Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About patterc
patterc
Explorer
Member since:
06-01-2016
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 06-01-2016 |
Activity Feed
- Karma Re: Searchhead is unable to update the peer information. Error = 'Unable to reach master' for DavidHourani. 06-05-2020 12:50 AM
- Karma Re: Upgrading from Splunk 6.3.2 to 6.3.3 on an Ubuntu server, why am I unable to start Splunk? for lakromani. 06-05-2020 12:47 AM
- Posted Re: What port does the forwarder need opened to the indexers? on Getting Data In. 04-21-2020 09:40 AM
- Posted Re: Why does the forwarder service try to use a non-9997 port? on Getting Data In. 04-21-2020 08:45 AM
- Posted Re: Why does the forwarder service try to use a non-9997 port? on Getting Data In. 04-21-2020 08:23 AM
- Posted Why does the forwarder service try to use a non-9997 port? on Getting Data In. 04-21-2020 06:55 AM
- Tagged Why does the forwarder service try to use a non-9997 port? on Getting Data In. 04-21-2020 06:55 AM
- Tagged Why does the forwarder service try to use a non-9997 port? on Getting Data In. 04-21-2020 06:55 AM
- Tagged Why does the forwarder service try to use a non-9997 port? on Getting Data In. 04-21-2020 06:55 AM
- Posted Re: Can I add columns to past events with a dashboard and save? on Dashboards & Visualizations. 03-06-2020 10:52 AM
- Posted Re: Can I add columns to past events with a dashboard and save? on Dashboards & Visualizations. 03-05-2020 01:54 PM
- Posted Can I add columns to past events with a dashboard and save? on Dashboards & Visualizations. 03-05-2020 07:43 AM
- Tagged Can I add columns to past events with a dashboard and save? on Dashboards & Visualizations. 03-05-2020 07:43 AM
- Tagged Can I add columns to past events with a dashboard and save? on Dashboards & Visualizations. 03-05-2020 07:43 AM
- Tagged Can I add columns to past events with a dashboard and save? on Dashboards & Visualizations. 03-05-2020 07:43 AM
- Posted Re: Run a Scheduled Report on Demand on Archive. 02-14-2020 11:25 AM
- Posted Re: Why Windows Event Logs show "Splunk could not get the description for this event. Either ..." in message field in Splunk 6.1.2? on Getting Data In. 06-01-2016 08:50 AM
04-21-2020
09:40 AM
I'd like to add that this answer is half correct. The Indexers RECEIVE data on port 9997, but the Universal Forwarder and Heavy Forwarder SEND the data over a random port.
Within the packet structure, the SRC will be the [ForwarderIP]:[random port] and the DSC will be [Indexer IP]:9997
... View more
04-21-2020
08:45 AM
Thanks Pavel for the explanation on an Ephemeral port. I haven't heard that yet. My organization is fairly strict on the firewall rules, but this makes sense. I supposed you can get some backed up connections if you're trying to send data and receive it on the same port.
There is definitely a firewall blocking the packets in this case because the firewall rule is expecting all comms to go over port 9997.
... View more
04-21-2020
08:23 AM
Yes, the Indexers receive data on port 9997. They receive data from other forwarders successfully.
The problem is that when the Forwarder sends the data out, it leaves the box over a non-9997 port. That can be seen in the line ending with (SYN_SENT) where it tried to use port 41464. If I run the lsof -i -P -n command again, the port will be different.
... View more
04-21-2020
06:55 AM
We have a Splunk Enterprise installed in a DMZ with strict firewall rules about how to communicate with our index array. When I set up forwarding on the outputs.conf, I designated our Indexer IPs and port 9997.
[tcpout:default-autolb-group]
disabled = false
server = IP1:9997, IP2:9997, IP3:9997, IP4:9997
Forwarding isn't working, though. When I check the ports with the "lsof -i -P -n" command, I see that the Heavy Forwarder tries to talk to IP1 over random ports
splunkd 31931 root 61u IPv4 570678 0t0 TCP [Heavy Forwarder]:41464->[IP2]:9997 (SYN_SENT)
Can I force the outbound SYN to go over port 9997?
... View more
03-06-2020
10:52 AM
We have come up with a drilldown dashboard for the data that writes the 'comment' field to a lookup CSV. The users can pull up their data that they need to work and then click on a row to add a comment. The dashboard will then do a lookup for that data to see the users comment(s) to why the data showing it's results.
... View more
03-05-2020
01:54 PM
I'm thinking that writing it to a lookup file and appending it over time. But basically, the users have columns A-G of fields they're interested in. They need to do research for each row of data and then leave a comment (which can be chosen from a drop-down list) in column H on what the status is of the row. Each day the rows change to new data. When the users click submit, it could write results to a lookup file and the lookup file could be used for analytics on each comment.
The part I'm having trouble with is getting a drop-down list in column H
... View more
03-05-2020
07:43 AM
I have a use-case with my organization that would require writing additional columns to events. The users want a dashboard that receives data every day and each row of these records needs an additional column added which can have a drop down menu to choose from.
The problem is that they want to "save" the drop down selections "back to the dashboard" which I haven't seen done in Splunk before. I think it would require a |makeresults command whenever a Submit button is clicked at the bottom of the table in question. Has anyone ever seen or done something like this?
... View more
02-14-2020
11:25 AM
i have the same question. it would be really nice to be able to click a button and have a report run from the Reports tab within an app. sometimes the scheduled search returns partial results or doesn't work at all (especially if there was an issue getting data indexed) and then the dashboard that uses a report is wrong. just being able to run the reports ad-hoc instead of rewriting the cron schedule would be much nicer.
... View more
06-01-2016
08:50 AM
Does this error message actually indicate anything BAD on the host or the server? I'm seeing thousands of occurrences of this issue in my environment but I still get my logs and don't seem to have any issues.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
