Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About esalesapns2
esalesapns2
Path Finder
Member since:
10-31-2018
06-05-2020
Community Statistics
| Posts | 38 |
| Solutions | 2 |
| Karma Given | 20 |
| Karma Received | 14 |
| Member Since | 10-31-2018 |
Activity Feed
- Got Karma for Re: HTTP Event Collector: How to generate token through Splunk CLI ?. 01-30-2023 03:42 AM
- Got Karma for Re: How to get "splunk" user to read "root" user-owned files?. 11-10-2022 05:40 AM
- Got Karma for Re: HTTP Event Collector: How to generate token through Splunk CLI ?. 09-29-2022 11:37 AM
- Got Karma for Can the _introspection index use SmartStore?. 11-08-2021 08:57 PM
- Got Karma for Re: Is there an Audit log that tracks changes to content in Splunk Enterprise Security?. 10-01-2021 03:33 PM
- Karma Upgrade from 7.0.1 to 7.3.x and add-on compatibility for dkleczko. 06-05-2020 12:50 AM
- Karma Re: Splunk AWS inspector errors for FraserC1. 06-05-2020 12:50 AM
- Karma ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/interfaces.sh" cat: /sys/class/net/eth#/speed: Invalid argument for jlstanley. 06-05-2020 12:50 AM
- Karma Re: Search performance impact & How to find user deploying high impact searches for VatsalJagani. 06-05-2020 12:50 AM
- Karma Re: Why does my drilldown with the rex command return an "Unbalanced quotes" error? for MathiasLindblom. 06-05-2020 12:50 AM
- Got Karma for Splunk Add-on for Unix and Linux sshdChecker.sh script error.. 06-05-2020 12:50 AM
- Got Karma for Can Splunk pull *the contents* of a lookup created in a search head cluster via rest command search into a non-cluster search-head?. 06-05-2020 12:50 AM
- Karma Re: Events posted to HEC successfully, not showing up in index for Cuyose. 06-05-2020 12:49 AM
- Karma Re: how can a saved search owner be changed for cumbers. 06-05-2020 12:48 AM
- Karma How to remove the orphan scheduled search from splunk environment ? for Hemnaath. 06-05-2020 12:48 AM
- Karma How to find more detail on error "Received event for unconfigured/disabled/deleted index="? for lennys26. 06-05-2020 12:48 AM
- Karma Re: How to compute _indextime-_time difference average with tstats? for rjthibod. 06-05-2020 12:48 AM
- Karma Unable to apply search head cluster bundle, how to resolve error "Error while deploying apps to first member: Error while fetching apps baseline on target"? for sborys. 06-05-2020 12:48 AM
- Karma Re: When trying to create a self-sign certificate, why am I receiving "unknown option -config" and "can't open config file" errors? for rbreton. 06-05-2020 12:48 AM
- Karma Re: KV Store lookup failing with error about KV store initialization failure for nnmiller. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
02-04-2020
05:19 AM
Me too. Maybe it's trying to find an index that's not defined on the Heavy Forwarder? "idx=_w(s,0).end())"
... View more
12-30-2019
01:49 PM
Apologies, this will create a file named server.pem.pem that you will have to move to server.pem . You can omit the ".pem" from the end of the second command to save having to do this step.
... View more
12-30-2019
01:43 PM
Or (on Splunk 7.3.2) you could run these commands to create a cert with a new expiration date:
$ mv /opt/splunk/etc/auth/server.pem /opt/splunk/etc/auth/server.pem,expired
$ splunk createssl server-cert -d /opt/splunk/etc/auth -n server.pem
... View more
12-30-2019
01:32 PM
I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore.
... View more
12-04-2019
09:23 AM
I followed the steps, but my status is still "starting" on the captain, replicationStatus is "Startup" on one member and "Down" on the other, even though it was "ready" when I brought up the captain solo. How long should it take to replicate?
... View more
11-13-2019
01:41 PM
I'm having the same issue in 7.3.2. System is logging in US/Eastern, Splunk is UTC. My props is based on source. Applied it on HF, and Indexer, no change to time setting.
... View more
11-04-2019
08:44 AM
1 Karma
I created a Splunk Health Dashboard for myself on the server that runs my Monitoring Console. The MC server is not part of my search head cluster. My search head cluster updates a lookup every hour that gets service account status that I'd like to add to my custom dashboard on my Monitoring Console. Is there a way to get the contents of the lookup in the search head cluster into a search on my Monitoring Console?
... View more
11-01-2019
09:03 AM
My interface is showing "up", but I'm getting errors for "speed" and "duplex", even if I cat them from the command line; I'm running on a fairly recent Splunk AMI in AWS, One wonders why Splunk hasn't seen/fixed this?
... View more
11-01-2019
07:56 AM
2 Karma
Yes, you can use "uuidgen" (with no arguments) from the linux command line to generate a token like the one the Splunk GUI does when it creates a new HEC input.
... View more
10-30-2019
01:02 PM
2 Karma
I wish that link still worked...
... View more
10-30-2019
07:14 AM
Splunk Enterprise, v7.0.3
I ran the search in https://answers.splunk.com/answers/750097/search-performance-impact-how-to-find-user-deployi.html
I see the exact same alert running 9 times in a 5-minute period that eats 130 to 165 data.pct_cpu each time.
It's an Alert private to a user scheduled to run at 8:00. It ran 9 different times from 9:23 to 9:28 am, according to the search.
Is it a bug in the search due to the way "stats latest(data.pct_cpu) is used that makes the "_time" off?
... View more
- Tags:
- splunk-enterprise
10-28-2019
06:17 AM
As of 7.3.2, Splunk uses systemd on RHEL 7 and sets the splunk startup in /etc/rc.d/rc3.d to S90splunk, avoiding this issue.
... View more
10-28-2019
06:10 AM
I had to remove/re-install the splunk_TA_nix app to get it to stop behaving this way.
... View more
10-10-2019
01:58 PM
I should say I restarted Splunk after I put the app back.
... View more
10-10-2019
01:57 PM
Ok, I stopped Splunk, removed the Splunk_TA_nix app, started splunk put the app back and started splunk, and I'm finally no longer getting lsof events. However, I now need to do the same on all my deployment clients... Good thing I was planning on working late.
... View more
10-10-2019
01:07 PM
This is on Splunk Universal Forwarder 7.0.1.
... View more
10-10-2019
01:06 PM
Yes, I did. I have since stopped Splunk, removed deploymentclient.conf, and the DS2-Splunk_TA_nix-cre directory, and set the indexes for all the Splunk_TA_nix inputs in Splunk_TA_nix/local/inputs.conf, and restarted splunk. I'm still getting a steady stream of lsof events every minute.
... View more
10-10-2019
12:41 PM
stop it altogether. some of my servers have 5M files open at a time...
... View more
10-10-2019
12:10 PM
I can't figure out why lsof.sh is running every minute. Here's the "btool inputs list --debug" output for lsof:
/opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf [script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh]
/opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf disabled = 1
/opt/splunkforwarder/etc/system/local/inputs.conf host = c20sbap01l01
/opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf index = cre_linux
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf interval = 600
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf source = lsof
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf sourcetype = lsof
Here's my splund.log output:
10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh
10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - interval: 60000 ms
I've tried restarting splunk to no effect... Notice that the interval is set to 600 (600 seconds) in the btool output, but 60000 (60 seconds) in the splunkd.log output. I'll try interval = -1 next, and then a single app after that.
... View more
Labels
- Labels:
-
troubleshooting
10-10-2019
10:49 AM
Here's my btool inputs list --debug output for lsof:
/opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf [script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh]
/opt/splunkforwarder/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf disabled = 1
/opt/splunkforwarder/etc/system/local/inputs.conf host = c20sbap01l01
/opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf index = cre_linux
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf interval = 600
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf source = lsof
/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/inputs.conf sourcetype = lsof
Here's my splund.log output:
10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lsof.sh
10-10-2019 16:07:12.898 +0000 INFO ExecProcessor - interval: 60000 ms
I've tried restarting splunk to no effect...
Notice that the interval is set to 600 (600 seconds) in the btool output, but 60000 (60 seconds) in the splunkd.log output.
I'll try interval = -1 next.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
