Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About rewritex
rewritex
Contributor
Member since:
01-25-2016
02-18-2026
Community Statistics
| Posts | 98 |
| Solutions | 10 |
| Karma Given | 7 |
| Karma Received | 17 |
| Member Since | 01-25-2016 |
Activity Feed
- Posted Re: How to copy/forward logs weekly to frozen archive? on Splunk Enterprise. 02-23-2022 02:27 PM
- Posted Re: How to copy/forward logs weekly to frozen archive? on Splunk Enterprise. 02-23-2022 01:20 PM
- Posted How to copy/forward logs weekly to frozen archive? on Splunk Enterprise. 02-23-2022 09:45 AM
- Tagged How to copy/forward logs weekly to frozen archive? on Splunk Enterprise. 02-23-2022 09:45 AM
- Posted Re: how do I unquarantine a indexer on Splunk Enterprise. 10-16-2020 10:02 AM
- Posted Re: how do I unquarantine a indexer on Splunk Enterprise. 10-16-2020 10:00 AM
- Posted how do I unquarantine a indexer on Splunk Enterprise. 10-12-2020 03:46 PM
- Posted Unable to send data to a remote on-network server or UNC path on Installation. 10-08-2020 03:21 PM
- Got Karma for Re: Summary indexing. 10-02-2020 04:06 PM
- Karma Re: timestamp and line breaks for s2_splunk. 06-05-2020 12:49 AM
- Got Karma for Re: timestamp and line breaks. 06-05-2020 12:49 AM
- Karma Re: How to restrict access for multiple types of logs and grant permissions for appropriate groups? for Richfez. 06-05-2020 12:48 AM
- Karma Re: How to save an eval urldecode as a field in Splunk 6.3.3? for cramasta. 06-05-2020 12:48 AM
- Karma Re: How to troubleshoot why previously working scheduled reports and new scheduled searches are not running? for jkat54. 06-05-2020 12:48 AM
- Karma Re: How to edit my regular expression to extract a field that comes before \r\n in my sample data? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Is there a way to migrate indexed data from a legacy standalone indexer to a new indexer cluster?. 06-05-2020 12:48 AM
- Got Karma for Do I need frozen storage?. 06-05-2020 12:48 AM
- Got Karma for Do I need frozen storage?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does Splunk (re-)index this rolled file? How to troubleshoot?. 06-05-2020 12:48 AM
- Got Karma for Re: Why does Splunk (re-)index this rolled file? How to troubleshoot?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-23-2022
02:27 PM
Lol, I wasn't searching with the correct words "hot / warm buckets". Thank you for the assistance!
... View more
02-23-2022
01:20 PM
Thank you for the reply. I guess I'm not asking my question correctly..... Policy 1) 90-day - searchable data (HOT/WARM/COLD) 2) 90-day - frozenTimePeriodInSecs = 7776000 (move data or if 3) is used, delete data) 3) ?? 7-days - Weekly Powershell script to back-up/copy logs to remote store My question on for 3) to compensate for some infrastructure issues, I want to back-up the indexed data sooner then waiting for the 2) frozentimeperiodinsecs. This may not be a feasible idea or make logical sense but this is where I'm at, at the moment and trying to think through it. I have setup an index cluster with servers on different network segments to help with single point of failures so I'm hoping I can just depend on the standard 2) frozentimeperiodinsecs policy to move data to frozen remote storage. Thanks again, Sean
... View more
02-23-2022
09:45 AM
Hello,
I'm trying to figure out how to do 3 months of HOT/WARM/COLD indexing but copy/forward logs every week to my frozen archive located in a separate location. I'm trying to compensate for some issues we are having with our infrastructure uptime.
Q: Does this make sense and is this possible? Could anyone provide examples or advice? Q: Is there a difference is storage space used by sending data in weekly vs monthly(or every 90 days)?
Also, Splunk is installed into a Windows Environment.
Thank You, Sean
... View more
Labels
10-16-2020
10:02 AM
Thank you for the reply. This settings area was blank but I ended up having to manually adjust the distsearch.conf file within the master server to remove the server from quarantine.
... View more
10-16-2020
10:00 AM
I had to remove the entries in the $SPLUNK_HOME/etc/system/local/distsearch.conf within the master server and restarted. I then went into the monitoring console -> Settings -> enabled the indexer -> corrected the roll to only-indexer -> applied changes. Now the monitoring console looks good. [distributedSearch] disabled = 0 disabled_servers = https://<server01>:8089 <---- Removed this quarantined_servers = https://<server01>:8089 <---- Removed this
... View more
10-12-2020
03:46 PM
I've recently had to take an indexer offline while I worked on storage so I ended up putting it into quarantine until things were resolved. Now that things are resolved, I can't seem the indexer is receive data but I still have the below error within the monitoring console: "One or more peers has been excluded from the search because they have been quarantined. Use "splunk_server=*" to search these peers. This might affect search performance." My cluster manager now sees both indexers (01 and 02) in this group but the there are still errors suggesting the 02 indexer is still quarantined. The indexer02 was the one quarantined which is now receiving data and shows up in the monitoring console but with the above error Any advice on how to unquarantine this indexer or resolve this message? I've tried to fiddle around with this DOC but I can't seem to find the correct syntax for the indexer https://docs.splunk.com/Documentation/Splunk/8.0.6/DistSearch/Quarantineasearchpeer Thanks, Sean
... View more
Labels
10-08-2020
03:21 PM
I want to send indexed data to another server but I'm running into an error of unable to create/find path. Q: Is this a permissions issue? Q: Maybe this is a syntax error? ….. Any advice would be helpful. Thank you! Info: - Windows 2016 environment - I have two servers setup with UNC paths of \\server01\hotwarmstorage and \\server02\coldstorage that use a service account credential (ie svcSplunk) to gain access. - Splunk is installed using the SYSTEM account. - I've tried to use the UNC path and also mapped the storage drives to Y: and Z: on the indexers and master - While on the indexer and in CMD I can do y: to access the network path Errors: 1) Failed to create directory 'Y:\hotwarmstorage\index-test\db' (The system cannot find the path specified.); 2) \\server01\hotwarmstorage\index-test\db' (The specified path is invalid) 3) I've tried a non-credentialed network path \\server03\splunkstorage and I get an error '\\server03\splunkstorage\index-test\db' (Cannot create a file when that file already exists.); Master indexes.conf attempts Attempt 1): [volume:seam_test_hotwarm] path = Y:\hotwarmstorage Attempt 2): [volume:seam_test_hotwarm] path = \\server01\hotwarmstorage Index - indexes.conf: [index-test] repFactor = 0 homePath = volume:seam_test_hotwarm/index-test/db
... View more
04-22-2020
11:19 AM
Thanks for the asking. Yes, I believe I've installed and updated the add-on and configs correctly.
I followed the relevant instructions from https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration. Within the auditd Splunk app, I click into the configure menu and everything is populating in there as expected. I am not ingesting TTY logs.
... View more
04-22-2020
09:58 AM
Hello,
I've installed the Linux Auditd app https://splunkbase.splunk.com/app/2642/ and I'm pulling auditd logs into Splunk. Once a user goes into root "su root", the events are logged by the app but I can't group the events together with the corresponding user. Other questions about the app suggest this should be done out of the box, so I guess there is something I need to change. I am interested in results similar to when we run "ausearch -ui" where the elevated "su -" events are grouped together with sudo and regular events by a/uid. Any advice or links to knowledge are appreciated! Thank you, -Sean
I have run through the configure option within the app and everything seems to be populating correctly.
--------------- sample log -----------------
2020-04-20T14:13:28.243-0700 type=PROCTITLE msg=audit(1587417208.243:33451): proctitle=636861747472002B61002F726F6F742F2E626173685F686973746F72792E616C696D6D2D61
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33451): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33451): item=0 name="/usr/bin/chattr" inode=405135 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=CWD msg=audit(1587417208.243:33451): cwd="/root"
2020-04-20T14:13:28.243-0700 type=EXECVE msg=audit(1587417208.243:33451): argc=3 a0="chattr" a1="+a" a2="/root/.bash_history.ali12"
2020-04-20T14:13:28.243-0700 type=SYSCALL msg=audit(1587417208.243:33451): arch=80000016 syscall=11 success=yes exit=0 a0=1ca3b8d0 a1=1ca4dd20 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55675 pid=55721 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="chattr" exe="/usr/bin/chattr" key=(null)
2020-04-20T14:13:28.243-0700 type=PROCTITLE msg=audit(1587417208.243:33450): proctitle="logname"
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33450): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=PATH msg=audit(1587417208.243:33450): item=0 name="/usr/bin/logname" inode=405524 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:28.243-0700 type=CWD msg=audit(1587417208.243:33450): cwd="/root"
2020-04-20T14:13:28.243-0700 type=EXECVE msg=audit(1587417208.243:33450): argc=1 a0="logname"
2020-04-20T14:13:28.243-0700 type=SYSCALL msg=audit(1587417208.243:33450): arch=80000016 syscall=11 success=yes exit=0 a0=1ca38c60 a1=1c912b90 a2=1ca4a0b0 a3=3ffa0d79710 items=2 ppid=55719 pid=55720 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="logname" exe="/usr/bin/logname" key=(null)
2020-04-20T14:13:39.293-0700 type=PROCTITLE msg=audit(1587417219.293:33452): proctitle=617564697463746C002D6C
2020-04-20T14:13:39.293-0700 type=PATH msg=audit(1587417219.293:33452): item=1 name="/lib/ld64.so.1" inode=155 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:39.293-0700 type=PATH msg=audit(1587417219.293:33452): item=0 name="/sbin/auditctl" inode=420444 dev=fe:00 mode=0100750 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
2020-04-20T14:13:39.293-0700 type=CWD msg=audit(1587417219.293:33452): cwd="/root"
2020-04-20T14:13:39.293-0700 type=EXECVE msg=audit(1587417219.293:33452): argc=2 a0="auditctl" a1="-l"
2020-04-20T14:13:39.293-0700 type=SYSCALL msg=audit(1587417219.293:33452): arch=80000016 syscall=11 success=yes exit=0 a0=1ca5f0b0 a1=1ca5e8f0 a2=1ca778a0 a3=3ffa0d79710 items=2 ppid=55675 pid=55727 auid=1503413 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=602 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
... View more
04-08-2020
05:16 PM
So it turns out this old blog post fixed my issue. https://www.splunk.com/en_us/blog/tips-and-tricks/cannot-search-based-on-an-extracted-field.html entitled "Cannot search based on an extracted field" There seems to be an issue when I try to create the extraction for MF3 and MF4 ...
I created a fields.conf file within the app folder on the search head ... (ie ...\apps\MF-Servers\local\fields.conf ... and added the stanza for the fields giving issues and it worked
========== The fields.conf file: ========
[mf3]
INDEXED_VALUE = False
[mf4]
INDEXED_VALUE = False
I also found some specific field lengths so I expanded on my rex - "(^(?P<mf01>\d+\s\d+).{6}(?P<mf02>.{5}).(?P<mf02a>.{8}).(?P<mf3>.{9})(?<mf4>.).(?<mf5>.+)(?P<mf6>[0-2][0-9]:[0-9][0-9]:[0-9][0-9])$)"
... View more
04-07-2020
06:32 PM
Thanks for the input, i'll try the props.conf suggestion
| search mf_status=W OR mf_status=I ... this should read | search mf4=W OR mf4=I
I've updated the original post.
... View more
04-07-2020
03:34 PM
Basically, when I try to search for mf4 values on their own, index="sean-testing" mf4=w, the data found is zero or blank but if I use the full search with rex as seen below then click the mf4 value from the table view, the full event data will come up. I use regex101.com to drop the rex into the expression line and the data sample, one at a time, into the test sample box to test things out.
*Q: I'm thinking that I need to place this field extraction in a promps as a report or extract on the indexers? *
Any advice, examples or links to a better understanding would be great! Thank you. -Sean
full Search with rex
index="sean-testing" sourcetype="mfsource1"
| rex "\s{2}(?P<mf1>\d+)\s(?P<mf2>.{8})\s(?P<mf3>\S{10}){1}(?P<mf4>\S+)\s(?P<mf5>.+)[0-2][0-9]:[0-9][0-9]:[0-9][0-9]$"
| search mf4=W OR mf4=I
| table _time mf1 mf2 mf3 mf4 mf5
Event Data Sample 1
200401 07595444 17476 CARDS5 EXSFJM1083I EJM1: Using LWASP provider module "LWASP32.DLL", from API version 2009 07:59:54
Event Data Sample 2
200331 18250270 1764 CARDS1 CASHO00200I AB2P XA interface loaded. Name(AB2 for WINDOWS), Registration Mode(Dynamic) 18:25:02
Event Data Sample 3
200331 18250131 6508 CARDS3 CASZS50110W Failed to open port 21661 for TCPIPSERVICE ZTGIPP1 18:25:01
sourcetype
Basic stuff - break at everyline, no regex added
... View more
03-09-2020
03:14 PM
I am looking for guidance and advise for setting up limits and/or ulimits like settings for a Windows server 2016 installation. I've modified ulimits in a Linux installation(just set unlimited) but i'm not quite clear if this is a thing in a Windows install. The plan is to pull in a 2-3 eventID from the security WinEvent logs for phase 1 while pushing down .conf files and the Windows_TA app. Future phases will be to increased the WinEvents data-in logs.
Q: Do I need to worry about "ulimits" or the similar setting in the Windows environment? For Splunk core and Forwarders?
Q: Do I need to modify the ulimits like feature in all of the windows components and forwarders or just the indexers?
Q: I'm assuming I will be able to push the limits.conf down to the forwarders if I need to set those limits?
Q: I've modified the phone_home to 5 minutes. Should I expect a huge bandwidth spike in phase 1 or phase 2
Q: Any other configurations I should review to make this deployment smoother and/or not crash the gibson?
Current Environment:
1xSH(WIN)
2xIndexer(WIN) (distrubuted, load balanced by time, not clustered),
1xMaster(WIN)
1xDeployment(Linux)
1xHeavyForwarder(Linux)
I am deploying in two phases.
1st phase is 400-500 Windows forwarders - pulling 2-3 eventIDs
2nd phase is 4000 Windows forwarders - pulling 2-3 eventIDs
Thank You,
Sean
... View more
12-11-2019
04:49 PM
After running the splunk list monitor command from a s390x sles12 machine, it runs the command fine but displays 8 rows of entries in the post status lines saying ""request for members failed failed!" ... Does anyone know what that means?
ServerHostName:/opt/splunkforwarder/bin #./splunk list monitor
Splunk username: admin
Password:
Request for members failed failed!
Request for members failed failed!
Request for members failed failed!
Request for members failed failed!
Request for members failed failed!
Request for members failed failed!
Request for members failed failed!
Request for members failed failed!
Monitored Directories:
[No directories monitored.]
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log/audit/audit.log
... View more
12-11-2019
04:41 PM
Hello,
We have utilized the user-seed.conf correctly and it worked fine a couple months ago but we just noticed that the user-seed.conf file has disappeared. In reading the documentation it states "Use this file to create an initial login." so we are guessing its a sort of one-time use file and is removed. We want to have the file stay around longer so we can integrate it into scripts so the plan is to just put the contents into another file that will not disappear.
Q: Is or does the user-seed.conf disappear after use?
Thanks,
Sean
... View more
05-30-2018
09:36 AM
I would like advice on how to unset my dashboard token whenever a new search timeframe is selected using the timepicker.
Thank you
<form>
<label>Dashboard Example</label>
<fieldset submitButton="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
... View more
02-12-2018
04:48 PM
I ended up scrapping the lookup-table portion of the project and just uploaded the .csv into a new index. During the add-data wizard it found the expiration field and automatically mapped it. I corrected the timestamp pattern and now the timepicker is working for future and past timeframes.
The project was to track expiring ICA certificates
I exported a years worth of Internal Certificate Authority (ICA) expiring certificates and imported them into Splunk.
certutil -view -restrict "notAfter>=1/01/2018,notAfter<=2/01/2018" -out "Issued Common Name,Issued Organization,Certificate Expiration Date,Issued Email Address" >> 2018_jan
certutil -view -restrict "notAfter>=2/01/2018,notAfter<=3/01/2018" -out "Issued Common Name,Issued Organization,Certificate Expiration Date,Issued Email Address" >> 2018_feb
etc
... View more
02-07-2018
02:11 PM
Thank you for the response. I've went ahead just tested a few different variations of the settings...
max=10/min=0, max=0/min=10,max/min=5, etc and adjusted the timepicker to a specific date and time with +/- 1 second ... still no luck. I still see all table results.
I search for the 01/06/2017 5:13 line item with a timepicker between 01/06/2017 5:12 and 01/06/2017 5:14 while updating the transforms.conf for different min/max settings. I also tried ... | extract reload=T and a reboot.
... View more
02-06-2018
12:07 PM
I'm trying to configure a time-based lookup (temporal lookup) but it doesn't seem to be working as expected. Any advice would be great. Thanks! I'm using the Expiration field to configure time-based lookups.
1) I've tried with and without the _offset parameters .
2) Table and definitions Permissions are set to App.
3) The definitions fields are: Expiration,Common_Name,Organization,Organization_Unit,Serial_Number,Email Address
4) The transforms.conf is on the SH
transforms.conf
[ICA_Definitions]
batch_index_query = 0
case_sensitive_match = 1
filename = 2018_ICA_Certs.csv
time_field = **Expiration**
time_format = %m/%d/%Y %H:%M
max_offset_secs = 10
min_offset_secs = 0
... View more
09-21-2017
05:54 PM
1 Karma
I had to modify the props.conf on the cluster/indexers and that seemed to get it working. I was in the SH mucking around with the props.conf
Thanks for the reminder.
$SPLUNK_HOME$/etc/master-apps/_cluster/local/props.conf
BREAK_ONLY_BEFORE=DATATYPE::
SHOULD_LINEMERGE = false
TIME_FORMAT = %s
TIME_PREFIX = TIMET::
... View more
09-21-2017
04:34 PM
The timestamp and linebreaking doesn't seem to be working as expected. They are nagios/pnp4nagios logs.
I get a burst of events similar to the below data every few seconds/minutes and it seems the first line of each data burst is being recognized for the TIMET timestamp but all other events within that data burst aren't being handled correctly.
TIMET::1506034709 = timestamp in epoch time
DATATYPE:: = start/end of event
Data is sent in this format: DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\t
Here's the data:
DATATYPE::HOSTPERFDATA TIMET::1506034709 HOSTNAME::host1 HOSTPERFDATA::time=0.000342s;;;0.000000;20.000000 HOSTCHECKCOMMAND::check_tcp!255.255.25.25!443 HOSTSTATE::UP HOSTSTATETYPE::HARD HOSTOUTPUT::TCP OK - 0.000 second response time on 255.255.25.25 port 443
DATATYPE::HOSTPERFDATA TIMET::1506034713 HOSTNAME::host2 HOSTPERFDATA::time=0.000368s;;;0.000000;20.000000 HOSTCHECKCOMMAND::check_tcp!255.255.25.256!443 HOSTSTATE::UP HOSTSTATETYPE::HARD HOSTOUTPUT::TCP OK - 0.000 second response time on 255.255.25.256 port 443
Here's the sourcetype config: - timestamp/linebreak
[nagios:core:perfdata]
event_breaks: (I've tried auto and every line)
BREAK_ONLY_BEFORE = ([\r\n]+)DATATYPE
SHOULD_LINEMERGE = true
TIME_FORMAT = %s
TIME_PREFIX = TIMET::
lookahead 128
... View more
08-03-2017
10:16 AM
Thanks for the response cuesllo. I put the full explanation in the previous comment. I whitelist the rolled files to help with data loss or network downtime. Sourcetype=index1 is fake, I changed it just for this post.
... View more
08-03-2017
10:15 AM
Thanks. You seem to respond and answer the majority of my questions on the board.
The original idea was to monitor the directory to help fight data loss between the Host and the indexer cluster. If the connection between the the host and cluster went down, I wanted Splunk to automatically pick backup where it left off when service was resolved and scan the rotated logs to pull in the data it needed to fill in the blanks from the downtime.
I researched the forums and Splunk docs information to setup the inputs.conf to monitor the logfile and rolling log files to manage the above scenario. I was under the impression the rotated log would not be read because the CRC check would match and handle it in such a way for it not to be read again.
... View more
08-01-2017
03:24 PM
Logs land in the logfile on the syslog server and logrotate/timestamp.script runs to roll the logs.
The problem I am having is duplicate data is coming into the Splunk index. Splunk seems to be reading rolled .bz2 file as new data while also reading the logfile as new data. Below are my configurations. Any ideas? Thanks.
inputs.conf is below:
[monitor:///logs/f5-host1/]
_TCP_ROUTING = group1
disabled = false
host = host1
index = index1
sourcetype = index1
whitelist = \.bz2$|/logfile$
ignoreOlderThan = 20d
The log folder is below:
-rw------- 1 Logz Logz 97138 Aug 1 13:04 f5-host1.2017-08-01-12.bz2
-rw------- 1 Logz Logz 105819 Aug 1 14:05 f5-host1.2017-08-01-13.bz2
-rw------- 1 Logz Logz 95384 Aug 1 15:05 f5-host1.2017-08-01-14.bz2
-rw------- 1 Logz Logz 342285 Aug 1 15:16 logfile
... View more
08-01-2017
03:11 PM
1 Karma
Hello Jon... Any luck with an answer or resolution on this issue?
... View more
