Activity Feed
- Karma Re: How to get all users searches and lookups synchronized to both search heads? for jkat54. 06-05-2020 12:49 AM
- Got Karma for How to avoid indexing events twice when applying crcSalt=. 06-05-2020 12:48 AM
- Posted Re: How to avoid separation lines in email inline tables? on Splunk Search. 11-19-2018 11:36 PM
- Posted Re: How to avoid separation lines in email inline tables? on Splunk Search. 11-18-2018 11:29 PM
- Posted How to avoid separation lines in email inline tables? on Splunk Search. 11-14-2018 05:37 AM
- Tagged How to avoid separation lines in email inline tables? on Splunk Search. 11-14-2018 05:37 AM
- Posted Re: How to avoid indexing events twice when applying crcSalt= on Getting Data In. 03-14-2017 12:16 AM
- Posted Re: How to avoid indexing events twice when applying crcSalt= on Getting Data In. 03-13-2017 01:44 AM
- Posted Re: How to avoid indexing events twice when applying crcSalt= on Getting Data In. 03-10-2017 05:24 AM
- Posted How to avoid indexing events twice when applying crcSalt= on Getting Data In. 03-10-2017 05:09 AM
- Tagged How to avoid indexing events twice when applying crcSalt= on Getting Data In. 03-10-2017 05:09 AM
- Posted Re: After PAM scripted authentication we get admin:1661 - 'str' object has no attribute 'os_startIndex' error on Security. 10-20-2016 05:35 AM
- Posted After PAM scripted authentication we get admin:1661 - 'str' object has no attribute 'os_startIndex' error on Security. 10-20-2016 03:02 AM
- Tagged After PAM scripted authentication we get admin:1661 - 'str' object has no attribute 'os_startIndex' error on Security. 10-20-2016 03:02 AM
11-19-2018 11:36 PM
I am using the send email Trigger Action inside Edit Alert.
When the alert is triggered an email is sent and the data is added as an inline table.
I am not using the sendemail SPL command.
11-18-2018 11:29 PM
Thanks Laurie for your response.
The search itself ends with the lines below and the results are sent by email. The data are sent as an inline table in the email, as plain text.
.... | table host TYPE MID DATX date_mday date_hour COUNT | sort TYPE date_mday date_hour MID
When I run the search itself directly in Splunk Search App, there are no separation lines displayed and they are not in the raw data.
The separation lines are clearly added by Splunk.
The problem with them is that they look horrible in some mail clients when the lines are very long and the text is wrapped around.
11-14-2018 05:37 AM
After we upgraded from version 6.3.X to 6.6.11 we see that inline tables in emails appear with a separation line between rows. That did not happen in 6.3.X.
Is there a way to avoid them in email inline tables?
03-13-2017 01:44 AM
Thanks for your answer, Woodcock.
That's indeed the reason why we want to use crcSalt, some files are not being indexed and the log messages suggest that we use crcSalt to deal with it. And yes, we will use the SOURCE value (with angle brackets).
But I think I did not make my point clear. We come from a situation where we do not use crcSalt. I tried to include crcSalt in our test system for the files in question, and the system started to re-index already indexed files. That makes sense to me, since the crc value has changed. So my question is how do I avoid that the system initially re-indexes files that are within the IgnoreOlderThan time span that are already indexed?
My idea is to set followTail=1 initially and then change it later to zero when IgnoreOlderThan has elapsed.
03-10-2017 05:24 AM
Sorry, it seems that the rendering of the post was not quite right.
The file structure is like this: /opt/logs/SERVER/YYYY/MM/FILENAME.YYYYMMDD
The new stanza would contain wildcards in place of SERVER, YYYY and MM and just refer to the file names that need to have crcSalt.
03-10-2017 05:09 AM
1 Karma
Hello
We are indexing a file structure like /opt/logs////.
with YYYY=year, MM=month and DD=day.
So far, we have not been using crcSalt but we now have to apply crcSalt= for some of the smaller file types.
We currently have only one monitor stanza for /opt/logs and I do not want to switch on crcSalt= for all files.
My plan is to exclude the file names in question from the /opt/log stanza's whitelist and create a new stanza like /opt/logs////(|) and then add the relevant files to that stanza's whitelist and set crcSalt=.
But how do I avoid that events get indexed twice, when I switch on crcSalt for these files?
All the files already indexed will not be recognised as indexed as the CRC calculation is changed.
Thanks.
10-20-2016 05:35 AM
Well, found the answer myself in the end.
It turned out to be a problem in /etc/passwd, where a user had a strange character in the description field.
10-20-2016 03:02 AM
Hi
We have just switched from native Splunk authentication to PAM scripted authentication.
We are running Splunk 6.3.4 under Linux SUSE, SLES 11.
After switching to PAM scripted authentication the administrator can no longer see the list of users in the GUI (under Settings/Access Controls/Users).
Instead we get an error page and we can see the internal error is related to
"admin:1661 - 'str' object has no attribute 'os_startIndex'"
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/admin.py", line 1656, in listEntities
    pwnrList = en.getEntities("authentication/users", count=250, search="roles=*")
  File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 131, in getEntities
It seems to indicate a limit of 250 users but we do not have anything like 250 users in the system, which seems to be an (arbitrary) limit set in admin.py. We have tried to increase the count but it did not help.
The PAM authentication is actually working but it is a major problem not to be able to see the list of users or to delete the old native user ids in the GUI.
We tried to switch back to native authentication and there is no problem displaying the old users again.
Thanks for any suggestions to resolve this issue.
10-27-2015 05:26 AM
Thanks.
I do not have a test system available at the moment to verify the behaviour, so it makes it difficult for me to test it beforehand.
I am just looking at the current 6.1 behaviour, where I get a warning that I need to restart Splunk in order to enable even a simple test APP.
The fact that the splunk restart splunkweb command seems to work does not mean that it actually does anything.
Here is an extract from the 6.3.0 Admin manual:
Note: If either the startwebserver attribute is disabled, or the appServerPorts
attribute is set to anything other than 0 in web.conf, then manually starting
splunkweb does not do anything. The splunkweb process will not start in either
case.
10-27-2015 03:31 AM
Prior to upgrading to 6.3.0 from 6.1 I would like to know if disabling and enabling of APPs requires a restart of the splunkd process in 6.3.0?
In version 6.3.0 the splunkweb process does not exist unless SPLUNK is run in legacy mode, and I would like to avoid running in legacy mode, hence it is not possible to only restart splunkweb.
The reason for asking is that I want to disable an APP that tends to generate an alert storm after restarting splunkd and then to enable the APP once SPLUNK has ingested the data backlog after restart. A second restart of splunkd would defeat the purpose of disabling the APP in the first place.
Thanks.