Activity Feed
- Posted Re: SSL Certification Verified Fail - Self signed certificate in certificate chain on Security. 12-13-2023 04:39 AM
- Posted Re: Extracting key and value from substring on Getting Data In. 11-15-2023 03:35 PM
- Karma Re: Extracting key and value from substring for ITWhisperer. 11-15-2023 03:34 PM
- Karma Re: Extracting key and value from substring for bowesmana. 11-15-2023 03:34 PM
- Posted Extracting key and value from substring on Getting Data In. 11-14-2023 09:46 AM
- Posted Re: Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 10-10-2023 04:15 AM
- Posted Re: Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 10-10-2023 02:47 AM
- Posted Re: Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 08-24-2023 04:09 AM
- Posted Re: Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 08-22-2023 12:11 PM
- Karma Re: Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? for jp_at_hb. 08-22-2023 12:06 PM
- Posted Re: Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 08-22-2023 11:06 AM
- Got Karma for Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9?. 05-22-2023 05:15 AM
- Posted Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? on All Apps and Add-ons. 02-14-2023 10:43 AM
- Got Karma for Re: Splunk UF installation issue in rhel6 and amazon2018. 12-07-2022 10:02 AM
- Posted Re: Splunk UF installation issue in rhel6 and amazon2018 on Installation. 12-07-2022 10:00 AM
- Posted How to stop labels being truncated on different charts? on Dashboards & Visualizations. 12-06-2022 09:24 AM
- Got Karma for Re: search not returning after map command. 08-12-2022 06:19 AM
- Posted Openstack & cloud metrics collection possible? on Getting Data In. 06-15-2022 01:47 PM
- Posted SSL Certification Verified Fail - Self signed certificate in certificate chain on Security. 01-13-2022 08:43 AM
- Posted Re: ServiceNow Inputs.conf Filter Data by field value on Getting Data In. 01-06-2022 07:33 AM
12-13-2023
04:39 AM
The solution is to add your trusted cert to splunk's system cert in $SPLUNK_HOME/etc/auth file.
11-14-2023
09:46 AM
I'm trying to corral a string into new fields and values and having trouble. I've used eval / split / mvexpand.... The string looks like this. It's actually a field in an event: field_id=/key1/value1/key2/value2/key3/value3/key4/value4 The end goal is to have new fields. Like: field_key1=value1 field_key2=value2 So I can now search, for example, if field_key1="the value of something"
Labels: data, field extraction
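The string format described in the question above, parsed outside of SPL so the edge cases are visible. This is an added example, not code from the original post or from Splunk; the `prefix` argument, the helper names and the sample event line are assumptions constructed here.

```python
"""Turn 'field_id=/key1/value1/key2/value2' into {'field_key1': 'value1', ...}.

Added example (not from the original post). Handles the cases that usually
break an eval/split/mvexpand approach: leading/doubled/trailing slashes and an
odd number of segments (a key with no value).
"""
import re


def parse_path_pairs(raw, prefix="field_"):
    """Split a '/k1/v1/k2/v2' path (optionally prefixed 'name=') into fields.

    - A leading 'name=' token such as 'field_id=' is stripped (assumed format).
    - Empty segments from '//' or a trailing '/' are ignored.
    - A trailing key without a value is kept with '' so it is not lost silently.
    """
    path = re.sub(r"^\w+=", "", raw)
    segments = [s for s in path.split("/") if s != ""]
    fields = {}
    for i in range(0, len(segments), 2):
        key = segments[i]
        value = segments[i + 1] if i + 1 < len(segments) else ""
        fields[prefix + key] = value
    return fields


def extract_from_event(event, field="field_id"):
    """Locate 'field=/...' inside a raw event line and parse it; {} if absent."""
    m = re.search(r"\b" + re.escape(field) + r"=(\S+)", event)
    return parse_path_pairs(m.group(1)) if m else {}


def matches(event, wanted_key, wanted_value):
    """Equivalent of searching field_key1="some value" after extraction."""
    return extract_from_event(event).get(wanted_key) == wanted_value


if __name__ == "__main__":
    # Constructed sample event, not taken from the poster's data.
    sample = ("2023-11-14T09:46:00 host=web01 "
              "field_id=/key1/value1/key2/value2/key3/value3/key4/value4 status=ok")
    print(extract_from_event(sample))
```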
10-10-2023
04:15 AM
The section of the troubleshooting guide you refer to is wrong in fixing this app's issue with respect to the certificates. That section refers to splunk server side authentication, not the app.
10-10-2023
02:47 AM
The app is using: /{splunk_home}/splunk/lib/python3.7/site-packages/certifi/cacert.pem which is the issue. The app is not using /{splunk_home}/etc/auth/cacert.pem rather than any certifi library cacert.pem
08-24-2023
04:09 AM
NOTE: When you add a tenant through o365 TA gui, the cert (cacert.pem) that it references is in lib/certifi directory.
08-22-2023
12:11 PM
Thank you for posting the solution!! When we upgraded from v8.2.5 to v9.0.1 of the enterprise this was the only app that didn't work post upgrade. We have a half dozen other apps that didn't require this workaround of using a different cacert.pem.
08-22-2023
11:06 AM
Where in the inputs will you find (or set) the path to the cert?
Tags: ho
02-14-2023
10:43 AM
1 Karma
We upgraded our Splunk Enterprise from v8.2.5 to v9.0.1. When we did, it broke the Add-on for Microsoft 365. Every time a connection is made to microsoft we see this SSL error:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
Has anyone run into this before?
Tags: add-on
Labels: configuration
12-07-2022
10:00 AM
1 Karma
We have noticed the UF upgrades took a long time as well. If you look at the UF upgrade log it complains about kvstore, which is something totally new in v9. We noticed that when we disabled the kvstore and performed an upgrade, the upgrade was wicked quick. The kvstore message is confusing and will very likely cause our customers to question it.
12-06-2022
09:24 AM
Working within Dashboard Studio, how can I stop my labels being truncated on different charts? Even if I set the truncation option in a bar chart to Off, it's still truncating my labels. I tried working around it with a column chart and rotating the labels but there appears to be no such option. Sankey seems to lack these options as well.
Thank you
Labels: chart
06-15-2022
01:47 PM
There has been some interest at our organization re: setting up the Splunk forwarders on Openstack nodes. Is Splunk able to ingest the cloud metrics from the Openstack hypervisors?
We have had good luck in setting open telemetry for Kubernetes but wondering if there is something similar for Openstack.
Thanks
Labels: universal forwarder
01-13-2022
08:43 AM
We are adding a zscaler proxy to be used by the Splunk TA o365. Our security group is providing a Root CA 4 pem file for us to use. Our Splunk environment runs on RHEL and our enterprise is Splunk v8.2.1. The splunk user (configured .bashrc) has http and https proxy environment variables set to the correct entries. In addition, we have this variable defined:
export REQUESTS_CA_BUNDLE=$SPLUNK_HOME/etc/auth/our_pem.pem
When splunk starts up we see this error and it fails to retrieve any events from the remote site. The error is:
requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /url-path-made-up/oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
2022-01-13 15:36:41,891 level=INFO pid=25373 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."
Talking to our security team, they are wondering where the o365 TA is looking for certificates. Any help to get us past this error? Also, reading some older Answers, it appears SSL Verification is turned off by default. This is very important to us because we have more Splunk TAs that will need to talk to the zscaler proxy. Thank you
Labels: SSL
01-06-2022
07:33 AM
Thank you Johnhua for the note about inclusion vs. exclusion. Although I think SEDCMD might work, we have decided to go with dropping the event into the null queue using props and transforms. Thanks again.
01-05-2022
03:45 PM
We use the Splunk ServiceNow TA, both for collecting data from ServiceNow and for creating incidents via the Splunk alert action. We have a use case on the collection side. Within inputs.conf there is an attribute available called filter_data. This allows you to filter the data you wish/do not wish to collect from ServiceNow. The specific use case is where we do NOT want to collect events from the sys_audit table if sys_created_by=user.system. The basic stanza attributes in inputs.conf within the Snow TA are:
[snow://sys_audit]
filter_data = sys_created_by!=user.system
table = sys_audit
This approach does not filter sys_created_by, that is, we still see user.system as sys_created_by in our events. Is there anything I'm doing wrong? Thx.
Labels: inputs.conf
07-30-2020
08:38 AM
We are using v8.0.4 of Splunk Enterprise. In our authorize.conf I see roles are disabled. Examples:
[role_sec_power_user]
disabled = true
[role_sec_admin_user]
disabled = true
[role_idx_data_user]
disabled = true
I've looked through the spec file for authorize.conf and nowhere do I see the option to disable a role. Further, I don't see an option in the GUI to disable roles. Question: Is it possible to disable a role using the syntax above? Thanks
Labels: authentication
07-21-2020
07:17 AM
Hi, I have this input set up in Splunk_TA_snow in the local folder. When I first configured this input it went successfully into the test index below. I got the records from the associated ServiceNow table. Now, when I change to the prod index and restart splunk, the TA writes this to the log for sys_user_group:
2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sysparm_limit=4000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-07-20+15:13:56^ORDERBYsys_updated_on
I'm not getting any records, which is ok, but it is looking for any record in ServiceNow greater than 2020-07-20. I need to back-populate this table into the prod index but the TA does NOT go back to the since_when time below. Any ideas to get this data?
Inputs.conf
[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on
Thx, brdr
Tags: inputs, servicenow
Labels: configuration
03-27-2020
01:24 PM
Hi Splunk,
I'm getting an error after installing the Splunk SDK for Python. The error is:
Traceback (most recent call last):
File "./shelltest.py", line 4, in
import splunk.Intersplunk
ImportError: No module named splunk.Intersplunk
I can see the splunk.Intersplunk module in dir:
/apps/splunk/lib/python2.7/site-packages/splunk
The program is basic:
#!/usr/bin/env python
import sys
import subprocess
import splunk.Intersplunk  # this import is the one that raises ImportError

# Hand the full argument list, as a single string, to an external shell script
cmdargs = str(sys.argv)
program_name = "/lm_tmp/yourscript.sh"
subprocess.call([program_name, cmdargs])
PYTHONPATH variable in .bash_profile is:
PYTHONPATH=/apps/splunk/etc/apps/splunk-sdk-python
NOTE, if I replace import splunk.Intersplunk with import splunklib the program runs without any issue.
Is there something wrong with the python path? Anyone? I've been at it for a while and am currently stumped.
Thx
02-17-2020
06:29 AM
It is visible via btool as soon as I add an index to our indexes.conf.
02-14-2020
01:05 PM
So, I guess the question is, what indexes.conf is the reload looking at, as it is clearly not looking at our local indexes.conf, which is in a separate custom app: etc/apps/prod_indexes/local/indexes.conf.
02-14-2020
12:50 PM
No dice. The commands work fine, I can see entries in the splunkd.log that the commands are hitting the endpoint but, when I go into the GUI -> Settings -> Indexes the new index is NOT there.
02-14-2020
12:49 PM
Thanks for the feedback. That reload command was one of the things I tried. It doesn't work. I get this in the log: it just doesn't see the new index in indexes.conf.
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - reloading index config: start
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - request state change from=RUN to=RECONFIGURING
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Initializing: readonly=false reloading=true
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Got a list of count=0 added, modified, or removed indexes
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Reloading index config: shutdown subordinate threads, now restarting
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Initializing indexes took usec=3 reloading=true indexes_initialized=0
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - request state change from=RECONFIGURING to=RUN
02-14-2020 20:43:15.257 +0000 INFO IndexProcessor - reloading index config: end
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - reloading index config: start
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - request state change from=RUN to=RECONFIGURING
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Initializing: readonly=false reloading=true
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Got a list of count=0 added, modified, or removed indexes
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Reloading index config: shutdown subordinate threads, now restarting
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Initializing indexes took usec=2 reloading=true indexes_initialized=0
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - request state change from=RECONFIGURING to=RUN
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - reloading index config: end
02-14-2020
09:38 AM
We need the ability, from the CLI (Linux), to reload indexes.conf. I run the command below and it succeeds.
curl -X POST -k -u admin:pwd https://localhost:8089/servicesNS/-/-/admin/indexes/_reload
We push changes (like adding a new index) to indexes.conf of the splunk instance. I do not want to restart splunk to see the new index showing up in the GUI. After the above is executed, I log back into Splunk, go to Settings - Indexes and do NOT see the new index.
Any idea why I do not see it? If I restart splunk I will see it in the GUI.
Thx