Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MarkSplunker
MarkSplunker
Explorer
Member since:
08-11-2015
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 08-11-2015 |
Activity Feed
- Got Karma for " Splunk Add-on for Tenable:" How can I resolve basic SSL connection failure throwing error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed" ?. 06-05-2020 12:49 AM
- Posted Re: " Splunk Add-on for Tenable:" How can I resolve basic SSL connection failure throwing error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed" ? on All Apps and Add-ons. 10-25-2017 07:35 PM
- Posted Re: " Splunk Add-on for Tenable:" How can I resolve basic SSL connection failure throwing error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed" ? on All Apps and Add-ons. 10-25-2017 06:49 PM
- Posted " Splunk Add-on for Tenable:" How can I resolve basic SSL connection failure throwing error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed" ? on All Apps and Add-ons. 10-20-2017 06:31 PM
- Tagged " Splunk Add-on for Tenable:" How can I resolve basic SSL connection failure throwing error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed" ? on All Apps and Add-ons. 10-20-2017 06:31 PM
- Posted Re: How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-14-2015 12:22 PM
- Posted Re: How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-14-2015 09:46 AM
- Posted Re: How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-14-2015 09:41 AM
- Posted How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-13-2015 05:02 PM
- Tagged How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-13-2015 05:02 PM
- Tagged How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-13-2015 05:02 PM
- Tagged How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-13-2015 05:02 PM
- Tagged How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-13-2015 05:02 PM
- Tagged How do I fix "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." on Splunk Search. 08-13-2015 05:02 PM
- Posted Re: Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error." on Splunk Search. 08-12-2015 11:37 AM
- Posted Re: Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error." on Splunk Search. 08-12-2015 11:32 AM
- Posted Re: Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error." on Splunk Search. 08-12-2015 09:50 AM
- Posted Re: Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error." on Splunk Search. 08-12-2015 09:41 AM
- Posted Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error." on Splunk Search. 08-11-2015 11:48 AM
- Tagged Is there a way to search for all Splunk error messages? I'm looking for a solution to "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error." on Splunk Search. 08-11-2015 11:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 |
10-25-2017
07:35 PM
Hello again Nick*.
I tried your second approach and it is working. Thanks so much!
BTW, on Windows, the path for nessus.conf is C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\local\nessus.conf.
I haven't sniffed the wire yet to see if traffic is NOT encrypted as a result of this tweak, but will check tomorrow. Thanks again.
... View more
10-25-2017
06:49 PM
Hi, Nick*.
Thanks for responding. Firefox thinks it's ok. That's where I started: connecting to SC, then exporting the chain. The directions implied that I simply copy the file into the proper directory and rename it, but if they mean something other than that please let me know.
... View more
10-20-2017
06:31 PM
1 Karma
Following the instructions to "Troubleshoot the Splunk Add-on for Tenable" at https://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot I copied the PEM file from Firefox (with its default .crt extension) over to $SPLUNK_HOME/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/ and renamed it to cacerts.txt. I'm still getting the same error. One of the forums suggested exporting from Firefox 'with chain', so I tried that as well and it failed. Restarting Splunk each time still did not fix the problem. This is a single standalone Splunk installation. Any thoughts? Thanks.
... View more
- Tags:
- splunk-enterprise
08-14-2015
12:22 PM
Excellent! Thank you Raschko, that did it. I didn't realize that rex would keep looking past the final double quote and get confused. I guess we need to fully terminate that command and start a new search. Thanks again!
... View more
08-14-2015
09:46 AM
Hi, Jeffland. I don't know how to post regex as code, and a google search didn't provide a useful answer. Can you explain how to do that, or post a link? Thanks for your help.
... View more
08-14-2015
09:41 AM
Hi, MuS. Thanks for responding. From my understanding and experience, subsearches provide an argument to the primary search. The subsearch runs first and provides results in the field DeviceName, which are then used to pull matching events in the primary search. When I tried inserting a | as you suggested it throws the error message: "Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '228' of search query 'search source="File1.c...{snipped} {errorcontext = me>.*)" | [ search so}'."
... View more
08-13-2015
05:02 PM
Why does this rex query work fine in a simple search, but then fail when used in both a primary and a subsearch? I need to parse fields in both places. I built an initial query that worked fine alone, then created a subsearch and copied/pasted the identical rex into it. It now fails with the error "Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector." This doesn't make sense to me since it worked alone, but now with two copies of them it fails.
What do you think is going on, and how do I fix it? The purpose is to find Devices with Tasks that failed at one time, but where a later Task succeeded. Thanks so much.
Here is the code, although for some reason the * asterisks after each dot (.) in the regexes don't seem to come through in the preview window:
source="File1.csv" index="inventory-legacy" | regex Notes="^Succ.*" | transaction Description | rex field=Description "^(?<TaskID>[^-]+).*" | rex field=Description "^[^-]+-(?<DeviceName>.*)" [ search source="File1.csv" index="inventory-legacy" | regex Notes="^Fail.*" | transaction Description | rex field=Description "^(?<TaskID>[^-]+).*" | rex field=Description "^[^-]+-(?<DeviceName>.*)" | dedup DeviceName, TaskID | fields DeviceName ] |sort -_time, +TaskID, +DeviceName | table _time, TaskID, DeviceName, Description, Notes
More background: Initially I tried a simple query using (Notes="Succ*" OR Notes="Fail*") [thank you RickGalloway for your input] which does indeed pull all records, both successes and failures, but it's not quite what I want. I created the subsearch to first identify Devices associated with a particular TaskID that attempted an action at one time and failed. Once we have that pool of devices, the primary search looks to see which of those devices subsequently ran with a new TaskID that did succeed. Using a subsearch should greatly reduce the events returned, and will provide the answer I need to the question: "Which TaskID (a set of tests run on a Device) subsequently succeeded after a previous TaskID (different tests) had failed?" Thanks!
... View more
08-12-2015
11:37 AM
Chris, thanks for your answer about error messages. I know some people are using Splunk to review sourcecode, so I'm sure you are doing something similar internally as well. Perhaps that will help pull out those pieces of code that identify error messages for amplification. We'll be interested to see the improvements you speak of.
Do you have any feedback on my more important question? Why is the very same rex query failing when used in a primary/subsearch context, but works fine when used alone in a single query statement?
... View more
08-12-2015
11:32 AM
Rich, Thanks again for your input. We'll see what happens.
... View more
08-12-2015
09:50 AM
I tested the code you suggested and it is similar to what I started with originally. It does pull all records, both successes and failures, but it's not quite what I want. The subsearch is to first identify Devices associated with a particular TaskID that attempted an action and failed. Once we have that pool of devices, the primary search looks to see which of those devices subsequently ran with a new TaskID that did succeed. This will greatly reduce the events returned, and will provide the answer I need to the question: "which TaskID (a set of tests run) succeeded after a previous TaskID (different tests) had failed previously. Thanks again for your help.
... View more
08-12-2015
09:41 AM
Hi, Rich. Thanks so much for responding. I guess I could have been clearer with my first question regarding "all Splunk error messages", but I am asking for a listing from Splunk of all error messages that their code generates, what causes each to trigger, and possibly how to fix the underlying cause of the problem. I am not asking how to view errors that have been logged in my system, but rather the meaning of any error message I encounter. Thanks again, especially if you have an answer to that.
As for Question 2 I will try the code you suggested.
... View more
08-11-2015
11:48 AM
Question 1: Is there a centralized place to search for all Splunk error messages? Searching answers.splunk.com I've not been able to find a reference to, or solution for,
"Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector."
Question 2: Why does this rex query work fine in a search, but then fail when used in both a primary and a subsearch? I need to parse fields in both places. I built an initial query that worked fine alone, then created a subsearch and copied/pasted the rex into it. It now fails with
"Error in 'rex' command: Invalid argument: '(' The search job has failed due to an error. You may be able view the job in the Job Inspector."
What do you think is going on, and how do I fix it? The purpose is to find Devices with Tasks that failed at one time, but where a later Task succeeded. Thanks so much.
Here is the code, although for some reason the * asterisks after each dot (.) in the regexes don't seem to come through in the preview window:
source="File1.csv" index="inventory-legacy" | regex Notes="^Succ.*" | transaction Description | rex field=Description "^(?<TaskID>[^-]+).*" | rex field=Description "^[^-]+-(?<DeviceName>.*)" [ search source="File1.csv" index="inventory-legacy" | regex Notes="^Fail.*" | transaction Description | rex field=Description "^(?<TaskID>[^-]+).*" | rex field=Description "^[^-]+-(?<DeviceName>.*)" | dedup DeviceName, TaskID | fields DeviceName ] |sort -_time, +TaskID, +DeviceName | table _time, TaskID, DeviceName, Description, Notes
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
