05-26-2020 06:58 AM, 1 Karma
still works 5.5 years later as well!

02-20-2020 05:04 AM
I guess no one else is experiencing this? I suspect that a complete destructive resync of the entire cluster is in order.

01-14-2020 05:09 AM, 6 Karma
Hi All-
Here is what I found in my experience:
The add-on builder 3.0.0 and 3.0.1 will NOT work for anything less than Splunk 8.0.0.
Please note! This is my experience and YMMV
Recommend:
Only use 2.2.0 with Splunk Enterprise <8.0.0 (example, I am successfully using TA-AddOnBuilder with Splunk ENT 7.2.7)
Hope this helps someone,
Mike

01-08-2020 10:02 AM
Hello-
We need some more info. What version of Splunk, what server type (Searchhead standalone, cluster searchheads, indexer cluster, etc.)?
If any of this is clustered, and it's the 7.x or 8.x version, you can initiate an SHC rolling restart right from within Splunkweb on any of the SHC members - Settings - Search Head Clustering, then look for the "Begin Rolling Restart" button on the top right.
If it's a peer cluster, you will want to run the rolling restart command from any peer or the ClusterMaster.
https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Userollingrestart
This is the easiest and smoothest way to do a Rolling Restart. I would not use any scripts.
Hope this helps,
Mike

01-08-2020 09:56 AM
Correct.
We then upgraded the ES app after the main Splunk Ent. was at 7.2.x

01-08-2020 09:30 AM
Forgot to note: Our ES is NOT clustered and runs as an independent searchhead, querying our indexer cluster.

01-08-2020 09:27 AM
Hi Jaracan-
We were on 6.6.3 in Enterprise and ES on 5.0.1. We upgraded our ClusterMaster first (to 7.2.x), then upgraded our SHC and at the same time upgraded ES to 5.3.1. After we confirmed 5.3.1 was happy, we upgraded our indexer cluster (to 7.2.x). Everything went fine after our Searchhead cluster calmed down. We had no issues with ES or our indexer cluster.
Hope this helps,
Mike

01-08-2020 06:29 AM, 1 Karma
Hello agoyal-
Remove the python statement from server.conf. Splunk uses its own internal Python environment, and while it is transitioning to Py3, it still allows for Py2 (at the moment). Changing anything Python manually can damage the application.
Check your logs! 🙂 If there is an issue with splunkweb, it will tell you and you can post it back here.
Linux: {$SPLUNK_HOME}/var/log/splunk/splunkd.log
Win: {$SPLUNK_HOME}\var\log\splunk\splunkd.log
Hope this helps,
Mike

01-08-2020 06:24 AM
Hi tkerr1357-
You will want to use an add-on like the Splunk for Windows Add-On. This allows you to collect and index Windows events from the target server to search against. You would then search for the logon/logoff Windows event.
App:
https://splunkbase.splunk.com/app/742/#/details
Docs:
https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows
And here's a nice front-end companion app to the backend app with dashboards and sample queries:
https://splunkbase.splunk.com/app/1680/
Hope this helps,
Mike

01-08-2020 06:16 AM
Hi crisp023-
Try checking one of these:
This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html
A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html
Hope this helps,
Mike

01-08-2020 06:12 AM
This will help inspire you:
https://docs.splunk.com/Documentation/UseCases/usecases/ITOA/Summary#Application_monitoring_and_triage

01-06-2020 06:43 AM
@gfreitas is correct. Someone needs to login to that box locally, su to the splunk user and try to cd through the folder hierarchy. Splunk user needs "ls" or read permissions on all directories in the tree that lead to the log files.
This is not a well-known thing to everyone, but it's part of working in *nix environments.
hope this helps,
Mike
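The traversal check described in the post above, as an added example that is not part of the original post and not Splunk's own code: it walks every directory on the way to a monitored file and reports the first one the current user cannot pass through. Run it as the splunk user (after su, or via sudo -u splunk python3), because root is never stopped by mode bits and a check run as root proves nothing. One refinement to the post: passing through a directory needs the execute (search) bit; read permission on the directory is only needed when the monitor stanza must enumerate its contents (wildcards or whole-directory monitors). The /var/log/app/app.log path in the usage line is constructed.

```python
# Added example; not from the original post or from Splunk.
# Walk every ancestor of TARGET and report the first one the current
# effective user cannot traverse. Run as the splunk user, not as root.
import os
import sys
from pathlib import Path
from typing import Tuple


def check_tree_access(target: str) -> Tuple[bool, str]:
    """Return (ok, message).

    Every ancestor directory needs the execute (search) bit for this user
    and the file itself needs read. The first failing component is named
    so the operator knows exactly which directory to chmod (or chown).
    abspath() is used instead of resolve() so symlinks are not followed;
    a monitored path that crosses a symlink must be checked on both sides.
    """
    path = Path(os.path.abspath(target))
    for ancestor in reversed(path.parents):  # "/" first, then downward
        if not ancestor.is_dir():
            return False, f"missing directory: {ancestor}"
        # os.access() evaluates mode bits (and POSIX ACLs) for the
        # effective uid/gid of this process, which is why it must run
        # as the splunk user. Root passes every check here.
        if not os.access(ancestor, os.X_OK):
            return False, f"no search (x) permission: {ancestor}"
    if not path.exists():
        return False, f"missing file: {path}"
    if not os.access(path, os.R_OK):
        return False, f"not readable: {path}"
    return True, f"ok: {path}"


if __name__ == "__main__":
    # Constructed path; pass a real monitored file as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log/app/app.log"
    ok, message = check_tree_access(target)
    print(message)
    sys.exit(0 if ok else 1)
```

SELinux or AppArmor can still deny access after this check passes; if the mode bits look right but splunkd still reports permission errors, look at audit.log next.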

01-06-2020 06:40 AM
I may be Captain Obvious here, but where's your index and sourcetype?
index=? sourcetype=?
| stats sum(sessions) AS wsessions by _time,warehouse | timechart avg(wsessions) by warehouse

01-06-2020 05:40 AM
Yep. You are correct. It's Perms. The plain Splunk user cannot access the indexes endpoint in REST, no matter where one tries it (did not know this!).
Soooo, for the default "Check ssh Port Open" - How does one add in the credentials? I do not see that in the Splunkweb pages in Cliauto. Do I have to add it into a section in one of the .conf files?
Thanks,
Mike

01-06-2020 05:35 AM
Hi @jeffrey_berry ,
I changed the case to all lowercase and it still fails.
I am running this as local admin on my SHC.
Same error:
2020-01-06 08:05:53,717 Creating cliauto_index...
2020-01-06 08:05:53,717 GET request to https://localhost:8089/services/data/indexes/cliautoidx (body: {})
2020-01-06 08:05:53,754 Error, Creating cliauto_index, err = UrlEncoded('cliautoidx')
I made sure that the indexes are owned by splunk.
Now that I look at the GET request, shouldn't this app be installed on the indexers instead of the searchheads?
Just wondering on that one.
-Mike

01-03-2020 10:30 AM
Hello Jeffrey-
FYI: I am using a distributed environment (sandbox).
I have created a new index for all cliauto responses called: cliautoIdx (note the capital "I" in the index name).
I created a custom cliauto.conf file in {$SPLUNK_HOME}/etc/shcluster/apps/cliauto/local/ (see bottom for file contents).
I then push the SHC bundle with success and confirm the file made it to the SHC members.
However, when I try to run the first command in the dropdown, Check ssh Port Open, it throws an error in cliauto.log:
2020-01-03 10:07:20,766 Creating cliauto_index...
2020-01-03 10:07:20,766 GET request to https://localhost:8089/services/data/indexes/cliautoIdx (body: {})
2020-01-03 10:07:20,774 Error, Creating cliauto_index, err = UrlEncoded('cliautoIdx')
2020-01-03 10:07:20,774 Error, process_iterations, icount = 1: err = error in cliauto_index constructor function
Contents of the /local/cliauto.conf file:
[main]
# Splunk index to store results
index=cliautoIdx
Is this me, or did I find a bug?
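The cliauto index posts above run into two separate things: the index name (cliautoIdx, with a capital I) and, as the later post concludes, permissions on the indexes REST endpoint. The following is an added example, not code from the cliauto app, the Splunk SDK or the original posts. It validates an index name against Splunk's naming rule (lowercase letters, digits, underscore and hyphen, not starting with underscore or hyphen; the built-in _internal and _audit indexes are the exception), builds the entity URL on the management port with the name percent-encoded, and classifies the server's answer so that "no such index" (404) is not confused with "your role may not read this endpoint" (403). The host, port and credentials are placeholders. One caveat the posts also raise: on a search head, /services/data/indexes reflects that search head's own indexes.conf, not what the indexer cluster has.

```python
# Added example; not code from the cliauto app, the Splunk SDK or the posts.
# validate_index_name(), index_url() and classify() run offline;
# check_index() performs the real GET against the management port.
import base64
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Naming rule for user-created indexes: lowercase letters, digits, "_" and
# "-", and the first character may not be "_" or "-".
INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def validate_index_name(name: str) -> bool:
    """True when NAME follows Splunk's rule for user-created index names."""
    return bool(INDEX_NAME_RE.match(name))


def index_url(name: str, host: str = "localhost", port: int = 8089) -> str:
    """Entity URL for one index on the management port, name percent-encoded."""
    return (f"https://{host}:{port}/services/data/indexes/"
            f"{urllib.parse.quote(name, safe='')}?output_mode=json")


def classify(status: int) -> str:
    """Translate the HTTP status from the indexes endpoint into the likely cause."""
    causes = {
        200: "index exists and this user can read it",
        401: "authentication failed (wrong user/password or expired session)",
        403: "authenticated, but the role lacks permission on the indexes endpoint: fix the role, not the name",
        404: "no index by that name on this instance (check indexes.conf here, not on the indexers)",
    }
    return causes.get(status, f"unexpected HTTP {status}; read splunkd.log")


def check_index(name: str, host: str, port: int, user: str, password: str,
                verify_tls: bool = True) -> Tuple[Optional[int], str]:
    """GET the index entity and return (http_status, explanation).

    Status is None when the name is rejected locally (no request is sent)
    or when the connection itself fails.
    """
    if not validate_index_name(name):
        return None, f"invalid index name {name!r}: lowercase letters, digits, '_' or '-' only"
    req = urllib.request.Request(index_url(name, host, port))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # sandbox instances often run a self-signed cert on 8089
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, classify(resp.status)
    except urllib.error.HTTPError as e:      # server answered with an error status
        return e.code, classify(e.code)
    except urllib.error.URLError as e:       # no answer at all (refused, DNS, TLS)
        return None, f"connection failed: {e.reason}"


if __name__ == "__main__":
    # Placeholder host and credentials; substitute a real instance and a
    # user whose role can read the indexes endpoint.
    print(check_index("cliautoidx", "localhost", 8089, "admin", "changeme",
                      verify_tls=False))
```

Creating the index through this endpoint (a POST to /services/data/indexes) additionally needs the indexes_edit capability, so a role that can read the entity may still fail the "Creating cliauto_index" step.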

01-03-2020 09:57 AM
Hey Jeffrey-
That's an odd return response. What type of box are you running that on? I just tried that on a deployment server/SH and did not get the /var/log path, but only the following:
[monitor:///opt/splunk/etc/splunk.version]
[monitor:///opt/splunk/var/log/introspection]
[monitor:///opt/splunk/var/log/splunk]
[monitor:///opt/splunk/var/log/splunk/license_usage_summary.log]
[monitor:///opt/splunk/var/log/watchdog/watchdog.log*]
BTW, your grep of the "[" did not work for me. I got a regex error.

01-03-2020 09:37 AM
Thank you @jeffrey_berry!

01-03-2020 06:26 AM
Hello-
I think Cliauto has an incredible potential for automation in our use-case. We want to manually deploy deployment apps from a single deployment server in one network zone to a deployment server in another network zone using your framework.
2 questions:
1. Can we pass variables using your framework if we add in the inputs to accept this in Splunkweb? The variables would then go into a script that is already present on the target deployment server.
2. Is it possible to post the results to the present dashboard in the cliauto app instead of indexing the results?

12-12-2019 11:23 AM
Hi Snigdha95-
I am pretty sure your
<option name="count">-1</option>
is affecting it in some manner.
Check out this Answers Link:
https://answers.splunk.com/answers/188992/how-to-dynamically-change-number-of-rows-displayed.html

12-12-2019 11:08 AM, 1 Karma
Hi Danny-
I would definitely go with Minimal install to keep a "tight ship" and then make sure secure Repos are enabled so you can add anything in as needed (which I seriously doubt you will need).
Here's an actual package list comparison with Infra. in bold.

12-12-2019 11:02 AM, 3 Karma
Hi faguilar-
According to this page, that is simply not true.
Here's an explanation from that page:
Other commands require all of the events from all of the indexers before the command can finish. These are referred to as non-streaming commands. Examples of non-streaming commands are stats, sort, dedup, top, and append.
Non-streaming commands can run only when all of the data is available. To process non-streaming commands, all of the search results from the indexers are sent to the search head. When this happens, all further processing must be performed by the search head, rather than in parallel on the indexers.
-Mike

12-12-2019 10:54 AM
Hi janglin-
Splunk is in a tough spot right now regarding this. Splunk needs to support both types of system startup while acknowledging that a good chunk of the industry is slowly moving toward systemd.
There's some good documentation on it now here (apologies if you already saw this).
Here's another page (older) that enables init.d boot at start time.
I hope this helps.

12-12-2019 10:45 AM, 1 Karma
Hi stephenreece-
I have a dumb question: Did you try and use the SessionID as the pivot point variable for an entire user process?
If you haven't, you might want to try a transaction command.

12-11-2019 10:15 AM
Hi ProdOps4245 -
Can you put your splunkd.log file in here from the server that had the web server failure? We need to get some idea/details of the errors around it in order to better answer your question.
Thanks!
Mike