Activity Feed
- Karma Re: How to replace the value of field for another field value if a certain condition is met? for woodcock. 09-27-2024 04:54 AM
- Posted Re: "Fatal thread error: pthread_mutex_lock: " when persistent queue enabled. Crashing thread: typing on Knowledge Management. 09-11-2024 03:35 AM
- Karma "Fatal thread error: pthread_mutex_lock: " when persistent queue enabled. Crashing thread: typing for hrawat. 09-11-2024 03:27 AM
- Karma Re: Splunk Support for Active Directory: Is it possible to pass a variable in to ldapsearch? for IngloriousSplun. 07-17-2024 07:21 AM
- Got Karma for Re: How to resolve issues with mongod startup such as "Failed to start KV Store process" error?. 08-22-2023 05:32 AM
- Got Karma for Re: KVStore failure after upgrade to 9.0. 07-29-2023 08:35 AM
- Posted Re: KV Store status failed after upgrade to on Splunk Enterprise. 07-07-2023 09:09 AM
- Posted Re: How to resolve issues with mongod startup such as "Failed to start KV Store process" error? on Knowledge Management. 07-07-2023 09:07 AM
- Posted Re: Why am I experiencing KVStore Failure using Red Hat Linux 7.5 and Splunk 7.3.4? on Knowledge Management. 07-07-2023 08:12 AM
- Posted Re: Why is KV Store certificate renewal not working? on Knowledge Management. 07-07-2023 08:07 AM
- Karma Re: Why is KV Store certificate renewal not working? for helge. 07-07-2023 08:04 AM
- Karma Re: Can't add UDP input because of error "UDP port 514 is not available." Why? for gkanapathy. 06-21-2023 08:37 AM
- Posted Re: KVStore failure after upgrade to 9.0 on Splunk Enterprise. 02-05-2023 06:04 AM
- Karma Why is there KVStore failure after upgrade to 9.0? for bigfatyeastroll. 02-05-2023 05:59 AM
- Karma Re: After upgrading to 6.5.0, KV Store will not start for claudio_manig. 01-18-2023 05:43 AM
- Karma After upgrading to 6.5.0, KV Store will not start for jcrabb_splunk. 01-18-2023 05:42 AM
- Karma Re: Universal Forwarder 8.0 upgrade path from 6.x for burwell. 12-07-2022 03:37 AM
- Karma Why am I getting this error "HttpInputDataHandler - Failed processing http input" in splunkd.log on heavy forwarder? for lukasmecir. 08-01-2022 06:57 AM
- Karma Re: ldapsearch error_message=password is mandatory in simple bind for jamesdsteel. 07-05-2022 06:58 AM
- Posted Re: External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration s on All Apps and Add-ons. 06-14-2022 05:23 AM
03:35 AM
On a Linux HF, I was seeing this error in and now in 9.2.1 as well. It worked after disabling the set "persistentQueueSize" parameter in inputs.conf. This is the only change we made. Thank you.
09:09 AM
On Windows, you may get the following error message in mongod.log:
Fatal Assertion 50755 at src\mongo\util\net\ssl_manager_windows.cpp 1609
To fix the error that causes mongod to terminate, you need the following in addition to deleting server.pem:
- Open the Windows certificate management MMC for the local computer (certlm.msc)
- Navigate to Personal > Certificates
- Delete any entries named SplunkServerDefaultCert
- Restart Splunk.
08:07 AM
This worked after a lot of research. Thank you. Just for others: don't run certmgr.msc on the server. Instead run certlm.msc to see the "SplunkServerDefaultCert" entries. I was doing this wrong.
06:04 AM
1 Karma
Your logs indicate an old pem cert. Have you tried renaming the server.pem file under splunk/etc/auth, then restarting the splunk service? Most KV store issues are resolved with this action.
2022-06-29T15:04:51.149Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.
05:23 AM
This seems to be a known issue and the solution is available in the documentation link below. Creating the local\commands.conf worked for us.
- Tags:
- error
- ldapfilter
10:23 AM
Hi All, we are working on getting Appian data into Splunk. Appian has been configured to push the logs to the Splunk syslog endpoint. We have tried several things, but the data received in Splunk is still encrypted. Below is the Splunk config. Please help us if you have done this in the past or know how to fix this.
Splunk Version: 8.1.4
etc\apps\search\local\inputs.conf
[tcp://514]
connection_host = ip
index = appian
sourcetype = syslog
[SSL]
requireClientCert = false
serverCert = $SPLUNK_HOME\etc\auth\splunkweb\myDataCertificate.pem
sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256
Note: myDataCertificate.pem is a combination of server+interimCA+rootCA.
Sample Encrypted Data
10/10/21 8:04:18.000 PM \x00\x00\x00\x9E\x00\x9F\xC0|\xC0}\x003\x00g\x009\x00k\x00E\x00\xBE\x00\x88\x00\xC4\x00\x00\xA2\x00\xA3\xC0\x80\xC0\x81\x002\x00@\x008\x00j\x00D\x00\xBD\x00\x87\x00\xC3\x00\x00f\x00\x00D\x00\x00\x00\x00\x00\x00\xFF\x00\x00\x00#\x00\x00\x00
10/10/21 8:04:18.000 PM \xC0r\xC0\xC0\xC0/\xC00\xC0\x8A\xC0\x8B\xC0\xC0'\xC0\xC0v\xC0\xC0\x00\x9C\x00\x9D\xC0z\xC0{\x00/\x00<\x005\x00=\x00A\x00\xBA\x00\x84\x00\xC0\x00
- Tags:
- Appian
- integration
07:49 AM
I was fed up with deleting the fishbucket multiple times and using btprobe. Deleting the "application" file under "\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog" did the job. Thank you.
11:31 PM
Hi, thank you for the answer. Could you please share an example of the connection configuration that you did? Maybe a screenshot from DB Connect will help.
02:17 AM
1 Karma
Hi, try this query:
index=yourindex |stats values(Date) values(Source) values(Label) count by Host
I tried it on my data and the results look like what you asked for.
03:49 AM
1 Karma
I copy-pasted your query and it didn't sort. I just deleted the "-" character before MegaBytes and typed it again.
The search query then gave me sorted results. Strange, though.
index=_internal source=*license_usage.log type=Usage | eval MB = round(b/1024/1024,1) | chart sum(MB) as MegaBytes by h | rename h as device | sort -MegaBytes
07:55 AM
Thanks Luke. The explanation in the wiki link was a bit complex and took time to understand, but it certainly supports your answer.
I was running two parallel daily reports, one based on _time and the other based on _indextime, to verify whether my retention values were working as expected. But both were confusing me.
Now I will concentrate on the _time-based one for my further analysis.
Thanks again.
06:40 AM
Hi, when we set frozenTimePeriodInSecs to 30 days for an index: I have read in the documentation and forums that the bucket moves to the frozen state when all the data in the given bucket is more than 30 days old, but I need some more clarity. Basically, I think the condition is one of the below for the latest event in the bucket:
_time > frozenTimePeriodInSecs
_indextime > frozenTimePeriodInSecs
Please let me know which time controls the retention.
06:24 AM
The RDS SQL instance on the AWS environment is an endpoint (e.g. ). We can connect to this instance through SQL Express or SQL Management Studio, using credentials on port 1433. The instructions to do the same are in the link below.
When we try to do the same with "Splunk DB Connect-2", we get an "Internal Server Error" or "Operation Timed Out".
The RPC server is up and all the supported drivers are downloaded and available. We can connect to a local SQL DB, but we are not sure if we are doing anything wrong when connecting to AWS RDS.
Has anyone tried doing this? If yes, please point us to the documentation.
- Tags:
- splunk-enterprise
10:00 AM
We have a custom Python script that we use to send "events" to ServiceNow from Splunk. This is working fine in Splunk 6.1.8 (Splunk App for ServiceNow 2.4).
The same Python script is not working on Splunk 6.3.0 (latest Splunk App for ServiceNow 4.0.1). The reason we use a custom Python script is that our events module in ServiceNow is a customized one and the field names differ from the standard Fuji version.
Please let me know if you have faced the same issue and have a solution.
09:11 AM
Hi Woodcock, thank you for your response. As you said, I see lagsecs=-1 and lagsecs=-2 for some events. To troubleshoot the time zone issues, we tried defining the time zone (TZ=Asia/Calcutta) in the props.conf file at \SUF\Input_app\local\ on the host, but we didn't see any improvement. Please suggest a fix if you know one.
10:08 AM
We have the same app deployed on multiple Domain Controllers. On some DCs, the data indexed in Splunk is older by 2.5 hours or so. Though the DC has the latest entries in the Event Log, they appear in Splunk (6.1.8) only after a certain duration of time.
We have tried upgrading the forwarder version and also configuring thruput in limits.conf, but it doesn't work.
Please help.