Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gots
gots
Path Finder
Member since:
02-04-2016
01-10-2021
Community Statistics
| Posts | 25 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 4 |
| Member Since | 02-04-2016 |
Activity Feed
- Got Karma for Re: How to force shcluster member to send config from local dir (e.g. savedsearches.conf) to captain from cli or via rest. 02-04-2021 09:52 AM
- Posted Re: splunk crashing on lookup command on Splunk Search. 01-10-2021 08:10 PM
- Got Karma for Why is splunk crashing on lookup command?. 01-06-2021 06:40 AM
- Karma Re: How to run scripts in Search Head Cluster on an alive node? for richgalloway. 06-05-2020 12:49 AM
- Got Karma for How to force to set certain fields (host and sourcetype) for events from HEC local stanza for each token. 06-05-2020 12:49 AM
- Got Karma for Is it possible to preserve sourcetype, host, and source when using the collect command?. 06-05-2020 12:48 AM
- Karma Re: How to split a transaction? for hexx. 06-05-2020 12:45 AM
- Posted Re: splunk crashing on lookup command on Splunk Search. 02-16-2020 03:29 AM
- Posted Re: splunk crashing on lookup command on Splunk Search. 02-14-2020 12:18 AM
- Posted Re: splunk crashing on lookup command on Splunk Search. 02-14-2020 12:10 AM
- Posted Re: splunk crashing on lookup command on Splunk Search. 02-13-2020 10:44 AM
- Posted Why is splunk crashing on lookup command? on Splunk Search. 02-13-2020 09:32 AM
- Tagged Why is splunk crashing on lookup command? on Splunk Search. 02-13-2020 09:32 AM
- Tagged Why is splunk crashing on lookup command? on Splunk Search. 02-13-2020 09:32 AM
- Tagged Why is splunk crashing on lookup command? on Splunk Search. 02-13-2020 09:32 AM
- Posted Re: Error "The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached" after upgrade to 8.0.1 on Deployment Architecture. 01-08-2020 12:20 AM
- Posted Re: Error "The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached" after upgrade to 8.0.1 on Deployment Architecture. 12-18-2019 08:31 AM
- Posted Re: Error "The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached" after upgrade to 8.0.1 on Deployment Architecture. 12-18-2019 07:33 AM
- Posted Error "The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached" after upgrade to 8.0.1 on Deployment Architecture. 12-18-2019 06:12 AM
- Tagged Error "The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached" after upgrade to 8.0.1 on Deployment Architecture. 12-18-2019 06:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
01-10-2021
08:10 PM
Unfortunately, no. Workaround is to move lookup to kvstore. But it is strange solution for 4 lines csv lookup.
... View more
02-16-2020
03:29 AM
Thank you for your support and advises.
Unfortunately it is not possible to raise case with Splunk.
Ok, we will try to debug ourselves.
... View more
02-14-2020
12:18 AM
I had checked lookup file in hex-editor and there is no strange symbols in the lookup file.
I can see only dos-like 0xD0xA at the end of the each line. Ok i will try to remove them.
But it is strange, that splunk crashing not always but sometimes... so i thing that problem not in file, but in:
1. CIDR function from lookup definition OR
2. Memory management in new splunk version OR
3. Threads management in new splunk version
... View more
02-14-2020
12:10 AM
Upgrade was accomplished in one day by instruction https://docs.splunk.com/Documentation/Splunk/8.0.1/Installation/HowtoupgradeSplunk,
so today all instances in cluster upgraded to 8.0.1
... View more
02-13-2020
10:44 AM
Command
| inputlookup networklist_allocs_all
gives me exactly 31 rows like in file (besides headers and new line at the end of file) with identical data.
As i noticed in question - we nothing change in this lookup last some month. All changes recorded on CVS (bitbucket).
Crash*.log files appeared after upgrade from 7x splunk version to 8.0.1.
In last 8.0.2 release we did't find any relevant fixes.
... View more
02-13-2020
09:32 AM
1 Karma
We have simple csv lookup like:
network,descr
192.168.0.0/24,network_name
Lookup description in transforms.conf:
[networklist_allocs_all]
filename = networklist_allocs_all.csv
max_matches = 1
min_matches = 1
default_match = OK
match_type = CIDR(network)
Any search command like: ... | lookup networklist_allocs_all network AS src_ip ... too often crashing splunk on the indexers. It is about 5-10 crashlogs on the each indexers per day. Part of crashlog at the end of question.
How can we resolve this situation? Seems that splunk began to crash after update from 7 to 8 version. We did't any changes in lookup format or definition. Unfortunately we can't open support case for some reason, so ask for community help.
crash-xx.log:
[build 6db836e2fb9e] 2020-02-13 17:00:56
Received fatal signal 11 (Segmentation fault).
Cause:
No memory mapped at address [0x0000000000000058].
Crashing thread: BatchSearch
Registers:
RIP: [0x0000564E2F44470F] _ZN14LookupMatchMap16mergeDestructiveERS_ + 31 (splunkd + 0x223670F)
RDI: [0x00007FC9C01FCA80]
RSI: [0x0000000000000000]
RBP: [0x0000000000000000]
RSP: [0x00007FC9C01FC9A0]
RAX: [0x00007FC9CDB3AE08]
RBX: [0x0000000000000000]
RCX: [0x0000000000000001]
RDX: [0x00007FC9BFB7F608]
R8: [0x00007FC9C01FC9C0]
R9: [0x00007FC9C01FC9BF]
R10: [0x0000000000000010]
R11: [0x0000000000000080]
R12: [0x00007FC9928E33C0]
R13: [0x00007FC9C01FCA80]
R14: [0xAAAAAAAAAAAAAAAB]
R15: [0x00007FC9BFB7F600]
EFL: [0x0000000000010246]
TRAPNO: [0x000000000000000E]
ERR: [0x0000000000000004]
CSGSFS: [0x0000000000000033]
OLDMASK: [0x0000000000000000]
OS: Linux
Arch: x86-64
Backtrace (PIC build):
[0x0000564E2F44470F] _ZN14LookupMatchMap16mergeDestructiveERS_ + 31 (splunkd + 0x223670F)
[0x0000564E2F444EE8] _ZN14UnpackedResult8finalizeEv + 168 (splunkd + 0x2236EE8)
[0x0000564E2F445E26] _ZN18LookupDataProvider6lookupERSt6vectorIP15SearchResultMemSaIS2_EERK17SearchResultsInfoR16LookupDefinitionPK22LookupProcessorOptions + 2118 (splunkd + 0x2237E26)
[0x0000564E2F451B7F] _ZN12LookupDriver13executeLookupEP29IFieldAwareLookupDataProviderP15SearchResultMemR17SearchResultsInfoPK22LookupProcessorOptions + 367 (splunkd + 0x2243B7F)
[0x0000564E2F451C22] _ZN18SingleLookupDriver7executeER18SearchResultsFilesR17SearchResultsInfoPK22LookupProcessorOptions + 98 (splunkd + 0x2243C22)
[0x0000564E2F43BDFF] _ZN15LookupProcessor7executeER18SearchResultsFilesR17SearchResultsInfo + 79 (splunkd + 0x222DDFF)
[0x0000564E2F08FC7D] _ZN15SearchProcessor16execute_dispatchER18SearchResultsFilesR17SearchResultsInfoRK3Str + 749 (splunkd + 0x1E81C7D)
[0x0000564E2F07F528] _ZN14SearchPipeline7executeER18SearchResultsFilesR17SearchResultsInfo + 344 (splunkd + 0x1E71528)
[0x0000564E2F1931D9] _ZN16MapPhaseExecutor15executePipelineER18SearchResultsFilesb + 153 (splunkd + 0x1F851D9)
[0x0000564E2F193901] _ZN25BatchSearchExecutorThread13executeSearchEv + 385 (splunkd + 0x1F85901)
[0x0000564E2DEDCB8F] _ZN20SearchExecutorThread4mainEv + 47 (splunkd + 0xCCEB8F)
[0x0000564E2EC41AC8] _ZN6Thread8callMainEPv + 120 (splunkd + 0x1A33AC8)
[0x00007FC9CC7B76BA] ? (libpthread.so.0 + 0x76BA)
[0x00007FC9CC4EC41D] clone + 109 (libc.so.6 + 0x10741D)
Linux / c-6.index.splunk / 4.4.0-21-generic / #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 / x86_64
/etc/debian_version: stretch/sid
...
Last errno: 0
Threads running: 13
Runtime: 436566.363455s
argv: [splunkd -p 8089 start]
Process renamed: [splunkd pid=8371] splunkd -p 8089 start [process-runner]
Process renamed: [splunkd pid=8371] search --id=remote_d-0.search.splunk_scheduler__gots_eWFuZGV4LWFsZXJ0cw__RMD5d361bb2fcae608a1_at_1581602460_31361_374F9CE8-43DB-48C4-9F22-7982EC4B6AD5 --maxbuckets=0 --ttl=60 --maxout=0 --maxtime=0 --lookups=1 --streaming --s
idtype=normal --outCsv=true --acceptSrsLevel=1 --user=gots --pro --roles=admin:power:user
Regex JIT enabled
RE2 regex engine enabled
using CLOCK_MONOTONIC
Preforked process=0/59436: process_runtime_msec=54987, search=0/188869, search_runtime_msec=1240, new_user=Y, export_search=Y, args_size=356, completed_searches=3, user_changes=2, cache_rotations=3
Thread: "BatchSearch", did_join=0, ready_to_run=Y, main_thread=N
First 8 bytes of Thread token @0x7fc9c70845e8:
00000000 00 e7 1f c0 c9 7f 00 00 |........|
00000008
SearchExecutor Thread ID: 1
Search Result Work Unit Queue: 0x7fc9b77ff000
Search Result Work Unit Queue Crash Reporting
Type: NON_REDISTRIBUTE
Number of Active Pipelines: 2
Max Count of Results: 0
Current Results Count: 352
Queue Current Size: 0
Queue Max Size: 200, Queue Drain Size: 120
FoundLast=N
Terminate=N
Total Bucket Finished: 1.0012863152522, Total Bucket Count: 16
===============Search Processor Information===============
Search Processor: "lookup"
type="SP_STREAM"
search_string=" networklist_allocs_all network AS dest_ip "
normalized_search_string="networklist_allocs_all network AS dest_ip"
litsearch="networklist_allocs_all network AS dest_ip "
raw_search_string_set=1 raw_search_string=" networklist_allocs_all network AS dest_ip "
args={StringArg: {string="networklist_allocs_all" raw="networklist_allocs_all" quoted=0 parsed=1 isopt=0 optname="" optval=""},StringArg: {string="network" raw="network" quoted=0 parsed=1 isopt=0 optname="" optval=""},StringArg: {string="AS" raw="AS"
quoted=0 parsed=1 isopt=0 optname="" optval=""},StringArg: {string="dest_ip" raw="dest_ip" quoted=0 parsed=1 isopt=0 optname="" optval=""}}
input_count=885
output_count=0
directive_args=
==========================================================
... View more
Labels
- Labels:
-
lookup
01-08-2020
12:20 AM
We found problem - it sourced from our L3 balancer.
Balancer can open first tcp session to search_head_1, but next http packets from another tcp session send to search_head_2.
With version 7.x we didn't have this problem. I don't know why - may be it is connection between balancer and search head web server or some thing else, but error raised with 8.x version.
So, if you getting on the web interface of search head beside balancer error like "The search job terminated unexpectedly.", check your balancer and try to change it from L3 (ip level) to L7 (http level)
... View more
12-18-2019
08:31 AM
Hm, interesting parameter.
I will try it.
Do you know something like "max_concurrent" for adhoc searches?
And may be you know or can suggest what happens with search head cluster, that it trying to run more than one search at time?
... View more
12-18-2019
07:33 AM
With command:
/opt/splunk/bin/splunk show config limits
i trying to check effective values of variables in limits.conf.
But anyway, if i checking permission - everything ok:
$ find /opt/splunk -name limits.conf -exec ls -la {} \;
-rw-r--r-- 1 splunk splunk 35 Dec 18 18:02 /opt/splunk/etc/apps/<application>/default/limits.conf
-r--r--r-- 1 splunk splunk 42 Nov 28 02:31 /opt/splunk/etc/apps/SplunkLightForwarder/default/limits.conf
-r--r--r-- 1 splunk splunk 43109 Nov 28 02:31 /opt/splunk/etc/system/default/limits.conf
-rw-r--r-- 1 splunk splunk 711 Dec 18 13:28 /opt/splunk/etc/system/local/limits.conf
... View more
12-18-2019
06:12 AM
We have search head splunk cluster. After upgrade to 8.0.1 from 7.2.6 we began to get errors like:
"12-18-2019 16:47:00.816 +0300 INFO SavedSplunker - savedsearch_id="nobody;;", search_type="scheduled", user="admin", app="", savedsearch_name="", priority=default, status=skipped, reason="The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached", concurrency_category="historical_scheduled", concurrency_context="saved-search_cluster-wide", concurrency_limit=1, scheduled_time="
Changes in limits.conf did't give results. We can't change concurrency_limit from 1 upward.
Current values of the most relevant parameters (to my opinion):
$ /opt/splunk/bin/splunk show config limits | egrep 'max_rt_search_multiplier|max_searches_per_cpu|shc_role_quota_enforcement|shc_syswide_quota_enforcement|base_max_searches'
shc_role_quota_enforcement=false
shc_syswide_quota_enforcement=false
base_max_searches=6
max_rt_search_multiplier=1
max_searches_per_cpu=8
Seems that SPL-73386 from https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/KnownIssues most relevant for us, but as you can see we set user to admin and this did't help.
May be error is not linked to bug, but changes in some default values?
... View more
08-11-2018
01:50 AM
it is recommended solution, as i remember.
But it will be only one HF versus some searchheads, so if HF will down, my script will not work until HF recovered.
... View more
08-10-2018
01:00 PM
Hi all,
We have some scripts for lookup filling via splunk lookup rest api link text
Also we have search head cluster (SHC).
It would be great to use SHC capability to to run our scripts on the one of alive node.
Best candidate for this procedure - inputs.conf. We can not only run script, but also collect STDOUT and STDERR in to index (docker style), for example:
[script://$SPLUNK_HOME/etc/apps/myapp/bin/lookup_fill.py]
interval = 50 23 * * *
sourcetype = lookup_fill
index = index_for_scripts_output
But, when we use inputs.conf our script start on all SHC nodes.
Can you advise to us way for a single run script from inputs.conf or maybe is the better way to:
1. Run custom script on the on of the SHC nodes (in the best case - less loaded)
2. Collect STDOUT and STDERR from script to index.
Thank you.
... View more
07-17-2018
11:46 PM
I already done it with syslog-ng, but it seems that will be better do not create additional entities for simple task.
Python script also can help, but it is not ideal solution.
I had little hope that something miss in documentation.
Thank you all.
... View more
07-10-2018
06:45 AM
Is it possible to get data in splunk from unix stream socket?
Not tcp\udp socket, but socket like this - https://en.wikipedia.org/wiki/Berkeley_sockets
For example syslog-ng have this feature.
... View more
- Tags:
- splunk-enterprise
08-14-2017
01:07 PM
you are right about HEC configuration if sourcetype, host and over fields are not defined in event.
But if sender define this fields, he will override valued defined in inputs.conf.
... View more
08-14-2017
12:10 PM
1 Karma
Is it possible to force Splunk to set up specific fields (sourcetype, source, host) from HEC local stanza
but not from event parameters?
For example if i have inputs.conf like:
[http://http_test]
description = test hec input
disabled = 0
connection_host = dns
index = main
source = test_hec_source
sourcetype = test_hec_sourcetype
Client can rewrite index, host, source and sourcetype if post in data json like:
{
"host": fake_host,
"sourcetype": fake_sourcetype,
"index": fake_index,
"source": fake_source
}
But in certain situations i need to deny modifications of this parameters. Of course i can do it with transforms.conf, but it is not convinient.
... View more
05-28-2017
04:48 AM
1 Karma
Thank you.
Splunk shcluster is like wedding - no one says why it's bad, but everyone talk why it is great... and you have no way back.
... View more
05-27-2017
02:39 AM
I already doing it via github for versions control.
... View more
05-26-2017
12:23 PM
🙂 it is long, sad and strange story with some bugs in splunk which was not fixed in current version, but have fixed in some build of previous...
Reload from cli can make my life more comfortable and the hair silky.
... View more
05-26-2017
10:34 AM
Yes, because splunkd nothing know about changed savedsearches.conf.
In standalone searchhead i can go to https://splunk/debug/refresh and splunk will reload configs, but in shcluster i need not only reload configs, but also send to captain information about changed configs so old method is not suitable.
... View more
05-26-2017
09:35 AM
i working directly with savedsearches.conf with vi-editor.
... View more
05-26-2017
05:22 AM
I have reason to change *.conf in local directory of app on the searchhead in shcluster, and i need to tell to this searchhead to send changes to captain for spreading via whole cluster.
How i can do it via cli or REST?
Thank you
... View more
05-14-2017
09:26 AM
We have big file with events in each line of file. Every minute file transfers via rsync to forwarder with new events.
Events format:
timestamp="XXXX" login="YYY" action="ZZZ"
Size of file about 10Mb, with 15000 lines.
Sometimes (1-2 times per minute) forwarder compile one event from multiple (usually 2) lines.
Configs from forwarder:
inputs.conf:
[monitor:///file.log]
disabled = false
followTail = 1
index = f_logs
sourcetype = f_logs
multiline_event_extra_waittime = true
time_before_close = 10
props.conf:
[f_logs]
TIME_PREFIX = timestamp=\"
TIME_FORMAT = %s
SHOULD_LINEMERGE = true
MAX_EVENTS = 1
What i have to do to solve this problem?
... View more
02-07-2017
06:43 AM
I trying to create leases table from log.
For this task i have write python script which prepare data for lookup.
Is it possible to write this data back to splunk for using them in lookup command.
So i need something like outputlookup, but from python script.
Thank you.
... View more
- Tags:
- outputlookup
- python
08-20-2016
08:18 AM
1 Karma
We have an index with access logs from multiple hosts and systems with different sourcetypes.
When I trying to add information from a dynamic lookup to events and save them in a summary index with the collect command, I can't save original information about source, sourcetype, and host because collect command arguments take values as text, but not field values.
For example, search:
index=access sourcetype=*_type_access |
lookup xxx AS yyy |
collect index=enriched_access sourcetype=sourcetype
saves results with sourcetype equal "sourcetype", but not the original sourcetype.
When I try to rename sourcetype, result is the same.
Where a, I going wrong?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-10-2021
11:31 PM
|
