Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dsmc_adv
dsmc_adv
Path Finder
Member since:
03-11-2014
06-29-2022
Community Statistics
| Posts | 31 |
| Solutions | 1 |
| Karma Given | 7 |
| Karma Received | 5 |
| Member Since | 03-11-2014 |
Activity Feed
- Got Karma for Re: How to count the number of times Splunk is restarted.. 12-06-2022 03:30 AM
- Got Karma for How to access to Mongo KV Store from Mongo client?. 01-17-2021 10:54 AM
- Karma Re: Why is CSV Timestamp recognition not working with my current props.conf for our production 6.3.2 indexer cluster? for acharlieh. 06-05-2020 12:48 AM
- Karma Re: Can we redirect an index from a heavy forwarder to a different heavy forwarder? for ryanoconnor. 06-05-2020 12:48 AM
- Got Karma for How to access to Mongo KV Store from Mongo client?. 06-05-2020 12:48 AM
- Got Karma for How to access to Mongo KV Store from Mongo client?. 06-05-2020 12:48 AM
- Karma Re: Is there a limit on the number of events returned from the transaction? for kace. 06-05-2020 12:47 AM
- Karma Re: How to use transaction command for MuS. 06-05-2020 12:47 AM
- Karma Re: How to count the number of times Splunk is restarted. for yannK. 06-05-2020 12:47 AM
- Karma Is there any way to overlay vertical lines for event marking in Splunk timecharts? for aramirez_evolut. 06-05-2020 12:47 AM
- Karma Questions about Splunk Queues. for Genti. 06-05-2020 12:45 AM
- Posted Filter console outputs from Jenkins loggers on All Apps and Add-ons. 06-29-2018 04:27 AM
- Posted Re: Send email alerts in gz format on Alerting. 06-05-2018 09:59 AM
- Posted Re: Send email alerts in gz format on Alerting. 05-03-2018 09:36 AM
- Posted Re: Send email alerts in gz format on Alerting. 04-26-2018 03:51 AM
- Posted Send email alerts in gz format on Alerting. 04-26-2018 03:08 AM
- Tagged Send email alerts in gz format on Alerting. 04-26-2018 03:08 AM
- Posted Re: Why is CSV Timestamp recognition not working with my current props.conf for our production 6.3.2 indexer cluster? on Getting Data In. 05-05-2017 06:34 AM
- Posted Re: Why can't I delete kvstore collections using the REST API via Python? on Splunk Dev. 02-01-2017 07:06 AM
- Posted Lookup File Editor App for Splunk Enterprise: Can a user create a collection from the lookup editor? on All Apps and Add-ons. 01-30-2017 04:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-29-2018
04:27 AM
My splunk instance is indexing lots of console errors performed by a job that I cannot determine. I discarded a time ago the .log files that are in the workspace but now I have 1gb of data indexed by day:
index =jenkins_console
source = logger://org.biouno.unochoice.AbstractUnoChoiceParameter
log_thrown: java.lang.RuntimeException: Failed to evaluate script: No such property: url for class: Script1
How do I determine where is coming from, and then how I fix it or discard these messages ?
... View more
06-05-2018
09:59 AM
I finally created my own app with a script that reads the results_file, cleans the metadata columns, creates a gzip and attaches it to an email. The recipients can be configured with a defined user interface:
https://github.com/rmacian/splunk-gzip-alerts
... View more
05-03-2018
09:36 AM
That would be super easy for me that I have rights to access with the splunk cli but the user, who defines the search in the ui and wants to get the results doesn't.
... View more
04-26-2018
03:51 AM
This app involves lookups and if I add a lookup with a 500000 results the bundle size would be affected, but thanks
... View more
04-26-2018
03:08 AM
I want to get more than 10000 results and after reading some answers about the limits in the email and I realized that if I bump from 10000 to 500000 results I will have a huge file that I will not be able to send by email. So I started to attack this.
My first thought was to directly send with a custom alert action. A ptyhon script that emails the results_file through as is easy accessible by the results_file payload but this gives me raw results that I will have to parse (how?). The other alternative is to modify the default email script for my specific app. Any advice ?
Is strange that the default email action only sends plain csv files and not give the option of compressing it.
... View more
05-05-2017
06:34 AM
Worked for me too. It was turning month/day in the _time field and I didn't understand why
... View more
02-01-2017
07:06 AM
I cannot delete either. I get an error:
curl -k -s -u admin:changeme https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config/test_collection_collection -X DELETE
<msg type="ERROR">Object id=test_collection_collection cannot be deleted in config=collections.</msg>
... View more
01-30-2017
04:34 AM
I can create a new lookup with the admin user and thus create a new collection. When I try to use another user which has permissions to write to the app I get a "You do not have permission to make a KV store collection" message.
I just tried to add rest_get and rest_set capabilities but does not work.
Update:
I've been performing some tests. When you create the lookup from the admin user it creates the collection under $SPLUNK_HOME/etc/apps/appsname/local/collections.conf and under the local.meta it sets the owner to admin user. I have not seen how to change the owner through the UI, so this collection is not usable by any user othen than admin.
The api is more specific and tells you need the admin_all_objects capability (aka an admin user)
$ curl -k -u poweruser:password -d name=mycollection https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">You (user=poweruser) do not have permission to perform this operation (requires capability: admin_all_objects).</msg>
</messages>
</response>
What's the point to create a collection from the UI if only admin user can use it and you need to modify the files directly to change this behaviour?
... View more
11-17-2016
07:42 AM
Keep in mind that that raw events are only supported in Splunk 6.4 and onwards
http://dev.splunk.com/view/event-collector/SP-CAAAE8Y
... View more
06-07-2016
04:57 AM
3 Karma
Hi all,
I'm using icinga to monitor my servers and I would like to use the mongo plugin to monitor the kv store. The problem is that it is password protected and I cannot query with admin privileges. Is the password known?
... View more
06-06-2016
11:47 PM
Thanks for the response, I will be commenting every question you asked in the following lines:
Do you have any reason to not connect your new HF directly to your indexers? It seems like an odd topology to have HF --> HF --> Indexers.
Yes, there is a reason why we want to do this. We want to separate and filter separate things in every HF. In the first one we will redirect indexes and on the other one we will filter events. In both we are using props and transforms files to do this.
Is the universal out of the picture now and you've replaced the Universal Forwarder with a Heavy Forwarder?
Yes, the universal no longer exists. Now we have only HF.
Will it still match on the same hostname? You're doing that filtering in props with a specific hostname so make sure that hasn't changed.
Yes, the hostname is the same.
We are asking the community because we are not sure if this is even something possible. It is our desire, due to topology needs but if it is not possible we will move back to the configuration we had before.
Thanks!
Best Regards
... View more
06-06-2016
04:01 AM
Hi,
We are currently on version 6.3.3. The situation is the following:
We had a configuration of a Universal Forwarder that connected to a Heavy forwarder and that connected to an indexer. In that heavy forwarder, we did some index redirecting as the following:
transforms.conf
[Redirect1]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = redirect_test_index
props.conf
[host::TestHost]
priority = 100
TRANSFORMS-test1= Redirect1
The data from testhost was being sent by the universal forwarder that I previously mentioned. This worked fine as we indexed the information into the redirect_test_index
We wanted to do that redirecting on our universal forwarder server, not on the heavy forwarder. What we did was to migrate that universal forwarder to a heavy forwarder, and we have kept the connection like it was on the old universal forwarder (that now is a heavy forwarder). We removed the redirecting configuration from the old heavy forwarder to the new one, but it doesn't seem to work.
We have the new HF connect to the old HF, the new HF is not directly connected to an indexer. Could that be the issue?
The topology is: HF1 (old UF) -> HF2 -> Several Indexers
Thanks in advance,
Best Regards
... View more
05-16-2016
02:23 AM
The information you are looking for is in etc/pooling/pooling.ini
[general]
guid = 80D0C74D-0819-4AA4-B5D8-C5EB5e41029B
kvstore_secret = 5cdae94f7015f55698abb975R2c7818e3fabaa9e3001f61b3942ee3bfd854338
kvstore_active_members = 99145D4E-6AF2-4D0C-8DCB-269027785CAD,B76C11A2-49F1-458A-9EA2-7C877B06CAF4
kvstore_sync_master = B76C11A2-49F1-458A-9EA2-7C877B06CAF4
[kvstore]
host1 = host1.mylocaldomain:8191
host2 = host2.mylocaldomain:8191
So, I suppose that must be part of head pooling in order to read this configuration and sync the mongo db
... View more
05-16-2016
02:18 AM
I think is a must to have 3 members to have mongo replication work, can anyone confirm it?
... View more
05-11-2016
02:28 AM
1 Karma
I downvoted this post because it doesn't return all the values
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-29-2022
09:28 AM
|
