Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nekbote
nekbote
Path Finder
Member since:
01-04-2015
09-22-2022
Community Statistics
| Posts | 35 |
| Solutions | 0 |
| Karma Given | 38 |
| Karma Received | 2 |
| Member Since | 01-04-2015 |
Activity Feed
- Posted Re: SAML integration on Search head cluster on Security. 09-22-2022 12:43 AM
- Karma Re: How to Schedule a job to delete 30 days older records from KV Store? for dmarling. 06-05-2020 12:50 AM
- Karma Re: Pass the label of an input to the title of a panel for BorisGrochalski. 06-05-2020 12:49 AM
- Karma Re: Dashboard - Base Search not returning results into panel for kmaron. 06-05-2020 12:49 AM
- Karma Re: How to use mvindex to display second field if present, but show first field if not present? for somesoni2. 06-05-2020 12:49 AM
- Karma Re: Find search by the search id for martin_mueller. 06-05-2020 12:48 AM
- Got Karma for Re: Can I update KV store through a search?. 06-05-2020 12:48 AM
- Karma Re: Can I index select events but store all raw events in Splunk? for acharlieh. 06-05-2020 12:47 AM
- Karma How to embed an image in a simple XML dashboard with HTML? for willial. 06-05-2020 12:47 AM
- Karma Re: Why are we getting message "waiting for queued job to start..." and search job takes 5 minutes to run? for andygerber. 06-05-2020 12:47 AM
- Karma How to read data from a CSV file and put into DB Connect’s query? for ritesh21aggarwa. 06-05-2020 12:47 AM
- Karma Re: Zoom and Center Map Visualization for aljohnson_splun. 06-05-2020 12:47 AM
- Karma Re: How to collect introspection logs from forwarders in a distributed environment managed by a deployment server? for hexx. 06-05-2020 12:47 AM
- Karma Re: Why is cluster master reporting "Cannot fix search count as the bucket hasn't rolled yet.", preventing me from meeting my Search Factor? for rbal_splunk. 06-05-2020 12:47 AM
- Karma Re: Can the Splunk for Excel Export app be used with dashboards/panels built using Splunk out of the box features in Simple XML? for davidpaper. 06-05-2020 12:47 AM
- Karma Transforms.conf - Hide values or make them anonymous for celsohso. 06-05-2020 12:47 AM
- Karma Is there a way to pass the current date into the outputlookup file name? for mic1024. 06-05-2020 12:47 AM
- Karma Re: Is there a way to pass the current date into the outputlookup file name? for martin_mueller. 06-05-2020 12:47 AM
- Karma Is there a resource that explains how the system of awarding Karma points works on Splunk Answers? for _dave_b. 06-05-2020 12:47 AM
- Karma Re: Is there a resource that explains how the system of awarding Karma points works on Splunk Answers? for ppablo. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
09-22-2022
12:43 AM
Question : Did you have a load balancer sitting in front of the Search Héad Cluster? i am assuming end user of splunk hits a user friendly url and load balancer is directing them in a balanced way. If that is the case did you have to configure load balancer configs in SH instances
... View more
01-08-2018
01:44 PM
Hi All,
I have integrated splunk with hadoop using hadoop connect app in my search head instance [non-clustered search head] and the data export to hadoop is working fine. As part of this one of the steps is to copy the hadoop related details in to krb5.conf, which i did in the default file /etc/krb5.conf.
Now looks like my changes overwrote the previous existing contents due to which some of the power broker roles on the machine are no longer working and the splunk admin is no longer able to sudo due to which some of his monitoring scripts are failing as well.
We got to know that power broker login also makes use of the krb5.conf which comes built in with machine @ my organization. On checking with our Hadoop admin we got to know that appending of the Hadoop related configs to default krb5.conf isn't an option [as cross relams are not supported currently] and we need to have 2 separate config files and specify the paths of these 2 files by setting "KRB5_CONFIG" environment variable.
Example value for multiple file specification --> KRB5_CONFIG =/etc/default_krb5.conf:/etc/hadoop_krb5.conf [reference link https://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html ]
Questions
To point Hadoop Connect app to pick up the custom file configuration, can you please help share the list of files and the property name that needs to be changed.
Would be great if you can share some suggestions.
Thanks!
Splunk Version : 6.5.2
Cloudera Enterprise 5.10.1 (hadoop-2.6.0)
Kerberos Secured
Hadoop Connect App : 1.2.5
... View more
07-21-2017
02:17 PM
Also from the shell when i am running the command, I am getting below Error.
./bin/hadoop fs -ls hdfs://QAhost02:8020
WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
WARN security.UserGroupInformation: PriviledgedActionException as:abc (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
WARN security.UserGroupInformation: PriviledgedActionException as:abc (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "mylocalhost"; destination host is: "QAhost02":8020;
Also Our Hadoop admin suggested that we need to have unix local account on the search head with the same name as the Kerberos user. Say our Kerberos user is "abc" , on splunk search head we need to be logged in as "abc" and then run the above command for it to work. We implemented this out but still continue to get this error. My Hadoop adminstrator now suspects my local dev host has to be part of their KDC trusted list as my splunk dev box is outside of hadoop cluster network we are getting this error.
... View more
07-17-2017
08:09 AM
Hi rdagan,
No I haven't yet. I am waiting to validate the below scenario and then raise a ticket or reach out to our splunk support contact.
Right now from the splunk search head CLI , we are not able to connect to hadoop cluster though we have the valid ticket. We ran this command as admin, we are receiving invalid tgt error.
./bin/hadoop fs -ls hdfs://servername:8020
Our Hadoop admin suggested that we need to have unix local account on the search head with the same name as the Kerberos user. Say our Kerberos user is "abc" , on splunk search head we need to be logged in as "abc" and then run the above command for it to work. I am waiting on getting this done and then plan to log the ticket.
Do you know if the user needs to be same as the Kerberos user, I don't think this would matter but thought we should be able to connect from CLI to hadoop then we know there is something missing on the hadoop connect config side.
... View more
06-23-2017
11:36 AM
Hi folks,
were you able to get this resolved? i am running into issues as well and posted question on it.
https://answers.splunk.com/answers/550641/error-configuring-hadoop-connect-app-failed-to-fin-1.html
... View more
06-22-2017
02:32 PM
Hi Team,
I am trying to configure the splunk hadoop connect app to connect to kerberos secured cloudera hadoop and i am running into issues.
My Kerberos hadoop admin created the keytab file and shared it with me. I have copied the keytab file /home/myuser/abc.keytab.
In the splunk hadoop connect app ui i have added the kerberos principal with Principal Name -->abc@xyz.REFINERY.QA and Path as /home/myuser/abc.keytab and it gets saved without error and shows up in kerberos principal section in splunk hadoop connect app ui.
From the shell on the search head am able to run below commands successfully
kinit -k -t /home/myuser/abc.keytab abc@xyz.REFINERY.QA ---runs fine i do not get error nor prompt to enter password
klist command works successfully ....klist command output as below
Ticket cache: FILE:/tmp/krb5cc_30074
Default principal: abc@xyz.REFINERY.QA
Valid starting Expires Service principal
06/22/17 16:11:42 06/23/17 16:11:42 krbtgt/xyz.REFINERY.QA@xyz.REFINERY.QA
renew until 06/29/17 16:11:38
I have configured the krb5.conf file on my search head under /etc/krb5.conf to have below values
krb5.conf
[libdefaults]
default_realm = xyz.REFINERY.QA
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5
udp_preference_limit = 1
[realms]
xyz.REFINERY.QA = {
kdc = QAhost01
admin_server = QAhost01
}
Our Hadoop is a clustered and below are the details
Splunk Version : 6.5.2
Cloudera Enterprise 5.10.1 (hadoop-2.6.0)
Kerberos Secured
HDFS site xml value which i am using in the splunk hadoop connect UI
<configuration>
<property>
<name>dfs.nameservices</name>
<value>namsvc10</value>
</property>
<property>
<name>dfs.ha.namenodes.namsvc10</name>
<value>namenode1,namenode2</value>
</property>
<property>
<name>dfs.namenode.rpc-address.namsvc10.namenode1</name>
<value>QAhost01:8020</value>
</property>
<property>
<name>dfs.namenode.rpc-address.namsvc10.namenode2</name>
<value>QAhost02:8020</value>
</property>
<property>
<name>dfs.namenode.http-address.namsvc10.namenode1</name>
<value>QAhost01:50070</value>
</property>
<property>
<name>dfs.namenode.http-address.namsvc10.namenode2</name>
<value>QAhost02:50070</value>
</property>
<property>
<name>dfs.client.failover.proxy.provider.namsvc10</name>
<value>org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider</value>
</property>
</configuration>
am able to generate the ticket from the shell(using kinit and klist) and able to run above commands but when i fill in all the config details in splunk hadoop connect app ui and save i get below error
Unable to connect to Hadoop cluster 'hdfs://namsvc10/' with principal 'abc@xyz.REFINERY.QA': Failed to run Hadoop CLI job command '-ls' with options 'hdfs://namsvc10/': ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "mylocalhost"; destination host is: "QAhost02:8020;
Any idea what am i missing, why does it work from shell and NOT through the splunk hadoop connect app ui.
... View more
04-10-2017
01:47 PM
Hi Leo_y,
What is the final approach which you have taken and how did it perform.
... View more
12-19-2016
10:31 AM
@ sarthakb refer to below thread...you can refer to my answer there to get some tips and also others answers as well
https://answers.splunk.com/answers/5590/could-not-send-data-to-the-output-queue.html#answer-466859
As @chrishartsoc mentioned...your starting point is checking splunkd and metrics log on the forwarder.
... View more
12-15-2016
11:08 PM
with one less eval compared to previous one..
index=_internal sourcetype=splunkd | eval CUST_ID=12345678910 | eval NEW_CUST_ID=trim(CUST_ID." ") | table NEW_CUST_ID
... View more
12-15-2016
10:51 PM
your spl does give exponential error in 6.2.2...
You can try appending space in your evail and then continue to use trim...this will ensure numric value with no space gets a space and your trim continues to work..below SPL works just fine
index=_internal sourcetype=splunkd | eval CUST_ID=1234567 |eval CUST_ID=CUST_ID." "| eval NEW_CUST_ID=trim(CUST_ID) | table NEW_CUST_ID
... View more
12-01-2016
02:47 PM
i see you are using dbconnect 2, did not notice earlier as i was browsing over phone..were you able to connect to this database using any of the thin client like sql developer/toad?, if yes then you may want to check if the right jars copied , connection details are setup correctly
... View more
12-01-2016
09:42 AM
what's the dB connect version? also can you add screen shot of the erorr you see...we use it for jt and Oracle ....make sure you have the required jars copied ...
... View more
11-23-2016
09:30 PM
@TLAZO Did you get a chance to check the splunkd.log and metrics.log on the days when the events were missing? It is quite possible that one of the queues on the forwarder was full and was not able to send the data down, in which case you would see blocked=true messages in metrics.log, by default the Queue sizes are 256kb , if we are noticing issues with the size we may want to bump up the queue size to couple of MB or 1 GB , though we configure it as 1Gb it would use as much as needed and this can be reset to lower value once all the data has been sent out.
... View more
11-23-2016
09:22 PM
1 Karma
If Key field of the KVstore is unique, even though 90% of data is same, hourly search which feds data to KVstore will only add the10% that isn't already in KVStore and would update 90% which are existing if there has been change in any of their field values. Below is sample command to update KVStore using the hourly search
index=xyz |eval key=employeeid."-".employeedept |table employeeid,employeedept,key|outputlookup EmployeKVStore key_field=key append=true
... View more
04-13-2016
02:55 PM
Just tried this in 6.4 ...it works...thanks David and Nick!!
... View more
02-18-2016
11:26 PM
Thanks too David and Nick. We still are using 6.2.2 , dint get chance to try this out and have used some other alternative for my original ask. Will give it a shot when we get there , glad to know praveen was able to use it and it works.
... View more
09-30-2015
10:51 AM
Well we upgraded from DBXv1 to DBXv2 as we were losing records while using dump with DBXv1 ...purpose of upgrading to DBXv2 has failed [atleast for the moment] due to "## Not Supported Type ##".
Isn't there any work around at all with DBXv2? Any idea when will the future release be?
Any response will be appreciated.
... View more
06-19-2015
12:13 PM
Roychen,
How did you get this resolved?
In need of something similar, on certain navigations we want to route the user to customized error page instead of Splunk out of the box 404 page.
Any suggestions?
... View more
06-09-2015
09:35 AM
In need of something similar ...any suggestions out there? Can splunk excel export app be used for panesl built using out of the box traditional xml based dahshboards/panels?
... View more
06-08-2015
04:04 PM
Hi Martin,
thank you for the response, in my case i needed to use case as i have more than 4 conditions to look at and then determine the value. However i was able to get around it using
....| where eval xyz=Case()| table...
thanks!
... View more
05-19-2015
11:45 AM
thanks Nawneel!
... View more
05-11-2015
10:02 AM
Hi All,
Any other pointers as to how this can be achieved. Thanks.
... View more
05-10-2015
08:50 PM
Hi Chimell,
Thanks for the suggestion but it does not work in my case.
Mine is custom time picker which provides 1-14 day time selection [earliest and latest alone does not work]. I want to display the the label corresponding to the time picker value. in your suggestion , i want to display the value 1 day ago as label and not -1d@d.
<form>
<label>Demand Billed Dashboard-DBQuery Clone</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="field1" searchWhenChanged="true">
<label>Select Time Range</label>
<choice value="1">1 day ago</choice>
<choice value="2">2 days ago</choice>
<choice value="3">3 days ago</choice>
<choice value="4">4 days ago</choice>
<choice value="5">5 days ago</choice>
<choice value="6">6 days ago</choice>
<choice value="7">7 days ago</choice>
<choice value="8">8 days ago</choice>
<choice value="9">9 days ago</choice>
<default>1</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Demand Billed - $field1$</title>
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-22-2022
08:18 AM
|
Karma given to
