About verbal_666

verbal_666 · ‎02-26-2020

Hi guys. Can you confirm Forwarder will never "merge" theese different inputs, holding same path? addon: etc/apps/addon1/default/inputs.conf [monitor:///tmp/] whitelist=.*\.log$|.*\.txt$ index=blabla sourcetype=blabla addon: etc/apps/addon2/default/inputs.conf [monitor:///tmp/] whitelist=.*\.json$|.*\.dat$ index=blabla sourcetype=blabla ... the first inputs from addon1 will be taken in consideration, while the second from addon2 will be rejected (conflict), without merging the whitelist for same original path "conflict"... so i absolutely need to take only 1 addon, holding all? addon: etc/apps/singleaddon/default/inputs.conf [monitor:///tmp/] whitelist=.*\.log$|.*\.txt$|.*\.json$|.*\.dat$ index=blabla sourcetype=blabla The singleaddon works, obviously.

verbal_666 · ‎12-08-2019

Hi. I took out this thread for an addition... for a problem i found in my infrastructure... The Infrastructure UFs -- [HF] -- IDX The problem ... do to firewall problems, all UFs have outputs to point to both HF and IDX, at the same time, in default stanza... some hosts join IDX directly (since fw blocks HF flow), some join HF only (same as before), some join both... i found that when some inputs go to IDX direcly i got my props (IDX only) parsed right, when passing through HF (no props), parsing is broken (HF-->IDX, HF parses source by default and passes wrong events to IDX which do not elaborate/parse props as well). The solution Deploying same props both to IDX, as well, and also to HF, by giving HF same DS as IDX has. Ok. The workaround (if possible, i don't think can do it) Bypass parsing (props) in HF and forwarding datas as a common UF to IDX. Is there a conf to match this behaviour? Thanks.

verbal_666 · ‎11-05-2019

Thanks again.

verbal_666 · ‎11-05-2019

Anyway, yes, this props did it, TIME_FORMAT=[%d/%m/%Y %T] SHOULD_LINEMERGE=false

verbal_666 · ‎11-05-2019

Ok, thanks. Is right the TIME_FORMAT = %m/%d/%Y %H:%M:%S you wrote up? Shouldn't be TIME_FORMAT = %d/%m/%Y %H:%M:%S ? date +'%d/%m/%Y %H:%M:%S' 05/11/2019 13:10:24 Right?

verbal_666 · ‎11-05-2019

Thanks. As i wrote in main post, i'll (eventually) write the correct props in Indexer(s) asap. The question now is: why i have many others logs, from other forwarders, logging like 2019/05/11 without their sourcetype stanza in props, and are still logging Europe since 01/11? Also, on same host, same forwarder, others logs are logged randomly 05/11 and 11/05, today. Example, 3 events are 05/11, other 3 are 11/05! Strange behaviour..... Thanks, anyway.

verbal_666 · ‎11-05-2019

Splunk Forwarder 7.0.2 (Windows 64 bit) Splunk Enterprise 7.0.0 (Linux) The strange problem: until 31/10, Europe TZ, logs are correctly indexed with this format (no Indexer props configured, set by default) [31/10/2019 23:59:55] [URL] [HTTP_RC] From 1/11, Splunk starts switching %m & %d in USA_TZ, so [01/11/2019 00:00:00] [URL] [HTTP_RC] become with timestamp (Europe) == 11/01/2019 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! And also today, i have 11/05/2019, but logs are [05/11/2019 00:00:00] [URL] [HTTP_RC] Why??????????????????? I know i should force the props in Indexers, such as, CHARSET = UTF-8 TIME_FORMAT = %d/%m/%Y %T SHOULD_LINEMERGE = false NO_BINARY_CHECK = true But why until 31/10 i have NO DATE PARSING problem at all? Suggestions? Thanks.

verbal_666 · ‎10-21-2019

verbal_666 · ‎10-21-2019

Found the problem. Inputlookup passes variables to the map with double-quotes,so a single host is get, a list in IN clausole not. Ex. host1,host2 become, literally, "host1,host2" so IN("host1,host2") is not parsed good, host1 IN(host1) in parsed good, without double quotes, but also making quoted works with single host. Null-string is passed as "". Trying to remove the quotes. Another workaround, bad, but working,is something like adding single host fields in csv, h1,h2,h3,h4 and (host=$h1$ OR host=$h2$ OR host=$h3$ OR host=$h4$) in the map search. Very bad, but it works.

verbal_666 · ‎10-21-2019

Thanx a lot. But i have built this little "Engine" for the "map" command; in reality the csv has many many more fields (earliest, latest, thresholds, pattern to find etc.....). MAP command works perfecly, only the IN clausole does not when i have more than 1 host!!!!!!! 😐 .....also, the "table host,source" up is only an example, in the real searches i have more than 10 piped commands. It works, but the "host IN" with multiple hosts NOT 😐 😐 😐 With the subsearch i need to change many things. Also, the subsearch up, i think, should be ended with a "format" command and also hostnames renamed in "host" to work fine. I prefer to fix the "map", for now. Thanks a lot. ps. i fixed as workaround the "IN problem" with a tag/eventtype in front who make me permit to search what i need |map maxsearches=50 search="search tag=MYTAG source=$source$|table host,source" ....tag/eventtype contain index and hosts i need.................. i want to bypass also tag.

verbal_666 · ‎10-21-2019

As in object, it's a strange behaviour, i can't use an IN clausole with host field in a map search. Here's my search, |inputlookup list.csv|where tag="locals" |map maxsearches=50 search="search index=* host IN($hostnames$) source=$source$|table host,source" First line works, all fields are passed to map (i also tried a display fields in the map search, and all fields are ok). Second line, the map, does not work with IN clausole and "hostnames" field with more than 1 host. list.csv NOT WORKING tag hostnames source locals host1,host2 /tmp/*logs locals host1,host2 /tmp/*TXT locals host1,host2 /tmp/*json WORKING tag hostnames source locals host1 /tmp/*logs locals host2 /tmp/*logs locals host1 /tmp/*TXT locals host2 /tmp/*TXT locals host1 /tmp/*json locals host2 /tmp/*json I also tried a host IN(*$hostnames$*) but this is like an IN(**), variable seems to be null, but i can display if i try a |makeresults|eval host=$hostnames$|table host Why? Suggestions?

verbal_666 · ‎09-17-2019

Resolved also the "props path problem", adjusting the "metadata/local.meta" of the TA, setting global.

verbal_666 · ‎09-16-2019

Another strange behaviour. This is the perfect/right props.conf to index the json, also more complicated (1000 records with multiple arrays), [my_json] pulldown_type = true INDEXED_EXTRACTIONS = json KV_MODE = none category = Structured TRUNCATE=0 JSON_TRIM_BRACES_IN_ARRAY_NAMES=true NOW, on my test-Environment (single istance idx,sh all), 1) if i let props.conf stay in etc/apps/MY_TA/default/ , fields are duplicated, no truncate (seems the TA works as a simple Forwarder) 2) if i move the props.conf in etc/system/local, json is perfectly indexed (now seems the props is used as Indexer) ...

verbal_666 · ‎09-15-2019

The only problem is now with much complex json format, like {} formatted, { "data": [ { "displayName": "First Name", "rank": 1, "value": "VALUE" }, { "displayName": "Last Name", "rank": 2, "value": "VALUE" }, { "displayName": "Position", "rank": 3, "value": "VALUE" }, { "displayName": "Company Name", "rank": 4, "value": "VALUE" }, { "displayName": "Country", "rank": 5, "value": "VALUE" } ] } This is not indexed with multiple events, but single events and multivalue fields...

verbal_666 · ‎09-15-2019

Find a solution. I used the "preconfigured" "_json" sourcetype in "/opt/splunk/etc/system/default/props.conf" [_json] pulldown_type = true INDEXED_EXTRACTIONS = json KV_MODE = none category = Structured description = JavaScript Object Notation format. For more information, visit http://json.org/ ... ingestion produced no duplicated fields...

verbal_666 · ‎09-13-2019

Splunk Enterprise 7.0.2 Can't get rid of duplicated fields indexed in a json format. I tryied all combinations, in IDX Env and SH Env, both equals, then different, no way AT ALL. JSON, very simple: [ { "name": "Name1", "id": 1, "age": 20 }, { "name": "Name2", "id": 8, "age": 30 }, { "name": "Name3", "id": 12, "age": 40 } ] Props IDX and SH, equal, [JSON] INDEXED_EXTRACTIONS = json SHOULD_LINEMERGE = true NO_BINARY_CHECK = true CHARSET=UTF-8 KV_MODE = json AUTO_KV_JSON = true Results, I can't "mvdedup" all fields, also because this is a simple test json, then i'll have to index complex with arrays and hundreds fields... Solutions? It's getting me mad!!! Thanks.

verbal_666 · ‎08-26-2019

Addon: i also used the "trick" here, https://answers.splunk.com/answers/417403/how-to-extract-fields-from-splunk-db-connect-2-dat.html .... and i got it, works search-side, _raw-side.... remain the problem index-side, fields are saved/indexed with wrong field.name.

verbal_666 · ‎08-26-2019

Hi guys. I had a correct DB-Connect connection with a right SELECT with right importing of the table/fields i want. A problem: 1) raw datas seems to be right, ex, 2019-xx-xx 01:00:00.000, TIPOLOGIA="XXXXX", CATEGORIA="XXXXX", HOSTNAME="XXXXX", SISTEMA OPERATIVO="XXXXX" ... timestamp is right, fields are in the raw data... 2) now the problem... i can search the raw data as well, as said, but Splunk Enterprise 7.0.0, index time, create wrong fields... when found a [SPACE] in field.name ......... so "SISTEMA OPERATIVO" becomes "OPERATIVO", in field cut "SISTEMA[space]"....... 3) solution #1: transform field in select " select 'SISTEMA OPERATIVO' as ''SISTEMA_OPERATIVO' ........... "; ok, but i have many fields with this absurd develop (developers should be whipped!!!) 4) solution #2: i can certainly act in indexing time with props/transforms, right? May i use "CLEAN_KEYS" in transforms, with precedente REPORT- in props to do the "trick"? Or something similar? Thanks.

verbal_666 · ‎06-12-2019

This, obviously, works, TA_LOG/default/inputs.conf [monitor:///tmp/*.TXT] index=main sourcetype=TMP:TXT crcSalt = <SOURCE> followSymlink = true TA_LOG2/default/inputs.conf [monitor:///tmp_ln/*.TXT] index=test sourcetype=TMP:TXT_BIS crcSalt = <SOURCE> followSymlink = true IMHO, crcSalt should work in same stanza, multiple inputs.conf and so... IMHO it does not work!!!!!

verbal_666 · ‎06-12-2019

So, 2 stanzas in 2 inputs.conf in the same forwarder instance work with crcSalt = xxx ? Try soon on test environment. Thanks. ps. nope, TA_LOG/default/inputs.conf [monitor:///tmp/*.TXT] index=main sourcetype=TMP:TXT crcSalt = one TA_LOG2/default/inputs.conf [monitor:///tmp/*.TXT] index=test sourcetype=TMP:TXT_BIS crcSalt = two Results always in ingesting to "main". In my opinion crcSalt = xxx does not work as it should.

Posts	114
Solutions	5
Karma Given	17
Karma Received	7
Member Since	‎03-15-2017

Online Status	Offline
Date Last Visited	2 weeks ago

Is there documentation for an Icons list we can in...

Why can't I get a role to query _internal?

What are the Best Practices regarding managing que...

Why License Usage has empty fields?

DROP and GET events by pattern filters?

Is there a way to remove WARNING Banner?

Is it unsafe to upgrade from 7.0.x to 8.2.x?

Does Splunk "Clean All" make itself a backup of au...

NMON ADDON: permissions

BEST PRACTICE: maxKBps

Forwarder - inputs.conf "merging"

Re: How do I configure a heavy forwarder not to in...

Re: Splunk Forwarder - timestamp switched!!!

Re: Splunk Forwarder - timestamp switched!!!

Re: Splunk Forwarder - timestamp switched!!!

Re: Splunk Forwarder - timestamp switched!!!

Splunk Forwarder - timestamp switched!!!

Re: Can't MAP a host field with IN clausole in a m...

Re: Can't MAP a host field with IN clausole in a m...

Re: Can't MAP a host field with IN clausole in a m...

Can't MAP a host field with IN clausole in a map s...

Re: JSON - Duplicated Fields

Re: JSON - Duplicated Fields

Re: JSON - Duplicated Fields

Re: JSON - Duplicated Fields

JSON - Duplicated Fields

Re: DB-Connect - Extract OK, but need some fields ...

DB-Connect - Extract OK, but need some fields tran...

Re: How to index same source to multiple indexes

Re: How to index same source to multiple indexes