Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About splunkreal
splunkreal
Motivator
Member since:
05-26-2016
Tuesday
Community Statistics
| Posts | 430 |
| Solutions | 18 |
| Karma Given | 590 |
| Karma Received | 34 |
| Member Since | 05-26-2016 |
Activity Feed
- Got Karma for Is it possible to restrict or secure the license network flow from license slave to license master?. 5 hours ago
- Karma Re: Renamed serverclass, but not updated in data inputs? for isoutamo. Tuesday
- Posted Re: Renamed serverclass, but not updated in data inputs? on Getting Data In. Monday
- Posted Re: Renamed serverclass, but not updated in data inputs? on Getting Data In. Monday
- Karma Re: Metrics definition errors in the add-on - is fix available in future version? for lakshman239. Monday
- Karma Re: Two serverclass.conf files - now what? for a212830. Friday
- Karma Two serverclass.conf files - now what? for a212830. Friday
- Posted Renamed serverclass, but not updated in data inputs? on Getting Data In. a week ago
- Karma Re: How to make a multiple condition IF statement work? for somesoni2. 2 weeks ago
- Posted Re: [solution] After upgrading to Splunk 9 dashboards colors are different on Getting Data In. 2 weeks ago
- Posted [solution] After upgrading to Splunk 9 dashboards colors are different on Getting Data In. 2 weeks ago
- Posted Re: Are there Different Dashboard Colors since Update to 9.0.2? on Dashboards & Visualizations. 2 weeks ago
- Karma Re: Are there Different Dashboard Colors since Update to 9.0.2? for blablabla. 2 weeks ago
- Karma Re: Are there Different Dashboard Colors since Update to 9.0.2? for blablabla. 2 weeks ago
- Karma Re: Are there Different Dashboard Colors since Update to 9.0.2? for SplunkingKnight. 2 weeks ago
- Karma Re: Is it possible to disable an app/add-on on one search head? for richgalloway. 05-03-2023 10:01 AM
- Karma Re: Elastic Search Data Integrator - Malformed URL using special characters ? for welo78. 04-25-2023 05:33 AM
- Posted Re: Elastic Search Integrator App not Working on All Apps and Add-ons. 04-25-2023 05:32 AM
- Posted Re: After frozen data restore, thawed data not working correctly or missing. on Getting Data In. 04-24-2023 01:54 PM
- Karma Re: After frozen data restore, thawed data not working correctly or missing. for jkat54. 04-24-2023 01:49 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Monday
Yes, N/A is not correct if this is correctly setup in Forwarder management IMO.
... View more
Monday
Hello @isoutamo this is regarding renaming serverclass and looking at "Data inputs" / "forwarded management", change not reflecting. Thanks.
... View more
a week ago
Hello,
upgraded to 9.0.4.1 from V8.2.2, in Forwarder management we renamed Server class but when going to Data inputs / Files & directories then the Server Class is not updated.
serverclass.conf is updated, problem is just in GUI even after restart / reload ...
Thanks for your help.
... View more
Labels
- Labels:
-
universal forwarder
2 weeks ago
Solution for charts : add this line : <option name="charting.seriesColors">[0x06D9C,0x4FA484,0xF59E63,0xB4595C,0x62B3B2,0x284B6A]</option>
... View more
2 weeks ago
Solution for charts : add this line : <option name="charting.seriesColors">[0x06D9C,0x4FA484,0xF59E63,0xB4595C,0x62B3B2,0x284B6A]</option>
... View more
Labels
- Labels:
-
XML
04-25-2023
05:32 AM
Hello, has this been solved? Thanks.
... View more
04-24-2023
01:54 PM
Hello, you are right, if you put files in thawed it does return to frozen, you have to delete manually.
... View more
04-19-2023
03:32 AM
Hello, same issue in 8.2.2 after upgrading some apps like Splunk_TA_nix or Splunk_TA_oracle, had to do this : ps -ef | grep -i python siem 11808 1 0 Apr18 ? 00:03:52 /OPT/siem/splunk/bin/python3.7 -O /OPT/siem/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000 siem 34758 30871 0 12:26 pts/0 00:00:00 grep --color=auto -i python [siem@s201lbasplsh2 ~]$ kill 11808
... View more
04-16-2023
12:31 PM
Hello,
Does upgrading Splunk 8 to Splunk 9 ships with new root CA or renews default Root CA like cacert.pem?
Testing on fresh 9.0.4.1 getting error after deleting cacert.pem and server.pem :
"The CA file specified (/opt/siem/splunk/etc/auth/cacert.pem) does not exist. Cannot continue. SSL certificate generation failed."
Thanks.
... View more
Labels
- Labels:
-
encryption
-
other
-
SSL
04-16-2023
12:07 PM
Hello, Thanks for these information. Does upgrading Splunk 8 to Splunk 9 renews default Root CA like cacert.pem or should we use your procedure and delete them before upgrading? I think we can do this even after. Kvstore could use Splunk default certificates (on instances not using third party certificates) Best regards.
... View more
04-04-2023
07:14 AM
@gcusello BTW would you recommend using UF to forward high volume of data from rsyslog to Splunk indexers?
... View more
04-04-2023
06:39 AM
So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?
... View more
04-04-2023
05:32 AM
So I understand sc4s does not store incoming data on disk but directly forwards data to indexers so it consumes license?
... View more
04-04-2023
05:14 AM
Hello Rich, supports says "SC4S is free to use but if you store incoming data like rsyslog (log collector function) it will consume license."
... View more
03-31-2023
05:58 AM
Hello,
does getting all initial data from fw, network appliances, servers... in sc4s log collector is free as open-source rsyslog or it's counting as Splunk Enterprise license usage?
Can we use it to also forward data to Elastic/Logstash (ELK) ?
Thanks!
... View more
03-31-2023
01:24 AM
Solution provided above 😊
... View more
03-31-2023
01:21 AM
Hello, you could schedule task to check status and restart with script : https://community.splunk.com/t5/Splunk-Search/Good-unix-way-check-if-splunkd-and-splunkweb-are-running/m-p/17935
... View more
03-31-2023
01:19 AM
1 Karma
Hello,
sharing my experience for beginners, especially new Splunk customers 😊
Connected UF / forwarders :
index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | rename connectionType as connectType | eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder") | eval version=if(isnull(version),"pre 4.2",version) | rename version as Ver | fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver | eval Indexer= splunk_server | eval Hour=relative_time(_time,"@h") | stats avg(tcp_KBps) as average_kbps sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType sourceIp sourceHost destPort Indexer Ver | dedup sourceHost | sort - avg(tcp_KBps) | search connectType="univ fwder"
| stats dc(sourceHost) as nb_hosts
Current license usage:
index=_internal source=*license_usage.log type=Usage | fields h, b | rename h as host_name | timechart span=1h sum(eval(round(b/1024,2))) AS Total_KB | streamstats sum(Total_KB) as Cumul | fields - Total_KB | tail 1 | eval etatlic=round(Cumul/1024,0) | table etatlic
Chart over last days:
index=_internal source=*license_usage.log type=Usage earliest=-0d@d latest=now | timechart span=15m sum(eval(round(b/1024/1024,2))) AS Total_MB | eval ReportKey="today" | streamstats sum(Total_MB) as cumul
| append [search index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=-0d@d | timechart span=15m sum(eval(round(b/1024/1024,2))) AS Total_MB | eval ReportKey="yesterday" | streamstats sum(Total_MB) as cumul| eval _time=_time+86400 ]
| append [search index=_internal source=*license_usage.log type=Usage earliest=-2d@d latest=-1d@d | timechart span=15m sum(eval(round(b/1024/1024,2))) AS Total_MB | eval ReportKey="2 days ago" | streamstats sum(Total_MB) as cumul| eval _time=_time+172800]
| append [search index=_internal source=*license_usage.log type=Usage earliest=-3d@d latest=-2d@d | timechart span=15m sum(eval(round(b/1024/1024,2))) AS Total_MB | eval ReportKey="3 days ago" | streamstats sum(Total_MB) as cumul| eval _time=_time+259200]
| timechart span=15m avg(cumul) by ReportKey
Predictive license usage for today:
index=_internal source=*license_usage.log type=Usage
| eval MB = round(b/1024,2) | timechart span=1h sum(MB) as totalkb | eval hour = strftime(_time,"%H") |streamstats sum(totalkb) as totalCumulativeMB reset_before="("hour==0")"
| eval htilmnight=24-hour | predict totalCumulativeMB future_timespan=24
| where _time=relative_time(now(),"+1d@d")
| rename prediction(totalCumulativeMB) as midprediction
| eval midprediction=round((midprediction/1024),0)
| table midprediction
Most consuming sources today:
index=_* source=*license* | eval h = lower(replace(h,"myFQDN","")) | eval h = lower(replace(h,".myotherFQDN.fr",""))
| eval mb=round((b/1024),2)
| stats sum(mb) as totalkb by s,h,idx
| sort - totalkb
| search s!=""
| eval totalkb=round(totalkb/1024)
| rename totalkb as totalmb
| search totalmb>100
Yesterday:
index=_* source=*license* | eval h = lower(replace(h,"myFQDN","")) | eval h = lower(replace(h,".myotherFQDN.fr",""))
| eval mb=round((b/1024),2)
| stats sum(mb) as totalkb by s,h,idx
| sort - totalkb
| search s!=""
| eval totalkb=round(totalkb/1024)
| rename totalkb as totalmb
| search totalmb>100
Diff license per host:
index=_internal source=*license_usage.log type=Usage earliest=@d latest=@h | stats sum(eval(round(b/1024,2))) AS Total_KB by h,s | join h,s [search index=_internal source=*license_usage.log type=Usage earliest=-1d@d latest=-1d@h | rename b as b_y | stats sum(eval(round(b_y/1024))) AS Total_KB_y by h,s] | eval diff_Total_KB=Total_KB-Total_KB_y | fields - Total_KB* | where (diff_Total_KB<-1000 OR diff_Total_KB>1000) | sort - diff_Total_KB
| eval diff_Total_KB=round(diff_Total_KB/1024)
| rename diff_Total_KB as diff_Total_MB
| eval h = lower(replace(h,"myFQDN","")) | eval h = lower(replace(h,".myotherFQDN.fr",""))
| search s!=""
Missing sources :
index=_* source="*license_usage.log" earliest=-1d@d latest=@d
| eval h = lower(replace(h,".myFQDN.fr","")) | eval h = lower(replace(h,".myotherFQDN.fr",""))
| eval indexname=idx
| eval hostname=h
| eval sourcename=s
| stats sum(b) as sumByesterday by indexname hostname sourcename
| eval sumByesterday=round(sumByesterday/1024,0)
| search sumByesterday>0
| join indexname hostname sourcename type=left
[search index=_* source="*license_usage.log" earliest=@d latest=now
| eval h = lower(replace(h,".myFQDN.fr","")) | eval h = lower(replace(h,".myotherFQDN.fr",""))
| eval indexname=idx
| eval hostname=h
| eval sourcename=s
| stats sum(b) as sumBtoday by indexname hostname sourcename
| eval sumBtoday=round(sumBtoday/1024,0)]
| search sumBtoday=0
| sort indexname
More may come later or don't hesitate to reply.
Have a nice day 🙂
... View more
- Tags:
- solution
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
