About patterc

patterc · ‎08-12-2022

I've enabled Access Logging on an S3 bucket so I can have a record of when files are POSTed to the bucket. In addition to this, I've told the Splunk Add-On for AWS to look for new access log records every 60 seconds in the bucket as well. The problem is that I don't see these access logs in Splunk until hours (up to 3 or 4) after the files exist in the log on S3. If this is checking every minute, why am I not getting any results? I don't think it's a timezone issue, because if I am reading the configuration details correctly, it should just check for new records and not worry about timezones.

patterc · ‎01-26-2021

how'd it work out?

patterc · ‎12-02-2020

happy 9th bday! seriously though... c'mon splunk

patterc · ‎04-21-2020

I'd like to add that this answer is half correct. The Indexers RECEIVE data on port 9997, but the Universal Forwarder and Heavy Forwarder SEND the data over a random port. Within the packet structure, the SRC will be the [ForwarderIP]:[random port] and the DSC will be [Indexer IP]:9997

patterc · ‎04-21-2020

Thanks Pavel for the explanation on an Ephemeral port. I haven't heard that yet. My organization is fairly strict on the firewall rules, but this makes sense. I supposed you can get some backed up connections if you're trying to send data and receive it on the same port. There is definitely a firewall blocking the packets in this case because the firewall rule is expecting all comms to go over port 9997.

patterc · ‎04-21-2020

Yes, the Indexers receive data on port 9997. They receive data from other forwarders successfully. The problem is that when the Forwarder sends the data out, it leaves the box over a non-9997 port. That can be seen in the line ending with (SYN_SENT) where it tried to use port 41464. If I run the lsof -i -P -n command again, the port will be different.

patterc · ‎04-21-2020

We have a Splunk Enterprise installed in a DMZ with strict firewall rules about how to communicate with our index array. When I set up forwarding on the outputs.conf, I designated our Indexer IPs and port 9997. [tcpout:default-autolb-group] disabled = false server = IP1:9997, IP2:9997, IP3:9997, IP4:9997 Forwarding isn't working, though. When I check the ports with the "lsof -i -P -n" command, I see that the Heavy Forwarder tries to talk to IP1 over random ports splunkd 31931 root 61u IPv4 570678 0t0 TCP [Heavy Forwarder]:41464->[IP2]:9997 (SYN_SENT) Can I force the outbound SYN to go over port 9997?

patterc · ‎03-06-2020

We have come up with a drilldown dashboard for the data that writes the 'comment' field to a lookup CSV. The users can pull up their data that they need to work and then click on a row to add a comment. The dashboard will then do a lookup for that data to see the users comment(s) to why the data showing it's results.

patterc · ‎03-05-2020

I'm thinking that writing it to a lookup file and appending it over time. But basically, the users have columns A-G of fields they're interested in. They need to do research for each row of data and then leave a comment (which can be chosen from a drop-down list) in column H on what the status is of the row. Each day the rows change to new data. When the users click submit, it could write results to a lookup file and the lookup file could be used for analytics on each comment. The part I'm having trouble with is getting a drop-down list in column H

patterc · ‎03-05-2020

I have a use-case with my organization that would require writing additional columns to events. The users want a dashboard that receives data every day and each row of these records needs an additional column added which can have a drop down menu to choose from. The problem is that they want to "save" the drop down selections "back to the dashboard" which I haven't seen done in Splunk before. I think it would require a |makeresults command whenever a Submit button is clicked at the bottom of the table in question. Has anyone ever seen or done something like this?

patterc · ‎02-14-2020

i have the same question. it would be really nice to be able to click a button and have a report run from the Reports tab within an app. sometimes the scheduled search returns partial results or doesn't work at all (especially if there was an issue getting data indexed) and then the dashboard that uses a report is wrong. just being able to run the reports ad-hoc instead of rewriting the cron schedule would be much nicer.

patterc · ‎06-01-2016

Does this error message actually indicate anything BAD on the host or the server? I'm seeing thousands of occurrences of this issue in my environment but I still get my logs and don't seem to have any issues.

Posts	12
Solutions	0
Karma Given	3
Karma Received	7
Member Since	‎06-01-2016

Online Status	Offline
Date Last Visited	‎08-12-2022 01:49 PM

Delay in Access Logs from S3

Why does the forwarder service try to use a non-99...

Can I add columns to past events with a dashboard ...

Delay in Access Logs from S3

Re: monitoring windows services

Re: Is there a yum/rpm repo for Splunk?

Re: What port does the forwarder need opened to th...

Re: Why does the forwarder service try to use a no...

Re: Why does the forwarder service try to use a no...

Why does the forwarder service try to use a non-99...

Re: Can I add columns to past events with a dashbo...

Re: Can I add columns to past events with a dashbo...

Can I add columns to past events with a dashboard ...

Re: Run a Scheduled Report on Demand

Re: Why Windows Event Logs show "Splunk could not ...