Activity Feed
- Karma Re: Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf? for splunkjas1. 06-05-2020 12:49 AM
- Got Karma for Will Splunk Enterprise ever fully support for RHEL 7?. 06-05-2020 12:49 AM
- Got Karma for An error occurred while installing the app: 500. 06-05-2020 12:49 AM
- Got Karma for Issues with "missing" forwarder version after upgrade from universal forwarder 6.3.0 to 6.4.0?. 06-05-2020 12:48 AM
- Got Karma for Splunk App for Unix and Linux: Why is the app not showing memory info?. 06-05-2020 12:48 AM
- Got Karma for Locate when user(s) accessed dasboard. 06-05-2020 12:48 AM
- Got Karma for How to rename an index or move everything we have in the main index into another index?. 06-05-2020 12:47 AM
- Posted Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf? on Getting Data In. 09-25-2018 10:11 AM
- Tagged Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf? on Getting Data In. 09-25-2018 10:11 AM
- Tagged Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf? on Getting Data In. 09-25-2018 10:11 AM
- Posted RHEL 7 HF stopping after app deployed to it on Splunk Dev. 08-01-2018 05:32 AM
- Posted Re: need to limit what servers are sending logs to an indexer on Deployment Architecture. 07-03-2018 05:33 AM
- Posted need to limit what servers are sending logs to an indexer on Deployment Architecture. 07-02-2018 08:03 AM
- Posted Re: An error occurred while installing the app: 500 on All Apps and Add-ons. 05-21-2018 05:07 AM
- Posted Re: An error occurred while installing the app: 500 on All Apps and Add-ons. 05-15-2018 04:48 AM
- Posted Re: An error occurred while installing the app: 500 on All Apps and Add-ons. 05-14-2018 07:27 AM
- Posted An error occurred while installing the app: 500 on All Apps and Add-ons. 05-12-2018 04:47 PM
- Posted Will Splunk Enterprise ever fully support for RHEL 7? on All Apps and Add-ons. 09-19-2017 05:36 AM
- Posted Re: new version available message on Installation. 05-26-2017 05:11 AM
- Posted new version available message on Installation. 05-26-2017 04:57 AM
09-25-2018
10:11 AM
I am trying to figure out how to filter out account names that end in $ for the 4656 event codes. I am currently using the following in transforms.conf:
REGEX = (?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$))
DEST_KEY = queue
FORMAT = nullQueue
I have tried multiple combinations of the above and it never filters out.
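An offline check of the nullQueue pattern from the post, added here as an example (it is not code from the post or from Splunk). It compiles the posted REGEX with its parentheses balanced, runs it as an unanchored search over a constructed 4656 event in the text form the Windows event log input produces, and compares it with a tighter pattern of my own that uses lazy quantifiers. Hostnames, SIDs and object names in the sample are made up; `should_drop` and `check_all` are names I chose for the harness.

```python
import re

# Regex from the post (parentheses balanced so it compiles). Splunk applies a
# transforms.conf REGEX to _raw as an unanchored search, which re.search
# reproduces closely enough to test the pattern offline.
POSTED_REGEX = re.compile(r"(?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$))")

# Tighter alternative (mine, not from the post): lazy quantifiers stop at the
# first "Subject:" block, and [^\s$]+ also accepts names containing "-" or ".".
TIGHT_REGEX = re.compile(r"EventCode=4656.*?Subject:.*?Account Name:\s*[^\s$]+\$", re.S)


def should_drop(event: str, pattern: re.Pattern = POSTED_REGEX) -> bool:
    """Return True when this REGEX would route the event to nullQueue."""
    return pattern.search(event) is not None


def _event(code: str, account: str) -> str:
    """Build a constructed Windows Security event in the multi-line text form
    the Splunk Windows event log input ingests (all identifiers are made up)."""
    return (
        "09/25/2018 10:11:02 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=host01.example.test\n"
        "TaskCategory=File System\n"
        "Keywords=Audit Success\n"
        "Message=A handle to an object was requested.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
        "\tLogon ID:\t\t0x3E7\n"
        "\n"
        "Object:\n"
        "\tObject Server:\t\tSecurity\n"
        "\tObject Type:\t\tFile\n"
        "\tObject Name:\t\tC:\\Windows\\Temp\\example.txt\n"
        "\tHandle ID:\t\t0x1234\n"
    )


# Constructed samples: a machine account (ends in $), a user account, and a
# different event code that also carries a machine account.
EVENT_MACHINE_ACCOUNT = _event("4656", "HOST01$")
EVENT_USER_ACCOUNT = _event("4656", "jdoe")
EVENT_OTHER_CODE = _event("4663", "HOST01$")


def check_all(pattern: re.Pattern = POSTED_REGEX) -> dict:
    """Evaluate one pattern against every sample; only the first should drop."""
    return {
        "machine_4656": should_drop(EVENT_MACHINE_ACCOUNT, pattern),
        "user_4656": should_drop(EVENT_USER_ACCOUNT, pattern),
        "machine_4663": should_drop(EVENT_OTHER_CODE, pattern),
    }


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_REGEX), ("tight", TIGHT_REGEX)):
        print(name, check_all(pat))
```

Both patterns drop only the 4656 event whose Subject account name ends in `$`. The harness tests the pattern alone; in Splunk the transforms.conf stanza also has to be named from a `TRANSFORMS-` setting in props.conf for the sourcetype, and the leading greedy `(.*EventCode=4656.*)` with `(?s)` makes the posted pattern backtrack over the whole event, which the lazy version avoids.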
08-01-2018
05:32 AM
I am having an issue where our RHEL 7 HF receives an update to an app, or a new app is installed, and instead of restarting like it does on our RHEL 6 SH, it just stops.
Is anyone else running into this and if so how did you fix this issue?
I just love the support they give to systemd systems.
- Tags:
- splunk-enterprise
07-03-2018
05:33 AM
This looks to break things.
Simplifying my setup a bit, IDX-1 receives limited eventIDs for all hosts, IDX-2 receives all eventIDs for a subset of hosts.
07-02-2018
08:03 AM
We have multiple Windows SUFs sending logs to an HF that then divides the winevent:security logs between two indexers. One indexer needs to receive logs from all servers; the second indexer needs to receive logs from only particular servers.
Any idea on how I can go about setting this up? I have custom transforms and props configs that will split the event IDs between the two indexers, but I need to limit which servers go to the second indexer as well.
- Tags:
- splunk-enterprise
05-21-2018
05:07 AM
I have done it both ways. Yes, the left side app listing is blank. Trying it from Manage Apps does show the name. Both ways fail with the same result.
05-15-2018
04:48 AM
/opt/splunk and all directories underneath are owned by the user running splunk.
05-14-2018
07:27 AM
All apps are affected by this.
05-12-2018
04:47 PM
1 Karma
Just upgraded Splunk from 7.0.0 to 7.1.0 and now whenever I try to update an app I receive "An error occurred while installing the app: 500" and instead of the app name in the response I get "Note: Updating None from Splunkbase might cause Splunk Enterprise to restart."
The server has internet access with no proxy. Anyone have an idea how to fix?
- Tags:
- splunk-enterprise
09-19-2017
05:36 AM
1 Karma
To be more specific, anyone know when there will be full support for RHEL 7? With services being moved over to systemd, Splunk is still using the deprecated init.d script.
I have moved it over to a systemd service script and running it manually will stop, start, and restart the service but if I update an application and restart it through the browser it just stops the service.
You would think that since almost every Linux OS is going to systemd, and has been for years now, that Splunk would update its software to recognize and do both.
05-26-2017
05:11 AM
Thanks for the info. This popped up while I was on 6.6.0 and the latest was 6.6.0. At least there is a valid reason now.
05-26-2017
04:57 AM
Any idea why I am constantly receiving the "new version available" message even though I am at the latest release? Is there a bug in their system?
- Tags:
- splunk-enterprise
03-30-2017
08:55 AM
Found how to clean up the database. It is under Settings > Monitoring Console > Settings > Forwarder Monitoring Setup > Rebuild forwarder assets.
11-30-2016
04:49 AM
sourcetype=vmstat and doing a preview I do get the vmstat data.
I am looking at it both from the home page, metrics page, and hosts page. It shows nothing. The hosts page says both memory and disk is unknown and asks if they are enabled, which they are.
11-29-2016
04:45 AM
sysstat is installed on the systems. The issue isn't that we are not receiving information for those sourcetypes. We get them when we search for them; we just don't get them in the app for Unix/Linux even though the sourcetypes are configured in the app.
11-25-2016
05:41 AM
1 Karma
I am trying to get the Splunk App for Unix and Linux to show memory information and it does not show anything. I have verified that vmstats is running and sending information. I can search on sourcetype=vmstat and receive info for the servers.
Any help would be appreciated on how to rectify this issue.
06-24-2016
10:38 AM
No, no updates have been made to serverclass.conf. For the most part this is a stock install of Splunk with only the config files necessary to run changed (i.e. inputs, outputs, and the like). I have double checked the file and there is no specific server listed. It is a generic setup based on IP subnets and machine type. So I do not understand why with the upgrade I have ghosts hanging around showing up as missing.
06-23-2016
04:57 AM
1 Karma
I have upgraded all of our universal forwarders from 6.3.0 to 6.4.0 and roughly a third are showing as "missing" when looking at the forwarder version in the distributed management console. Is there any way to clean this up? I also notice a lot of servers that we have decommissioned showing up even after the log retention period of 90 days.
- Labels:
- universal forwarder
03-25-2016
10:19 AM
1 Karma
We have a group that is required to record when they review their individual dashboard. We are trying to use Splunk to show they logged in and viewed their dashboard. I am having issues figuring out a search to determine when a dashboard was accessed and by whom.
I just need the initial get of the dashboard, not every search that is in the dashboard.
03-10-2016
05:51 AM
I do not have a local props.conf file, just the default props.conf.
03-09-2016
04:45 AM
There are multiple logs of this type in /var/log/messages. The only difference is the timestamp on them. Some come through OK and some get the leading portion cut off.
03-08-2016
06:58 AM
Running Splunk Enterprise and Splunkforwarder, both on RHEL, and we are having issues with the front portion of some logs being cut off while the back half remains and gets indexed. The datetime stamp and server name remain, but then the front half is removed. This occurs randomly for different events.
This is an example from the same server and timestamp:
From localhost
audispd: node=localhost type=SYSCALL msg=audit(1457382989.281:3703928): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=100 a2=0 a3=7fffdedde310 items=1 ppid=2866 pid=2881 auid=4094 uid=4094 gid=5188 euid=4094 suid=4094 fsuid=4094 egid=5188 sgid=5188 fsgid=5188 tty=(none) ses=11541 comm="betaGraph.ksh" exe="/bin/ksh93" key=(null)
From Splunk
=0 a3=7fffdeddec90 items=1 ppid=2866 pid=2881 auid=4094 uid=4094 gid=5188 euid=4094 suid=4094 fsuid=4094 egid=5188 sgid=5188 fsgid=5188 tty=(none) ses=11541 comm="betaGraph.ksh" exe="/bin/ksh93" key=(null)
02-09-2016
04:56 AM
I have a global of 90 days, so just assumed it included _internal.
Thanks for the quick response.
02-08-2016
09:19 AM
For some reason _internal is only available for the last 30 days even though it has not reached its max size limit stated in indexes.conf. Is there any way to increase the retention time for _internal and if so where?
12-09-2015
06:52 AM
Unfortunately I have not found a workaround for the shared libraries issue. Guess this will have to be a one off machine till I get this worked out.