×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- About badrinath_itrs
badrinath_itrs
Communicator
Member since:
09-09-2015
09-22-2024
Community Statistics
| Posts | 69 |
| Solutions | 10 |
| Karma Given | 22 |
| Karma Received | 20 |
| Member Since | 09-09-2015 |
Activity Feed
- Posted Re: Custom Javascript Visualization in Dashboard on Dashboards & Visualizations. 09-21-2024 09:34 PM
- Karma Re: index cluster master behind aws elb for dxu_splunk. 06-29-2024 06:57 AM
- Karma Re: Custom search command for distributed search for hexx. 05-06-2024 09:05 PM
- Karma Re: How can we ingest MDI logs to Splunk? for jconger. 04-11-2024 12:55 AM
- Karma Re: Splunk Add-on for AWS Problem with Self Signed Certificate for thambisetty. 04-11-2024 12:51 AM
- Got Karma for Re: Why doesn't the modification propagate to the search head cluster via the deployer ?. 11-23-2023 08:08 AM
- Karma Re: Auto Scaling Splunk Indexer Cluster for scelikok. 11-13-2023 04:19 AM
- Posted Re: Unable to login in splunk enterprise on Dashboards & Visualizations. 11-11-2023 06:24 AM
- Posted Re: Unable to login in splunk enterprise on Dashboards & Visualizations. 11-11-2023 03:26 AM
- Posted Re: Why doesn't the modification propagate to the search head cluster via the deployer ? on Deployment Architecture. 11-08-2023 04:15 AM
- Posted Re: Splunk Add-on for AWS Problem with Self Signed Certificate on All Apps and Add-ons. 11-21-2022 05:55 PM
- Got Karma for Re: How to clean KVstore on search head cluster nodes. 01-26-2022 07:33 AM
- Got Karma for Re: Splunk with React. 11-25-2021 06:50 AM
- Posted Re: Splunk with React on Splunk Cloud Platform. 11-24-2021 07:12 PM
- Got Karma for Re: Unable to stop splunk. 11-17-2021 09:47 PM
- Karma Using Splunk SDK for Javascript in Angular 2+ application for kennyyang. 11-17-2021 09:41 PM
- Posted Re: Unable to stop splunk on Deployment Architecture. 11-17-2021 06:31 PM
- Posted Re: How to ingest only those lines from the log that start with "date/time" on Getting Data In. 11-17-2021 06:24 PM
- Karma Re: Ignoring any data record that begins with a "#" character for richgalloway. 11-17-2021 06:23 PM
- Karma Re: Startwebserver 0 for isoutamo. 11-17-2021 06:14 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
09-21-2024
09:34 PM
This is the old way of using the custom JS and CSS for react visualisation, instead can you follow new framework to develop react app
... View more
11-11-2023
06:24 AM
Hi @Praz_123 , Can you check your authentication.conf file and confirm you are using LDAP and also start checking the splunkd.log and see what errors appears related to login to debug further.
... View more
11-11-2023
03:26 AM
Hi @Praz_123, Do you know if the user is a SPLUNK local user or LDAP user ?
... View more
11-08-2023
04:15 AM
1 Karma
Hi @pmerlin1 , Can you please elaborate any specific file changes which are not getting replicated ? There could be a possibility that those changes might have been changed at run time, hence they are not getting updated from deployer ? Refer below document for more details. https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges
... View more
11-21-2022
05:55 PM
@Raja_splunk_88 , I would not recommend to go down this path and the changes gets lost during upgrade etc. May be better to configure the TA not to use HEC and send to normal splunk port. If you still want to make the changes , search for hec_config.py under the TA directory and make below changes for enableSSL flag setting to 0 from 1 . Sample changes below. if not hec_input:
logger.info("Create HEC data input")
hec_settings = {
#"enableSSL": 1, ## Does not work with self signed cert
"enableSSL": 0,
"port": port,
"output_mode": "json",
"disabled": 0,
}
... View more
11-24-2021
07:12 PM
1 Karma
Hi @ChintanaM , I am also new to react but have stated to watch below session to get me going. https://conf.splunk.com/files/2021/recordings/DEV1134A.mp4 and Also this page is really a good start. https://bestofreactjs.com/repo/zepdev-kveditor-react-rich-text-editing
... View more
- Tags:
- @
11-17-2021
06:31 PM
1 Karma
@rdelhorbe @dm1 , If you are running Splunk as systemd service, then it would be better if you use below command to stop SPLUNK. systemctl stop Splunkd ( # Stop Splunk ) systemctl status Splunkd ( # Status Splunk ) systemctl start Splunkd ( # Start Splunk ) If you have not setup SPLUNK properly to run as systemd service you would need to login with root user to stop it. Refer this page for more details as how to properly configure Splunk to run as systemd service. https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/RunSplunkassystemdservice
... View more
11-17-2021
06:24 PM
@mlevsh , This question is already answered in the past. Can you please look into below link and see that helps. Ignoring-any-data-record-that-begins-with-a-quot-quot-character You can do this with props and Transforms as mentioned in the above post.
... View more
11-16-2021
03:39 PM
If this enterprise SPLUNK installation , it should be enabled in web.conf in $SPLUNK_HOME/etc/system/default. You can try adding below settings in $SPLUNK_HOME/etc/system/local/web.conf [settings]
startwebserver = 1
... View more
11-16-2021
02:18 PM
1 Karma
I have not tried that option but will give a try as well.
... View more
11-16-2021
02:17 PM
The Webserver gets restarted automatically if that is enabled as startwebserver =1 in web.conf. Can you check if you have a file in $SPLUNK_HOME/etc/system/local/web.conf that disable the webserver ? if not create a file and enable the settings ?
... View more
11-16-2021
03:41 AM
This question was asked 2 years back, I am also having same problem and just wanted to check if anyone has any luck in importing the sdk in Angular. I found its very hard as there is hardly any documentation available . @kennyyang , Did you manage to get this working ?
... View more
05-13-2021
01:25 AM
Checked with SPLUNK Support and got below response. Splunk_TA_aws is using Python's urllib3 module (https://pypi.org/project/urllib3/) across the board (not just for Kinesis), and this module is coded to do SSL certificate verification. I'm afraid tweaking it will affect the entire TA. As of now I have modified the code to use http when sending data to HEC to resolve the issue. Below file has been modified. Splunk_TA_aws/bin/3rdparty/python3/splunktalib/hec_config.py
... View more
05-11-2021
09:31 PM
We are using the Splunk Add-on for AWS (Version : 5.0.3) and SPLUNK version 8.0.8 . We would like to leverage the SPLUNK Add-on to consume data from Kinesis Stream and internally send data to SPLUNK HEC end point . When it is sending data to Internal HEC end point ( port : 8088) it is throwing error as below for the self signed certificate being used for SPLUNK HEC.
Does anyone know how to disable the SSL certificate validation in the add-on ?
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunktalib/event_writer.py", line 252, in write_events
data=event, http=self._http)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunktalib/rest.py", line 31, in splunkd_request
data, timeout, retry)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunktalib/rest.py", line 62, in urllib3_request
data, timeout, retry, urllib3_req)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunktalib/rest.py", line 97, in do_splunkd_request
raise e
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunktalib/rest.py", line 93, in do_splunkd_request
data, timeout)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/splunktalib/rest.py", line 57, in urllib3_req
preload_content=True)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/urllib3/request.py", line 80, in request
method, url, fields=fields, headers=headers, **urlopen_kw
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/urllib3/request.py", line 171, in request_encode_body
return self.urlopen(method, url, **extra_kw)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/urllib3/poolmanager.py", line 330, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/urllib3/connectionpool.py", line 760, in urlopen
**response_kw
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=8088): Max retries exceeded with url: /services/collector (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
01-19-2020
04:01 PM
The configuration errors are being recorded in splunkd_stdout.log with "Invalid key in stanza" during server restart. May be worth of getting this information from this log instead of running rest command.
... View more
01-16-2020
02:16 PM
Can you check the errors and warning you are receiving for date time parsing on the receiving SPLUNK instance
... View more
01-09-2020
01:44 AM
You can use the below app or similar app to view conf files from SPLUNK interface.
https://splunkbase.splunk.com/app/4353/
... View more
01-09-2020
01:38 AM
Hello, is the UF managed via Deployment servers ? If yes, you can restart them when you push a change from Deployment server using restart flag.
If they are not managed by Deployment server, then you can use puppet or chef or ansible depending on your environment to restart UF.
... View more
01-08-2020
01:24 PM
1 Karma
You need to identify which KVStore collection is taking lot of space and decide if that is required or not . Don't just remove all KVStore collections in your SHC environment unless you understand the impact.
I would start with Checking the KVStore collection size in DMC and find out which collections are taking more size and go from there.
If you need to remove one collection individually in SHC, you can use | outputlookup
to remove it.
If you decide to backup your kvstore and restore it later you can refer below documentation .
https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/BackupKVstore
To delete the KVStore on members you can refer below documentation.
Refer documentation https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/ResyncKVstore
... View more
01-07-2020
07:01 PM
We were using an LDAP user for authentication and the authentication was taking more time , hence it was slowing the KVStore update using API.
... View more
01-06-2020
01:35 PM
Can you take a backup of server.conf and remove sslKeysfilePassword stanza as this is deprecated and also sslPassword stanza. Restart SPLUNK, it should add the default sslPassword values again.
The error you see is related to bad password on SSL Certificates .
... View more
01-06-2020
01:28 PM
1 Karma
SPLUNK does not support ingestion of .xel format logs directly, but you can use the sys.fn_xe_file_target_read_file function on the SQL server side to convert the logs and may use DB Connect to ingest the data into SPLUNK .
... View more
01-05-2020
08:47 PM
You can add the proxy configuration in splunk-launch.conf and also add NO_PROXY setttings as well.
Refer https://answers.splunk.com/answers/555493/how-to-configure-exceptions-to-proxy-config-in-spl.html for more details.
Most of the code will honor the proxy setting at OS level .
... View more
01-05-2020
08:43 PM
It looks like you are using proxy setting either as environment variable in your environment or in splunk-launch.conf .
Please blacklist localhost IP in proxy settings and try to upload it. If possible temporarily disable the proxy setting and upload it and see it works.
... View more
01-05-2020
07:27 PM
In one of our SPLUNK SH Cluster environment, inserting records into KVStore using rest command is taking lot of time and I am able to post only 20 Records into the collection in one minute.
The splunkd_access.log shows below message and tells that the each KVStore post is taking close to 3-5 secs.
splunkd_access.log output as below.
127.0.0.1 - user [06/Jan/2020:13:56:55.591 +1100] "POST /servicesNS/nobody/test_app/storage/collections/data/TestCollection HTTP/1.1" 201 13 - - - 5889ms
There is nothing suspicious message in mongo logs which tells why the insert is taking lot of time.
Here is the sample script I am using for inserting records into KVStore. I can use the outputlookup command to update records into KVStore but this is to investigate the issue which we are facing in overall slowness of KVStore.
import json
import requests
headers = {
'Content-Type': 'application/json',
}
with open('test.json') as json_file:
data = json.load(json_file)
for p in data['definitions']:
print p;
response = requests.post('https://localhost:8089/servicesNS/nobody/test_app/storage/collections/data/TestCollection', headers=headers, verify=False, auth=('user', 'password'),data=json.dumps(p))
I am raising with splunk support in parallel posting here and would like to check if anyone have had these kind of issues in their environment and what steps were taken to figure out what is causing this issue.
Storage IO wait on the mount point is close to 20 ms where SPLUNK is installed.
... View more
Labels
- Labels:
-
kvstore
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-22-2024
04:55 AM
|
Karma from
