Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About anewell
anewell
Path Finder
Member since:
11-15-2010
07-01-2022
Community Statistics
| Posts | 36 |
| Solutions | 2 |
| Karma Given | 65 |
| Karma Received | 15 |
| Member Since | 11-15-2010 |
Activity Feed
- Karma Re: How to upgrade Mongo in Splunk 9.0.0? for amartin6. 07-01-2022 03:28 PM
- Karma Re: Splunk - Example external scripted lookup for jbabbin. 06-05-2020 12:51 AM
- Karma Re: Splunk Add-On for Microsoft IIS Default Settings for mhessel. 06-05-2020 12:49 AM
- Karma Re: Need help executing a script with powershell v3 Modular Input for DennisFFM. 06-05-2020 12:49 AM
- Karma Re: DBConnect 3.1 query with JOINS, Alias', non-* and Rising Column for tmuth_splunk. 06-05-2020 12:49 AM
- Karma Re: GEOIP - Is there a step by step guide to getting this set up? for skoelpin. 06-05-2020 12:49 AM
- Karma Re: [Splunk 7.0.x + Db connect 3.1.2-] Why are some users encountering this error and unable to run dbxquery or use the dbx app? for sylim_splunk. 06-05-2020 12:49 AM
- Karma Re: Where should the kvstore be deployed in a distributed Splunk environment for jwelch_splunk. 06-05-2020 12:49 AM
- Karma Re: Real-time alert is skipped. for woodcock. 06-05-2020 12:49 AM
- Karma Re: eval,passing a value in eval for harsmarvania57. 06-05-2020 12:49 AM
- Karma Re: Using chained eval or separate eval statements, any performance gains? for efavreau. 06-05-2020 12:49 AM
- Karma Re: How to JOIN the same table? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Alert Action = Always is not available via GUI in 6.6 for rphillips_splk. 06-05-2020 12:48 AM
- Karma Re: Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: universal forwarder ipaddress for somesoni2. 06-05-2020 12:48 AM
- Karma Re: After upgrading to 6.5.0, KV Store will not start for jcrabb_splunk. 06-05-2020 12:48 AM
- Got Karma for Re: How to expand macros in a Splunk search?. 06-05-2020 12:48 AM
- Got Karma for Re: How to fix when Okta SAML authorization succeeds but returns to a Splunk 404 error?. 06-05-2020 12:48 AM
- Got Karma for Re: How to fix when Okta SAML authorization succeeds but returns to a Splunk 404 error?. 06-05-2020 12:48 AM
- Karma Re: How do you escape backslashes in user input and then use that user input in a post process search? for dfoster_splunk. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
02-07-2019
10:30 AM
Are you saying that Enosys has taken responsibility for the existing Add-on? Is there any confirmation of that handover from Splunk Inc.? Or is your effort a fork of the existing package? Or a de-novo parallel implementation?
... View more
01-31-2019
12:21 PM
1 Karma
I downvoted this post because i'm really tired of karma-farming responses that are simply "rtfm" links. it degrades the value of all 'answers' activity if the only help anyone ever gets is a link back to documentation that seeker has already read. we've read the docs, and we're here for further clarification or perspective.
... View more
05-31-2018
03:15 PM
I am configuring LDAP authentication against Windows AD, where the users are in groups with names containing a hash character and an arbitrary string:
CN=\#CS foo,OU=division,DC=fabrikam,DC=com
CN=\#CS bar,...
CN=\#CS baz,...
CN=\#CS qux,...
I have a working Static Group Search filter that uses asterisk wildcards to capture the hash sign, and which requires the full name of the CN. Those upstream names occasionally change, and break authentication. It's also a hassle to maintain the long list of OR clauses, for example (|(*CS foo)(*CS bar)(*CS baz)(*CS qux)) is ugly but it works.
I would like to capture #CS * "Hash-Charlie-Sierra-space-Asterisk", but using common backslash or RFC4515 style escape chars, I am getting errors :
(CN=\#CS *) (CN=\#CS foo) and (CN=\23CS foo) returns "Encountered the following error while trying to update: Failed to retrieve a group with these settings."
Any help on crafting a suitable query filter would be warmly appreciated. Splunk Enterprise 7.0.1 on Linux, Windows AD version unknown, presumed old-ish.
... View more
04-19-2018
11:18 AM
Thanks, good question. Yes, Splunk_TA_nix 5.2.3 installed on Seach Head Cluster as well.
I've tried searching the sourcetype directly on the indexer, or from the main SH, or from a different SH w/ the "Splunk App for Unix and Linux" (https://splunkbase.splunk.com/app/273/) installed. In all cases there is no extraction.
I can write the extraction transform myself, but I dislike making local changes to a splunk-provided mainstream TA. I see there is a version 5.2.4 released; perhaps that will help.
... View more
04-18-2018
02:51 PM
We are collecting sourcetype=hardware via the Splunk_TA_nix app (v5.2.3), but the data returned isn't being extracted. The ./bin/hardware.sh script is clearly written to produce tabular data, but I seem to be missing a transform that extracts it properly. Does that transform ship in a different app? Am I doing something wrong? A search-time extraction via multikv isn't useful, as the $1::$2 field naming doesn't happen.
In search, each event looks like this:
KEY VALUE
CPU_TYPE Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
CPU_CACHE 12288 KB
CPU_COUNT 4
HARD_DRIVES sda (Virtual disk) 200 GB;
NIC_TYPE <notAvailable>
NIC_COUNT 1
MEMORY_REAL 16334412 kB
MEMORY_SWAP 16777208 kB
What I want is MEMORY_REAL="16334412 kB" etc.
Splunk Enterprise 7.0.2, Splunk_ta_nix 5.2.3, mix of CentOS 6.7 & Amazon Linux
... View more
05-15-2017
10:27 AM
If you need a solution for a fleet of hosts, where one file might appear in a number of different known locations across different endpoints, due to inconsistent builds or what have you.. Splunk honors Windows environment variables, but does so with "linuxy" syntax. So I have the build orchestration set a system-wide envvar %APPLOGS% to either "C:\path" or "D:\path" on the host, and then do a [monitor://$APPLOGS\file.log] stanza in my inputs.conf. The key is the two different dialects of environment variable.
... View more
05-03-2017
11:47 AM
Noted for posterity and the search spiders: I have this problem with the XML log files generated by Ipswitch WS_FTP.
The problem presents as a huge number of duplicate events collected, counted against license, and shown in search (millions, in my case) , whereas inspecting the actual log files reveals only only hundreds or thousands of events. Piping the events through "... | dedup " reveals the actual number of unique events.
Confirm the issue by running a search which shows the growing time between the events as-written and the time they were (re)indexed:
... | eval delta=(_time - _indextime) | timechart avg(delta) span=15m
... View more
01-17-2017
01:38 PM
I am tasked with consuming a number of XML config files, which contain many key value pairs, but where the semantically useful KV pairs are obscured by literal KV pairs that are not useful. For example:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appSettings>
<add key="John" value="Guitar"/>
<add key="Paul" value="Bass"/>
<add key="George" value="Guitar"/>
<add key="Ringo" value="Drums"/>
</appSettings>
</configuration>
I would like to extract the data as: John=Guitar, Paul=Bass, George=Guitar, Ringo=Drums ... There are dozens of these keys.
I am attempting index-time extraction because I read that search-time extraction can not concatenate event segments into a field name If there were a search-time method, that would be preferred, of course.
Props.conf
[fab]
BREAK_ONLY_BEFORE = NEVER_BREAK
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
category = Custom
description = Example XML
disabled = false
TRANSFORMS-xml1 = xml1
KV_MODE = none
Transforms.conf
[xml1]
REGEX = [\s+]<add\skey=\"(\w+)\"\svalue=\"(.*)\"\s\/>
FORMAT = $1::$2
WRITE_META = true
REPEAT_MATCH = true
LOOKAHEAD = 4096
Regex101.com validates the regex does capture the groups I want, but I'm not seeing any extracted fields in Spunk Web. What am I missing? I am working in Splunk Enterprise 6.5.1. TIA!
... View more
09-16-2016
10:20 AM
We're facing the same timezone spanning problem, and I had also dreamed up the the 'dummy user' solution. I was looking for evidence of prior art, so thank you for the confirmation, MuS!
... View more
This is resolved. Our Okta admin used the Splunk connector app found in Okta (the one with the big, obvious SPLUNK > logo on it.) That turns out to be a "community supported" app, and does not work with Splunk Enterprise 6.4.3. We created a generic SAML connector in Okta and it worked on the first try, returning the user to the proper Launcher dashboard.
... View more
09-09-2016
02:09 PM
We configured Splunk Enterprise 6.4.2 for SAML authentication following the latest documentation, and while the basic authentication & authorization succeeds, the SSO process then drops the user into a Splunk URI that is a 404 error:
https://splunkserver:8000/en-US/secret/endpoint/postResponse
404 Not Found
Return to Splunk home page
Page not found!
View more information about your request (request ID = [snip]) in Search
This page was linked to from https://[SSO.provider]/app/splunk/[token]/sso/saml.
You are using [splunk]:8000, which is connected to splunkd @[snip] at https://127.0.0.1:8089 on Mon Aug 8 16:17:18 2016.
How do I fix this?
... View more
05-23-2016
12:43 PM
D'oh! ...and it saves wear and tear on my Shift key! Thanks.
... View more
05-20-2016
12:54 PM
Convert the comment to an answer and I'll happy award your well-earned imaginary internet points!
... View more
05-20-2016
12:45 PM
The rename works:
| rename Working_Set_-_Private AS AlphaOnly | eval KB=(AlphaOnly/1024) | table KB
Quoting the field name results in an implicit typeconversion, and throws "Error in 'eval' command: Typechecking failed. '/' only takes numbers."
Thanks for the rename suggestion.
... View more
05-20-2016
12:19 PM
I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. Normally, I would simply eval the value, but that's not returning anything. Is there something different about the way that multikv keynames are extracted that doesn't work with a subsequent eval? How can I display the value in KB?
Search:
sourcetype="PerfmonMK:Process_SSRS" | eval MemKB=(Working_Set_-_Private/1024)
_raw (5th field is of interest):
reportingservicesservice 0 1500 47 86646784 0.52650612403541508 0.59231938953984198
Inputs.conf
[perfmon://Process_SSRS]
interval = 60
object = Process
counters = % Processor Time; ID Process; Thread Count; Working Set - Private; IO Read Operations/sec; IO Write Operations/sec
instances = reportingservicesservice
index= perfmon
disabled = 0
useEnglishOnly = true
showZeroValue = true
mode = multikv
Splunk Enterprise 6.3.3 on both Indexer and Universal Forwarder.
... View more
02-05-2016
03:56 PM
4 Karma
We have a long-serving, much-upgraded server too. The trick that did it for me was to regenerate the certs with the following command:
cd /opt/splunk/etc/auth && /opt/splunk/bin/splunk createssl server-cert -d . -n server
... View more
06-24-2015
11:35 AM
My raw data includes a field "source=SoftwareSubsystemFoo" , a name which overlaps the default 'source' field. In the past, I had the same issue and I dimly recall that the overlapping field was renamed something like '_extracted_source' . As an underscored fieldname it was hidden from the UI unless requested directly with the | fields search command. I can't find the details in my notes, and my search-fu is failing.
Does this remapped field name exist? What is it?
An alternate solution would be to create a transform, but I have a large and variable number of sourcetypes which might have namespace collisions, and I'd prefer an automatic solution, particularly if it were already happening in the background.
Reference: http://answers.splunk.com/answers/26243/source-as-fieldname.html
... View more
05-21-2015
03:41 PM
Thank you! I've just spent 30 minutes googling unsuccessfully for this particular tidbit of information. I knew the TA had been rolled into the window SUF package, but could not find that mentioned in any release notes.
... View more
11-19-2014
02:48 PM
We have a Deployment server within our Splunk estate. For a variety of political & operational reasons, we have decided to do endpoint configuration management using different tools.
How do I decommission a Deployment Server without removing the Apps it has deployed? I do not want to disturb the existing configuration state for client endpoints. Am I looking at removing deploymentclient.conf from each endpoint individually? It seems that any other approach - Removing server classes, removing apps, etc. will result in client endpoints deleting their local copy of the app.
One approach I was considering - Would it work if I point the DNS record for my existing DS to a new Deployment Server instance, one that is minimally configured. Does that result in the endpoint removing the apps managed by the prior DS?
Thanks for any thoughts or guidance.
... View more
10-23-2014
03:37 PM
2 Karma
Found a workaround, in the form of a scripted input run on the forwarder. (The regex is to select IIS-related counters, which happen to be what I'm after)
The script outputs a table of each IIS process and it's "# Gen 2 Collections" perfmon counter:
#! powershell
$gc2 = get-counter -Counter "\.NET CLR Memory(w3wp*)\# Gen 2 Collections"
[regex]$regex = 'w3wp(\#\d)?'
$arrCounterPath = $gc2.CounterSamples | %{ $regex.match($_.Path) } | %{$_.value}
$output = @{}
for ($i=0; $i -lt $gc2.CounterSamples.count; $i++) {
$output.add($arrCounterPath[$i], $gc2.CounterSamples[$i].CookedValue)
}
# tabular output is fine for splunk; run through "multikv" search command.
write-output $output
... View more
10-13-2014
04:27 PM
The markup for my Reference link isn't rendering properly. Link: http://wutils.com/wmi/root/CIMV2/CIM_StatisticalInformation/Win32_Perf/Win32_PerfFormattedData/Win32_PerfFormattedData_NETFramework_NETCLRMemory.html
... View more
10-13-2014
04:22 PM
I am attempting to collect perfmon counters to track garbage collection in a .NET application. I can create the counter locally in the Windows perfmon GUI, so I believe the data ought to be exposed to the Splunk perfmon modular input. However, the inputs.conf stanza I've created does not work, and returns no errors.
[perfmon://NETGarbageCollection]
counters = NumberGen2Collections
disabled = false
instances = *
interval = 60
object = Win32_PerfFormattedData_NETFramework_NETCLRMemory
index = test
I have also tried running a WMI query directly from the splunk-wmi.exe helper executable (a technique I've used successfully before)
PS C:\Program Files\SplunkUniversalForwarder\bin> & .\splunk-wmi.exe -wql "SELECT * FROM Win32_PerfFormattedData_NETFram
ework_NETCLRMemory"
Clean shutdown completed.
PS C:\Program Files\SplunkUniversalForwarder\bin> & .\splunk-wmi.exe -wql "SELECT NumberGen2Collections FROM Win32_PerfF
ormattedData_NETFramework_NETCLRMemory"
Clean shutdown completed.
My developers are hoping to use the counter information to debug a problem in our production software, and so there is considerable interest in getting this working.
I am collecting perfmon on a Universal Forwarder which is otherwise working as expected. Indexer and forwarder are both running Splunk 6.0.3, OS is Windows server 2012, .NET is 4.5. I've been taking my perfmon counter names and object paths from this reference.
Thanks!
... View more
04-04-2014
12:28 PM
1 Karma
Well, I solved my problem, but I'm still puzzled by the original design, and I've learned an important lesson: Don't deliver "Community Supported" Splunk apps to your executives.
I have an existing S3 bucket where billing data is being delivered (the data is being consumed by other parties, and so cannot be moved). The " get_bill.py " script delivered from Splunkbase tries to create a new bucket, and this was colliding with my existing bucket. The fix is to change the boto call from create to get on line 45 of get_bill.py:
a = conn.create_bucket(s3bucket1)
becomes
a = conn.get_bucket(s3bucket1)
... View more
04-03-2014
04:05 PM
I am trying to get the AWS app working, and I'm finding the "documentation" to be... delphic.
For the billing aspect - When I manually run the get_bill.py script, it returns:
[root@host local]# $SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/SplunkAppforAWS/bin/get_bill.py
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/get_bill.py", line 45, in <module>
a = conn.create_bucket(s3bucket1)
File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/boto/s3/connection.py", line 499, in create_bucket
response.status, response.reason, body)
boto.exception.S3CreateError: S3CreateError: 409 Conflict
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>BucketAlreadyOwnedByYou</Code><Message>Your previous request to create the named bucket succeeded and you already own it.</Message><BucketName>billbucket</BucketName><RequestId>XXXXXXEDFB3E00AB</RequestId><HostId>XXXXXXxXOBGQyAP5Qpj1qIgXXXXXO+kJ0bk6hU7Wo7/F1uZZVvXXXXXXhi5+uHpUYzza9</HostId></Error>
My s3 bucket exists, is named in lowercase, and contains billing csv files that match the regex in the script. (As an aside, it's puzzling that a script which intends to gather and parse CSV files would attempt to create an S3 bucket, but there it is.)
How do I make this work?
Environment: Splunk 6.0.1 (build 189883) on CentOS release 6.5 (Final), and no luck with Windows 2008R2, either.
... View more
- Tags:
- Splunk App for AWS
05-20-2013
10:36 AM
I'm using translatefix too. To set your expectations: In my experience, the translated fields are not subsequently extracted and indexed. For example, I can search "MsgType=Execution" as a string, but I can't search "MsgType!=Heartbeat" because it's not extracted as a key/value pair. I discussed it with a Splunk Sales Engineer, he had a trick to dump the translated fields back into the raw index (?) but I've lost the notes I took that day (arrrgh!).. I've not had the time or talent to revisit the problem, but I would be grateful for anybody who could.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-01-2022
08:28 PM
|
Karma from
