Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ww9rivers
ww9rivers
Communicator
Member since:
07-27-2011
2 weeks ago
Community Statistics
| Posts | 90 |
| Solutions | 5 |
| Karma Given | 21 |
| Karma Received | 20 |
| Member Since | 07-27-2011 |
Activity Feed
- Posted TA-asngen for Splunk Cloud? on All Apps and Add-ons. 2 weeks ago
- Posted Does Splunk have a problem with token authentication and SAML? on Security. 08-30-2023 10:06 PM
- Got Karma for Re: Creating a search job using the REST API. 08-20-2023 11:28 PM
- Posted Re: Creating a search job using the REST API on Other Usage. 08-20-2023 08:04 PM
- Posted Re: Creating a search job using the REST API on Other Usage. 08-10-2023 09:32 AM
- Posted Re: Creating a search job using the REST API on Other Usage. 07-21-2023 07:06 AM
- Posted How can I create a search job using the REST API? on Other Usage. 07-20-2023 08:46 PM
- Posted Error installing acs-cli using linuxbrew on Splunk Cloud Platform. 11-29-2022 09:30 PM
- Posted Re: Unable to delete dashboards in an app on Dashboards & Visualizations. 11-27-2022 10:04 AM
- Posted Re: Unable to delete dashboards in an app on Dashboards & Visualizations. 11-24-2022 03:29 PM
- Tagged Unable to delete dashboards in an app on Dashboards & Visualizations. 11-24-2022 09:14 AM
- Posted Unable to delete dashboards in an app on Dashboards & Visualizations. 11-24-2022 09:09 AM
- Got Karma for Re: 7.3.4 to 9.0.1 upgrade - WARNING: web interface does not seem to be available- How do I resolve this issue?. 09-14-2022 09:28 PM
- Got Karma for Re: 7.3.4 to 9.0.1 upgrade - WARNING: web interface does not seem to be available- How do I resolve this issue?. 09-13-2022 04:17 AM
- Got Karma for Re: 7.3.4 to 9.0.1 upgrade - WARNING: web interface does not seem to be available- How do I resolve this issue?. 08-31-2022 03:02 PM
- Posted Re: 7.3.4 to 9.0.1 upgrade - WARNING: web interface does not seem to be available- How do I resolve this issue? on Installation. 08-31-2022 02:33 PM
- Posted Re: How to extract a field from raw json? on Splunk Search. 08-31-2022 01:47 PM
- Posted [SOLVED] 7.3.4 to 9.0.1 upgrade - WARNING: web interface does not seem to be available- How do I resolve this issue? on Installation. 08-30-2022 11:10 AM
- Posted Re: Unable to access online documentation on Security. 01-06-2022 09:01 AM
- Got Karma for Bug in Splunk_SA_Scientific_Python_linux_x86_64 3.0.1. 01-05-2022 10:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
Our networking team needs to get ASN from public IP addresses. We found the TA-asngen add-on. I put it through splunk-inspect and fixed the failures, added a MaxMind license key in the default/asngen.conf, installed it in our Splunk Cloud instance. When I try to run the `asngen` command, it gives out this error message: Exception at "/opt/splunk/etc/apps/TA-asngen/bin/asngen.py", line 55 : maxmind license_key is required Just wonder if anyone has tried the TA in the cloud. Any thoughts would be much appreciated.
... View more
Labels
- Labels:
-
troubleshooting
08-30-2023
10:06 PM
Splunk seems to have a problem with authenticating a SAML user account using a token. The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist — the script simply starts a search but does not wait for the results. The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid. The problem is shown in the internal log: 07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status.
07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status. The theory on the failure is: The token authentication works with (within) Splunk; But Splunk needs to perform RBAC after authentication. So it does AQR after the authentication; However, when there is no valid, live SAML session, the AQR fails. (AQR = Attribute Query Request) -- in this case, to get the user's group memberships to map to Splunk roles. I wonder if anyone has been able to get token authentication to work for a SAML account? [Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account?
... View more
Labels
- Labels:
-
access control
-
authentication
-
other
-
SAML
08-20-2023
08:04 PM
1 Karma
Got this figured out! The JS version sent the `body` part wrong: It is not supposed to be JSON encoded but HTTP query string encoded. The working version is here in GitHub: https://gist.github.com/ww9rivers/dc3fd9ba8d2817b9fc986aa9457a2b61
... View more
08-10-2023
09:32 AM
There is something missing in my NodeJS code, it seems. This simple Python3 test works (in creating a search job and returning an sid): import os
import requests
# Set up the session with our adapter
SEARCH_ENDPOINT = "https://"+os.environ['SPLUNK_HOST']+":8089/services/search/jobs"
headers = {
'Authorization': 'Bearer '+os.environ['SPLUNK_TOKEN'],
"Accept": "application/json"
}
params = {
"search": "inputcsv search-output.csv",
"output_mode": "json"
}
response = requests.post(SEARCH_ENDPOINT, data=params, headers=headers, verify=True)
print(response.text) But this NodeJS code does not: const SEARCH_ENDPOINT = `https://${process.env.SPLUNK_HOST}:8089/services/search/jobs`;
const data = {
search: "inputcsv search-output.csv",
output_mode: "json"
};
const options = {
method: "POST",
mode: "cors",
cache: "no-cache",
credentials: "same-origin",
headers: {
Authorization: `Bearer ${process.env.SPLUNK_TOKEN}`,
Accept: "application/json"
},
redirect: "follow",
referrerPolicy: "no-referrer",
body: JSON.stringify(data),
};
let response = await fetch(SEARCH_ENDPOINT, options);
console.log(response.status);
console.log(response.body);
console.log(await response.json()); With the same SPLUNK_HOST and SPLUNK_TOKEN values, the Python code produces an output like this: {"sid":"1691684765.268000"} But the NodeJS example returns an XML document. Any thoughts are much appreciated!
... View more
- Tags:
- tests
07-21-2023
07:06 AM
No. Actually, in the answer that you linked, you clearly used "/services/search/jobs/" to create the search: curl -ku <user:pass> https://localhost:8089/services/search/jobs/ -d search=. . . In my case, I am trying to use the same API endpoint to create a search. My search command is not necessarily a "|rest" , rather, it is something like "| inputcsv <some-results>.csv" for most my use cases. Thank you for the thoughts.
... View more
07-20-2023
08:46 PM
Following the documentation here: https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#Create_a_search_job
I expect that a successful REST API call to endpoint "/services/search/jobs" would return a single job ID as the document shows.
However, in my testing, when the call returns with a status of 200 (success), the response data contains an object, which contains 6 keys: Object.keys(jobId) = (6) ['links', 'origin', 'updated', 'generator', 'entry', 'paging']
where, jobId.entry is an array of hundreds of search jobs -- basically the call to create a search job returned a list of all the jobs in the search head.
The code (JavaScript) is in this public repository: https://github.com/ww9rivers/splunk-rest-search
Am I missing anything? Thank you for your insights!
... View more
Labels
- Labels:
-
saved search
-
scheduled search
11-29-2022
09:30 PM
Got these errors while installing acs-cli in WSL/Ubuntu: ==> Installing acs from splunk/tap
==> Installing dependencies for splunk/tap/acs: linux-headers@5.15, glibc, gmp, isl, mpfr, libmpc, lz4, xz, zlib, zstd, binutils and gcc
==> Installing splunk/tap/acs dependency: linux-headers@5.15
==> Pouring linux-headers@5.15--5.15.57.x86_64_linux.bottle.1.tar.gz
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_connmark.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_dscp.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_mark.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_rateest.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_tcpmss.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ecn.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ttl.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv6/ip6t_hl.h': File exists
Error: Failure while executing; `cp -pR /tmp/d20221130-6079-1ef476r/linux-headers@5.15/. /home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15` exited with 1. Here's the output:
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_connmark.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_dscp.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_mark.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_rateest.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter/xt_tcpmss.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ecn.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv4/ipt_ttl.h': File exists
cp: cannot create regular file '/home/linuxbrew/.linuxbrew/Cellar/linux-headers@5.15/5.15.57/include/linux/netfilter_ipv6/ip6t_hl.h': File exists This happened after the "brew install acs" command has gone through 13 downloads of libraries etc. Any help would be much appreciated.
... View more
- Tags:
- acs-cli
Labels
- Labels:
-
administration
-
configuration
11-27-2022
10:04 AM
In my case, all the 6 dashboards currently in the local/ folder all exist in the deployer, so they have been deployed at some point. Why only two of them have the "Move" and "Delete" options? I guess my ultimate question is: What makes the search head cluster nodes decide which dashboards can be deleted and not the others?
... View more
11-24-2022
03:29 PM
I did not check that. I just checked now. All the six dashboards are found on the deployer, also in the local/ folder (I guess it is desired for this app to always be editable by the security team.) -- Furthermore, there are more dashboards on the deployer. The team is cleaning up the app. It seems that they have been able to delete most of what they want to delete. By the way, I have also checked and double checked the permissions on all the dashboards. They all have "write" permission granted to the admin role.
... View more
11-24-2022
09:09 AM
This seems to be a bit strange: We are running Enterprise version 8.1.5 in a search head cluster. A custom app is created for our security team to manage their dashboards, etc. The strange thing is, some of the dashboards cannot be deleted -- there is just no delete (or move) option: I've checked on all the individual nodes in the cluster, they are all in the local/ folder in the app. This is on-prem Splunk Enterprise, so I can manually delete them from all the nodes as an admin. But I would like to understand what I am missing here. I did search for answers here and found this one post. But that is in the Splunk Cloud. So I am not sure if my issue is a bug like that in the posting or not. Thanks for any thoughts / discussions. Happy holidays!
... View more
Labels
- Labels:
-
dashboard
08-31-2022
02:33 PM
3 Karma
Thank you @burwell and @isoutamo for your responses. I believe you are right about the upgrade path. We spend a bit more time on this. There is actually some logging in web_service.log file that provided hints about the problem. The error is in the TA-SMTP-Reputation add-on in our particular case. The TA is probably not compatible with Python 3. After removing the TA from the apps folder, the server starts OK now.
... View more
08-31-2022
01:47 PM
Try this: index=test1 sourcetype=abc
| table detail.trackInformation.correlationId Obviously, you can rename that field if you want to.
... View more
08-30-2022
11:10 AM
I just upgraded a dev instance from 7.3.4 to 9.0.1, and splunkd would start but the web UI stopped working. Found these in splunkd.log: 08-30-2022 12:43:16.300 -0400 ERROR UiPythonFallback [22665 WebuiStartup] - Couldn't start appserver process on port 8065: Appserver at http://127.0.0.1:8065 never started up. Set `appServerProcessLogStderr` to "true" under [settings] in web.conf. Restart, try the operation again, and review splunkd.log for any messages that contain "UiAppServer - From appserver"
08-30-2022 12:43:16.300 -0400 ERROR UiPythonFallback [22665 WebuiStartup] - Couldn't start any appserver processes, UI will probably not function correctly!
08-30-2022 12:43:16.300 -0400 ERROR UiHttpListener [22665 WebuiStartup] - No app server is running, stop initializing http server However, after adding the "appServerProcessLogStderr = true" setting to web.conf, I only see this one line in splunkd.log: 08-30-2022 12:48:53.628 -0400 INFO UiAppServer [28199 appserver-stderr] - Starting stderr collecting thread No message with "UiAppServer" after that. Any thoughts / help would be much appreciated!
... View more
01-06-2022
09:01 AM
I am having the same issue with version 8.1.5. We upgraded from 7.3.4 a few months ago but I don't know if this has happened before. The error message is the same: "Unable to access online documentation. Please ensure docsCheckerBaseURL in web.conf is correct." I get that with any inline help or Help >> Tutorials. So the URL is: https://localhost:8000/en-US/help?location=search_app.tutorial I looked in web.conf using Splunk btool, which is the default setting: app/splunk/etc/system/default/web.conf docsCheckerBaseURL = https://quickdraw.splunk.com/help When I manually put that URL in the browser, I get a complete blank response with status 200. I checked the Chrome browser console in the developer tool. There is no error about client blocking the request. The error messages is in the HTML response. What else can I check? Thanks!
... View more
12-08-2021
07:07 AM
1) As I stated in my first post, I reported that as a bug to Splunk Support. But the support engineer insists that it is not a bug, but a documentation error. I have not been able to convince him/her in any way. 2) The documentation is NOT incorrect as far as reflecting what the Splunk core recognizes as a correct keyword -- note that this stanza works for all other apps as well, not just this app.
... View more
