Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About brdr
brdr
Contributor
Member since:
03-18-2016
02-15-2023
Community Statistics
| Posts | 160 |
| Solutions | 3 |
| Karma Given | 2 |
| Karma Received | 22 |
| Member Since | 03-18-2016 |
Activity Feed
- Got Karma for Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9?. 3 weeks ago
- Posted Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 02-14-2023 10:43 AM
- Got Karma for Re: Splunk UF installation issue in rhel6 and amazon2018. 12-07-2022 10:02 AM
- Posted Re: Splunk UF installation issue in rhel6 and amazon2018 on Installation. 12-07-2022 10:00 AM
- Posted How to stop labels being truncated on different charts? on Dashboards & Visualizations. 12-06-2022 09:24 AM
- Got Karma for Re: search not returning after map command. 08-12-2022 06:19 AM
- Posted Openstack & cloud metrics collection possible? on Getting Data In. 06-15-2022 01:47 PM
- Posted SSL Certification Verified Fail - Self signed certificate in certificate chain on Security. 01-13-2022 08:43 AM
- Posted Re: ServiceNow Inputs.conf Filter Data by field value on Getting Data In. 01-06-2022 07:33 AM
- Posted ServiceNow Inputs.conf Filter Data by field value on Getting Data In. 01-05-2022 03:45 PM
- Got Karma for eventcount - spanning over time. 09-01-2020 04:46 PM
- Posted Re: Splunk Role Management - Disabling Roles in authorize.conf on Security. 08-06-2020 11:30 AM
- Karma Re: Splunk Role Management - Disabling Roles in authorize.conf for shivanshu1593. 08-06-2020 11:28 AM
- Posted Splunk Role Management - Disabling Roles in authorize.conf on Security. 07-30-2020 08:38 AM
- Posted ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group on All Apps and Add-ons. 07-21-2020 07:17 AM
- Tagged ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group on All Apps and Add-ons. 07-21-2020 07:17 AM
- Got Karma for adhoc searches : canceled remotely or expired. 06-05-2020 12:50 AM
- Got Karma for ServiceNow Add-on Managing Events. 06-05-2020 12:50 AM
- Got Karma for Search that shows scheduled time of saved searches. 06-05-2020 12:50 AM
- Got Karma for Alert report - columns not ordered by table command. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-14-2023
10:43 AM
1 Karma
We upgraded our Splunk Enterprise from v8.2.5 to v9.0.1. When we did, it broke the Add-on for Microsoft 365. Every time a connection is made to microsoft we see this SSL error:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
Has anyone run into this before?
... View more
- Tags:
- add-on
Labels
- Labels:
-
configuration
12-07-2022
10:00 AM
1 Karma
We have noticed the UF upgrades took a long time as well. If you look at the UF upgrade log it complains about kvstore which is something totally new in v9. We noticed when we disabled the kvstore and performed an upgrade that the upgrade was wicked' quick. The kvstore message is confusing and very likely cause our customers to question it.
... View more
12-06-2022
09:24 AM
Working within Dashboard Studio, how can I stop my labels being truncated on different charts? Even if I set the truncation option in a bar chart to Off, it's still truncating my labels. I tried working around it with a column chart and rotating the labels but there appears to be no such option. Sankey seems to lack these options as well.
Thank you
... View more
Labels
- Labels:
-
chart
06-15-2022
01:47 PM
There has been some interest at our organization re: setting up the Splunk forwarders on Openstack nodes, is Splunk able to ingest the cloud metrics from the Openstack hypervisors?
We have had good luck in setting open telemetry for Kubernetes but wondering if there is something similar for Openstack.
Thanks
... View more
Labels
- Labels:
-
universal forwarder
01-13-2022
08:43 AM
We are adding zscaler proxy to be used by Splunk TA o365. Our security group is providing a Root CA 4 pem file for us to use. Our Splunk environment runs on RHEL and our enterprise is Splunk v8.2.1. The splunk user (configured .bashrc) has http and https proxy environment variables set to the correct entries. In addition, we have this variable defined: export REQUESTS_CA_BUNDLE=$SPLUNK_HOME/etc/auth/our_pem.pem When splunk starts up we see this error and it fails to retrieve any events from the remote site. Error is: requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /url-path-made-up/oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
2022-01-13 15:36:41,891 level=INFO pid=25373 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."
Talking to our security team they are wondering where the o365 TA is looking for certificates. Any help to get us past this error? Also, reading some older Answers it appear SSL Verification is turned off by default. This is very important to us because we have more Splunk TAs that will need to talk to zscaler proxy. Thank you
... View more
Labels
- Labels:
-
SSL
01-06-2022
07:33 AM
Thank you Johnhua for the note about inclusion vs. exclusion. Although i think SEDCMD might work we have decided to go with dropping the event into null queue using props and transforms. Thanks again.
... View more
01-05-2022
03:45 PM
We use the Splunk ServiceNow TA - both on collecting data from ServiceNow and creating incidents via the Splunk alert action. We have use case on the collection side. Within the inputs.conf there is attribute available call filter_data. This allows you to filter on the data you wish/not wish to collect from ServiceNow. The specific use case is where we do NOT want to collect events from sys_audit table if sys_created_by=user. System. The basic stanza attributes in inputs.conf within the Snow TA is this: [snow://sys_audit] filter_data = sys_created_by!=user.system table = sys_audit This approach does not filter sys_created_by, that is, we still see user.system as sys_created_by in our events. Is there anything I'm doing wrong? Thx.
... View more
Labels
- Labels:
-
inputs.conf
07-30-2020
08:38 AM
We are using v8.0.4 of Splunk Enterpise. In our authorize.conf I see roles are disabled. Examples: [role_sec_power_user] disabled = true [role_sec_admin_user] disabled = true [role_idx_data_user] disabled = true I've looked through the spec file for authorize.conf and no where do I see the option to disable a role. Further, I don't see an option in the GUI to disable roles. Question: Is it possible to disable a role using this syntax above? Thanks
... View more
Labels
- Labels:
-
authentication
07-21-2020
07:17 AM
Hi, I have this input setup in Splunk_TA_snow in the local folder. When I first configured this input it went successfully in the test index below. I got the records from the associated servicenow table. Now, when i change to prod index and restart splunk the TA writes this to the log for sys_user_group: 2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sysparm_limit=4000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-07-20+15:13:56^ORDERBYsys_updated_on I'm not getting any records which is ok, but is looking for any record in the ServiceNow greater than 2020-07-20. I need to back populate this table into prod index but the TA does NOT go back to the since_when time below. Any ideas to get this data? Inputs.conf [snow://sys_user_group] since_when = 2000-01-01 00:00:00 disabled = 0 duration = 300 id_field = sys_id index = servicenow_test timefield = sys_updated_on Thx, brdr
... View more
- Tags:
- inputs
- servicenow
Labels
- Labels:
-
configuration
03-27-2020
01:24 PM
Hi Splunk,
I'm getting an error after installing splunk sdk for python. The error is:
Traceback (most recent call last):
File "./shelltest.py", line 4, in
import splunk.Intersplunk
ImportError: No module named splunk.Intersplunk
I can see the splunk.Intersplunk module in dir:
/apps/splunk/lib/python2.7/site-packages/splunk
The program is basic:
!/usr/bin/env python
import sys
import subprocess
import splunk.Intersplunk
cmdargs = str(sys.argv)
program_name = "/lm_tmp/yourscript.sh"
subprocess.call([program_name, cmdargs])
PYTHONPATH variable in .bash_profile is:
PYTHONPATH=/apps/splunk/etc/apps/splunk-sdk-python
NOTE, if i replace import splunk.Intersplunk with import splunklib the program runs without any issue.
Is there something wrong with python path? Anyone, been at it for awhile and currently stumped.
Thx
... View more
02-17-2020
06:29 AM
it is visible via btool as soon as i add an index to our indexes.conf
... View more
02-14-2020
01:05 PM
So, i guess the question is, what indexes.conf is the reload looking at, as it is clearly not looking at our local indexes.conf which is in a separate custom app etc/apps/prod_indexes/local/indexes.conf.
... View more
02-14-2020
12:50 PM
No dice. The commands work fine, i can see entries in the splunkd.log that the commands are hitting the endpoint but, when i go into the GUI -> Settings -> Indexes the new index is NOT there.
... View more
02-14-2020
12:49 PM
Thanks for feedback. That reload command was one of the things i tried. it doesn't work. i get this in the log: It just doesn't see the new index in indexes.conf.
2-14-2020 20:43:15.256 +0000 INFO IndexProcessor - reloading index config: start
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - request state change from=RUN to=RECONFIGURING02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Initializing: readonly=false reloading=true
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Got a list of count=0 added, modified, or removed indexes02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Reloading index config: shutdown subordinate threads, now restarting
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Initializing indexes took usec=3 reloading=true indexes_initialized=0
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - request state change from=RECONFIGURING to=RUN
02-14-2020 20:43:15.257 +0000 INFO IndexProcessor - reloading index config: end
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - reloading index config: start
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - request state change from=RUN to=RECONFIGURING
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Initializing: readonly=false reloading=true
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Got a list of count=0 added, modified, or removed indexes
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Reloading index config: shutdown subordinate threads, now restarting
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Initializing indexes took usec=2 reloading=true indexes_initialized=0
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - request state change from=RECONFIGURING to=RUN
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - reloading index config: end
... View more
02-14-2020
09:38 AM
We need the ability , from CLI (Linux) to reload indexes.conf. I run the command below and it succeeds.
curl -X POST -k -u admin:pwd https://localhost:8089/servicesNS/-/-/admin/indexes/_reload
We push changes (like adding a new index) to indexes.conf of the splunk instance. I do not want to restart splunk to see the new index showing up in the GUI. After the above is executed, i log back into Splunk, go to Settings-Indexes and do NOT see the new index.
Any idea why i do not see it? If i restart splunk i wil see it in the GUI.
Thx
... View more
10-01-2019
08:11 AM
We see a warning message consistently after cloning an alert. When the alert is cloned we consistently get this message:
" Alert has been cloned.
This scheduled search will not run after the Splunk Enterprise Trial License expires. "
This is happening in our production environment where it is all distributed. We have NO Trial License in our production license stack.
Can we please somehow make this warning message go away, as we have hundreds of users and get this brought to our attention frequently. Thank you.
... View more
Labels
- Labels:
-
license
08-06-2019
05:34 AM
I familiar with the feature 'Reassign Knowledge Objects'. We use this feature when we want to reassign objects to a user. However, is there a feature anywhere to move knowledge objects (reports, alerts, etc...) from one app to another? Presently, there is a large number of knowledge objects in Search and Reporting App. My goal is reassign the alot of the S&R objects to a new custom app i just created. Is this possible?
Thx
... View more
- Tags:
- knowledge-objects
07-16-2019
07:23 AM
I've read some Answers on this issue and understand how to solve by adjusting server.conf. The question i have is how exactly to trace back this error to the object (search, report, alerts, etc...) that causing this issue. We have couple thousand of these objects and multiple search clusters and 20 indexes in the cluster. It would be great to have steps to isolate the offending object.
Thanks, brdr
... View more
Labels
- Labels:
-
resource usage
-
search performance
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-15-2023
02:19 AM
|
Karma from
