Activity Feed
- Got Karma for Re: Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. a month ago
- Got Karma for Re: Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 02-05-2021 09:45 AM
- Got Karma for Re: Why am I getting "ERROR: The http port [8000] is already bound." trying to start Splunk after installation on Linux?. 09-26-2020 05:29 AM
- Posted Re: CLI search with FATAL: The search job terminated unexpectedly on Splunk Search. 06-12-2020 06:02 AM
- Posted CLI search with FATAL: The search job terminated unexpectedly on Splunk Search. 06-11-2020 07:42 AM
- Tagged CLI search with FATAL: The search job terminated unexpectedly on Splunk Search. 06-11-2020 07:42 AM
- Tagged CLI search with FATAL: The search job terminated unexpectedly on Splunk Search. 06-11-2020 07:42 AM
- Got Karma for Customer Usage Accounts Search No Result. 06-05-2020 12:50 AM
- Got Karma for Re: How to search for Windows host with UF agent installed and push datetime.xml fix app?. 06-05-2020 12:50 AM
- Got Karma for How to join or search fields from two different indexes with a common field. 06-05-2020 12:50 AM
- Got Karma for Re: How to join or search fields from two different indexes with a common field. 06-05-2020 12:50 AM
- Got Karma for Re: How to join or search fields from two different indexes with a common field. 06-05-2020 12:50 AM
- Posted Re: How to list my Splunk users and their email addresses? on Reporting. 06-03-2020 11:36 AM
- Posted Re: Export raw logs from specific time on Splunk Search. 06-01-2020 05:46 PM
- Posted Re: Forward Data to a third-party system on Getting Data In. 05-18-2020 09:27 AM
- Posted Re: HTTP Input data endpoint server cannot be started. on Dashboards & Visualizations. 04-29-2020 02:36 PM
- Posted Re: HTTP Input data endpoint server cannot be started. on Dashboards & Visualizations. 04-29-2020 02:35 PM
- Posted HTTP Input data endpoint server cannot be started. on Dashboards & Visualizations. 04-29-2020 02:17 PM
- Tagged HTTP Input data endpoint server cannot be started. on Dashboards & Visualizations. 04-29-2020 02:17 PM
- Posted Re: Copy csv file to a shared location on Reporting. 04-22-2020 09:48 AM
06-12-2020
06:02 AM
@twesty That's another idea. For small logs, I run the CLI search directly on the SH:
```
/opt/splunk/bin/splunk search "index=small_log earliest=-14d" -preview 0 -maxout 0 -output rawdata | gzip > small_log_14days.gz
```
I used dump for large logs by running this query on the SH homepage:
```
index=wineventlog | dump basefilename=WinEventLog rollsize=20000 compress=9 format=raw
```
The output file is saved in this dir: /opt/splunk/var/run/splunk/dispatch/(sid)/dump/
Best,
06-11-2020
07:42 AM
Hello, I try to export a large log with the CLI search below. It works well with a smaller log return, but gives an error on large logs: FATAL: The search job terminated unexpectedly. For instance, this search on pan_logs terminated:
```
/opt/splunk/bin/splunk search "index=pan_logs earliest=-7d" -preview 0 -maxout 0 -output rawdata | gzip > pan_logs_7days.gz
```
Does anyone know how to resolve this issue? Thanks,
Labels: Other
It'd be helpful if you could give a hint on how to import this code into the Splunk SH to create the dashboard. I copied and pasted it as source; it said 16 errors and couldn't save it.
Thanks,
06-01-2020
05:46 PM
This is a good scripting approach to export large search results.
This is another example of scripting:
```
splunk search "index=_internal earliest=09/14/2014:23:59:00 latest=09/16/2014:01:00:00 " -output rawdata -maxout 200000 > c:/test123.dmp
```
Thanks,
05-18-2020
09:27 AM
In outputs.conf, don't forget to add [tcpout] at the top if it is not already there, e.g. when you create a fresh new file.
Thanks,
04-29-2020
02:36 PM
Hi - Splunk TS found the issue: port 8088 is being used by another process. So, don't put a port entry for 8088 in your inputs.conf file.
04-29-2020
02:17 PM
Hello,
On one of a couple of HFs, I received the error message "HTTP Input data endpoint server cannot be started." when creating a new HTTP Event Collector. Even though the HTTP record was created with a pre-assigned token value, the token doesn't allow the connection where it's used (an F5-VPN appliance in this case).
Has anyone resolved this issue?
Thanks,
04-22-2020
09:48 AM
Hi - I have the same need. Have you figured out how to make it work? Please share.
Thanks,
04-22-2020
05:40 AM
Thank you all. The issue was that the Linux admin renamed the file splunkd.pid and assumed this file would be recreated once Splunk restarted, but it wasn't. Renaming the file back to its original name doesn't work, so this file needs to be manually recreated.
Thanks,
04-21-2020
04:35 PM
Hello, I think there is a permission issue after my Linux system admin changed access to a directory. Now my SH has stopped. Whether I run splunk status or start, I receive the error message:
```
Removing stale pid file... Can't unlink pid file "/opt/splunk/var/run/splunk/splunkd.pid": Permission denied
```
My splunkd.pid file permissions are set as follows:
```
-rwxrwxrwx. 1 splunk splunk 364 Apr 21 10:50 splunkd.pid
```
Has anyone resolved the same issue?
Thank you,
Labels: permissions
04-16-2020
07:06 PM
Interesting, but it only goes back 48 hours. How can I make it 7 days, or use a time picker?
My search is:
```
index=wineventlog earliest=-48h
| eval _time=if(_time>relative_time(now(), "-24h"),now(),relative_time(now(), "-24h"))
| timechart span=24h count by login_status
```
Thanks,
04-03-2020
01:58 PM
Hello,
I have DB Connect configured so that I can select a table and run a SQL query, something simple like: SELECT * FROM db1.table1
I see the fields listed under "Choose Column" for Timestamp, and I also increased the Query Timeout. But no data or table shows up below the SQL Editor, and when I hover over the running bar it says 20% and stops there. When I click Next, it says: "One or more fields are invalid, please fix them before go next".
What am I doing wrong here?
Thank you in advance.
04-02-2020
06:37 AM
Hi,
How can I regex <Type> Read Only </Type> to get "Read Only"? I mean, only yield the text between the tags.
Thanks,
04-01-2020
11:40 AM
That fixed it. Thank you.
03-31-2020
11:53 AM
Wow, I see where it causes confusion. The tags were removed from my original post. That makes both the current and desired outputs the same.
The current output has smaller and greater signs at beginning and these signs with at the end.
03-31-2020
11:48 AM
Sorry for the confusion; here is the detail:
Search: index=index1 | table eventdata
Current output:
```
eventdata
<Type> View </Type>
<Action> Edit </Action>
<Source> Server Name </Source>
```
Desired output:
```
eventdata
View
Edit
Server Name
```
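The tag stripping asked about in this thread (both the `<Type> Read Only </Type>` question and the eventdata table just shown), as an added Python example that is not part of any post here: a regex with a named capture group and a backreference that keeps only the text between a matching tag pair, beside a plain tag-removal helper for the "desired output" column. Splunk's `rex` command accepts the same kind of pattern with `(?<name>...)` groups, whereas Python's `re` spells them `(?P<name>...)`; the sample values below are constructed from the thread.

```python
import re

# Constructed sample values, modelled on the eventdata field shown in the thread.
SAMPLE_EVENTDATA = [
    "<Type> View </Type>",
    "<Action> Edit </Action>",
    "<Source> Server Name </Source>",
    "<Type> Read Only </Type>",
    "no tags here",
]

# Capture the tag name and the text between an opening tag and its matching
# closing tag. The backreference (?P=tag) requires the closing tag to match the
# opening one, so a stray '<' inside the text cannot end the match early, and
# the surrounding \s* trims the padding spaces seen in the sample data.
TAG_RE = re.compile(r"<(?P<tag>\w+)>\s*(?P<value>.*?)\s*</(?P=tag)>", re.DOTALL)


def extract_tag_value(eventdata):
    """Return (tag, value) for the first tag pair in the string.

    If the string carries no tag pair, return (None, input) so the caller can
    still display the raw value instead of an empty field.
    """
    m = TAG_RE.search(eventdata)
    if m is None:
        return None, eventdata.strip()
    return m.group("tag"), m.group("value")


def extract_all(eventdata):
    """Return {tag: value} for every tag pair in one eventdata string."""
    return {m.group("tag"): m.group("value") for m in TAG_RE.finditer(eventdata)}


def strip_tags(eventdata):
    """Drop the tag markup and keep only the inner text (the 'desired output' column)."""
    return re.sub(r"</?\w+>", "", eventdata).strip()


if __name__ == "__main__":
    for raw in SAMPLE_EVENTDATA:
        tag, value = extract_tag_value(raw)
        print(f"{raw!r:35} -> tag={tag!r:10} value={value!r:15} stripped={strip_tags(raw)!r}")
```

The backreference is what makes `extract_tag_value` safer than a bare `<.*?>(.*?)</.*?>`: an opening `<Type>` can only be closed by `</Type>`, so a value such as `a<b` is returned intact rather than being cut at the first angle bracket.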
03-31-2020
09:54 AM
Hi Woodcock,
All I meant is: how can I remove tags .... in a string. For example:
View , I only need my search to return View. The field name is EventData.
Thanks,
03-30-2020
12:12 PM
Sorry, actually the field name is EventData, with values like: View or Edit or Delete
I am trying to only display the text between the tags (View, Edit, or Delete).
Thanks,
03-30-2020
11:55 AM
Hello,
I have a string field like: View
How can I remove the tags so that only View is displayed in the search?
Thanks,
03-25-2020
03:45 PM
This is the key to resolving the nasty issue: port 1025.
THANK YOU.
03-25-2020
02:08 PM
Hello,
It took me a great amount of time to get to what you shared here. My inputs.conf reads as below. The question is, how do you enable/disable this .conf file? Does the keystore_password matter (* or changeme)?
Thank you,
```
[splunk@splunkserver default]$ cat inputs.conf
[server://default]
config_file = ${SPLUNK_HOME}/etc/apps/splunk_app_db_connect/config/dbx_task_server.yml
interval = 5
keystore_password = changeme
start_by_shell = false
[dbxquery://default]
config_file = ${SPLUNK_HOME}/etc/apps/splunk_app_db_connect/config/dbxquery_server.yml
interval = 5
keystore_password = changeme
start_by_shell = false
```
03-06-2020
08:57 AM
Hello,
I am running Splunk Add-on for AWS 4.6.1 and Splunk App for AWS 6.0.0. The majority of the app panels are populated with data, but I also receive this error message on the dashboard:
Some panels may not be displayed correctly because the following inputs have not been configured: CloudTrail.
Or, the saved search "Addon Metadata - Summarize AWS Inputs" is not enabled on Add-on instance.
I have tried to look for this add-on and enable it, but I could not find it. Does anyone have the same issue, and how did you resolve it?
Thank you,
02-20-2020
11:42 AM
Hi,
I installed and configured a UF on a Linux server to send syslog to a Splunk HF. I am now trying to also send an application log on the same server, say /opt/application/applog.log, to the HF. What do I need to modify in the UF .conf file(s)?
Thanks.