forwarder will declare this receiver unreachable and not forward data to it. By default a packet is sent every 30s.
I have been under the impression that the indexer does not need to communicate with forwarders except on port 8089 to send Deployment App bundles. I'm wondering what port the indexer uses to talk to the forwarder to convey this return packet rphillips_splunk mentions.
sendCookedData is a parameter in the tcpout stanza in outputs.conf. It is by default true, so it is set for all newly installed forwarders by default. I'm wondering what the effect would be on the forwarder if a firewall rule was blocking the indexer from getting the return packet to the forwarder after receiving the heartbeat transmission.
... View more
10-25-2018
08:46 AM
1 Karma
@rphillips_splunk What port on the forwarder does the indexer send this return packet to?
... View more
10-24-2018
02:37 PM
I checked the file handles thing after reading this and that all looks okay. Thanks for the suggestion.
Here is another interesting one (like from that one): https://answers.splunk.com/answers/43285/error-tcpinputproc-error-encountered-for-connection-from-timeout.html
... View more
10-24-2018
10:54 AM
More trouble last night. After working well all day, you see this in the logs (on the indexer/deployment server):
10-23-2018 11:01:07.879 -0700 ERROR TcpInputProc - Error encountered for connection from src=128.200.xx.xxx:35411. Local side shutting down
10-23-2018 11:01:21.860 -0700 ERROR TcpInputProc - Error encountered for connection from src=128.200.xx.xxx:43490. Local side shutting down
10-23-2018 11:01:40.685 -0700 ERROR TcpInputProc - Error encountered for connection from src=128.200.xx.xxx:43684. Local side shutting down
10-23-2018 11:01:40.803 -0700 ERROR TcpInputProc - Error encountered for connection from src=128.200.xx.xxx:43946. Local side shutting down
10-23-2018 11:02:10.822 -0700 INFO ClientSessionsManager - Adding client: ip=128.200.xx.xxx uts=sunos-sparc id=118563b1987538f45848645415b48e19 name=ECB32768-B062-47DC-B652-34D79B6B2B45
10-23-2018 11:02:10.822 -0700 INFO ClientSessionsManager - ip=128.200.xx.xxx name=ECB32768-B062-47DC-B652-34D79B6B2B45 New record for sc=OIT_SC_GLOBAL_CONF-FILES app=OIT_DA_GLOBAL_CONF-FILES: action=Phonehome result=Ok checksum=0
10-23-2018 11:02:10.822 -0700 INFO ClientSessionsManager - ip=128.200.xx.xxx name=ECB32768-B062-47DC-B652-34D79B6B2B45 New record for sc=OIT_NSP_INDEX_01 app=OIT_NSP_INDEX_DHCP_01: action=Phonehome result=Ok checksum=0
10-23-2018 11:02:10.822 -0700 INFO ClientSessionsManager - ip=128.200.xx.xxx name=ECB32768-B062-47DC-B652-34D79B6B2B45 New record for sc=OIT_NSP_INDEX_01 app=OIT_NSP_INDEX_IDM_01: action=Phonehome result=Ok checksum=0
10-23-2018 11:02:10.823 -0700 INFO ClientSessionsManager - ip=128.200.xx.xxx name=ECB32768-B062-47DC-B652-34D79B6B2B45 New record for sc=OIT_NSP_INDEX_01 app=OIT_NSP_INDEX_LDAP_01: action=Phonehome result=Ok checksum=0
... View more
10-23-2018
11:13 AM
I've got a metrics alert that runs every hour and sends me an email when the volume in my dhcp index is over a certain amount. The alert uses the stats command to sum MB (via | eval MB=round(kb/1024,3) ) for series="dhcp" and then uses where MB > max . This tripped yesterday so I went to do a top by MAC and DevName in the dhcp index and nothing returned in search for the last hour. So there are two curiosities here:
Why do the metrics data show indexed log data when...
the dhcp index doesn't have indexed log data during the same period?
Meanwhile, I checked for a connection on the indexer from the forwarder on the SSL port we use to take logs, and it was there (established). Wondering whether it was a forwarder problem (which has never been problematic before) or something wrong on the indexer, I finally decided to restart splunkd on the indexer (mainly because the admin for the forwarder was out sick). Voila, I started seeing logs in the dhcp index again.
This morning when I came in, I checked the dhcp index and no logs. I ran this search for metrics (pretty much the alert search without the where clause) with timepicker set to Last 60 minutes:
index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" group=per_index_thruput series="dhcp"
| rename series as index
| eval MB=round(kb/1024,3)
| stats sum(MB) as MB by index
It came back with 200 MB. Crazy weird just like yesterday morning. According to this search the most recently received logs are the current time:
| metadata type=hosts index=dhcp | search host=dhcp*
| stats count by host totalCount firstTime recentTime
| convert timeformat="%m/%d/%Y %T" ctime(recentTime) ctime(firstTime)
| rename totalCount as Count recentTime as "Last Update" firstTime as "Earliest Update"
| fieldformat Count=tostring(Count, "commas")
| fields - count
As in when I just ran this it was 10:15 and 'Last Update' came back with 10:15:19. Yet index=dhcp search comes back with nothing.
Also, looking at Settings->indexes, I see that the Latest Event for the dhcp index is shown as four hours ago (now 10:33 in the morning).
I took a look at splunkd.log, greping it for the IP of the forwarder. There are some fairly recent (8:28 this morning) ClientSessionsManager action=Phonehome result=Ok checksum=0 log entries, and then there is this shorthereafterater:
10-23-2018 08:29:09.302 -0700 ERROR TcpInputProc - Error encountered for connection from src=IP_redacted:39683. Local side shutting down
I've redacted the IP address in this, but it is the IP of the forwarder.
The admin for the forwarder (a solaris 10 box running 6.2.1.4 currently) was in today and I got a look at the logs. I see it connected to my indexer yesterday after I restarted splunkd there, then I'm seeing this in the forwarder's logs from this morning (nothing after that connection yesterday until these):
10-23-2018 08:28:19.635 -0700 INFO TcpOutputProc - Connection to 128.195.xxx.xxx:9998 closed. default Error in SSL_read = 131, SSL Error = error:00000000:lib(0):func(0):reason(0)
10-23-2018 08:28:19.799 -0700 INFO TcpOutputProc - Connected to idx=128.195.xxx.xxx:9998
10-23-2018 08:28:35.707 -0700 INFO TcpOutputProc - Connection to 128.195.xxx.xxx:9998 closed. default Error in SSL_read = 131, SSL Error = error:00000000:lib(0):func(0):reason(0)
10-23-2018 08:28:35.909 -0700 INFO TcpOutputProc - Connected to idx=128.195.xxx.xxx:9998
10-23-2018 08:29:07.386 -0700 INFO TcpOutputProc - Connection to 128.195.xxx.xxx:9998 closed. sock_error = 32. SSL Error = error:00000000:lib(0):func(0):reason(0)
10-23-2018 08:29:07.518 -0700 WARN TcpOutputProc - Applying quarantine to ip=128.195.xxx.xxx port=9998 _numberOfFailures=2
10-23-2018 08:29:54.178 -0700 INFO TcpOutputProc - Removing quarantine from idx=128.195.xxx.xxx:9998
10-23-2018 08:29:54.339 -0700 INFO TcpOutputProc - Connected to idx=128.195.xxx.xxx:9998
I asked the admin to restart splunkd on the solaris box, and he did. I see a 'INFO PubSubSvr - Subscribed' phonehome in my splunkd logs and I see a new connection from the forwarder on my indexer. I don't see any errors involving the forwarder's IP address in my indexer's splunkd logs. However, I still do not see any logs in the dhcp index.
Oh, wait. Another quick look at the Settings->Indexes shows the Latest Event for the dhcp index as three hours ago -- it was four the last time I looked. Switching the search on the dhcp index to All time (real time) I can see logs streaming in with timestamps from earlier this morning -- it is playing "catch up," with events coming in ~8,000/minute.
My indexer is running RHEL 7 and:
$ cat etc/splunk.version
VERSION=6.5.2
BUILD=67571ef4b87d
PRODUCT=splunk
PLATFORM=Linux-x86_64
The forwarder has been faithfully sending me logs until this business began yesterday.
Any ideas what has been going wrong?
... View more
10-19-2018
03:10 PM
Okay, I figured it out. I had to click on Privacy Badger icon after the error occurred, then click on Disable Privacy Badger for this site.
Why manually editing the exception list did not fix it I do not know. But it works now. I reported this to IETF
... View more
10-19-2018
02:53 PM
When I get this message and I do <ctrl><shift>I a pane opens on the right which shows this (Chrome, by the way):
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT quickdraw.splunk.com/help/pro/6.5.2/splunkcore.homepage.docs/prod/default?locale=en-US&product=enterprise:1
I added quickdraw.splunk.com to the Disabled Sites list in Privacy Badger, and tried it again, and got the exact same thing.
I tried this on a co-workers browser and it worked fine, and then I noticed that quickdraw.splunk.com had redirected to docs.splunk.com, so I added that into the Disabled Sites list and it still does not work.
What did you do in Privacy Badger to allow this to work properly?
... View more
10-15-2018
03:58 PM
... | rex "sites\/\d+\/(?:templates\/)?(?<APIcall>[^?\s]+)"
Returns these results for APIcall:
Match 1
Group APIcall 160-173 alarmSessions
Match 2
Group APIcall 730-736 deltas
Match 3
Group APIcall 1284-1291 cmsInfo
Match 4
Group APIcall 1863-1878 actionTemplates
Match 5
Group APIcall 2442-2447 rules
Match 6
Group APIcall 3013-3065 network/instances/13b0ce18140337362f.1.0/points/isOn
Match 7
Group APIcall 3667-3682 actionTemplates
Your intro made it look to me like you wanted everything after sites/somenumber except in the 4th you specifically said the result should be actionTemplate so I skipped /templates/. However, you did not say that #6 should be just isOn so I include the longer result for that one. If you wanted just what MuS returned, you are also all set.
... View more
09-21-2018
10:24 AM
The URL I provided in the previous comment is fubar. I don't know where that particular answer went, and I've searched for it. What it said, in summary, is that if you go to Settings->Tabs->New (next to "List by field value pair") from anywhere within Splunk except the Search app, the likelihood of running into this bugginess goes up dramatically. From the search app it does not seem to happen anymore.
... View more
09-14-2018
09:06 AM
No, this has nothing to do with add-on software. I've configured Splunk to require Duo MFA at logon time. See this here:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureDuo
... View more
09-13-2018
03:17 PM
1 Karma
I'm on the 6.5.2 release and I have Duo turned on in the Splunk configs. It has been working great, but I just found out that I cannot login as user admin in Splunk Web. I get this message:
Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.
That's rather inconvenient! Surely there is a way around this?
... View more
09-13-2018
03:13 PM
It works great on the 6.5 release and up, and is built into Splunk now. Go to settings, How to set it up here: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/ConfigureDuo
... View more
09-05-2018
10:13 AM
There is also a section titled, "Example: How to propagate apps from Primary to Secondary Deployment Server" in this Splunk wiki page: Deploy:DeploymentServer
... View more
08-21-2018
11:13 AM
1 Karma
Yes. As a result of changing the permissions it now reads:
access = read : [ admin, can_delete, splunk-system-role, user_itsecurity ], write : [ admin, can_delete, splunk-system-role, user_itsecurity ]
By default, it was globally shared with everyone.
... View more
08-21-2018
09:24 AM
Yes, sir, that did the trick. Thanks.
... View more
08-17-2018
04:10 PM
We use custom-built roles for different groups who use Splunk. Typically the users in their role are restricted to certain indexes, and further restricted to what hosts they can see by using tags (hosts are tagged by the tags associated with the roles that are allowed to see them). Our Palo Alto logs are in their own pan_index and only certain people in our IT Security group are allowed access to that index with their role. However, it seems that this does not extend into the Palo Alto Networks app for Splunk. It seems that anyone that can login can open the app and see things in the Incident Investigation Feed (_time, log_subtype, threat_name, severity, action, app, client_ip).
I'm wondering why that is so? Is there a way to restrict who can use the app?
... View more
08-03-2018
10:01 AM
Use:
http://your_splunk_host:port/debug/refresh?entity=admin/commandsconf
This just reloads commands.conf, I believe.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-10-2021
10:38 AM
|
Karma from
Karma given to
