Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About andrew207
andrew207
Path Finder
Member since:
07-27-2015
01-30-2025
Community Statistics
| Posts | 21 |
| Solutions | 0 |
| Karma Given | 17 |
| Karma Received | 9 |
| Member Since | 07-27-2015 |
Activity Feed
- Got Karma for Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer?. 12-22-2023 04:04 PM
- Posted Re: DB Connect Addon Integration Issue - Microsoft SQL Server 2012 on Getting Data In. 11-22-2022 01:46 PM
- Karma DB Connect Addon Integration Issue - Microsoft SQL Server 2012 for kiranpanchavat1. 11-22-2022 01:46 PM
- Posted Re: DB Connect Addon Integration Issue - Microsoft SQL Server 2012 on Getting Data In. 11-20-2022 07:25 PM
- Posted Re: Clone all data received from one indexer to another indexer on Getting Data In. 09-13-2022 11:29 PM
- Posted How do I clone all data received from one indexer to another indexer? on Getting Data In. 09-13-2022 11:17 PM
- Posted Re: Splunk.exe writes "OK" to stderr when everything is ok on Getting Data In. 05-31-2022 09:04 PM
- Posted Re: Splunk.exe writes "OK" to stderr when everything is ok on Getting Data In. 05-31-2022 09:03 PM
- Karma Splunk.exe writes "OK" to stderr when everything is ok for jacobappleton. 05-31-2022 09:03 PM
- Got Karma for Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer?. 01-27-2022 07:29 PM
- Got Karma for Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer?. 01-27-2022 07:21 PM
- Posted Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer? on Splunk Enterprise. 01-27-2022 07:17 PM
- Tagged Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer? on Splunk Enterprise. 01-27-2022 07:17 PM
- Got Karma for Storing and retreiving encrypted credentials on Universal Forwarder. 12-15-2021 08:52 AM
- Karma Re: How to do cross validation in Splunk with a multisearch for andres91302. 08-11-2021 05:58 PM
- Karma Speedtest App Upload Value 1/6th of actual number for cameronjust. 02-07-2021 05:56 PM
- Posted Storing and retreiving encrypted credentials on Universal Forwarder on Splunk Dev. 10-25-2020 06:58 PM
- Tagged Storing and retreiving encrypted credentials on Universal Forwarder on Splunk Dev. 10-25-2020 06:58 PM
- Tagged Storing and retreiving encrypted credentials on Universal Forwarder on Splunk Dev. 10-25-2020 06:58 PM
- Karma Re: Delete triggered alert if condition no longer matched for michael_bates_1. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 3 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
11-22-2022
01:46 PM
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024 Just as a followup, performing this change to allow RSA keysizes of 1024 bits worked fine and when combined with explicitly specifying encrypt=false in the JDBC URL we now have working connectivity.
... View more
11-20-2022
07:25 PM
I have hit this problem too, and it's a bit awkward. Here's what I have learned: - Even with encrypt=false in your JDBC URL, authentication still occurs over TLS. - MSSQL 2014 uses 1024-bit keys by default - Newer versions of JRE/JDK (not sure when it changed) specify minimum key lengths of 2048 for RSA I am working to solve this by having the MSSQL team configure suitable certs signed by our PKI. As a temporary workaround you may be able to set this: #$JAVA_HOME/lib/security/java.security jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, RSA keySize < 1024 Notably, we are changing the disabled RSA keySize to <1024, which would allow the 1024-bit keys used by default in MSSQL14 -- even when SSL is explicitely disabled in the JDBC URL.
... View more
- Tags:
- Helo
09-13-2022
11:29 PM
Hello @gcusello I am performing the cloning from a source indexer, not from a uf. This means there is currently no outputs.conf configured, and your answer does not work. Thanks
... View more
09-13-2022
11:17 PM
Hello,
I have one indexer cluster that receives data over inputs.conf [splunktcp://9997].
I want to clone all data received by this indexer cluster on this port to another Splunk instance, which also listens on 9997. I understand this will double my license consumption.
Current: UF --> Indexer (stores all data)
Desire: UF --> Indexer (stores all data) --> Other Indexer (also stores all data)
How can I clone all data received on 9997 from one indexer to another?
Thanks
... View more
Labels
- Labels:
-
indexer
-
inputs.conf
-
universal forwarder
05-31-2022
09:04 PM
i mean 8.2.6, answers won't let me edit
... View more
05-31-2022
09:03 PM
Still happening in 7.2.6 June 2022 😞
... View more
01-27-2022
07:17 PM
3 Karma
I have an SHC and I am using an SHC Deployer to deploy apps to it. Those apps include Splunk ES which is very large. The latest 7.0.0 update for ES may be so large that it causes errors when I apply the cluster bundle.
I have tried increasing max_content_length in [httpServer] in server.conf, this did not work.
What configs can I change to increase this limit so I can use my SHC Deployer? It seems odd that I can't deploy an unmodified ES installation according to the documentation because it's beyond Splunk's limits.
splunk apply shcluster-bundle -target xxx -auth xxx
Error while deploying apps to target=xxx with members=x: Error while updating app=Splunk_SA_Scientific_Python_Linux_x86_64 on target=xxx: Non-200/201 status_code=413; {"messages":[{"type":"ERROR","text":"Content-Length of 2147484959 too large (maximum is 2147483648)"}]},...repeated for each member
... View more
Labels
- Labels:
-
administration
-
troubleshooting
10-25-2020
06:58 PM
1 Karma
I need to safely store encrypted credentials on a UF. I have a scripted input that needs to call an authenticated API endpoint. The authentication is not simple, hence using a scripted input. I have found that passwords.conf does not work on a UF, as creating the file seems to do nothing and hitting the create endpoint of the UF API returns "Method not allowed" for POST and "Not Implemented" for GET. Given the UF binary supports the show-decrypted function I should be able to manually encrypt my password and store it that way, but there doesn't seem to be an opposite to show-encrypted to do that. hash-passwd returns a non-reversible hash. How can I safely store encrypted credentials on a UF within the Splunk ecosystem from an app deployed by a DS?
... View more
Labels
- Labels:
-
rest API
-
scripted input
04-25-2019
09:56 PM
I mean literally delete the triggered alert. In the UI there's a button to delete them, in the REST API there's an endpoint to delete them. I would like an option to delete them if events occur as I described in OP
... View more
I have an alert that runs every 1 minute and triggers when latest(status) = stopped .
If the alert runs and sees latest(status) = running , I want it to delete the triggered alert if there is one.
Is there a way to do this in Splunk?
... View more
04-18-2018
10:09 PM
1 Karma
I have a batch file that executes PowerShell like so:
inputs.conf
[script://.\bin\myscript.bat]
disabled = 0
interval = 60
index = main
The script is (myscript.bat):
type "%PROGRAMFILES%\Splunk\etc\apps\TA-myapp\bin\print-info.ps1" | powershell.exe -noprofile -
The PowerShell we are executing is (print-info.ps1):
$ProcessList = (Get-Process | select Name,Handle)
$ProcessList | Add-Member scriptmethod ToString { 'Name="{0}" Handle="{1}"' -f $this.Name, $this.Handle } -Force
$ProcessList.ToString() | Out-File -Append -NoClobber -Encoding utf8 -FilePath "$env:programfiles\Splunk\etc\apps\TA-myapp\spool\print-info.log"
If I execute the .BAT script manually (double clicking it), this works fine and the file is appended with text as I expect. If Splunk executes it, the file is instead appended with
System.Object[]
How do I get Splunk to output the string that it's supposed to be outputting?
We are unable to use the PowerShell modular input in our environment.
... View more
11-19-2017
06:28 PM
It is almost certainly not possible natively, sorry!
... View more
11-19-2017
02:56 PM
Nothing above the normal requirements for a standalone search head -- so just include the default set of apps as normal and you're fine. Search head cluster logging information largely goes to index=_internal and other pre-existing default indexes.
... View more
01-04-2017
02:55 PM
I've created a modular input using the Python API. I would like to know how I can make parameters optional.
I have set hard-coded defaults in inputs.conf and in the script itself, however, the GUI add input page has all fields set to mandatory -- I would like to change this.
My scheme is defined in the python script itself, a sample is below. How can I make a parameter optional?
SCHEME = """<scheme>
<title>SOAP Polling</title>
<description>Get data from a SOAP Service.</description>
<use_external_validation>true</use_external_validation>
<streaming_mode>simple</streaming_mode>
<endpoint>
<args>
<arg name="param1">
<title>my title</title>
<description>my description</description>
</arg>
<arg name="param2"> <!-- I want to make this optional -->
<title>my title</title>
<description>my description</description>
</arg>
</args>
</endpoint>
</scheme>
"""
... View more
08-03-2016
04:27 PM
3 Karma
The answer by mdessus describes how to detect this issue.
Firstly, the ES Identity and Assets are merged every 5 minutes as a modular input, that explains why sometimes it will happen instantly and other times it can take a few minutes: http://docs.splunk.com/Documentation/ES/4.1.1/User/Identitymanagement#Merging_the_asset_and_identity_lists
What worked for me was the following:
Background: you have a lookup, ad_identity_list that is silently failing to load in to ES. The lookup is populated with good data, you've checked the logs for modular inputs and have seen that the merge is running properly, but no data Identity data is being populated in ES.
Make an interim lookup, called something like ad_identity_interim.
Copy whole ad_identity_list into ad_identity_interim.
Execute the following, to place only a few entries into the Identity lookup ES is trying to merge.
| inputlookup ad_identity_interim | head 5 | outputlookup ad_identity_list
Wait until the merge occurs and you should see the five entries in your Identity Center.
Continue adding incrementally until you have the whole list in there, making sure you wait for the merge to occur between each execution.
| inputlookup ad_identity_interim | head 50 | outputlookup ad_identity_list
| inputlookup ad_identity_interim | head 100 | outputlookup ad_identity_list
| inputlookup ad_identity_interim | head 500 | outputlookup ad_identity_list
| inputlookup ad_identity_interim | head 1000 | outputlookup ad_identity_list
You should now have all your identities in ES.
I'm unsure as to why this works, but the issue has occurred and this fix has worked for me in several completely different architectures. It seems as though once the initial list has populated that the updates to the lookup are loaded properly, so I haven't had to make a chain of saved searches to behave as described above; it works as expected once it's all initially loaded -- noting that I have only ever made minor changes on an ongoing basis.
... View more
05-10-2016
03:12 PM
You can place the TOR exit node list into a CSV then at search time use an inputlookup like so:
index=firewall [|inputlookup torexitnodes.csv | fields exitnodeip ]
Because Tor exit nodes change constantly you will probably need to have this CSV automatically updated by a script.
... View more
12-14-2015
03:53 PM
You're gonna have to escape the rogue quote.
field1",field2", "field3-sdasds"textdata blah blah\" ", "field4-#$%232"
Any quote that's supposed to be ingested as data rather than a delimiter should be escaped by whatever software is constructing the logs.
... View more
12-14-2015
03:37 PM
I have an authentication service.
This service uses EventID 10 which contains the name of the TargetApplication they are authenticating with, as well as a unique ID for the user's session.
The ID can then be correlated with EventID 11 (one Event10 to many Event11 relationship), which provides other details about the user. There are N instances of this event all containing data that needs to be correlated, and they all contain the ID for correlation. EventID 11 does not contain "target application", which has rendered me unable to use any simple methods of correlation.
If I use join, it will only join one of the EventID 11 entries; I need N entries.
If I use transaction, it fails because the EventID 11s do not contain the TargetApplication with which I am performing the initial search to retrieve a list of IDs. Transaction WILL work if I use an ID rather than a TargetApplication, but this is useless as I need more than one result per search.
If I use append/selfjoin, the TargetApplication search will be rendered useless, as when it is performing the append search for Event 11s, it will simply return all the results for every application because EventID 11 does not contain a TargetApplication.
So my question follows.
How do I use the output of a search
// returns list of EventID 10 with ID
TargetApplication=myApp
to power a new search
// returns a list of EventID 11 for the given ID, containing extra data for correlation.
foreach (resultingID in searchResults) {
search [ ID=resultingID EventID=11 ]
}
so I can correlate my data?
... View more
07-28-2015
07:43 PM
makemv suited my purposes.
An arbitrary number of fields should be scalable. Your solution would be a bit messy if there were thousands of "tasks". Thanks though!
... View more
07-27-2015
08:24 PM
input:
myCommand -myArgs taska taskb taskc
myCommand -myArgs taska
myCommand -myArgs taska taskb taskc taskd
What's the best way to capture this? At the moment I'm using the regex
myCommand (?P<args>\-\w+)(\s(?P<tasks>[A-z0-9\s]+))
It results in
1. tasks: "taska taskb taskc"
2. tasks: "taska"
3. tasks: "taska taskb taskc taskd"
How would I go about separating these or making them individual? I want to aggregate by "taska" and draw some nice graphs more easily.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-30-2025
08:25 PM
|
Karma from
Karma given to
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
