Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Lucas_K
Lucas_K
Motivator
Member since:
01-18-2012
08-26-2024
Community Statistics
| Posts | 498 |
| Solutions | 46 |
| Karma Given | 157 |
| Karma Received | 263 |
| Member Since | 01-18-2012 |
Activity Feed
- Posted Re: Trigger shell script from dashboard button on All Apps and Add-ons. 08-26-2024 03:33 PM
- Got Karma for Re: How to fix broken Menu Icons in the app navigation drop-down menu?. 02-13-2023 05:52 AM
- Got Karma for Re: How to fix broken Menu Icons in the app navigation drop-down menu?. 05-28-2022 11:09 PM
- Got Karma for Re: Search head cluster hybrid search error : "Gave up waiting for the captain to establish a common bundle version...". 05-26-2022 05:41 AM
- Got Karma for Daylight savings vs scheduled search fun.. 08-10-2021 07:44 PM
- Got Karma for Re: Daylight savings vs scheduled search fun.. 08-10-2021 07:44 PM
- Got Karma for Re: Why is INDEXED_EXTRACTIONS=csv not working in props.conf?. 07-28-2021 07:12 AM
- Got Karma for Re: which sendemail.py to use. 07-22-2021 02:52 AM
- Posted REST API Modular Input : Polling interval is not consistant on All Apps and Add-ons. 03-29-2021 06:40 PM
- Posted Re: Trigger shell script from dashboard button on All Apps and Add-ons. 09-24-2020 07:28 PM
- Karma Re: Trigger shell script from dashboard button for sideview. 09-24-2020 07:26 PM
- Karma Re: Trigger shell script from dashboard button for sideview. 09-24-2020 07:26 PM
- Karma Re: Working with CSV for richgalloway. 06-05-2020 12:51 AM
- Got Karma for Re: How do I figure out what the real problem is with my index cluster?. 06-05-2020 12:51 AM
- Got Karma for Re: set of dashboards with in a dashboard. 06-05-2020 12:51 AM
- Got Karma for Re: set of dashboards with in a dashboard. 06-05-2020 12:51 AM
- Got Karma for User profile web UI option "Restart background jobs when the Splunk software is restarted" what does it actually do?. 06-05-2020 12:50 AM
- Karma Re: Poor ldapsearch performance - SA-ldapsearch app for dfronck. 06-05-2020 12:49 AM
- Karma Re: Poor ldapsearch performance - SA-ldapsearch app for datasearchninja. 06-05-2020 12:49 AM
- Karma Re: Summarizing data and storing it in a metrics index (Splunk 7.0.0) for esix_splunk. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 3 | |||
| 1 | |||
| 0 | |||
| 1 |
07-17-2016
11:23 PM
According to this post kvstores get replicated to indexers.
Is there a way to disable or specifically control this behaviour.
We have a kvstore > 100GB that doesn't need to be replicated. And I believe this may be causing performance issues.
... View more
07-17-2016
09:25 PM
PDF generation has changed over the different versions of splunk.
There used to be the pdf server addon that did a "like for like"/"as-is" dashboard generation. Support for this stopped at version 6.
There is another app "Report Sender" that can potentially do a very similar job here -> https://splunkbase.splunk.com/app/2614/
I havn't personally tested it myself yet.
... View more
07-15-2016
07:07 PM
We had exec level management make business decisions based on incorrect time information due to this. As their login was gmt timezoned the presentation of dashboards was out by 10 hours.
It wasn't until engineering came back and said "it's impossible for those figures to be that at those times" that the logged in users profile was checked.
So yes, "absolute hell" was accurate and highly embarrassing when we were directly competing with other big data systems at the same time to produce the reports. It's hard to be an avangelist for a product when the simplest of fixes never make it into the product. I have a dozen other similar reported fixes.
... View more
07-14-2016
11:17 PM
Create a list of those variables (potentially from another search or even a lookup file for ease of modification using an APP) and then run the searches via a map command.
This way you can have the same search run over and over with just different variables.
Map command - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map
Cut & Paste Example :
| eventcount summarize=false index=*
| map maxsearches=1000 search="| metadata type=sourcetypes index=\"$index$\" splunk_server=\"$server$\" | eval index=\"$index$\" | eval server=\"$server$\" "
| fields index server sourcetype totalCount | stats sum(totalCount) AS eventCount by index, sourcetype
Note that the internal search is surrounded by quotes of its own! The variables are surrounded by single dollar signs on either side.
... View more
07-14-2016
07:30 PM
6 Karma
I'd previously raised this years ago as a support ticket but it hasn't been added so I thought i'd post it here as it is an on going issue and it causes no end to the absolute hell that it has caused.
There is no Melbourne or Sydney Australia time zone in the gui for users to set their correct time zones. This still exists in the latest v6.5.
As our search heads support users from all over the world setting it as a default isn't appropriate.
Supports original suggestion of telling users to use Hobart, does functionally work but is very unprofessional to be telling high level managers that they are in a different part of the country 😉 Like telling a New Yorker they are from Florida I suppose.
The fix is so very, very simple. Yet has missed 2 large version releases (v5 and v6).
./etc/apps/search/default/data/ui/manager/authentication_change_user_password.xml
Find Line 109
109 <opt value="Australia/Hobart" label="(GMT+10:00) Hobart"/>
Add
110 <opt value="Australia/Melbourne" label="(GMT+10:00) Melbourne"/>
111 <opt value="Australia/Sydney" label="(GMT+10:00) Sydney"/>
After
... View more
07-14-2016
07:08 PM
If you utilise a new deployment server the app checksum's that is provided to the client will differ. As such the client will remove the old app(s) and install the new one(s).
This is why you need to use "sticky sessions" if you load balance deployment servers. Each deployment servers checksums are unique even if they contan that EXACT same (ie. md5sum shows exactly the same) files.
If you replace one deployment server for another this same behaviour will occur also.
The delay in replacing the app will be the phonehome time. This is also based on the initial start time of the instance.
... View more
07-12-2016
03:35 AM
Shouldn't you be listening on port 9997 on your indexer?
Unless your outputs in your HF are doing raw udp transfers (for some bizarre firewall reason perhaps?) you have your hf incorrectly configured.
... View more
07-12-2016
03:29 AM
Unfortunately not.
... View more
07-11-2016
10:50 PM
hmm so 1 minute for 500k lines is acceptable? (according to that post).
That would make my lookup twice as fast as theirs for the same number of objects.
Still looking for information on improving performance.
July 26th edit: so in comparison to that post I am running at double that expected speed already. So i'd guess this is the best I can hope for.
... View more
07-11-2016
10:48 PM
Is this accurate as of 6.4? Is there any documentation on this at all?
We have kv stores in excess of 80GB per collection. If they are indeed distributed to search peers this would be an issue.
... View more
07-07-2016
06:31 PM
Does anyone have any ball park performance figures for what a kv store should perform like with 5mill+ entries for the specs below?
I have a kv store with around 5.5 million entries and it takes over 5 minutes to return from a simple lookup search.
ie. | localop |inputlookup session_kv | stats count
Runtime : 326 seconds.
This is running on a standalone hardware search head Splunk v6.4.1 Linux x64.
Basic System specs
100GB ram.
16 x Intel(R) Xeon(R) CPU X6550 @ 2.00GHz
DMC info
Collection size 7901MB
Acceleration size 577MB
Resident memory 8307MB
Virtual memory 21000MB
I've tried tweaking some of the available limits.conf settings, but lookup speed has not varied by much.
limits.conf
[default]
max_mem_usage_mb = 10000
[kvstore]
max_queries_per_batch = 20000
max_rows_per_query = 1000000
max_queries_per_batch = 20000
max_size_per_result_mb = 1000
max_accelerations_per_collection = 0
max_fields_per_acceleration = 0
max_threads_per_outputlookup = 0
I don't know of any other things I should do to try and improve the kv's performance.
Ideas?
... View more
06-02-2016
03:02 PM
1 Karma
The fix
File: /opt/splunk/share/splunk/search_mrsparkle/exposed/css/build/bootstrap.min.css
Reason: Seems to have been a typo in which a "\9" was inserted after the normal auto value.
Line 7 .
Find
auto\9
Replace with
auto
Restart splunk.
... View more
06-02-2016
06:19 AM
As the Splunk bug fix url doesn't work anymore, I might as well post here.
Bug manifests as a logo banner that is stretched across the width of the navigation bar. This only occurs in Internet Explorer.
File: /opt/splunk/share/splunk/search_mrsparkle/exposed/css/build/bootstrap.min.css
Seems to have been a typo in which a "\9" was inserted after the normal auto value.
Line 7 .
Find
auto\9
Replace with
auto
Restart splunk.
... View more
05-19-2016
07:11 PM
So did you figure out a full config example on how this was used?
Can you clone to a different index?
... View more
05-19-2016
07:07 PM
Clone_sourcetype. Hmm haven't seen that one before will have to investigate the one.
... View more
05-19-2016
07:06 PM
Thanks! Unfortunately it doesn't get me the "like for like" proof I'm after it will also be a large resource hog to do so. Search time exceeds the time frame so it can't keep up with the incoming data.
It's a non trivial volume of data hence the entire requirement to do it on the way in.
I think I'm going to just pull the trigger on it and pray this fixes the issue.
... View more
05-10-2016
05:25 PM
I have a situation where I'd like to duplicate some or all events going to one index into another.
The only point at which I can touch the data is as it hits the indexers. I can't use another heavy forwarder to do the duplication in flight.
In reading the docs, I've come up with this, but I think I'm missing something fundamental.
At a basic level below is sort of what I want:
props.conf
[mydupesourcetype]
TRANSFORMS-duplicate = original_index, duplicate_index
transforms.conf
[original_index]
FORMAT = indexa
REGEX = (.)
DEST_KEY = _MetaData:Index
[duplicate_index]
REGEX = mydupesourcetype
FORMAT = indexb
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = _MetaData:Index
http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Routeandfilterdatad
This would mean the props and transforms above would never work as it would just rename the index in the duplicate_index stanza.
... View more
05-10-2016
04:26 PM
Thanks. yeah on the machines I tried it on i couldn't get the splunk cmd openssl output to redirect to a file using the ">". Not sure if it was a windows 10 issue. Directly calling the openssl was the way that it worked in the end.
... View more
Finally got the renew script to run on a windows machine using only existing splunk binaries.
@echo off
set PATH=%PATH%;C:\Program Files\SplunkUniversalForwarder\bin\
powershell -ExecutionPolicy ByPass -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\ssl_check_windows-x64\bin\s-renewcerts.ps1" -defaultCA -liveCA -serverCert -opensslConf "C:\Program Files\SplunkUniversalForwarder\openssl.cnf" -splunkHome "C:\Program Files\SplunkUniversalForwarder"
So far its only been tested on windows10. Any ideas on how to automatically grab the splunk home path into a variable would be great.
... View more
05-05-2016
10:23 PM
I've figured out a way to do it by calling the binary directly and not the "splunk cmd" method.
Below is my scripted input
inputs.conf
[script://.\bin\ssl_check_ca.bat]
disabled = false
index = sos
interval = 86400
sourcetype = ssl_check_ca
ssl_check_ca.bat
@echo off
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a:%%b)
"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
set /p VV=<cacert.txt
For /f "tokens=1-6 delims=/ " %%a in ('echo %VV%') do (set enddate=%%a="%%b %%c %%d %%e %%f")
echo %mydate% %mytime%, ssl_cert=cacert.pem, %enddate%
It is a start and provides a nice mostly clean output like the following which is good enough for what it needs to do.
2016-06-05 03:19 PM, ssl_cert=cacert.pem, notAfter="Jul 21 17:12:19 2016 GMT"
Note: this doesn't do ANY path validation so it just assumes a default installation directory.
This has only been run on windows 10 so I still need to validate it against other versions of windows.
... View more
05-05-2016
10:19 PM
Its not a unix box. Its windows.
Please try what your suggesting on a windows machine and seeing what happens. 😉
... View more
05-04-2016
10:59 PM
Does anyone have a nice windows scripted input that will output the local certificate end date?
ie. something like
inputs.conf
[script://.\bin\ssl_check.bat]
disabled = false
index = ssl_check
interval = -1
sourcetype = ssl_check
ssl_check.bat
"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem"
My problem is that the windows openssl opens its own little window and doesn't output to stdout. As such there isn't any text for the input to grab.
edit: i've tried numerous x509 parameters but nothing seens to want to output a text version of the certificate to a file. All the -out or -text options only output to the spawned console which can't be grabbed.
We need this to verify remediation work.
... View more
04-30-2016
04:11 AM
+1 thanks joshd.
You wouldn't believe the number of forwarders we have to figure out the owners for. I ran a report and just for the ones that actually forward internal logs for our original estimates were off by 50% This would have had a massive negative impact on the company I work for. And might have resulted in some ass kicking somewhere along the line. There were already factions that were anti Splunk and this would only added to their arsenal.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-26-2024
07:26 PM
|
Karma given to
