Activity Feed
- Posted Re: Extract-Display the Details Tab from windows event logs on Getting Data In. 03-10-2021 03:34 PM
- Karma Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? for harsmarvania57. 06-05-2020 12:49 AM
- Got Karma for Why is my PowerShell scripted input failing intermittently?. 06-05-2020 12:49 AM
- Got Karma for Re: Simple example of inputs.conf to monitor a logfile on a remote share. 06-05-2020 12:46 AM
- Posted Re: Splunk Universal Forwarder missing events on Getting Data In. 09-25-2018 06:58 PM
- Posted Why is my PowerShell scripted input failing intermittently? on Getting Data In. 09-19-2018 02:27 PM
- Tagged Why is my PowerShell scripted input failing intermittently? on Getting Data In. 09-19-2018 02:27 PM
- Posted Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-18-2018 07:08 PM
- Posted Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-17-2018 01:56 PM
- Posted Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-16-2018 04:38 PM
- Posted Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-14-2018 05:23 PM
- Posted Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-14-2018 05:58 AM
- Posted Re: Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-13-2018 07:09 PM
- Posted Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-13-2018 02:57 PM
- Tagged Why am I getting a "File in use" error when trying to upgrade our forwarder to version 6.6.6? on Getting Data In. 09-13-2018 02:57 PM
03-10-2021
03:34 PM
Just came across this as I'm trying to achieve the same thing. Did you have any luck with this?
09-25-2018
06:58 PM
@oscarminassian Did the 7.0.1 UF upgrade help with the missing events issue in your case? My org is using 6.5.2 and we started realizing the same issue. It would be helpful if you could confirm that the issue is resolved with 7.0.1.
09-19-2018
02:27 PM
1 Karma
I have a PowerShell scripted input which is set to run at the start of the service. Since the servers reboot daily, this input runs once daily after the reboot. For the past few days, this input has been failing from a set of servers, but I couldn't find a related error in the splunkd or splunk-powershell logs. Also if we restart the service manually, it works, so it is just an intermittent failure.
I need help to troubleshoot this issue.
09-18-2018
07:08 PM
@harsmarvania57, I'm good with the upgrade and wanted to mark this as answered. Thanks again!
09-17-2018
01:56 PM
Yes, I totally overlooked it. Thank you so much for your help on this!
09-16-2018
04:38 PM
@harsmarvania57, I'm still testing it and think it's an issue with the wrapper script that I use. I'm wondering if the service started automatically after the upgrade when you tried.
09-14-2018
05:23 PM
@harsmarvania57, thanks for testing that for me. So maybe it's something to do with the servers that I'm testing? Let me try a few other servers.
Also, I tried the Run as Administrator option as well.
09-14-2018
05:58 AM
I'm upgrading from 6.5.2
09-13-2018
07:09 PM
After manually stopping the service, the MSI installs correctly. After the installation, the service should be manually started. But I remember the MSI taking care of this previously. Did this change?
09-13-2018
02:57 PM
I'm trying to upgrade our forwarder version to splunkforwarder-6.6.6-ff5e72edc7c4-x64-release.msi, but it is failing with a "File in use" error.
This is the command I used:
msiexec.exe /i splunkforwarder-6.6.6-ff5e72edc7c4-x64-release.msi /log C:\Windows\Install\Install_SplunkForwarder_6.6.6_MSI.log /quiet /norestart LAUNCHSPLUNK=0 AGREETOLICENSE=Yes
Looks like it fails because the Splunk service is running. But the MSI usually takes care of it.
Any idea what's going on?
07-14-2016
06:46 PM
You can set the default value of the variable which populates single value using eval.
eval res=0| and then your custom conditions
07-14-2016
08:58 AM
Never mind. There was a small mistake. Corrected it and got it working. Thanks much.
07-13-2016
09:39 PM
Thanks for the quick reply, gpradeepkumarreddy & hardikJsheth.
So I'm now retrying like this:
1. Kept the script under the Scripts/bin/scripts folder.
2. Added the input.conf file under the Scripts/local folder.
The Splunk log on the client machine shows this error:
07-14-2016 00:36:47.562 -0400 ERROR FrameworkUtils - Incorrect path to script: C:\Program Files\SplunkUniversalForwarder\Scripted_Inputs\bin\scripts\Invoke_ErrorDCN.bat. Script must be located inside $SPLUNK_HOME\bin\scripts.
07-14-2016 00:36:47.562 -0400 ERROR ExecProcessor - Ignoring: ""C:\Program Files\SplunkUniversalForwarder\Scripted_Inputs\bin\scripts\Invoke_ErrorDCN.bat""
07-13-2016
08:50 PM
Hi Splunkers,
Need help with a deployment server concept. I referred to the Splunk docs and a few similar answers, but I'm still missing something.
Scenario: I have a few scripted inputs and the related input.conf, which need to be distributed to a set of UFs in the environment.
Using the deployment server, I created an app and then kept the script and input.conf in it so as to be sent down to the clients.
The app got distributed and is placed in the etc/apps/ folder.
But for the scripted input to work, Splunk expects it to be in the $SPLUNK_HOME\bin\scripts folder.
How will I handle this?
06-27-2016
11:51 AM
I got it working by adding the config to the HF. Thank you.
06-23-2016
01:26 PM
OK. Wanted to confirm. I'll check that. Thanks for the reply!
06-23-2016
01:15 PM
Hi woodcock,
I have a question about the command that you have suggested here.
I'm trying to monitor a certain kind of extension, like .processing, in a directory (in Windows) and wanted to know how I can use the above command.
06-23-2016
12:27 PM
1) I was trying to update an existing sourcetype.
2) Also, this sourcetype is configured on just one corporate server and not used by any other apps.
Let me try with a different sourcetype.
One question I wanted to ask: I do have a Heavy Forwarder, but haven't applied the props there. I just did it on cloud. Would that be a problem?
06-23-2016
08:52 AM
Hi aladda,
Wanted to make sure what I'm trying is correct.
I'm trying to use this configuration in the indexer and not in the forwarder.
Since it's a cloud environment, I got this added through the support team and then did a Splunk restart.
But the new events are still showing up as earlier and not with the new config!
06-22-2016
07:35 PM
Hi ryanoconnor,
Those are not empty lines. I meant to say there is a set of lines starting with "Trace: m_username: CAR_CoBrand_eReceipt_API".
Each line will have a sequence of timestamps in the order it occurs.
I want to start a new event at "Trace: m_username: CAR_CoBrand_eReceipt_API".
Let me know if this clarifies.
06-22-2016
02:42 PM
Wanted to do custom line breaking for a sourcetype.
The logs look like below. Currently every line is identified as an event, whereas I would need to split it based on the m_username row,
i.e., lines 1-5 as one event and lines 6-10 as the second event, and so on.
Tried adding the props.conf as:
BREAK_ONLY_BEFORE = Trace: m_username: CAR_CoBrand_eReceipt_API
SHOULD_LINEMERGE = True
Also tried with
BREAK_ONLY_BEFORE = Trace: m_username: CAR_CoBrand_eReceipt_API
SHOULD_LINEMERGE = false
Both didn't help. Could you please help me understand what's going wrong?
Logs:
6/16/2016 2:28:19 PM Trace: m_username: CAR_CoBrand_eReceipt_API
6/16/2016 2:28:19 PM Trace: Line2
6/16/2016 2:28:19 PM Trace: Line3
----
----
6/16/2016 3:00:39 PM Trace: m_username: CAR_CoBrand_eReceipt_API
6/16/2016 2:28:19 PM Trace: Line2
6/16/2016 2:28:19 PM Trace: Line3
----
----
06-14-2016
02:33 PM
Do we need to install Python to run the script? Or does the UF come with a Python interpreter?
06-07-2016
07:42 AM
1 Karma
This discussion greatly helped me with forwarding remote logs. Thanks guys.
06-06-2016
11:00 AM
I've created a couple of field extractions and given read/write permissions to everyone, and set them to appear in all apps.
But the dashboard referring to these fields is not displaying these fields for other users. It can be viewed only by me as I created the field.
05-24-2016
11:58 AM
Hi Venkat_16,
I'm trying to use your code to hide lat/long values and display some other values which are part of geostats.
Hiding lat/long works well, but I didn't understand correctly how to add a value. Do we need to provide the field value with content: " "?