cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
leticiamartello
New Member
Member since: ‎03-19-2019
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-19-2019
Activity Feed
View All

WARN FileClassifierManager: The file is invalid. R...

by in Getting Data In
‎11-04-2019 09:33 AM
‎11-04-2019 09:33 AM
I have a watched file on a Universal Forwarder (Windows) and the file is send to the Heavy Forwarder (linux), but some file are not indexed, and some are indexed. This is the configuration on inputs.conf (Heavy Forwarder): [monitor://D:\Dados\xxx\Compartilhado\TECNOL~1\MONITO~1\TransUnion2Splunk\O0055xxxxx_xxxxxx_*.CSV] index=index_xxx source=ccc:ccc sourcetype=ccc:ccc disabled = 0 time_before_close = 60 multiline_event_extra_waittime = true initCrcLength = 512 I'm getting these errors: 11/1/19 7:33:12.398 PM11-01-2019 19:33:12.398 -0300 WARN FileClassifierManager - The file 'D:\Dados\xx\Compartilhado\TECNOL~1\MONITO~1\TransUnion2Splunk\O0055xxxx_xxxx_20191101190001.CSV' is invalid. Reason: cannot_open host = xxxx index = _internalsource = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.logsourcetype = splunkd 11/1/19 7:33:12.398 PM 11-01-2019 19:33:12.398 -0300 WARN FileClassifierManager - Unable to open 'D:\Dados\xxx\Compartilhado\TECNOL~1\MONITO~1\TransUnion2Splunk\O00555xxxx_xxxx_20191101190001.CSV'. host = xxxx index = _internalsource = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.logsourcetype = splunkd 11/1/197:33:12.398 PM 11-01-2019 19:33:12.398 -0300 ERROR TailReader - error from read call from 'D:\Dados\xxx\Compartilhado\TECNOL~1\MONITO~1\TransUnion2Splunk\O00555xxxx_xxxx_20191101190001.CSV'. host = SRVCNFS02index = _internalsource = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.logsourcetype = splunkd 11/1/19 7:33:12.398 PM 11-01-2019 19:33:12.398 -0300 WARN FileClassifierManager - The file 'D:\Dados\xxx\Compartilhado\TECNOL~1\MONITO~1\TransUnion2Splunk\O00555xxxx_xxxx_20191101190001.CSV' is invalid. Reason: cannot_open host = xxxx index = _internalsource = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.logsourcetype = splunkd 11/1/19 7:33:12.398 PM 11-01-2019 19:33:12.398 -0300 WARN FileClassifierManager - Unable to open 'D:\Dados\xxx\Compartilhado\TECNOL~1\MONITO~1\TransUnion2Splunk\O00555xxxx_xxxx_20191101190001.CSV'. Does anyone know what is wrong? Thnak you! ... View more

Re: How can I monitor the number of current artifa...

by in Deployment Architecture
‎10-15-2019 10:55 AM
‎10-15-2019 10:55 AM
How can I find the current active artifact objects in the dispatch directory by user? ... View more

Splunk Enterprise Security: How to join with looku...

by in Splunk Enterprise Security
‎07-01-2019 12:00 PM
‎07-01-2019 12:00 PM
I need to cross the information of my lookup with fields from my index, and bring some information on the table, but the fields that are supossed to show information, they're not showing them: | rex field=message_text "address\s(?\w+.\w+.\w+)" | dedup mac | rex field=message_text "FastEthernet0.(?\d{1,2})" | join host Porta [inputlookup salasreuniao.csv | table Sala Andar] | table mac host Porta Sala Andar _time Can anyone help me? | rename mac as "Mac Address" ... View more

Re: Custom Decorations

by in Dashboards & Visualizations
‎03-25-2019 07:24 AM
‎03-25-2019 07:24 AM
Hi @niketnilay! Thaks for your help! I did exactly has you told me to do, but it didan't workout. This is the source that I used: <dashboard> <label>Custom Decorations</label> <description> This example shows decorations using tokens from search results, HTML panels and some custom CSS. The icon are displayed using the Splunk Icon Font. </description> <row depends="$alwaysHideCSSPanel$"> <panel> <html> <style> .custom-result-value { font-size: 55px; margin: 35px auto; text-align: center; font-weight: bold; color: rgb(85, 85, 85); } .custom-result-value:before { font-family: "Splunk Icons"; font-style: normal; font-weight: normal; text-decoration: inherit; font-size: 110%; } .severe.custom-result-value:before { content: "\2297"; } .severe.custom-result-value { color: rgb(217, 63, 60); } .high.custom-result-value { color: rgb(245, 143, 57); } .high.custom-result-value:before { content: "\ECD4"; } .elevated.custom-result-value { color: rgb(247, 188, 56); } .elevated.custom-result-value:before { content: "\26A0"; } .low.custom-result-value { color: rgb(101, 166, 55); } .low.custom-result-value:before { content: "\ECD3"; } .guarded.custom-result-value { color: rgb(109, 183, 198); } .guarded.custom-result-value:before { content: "\0049"; } .custom-result-value.icon-only { font-size: 90px; } </style> </html> </panel> </row> <row> <panel> <search> <query>|(index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value1">$result.value$</set> <set token="range1">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range1$"> $value1$ </div> </html> </panel> <panel> <search> <query>| (index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value2">$result.value$</set> <set token="range2">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range2$"> $value2$ </div> </html> </panel> <panel> <search> <query>| (index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value3">$result.value$</set> <set token="range3">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range3$"> $value3$ </div> </html> </panel> <panel> <search> <query>| (index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value4">$result.value$</set> <set token="range4">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range4$"> $value4$ </div> </html> </panel> </row> <row> <panel> <html> <div class="custom-result-value icon-only $range1$"> </div> </html> </panel> <panel> <html> <div class="custom-result-value icon-only $range2$"> </div> </html> </panel> <panel> <html> <div class="custom-result-value icon-only $range3$"> </div> </html> </panel> <panel> <html> <div class="custom-result-value icon-only $range4$"> </div> </html> </panel> </row> </dashboard> When I saved the source this is what appearce: Can you see what I did wrong, please? Thank you, ... View more

Custom Decorations

by in Dashboards & Visualizations
‎03-19-2019 11:58 AM
‎03-19-2019 11:58 AM
Hi! I'm trying to edit my source in a dashboard, to do a custom decorations. This's the query that I'm using: (index="mysource") OR (index="main") OR (index="logical") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none So, after that I edited the source from dashboard to add, the custom decorations. <label>Custom Decorations</label> <description> This example shows decorations using tokens from search results, HTML panels and some custom CSS. The icon are displayed using the Splunk Icon Font. </description> <row> <panel> <search> <query>|(index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value1">$result.value$</set> <set token="range1">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range1$"> $value1$ </div> </html> </panel> <panel> <search> <query>| (index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value2">$result.value$</set> <set token="range2">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range2$"> $value2$ </div> </html> </panel> <panel> <search> <query>| (index="bmb_fortigate") OR (index="bmb_juniper") OR (index="bmb_cisco") mem=* |stats last(mem) as mem by devname|eval value=mem|rangemap field=value low=0-40 high=41-50 elevated=51-100 default=none</query> <progress> <set token="value3">$result.value$</set> <set token="range3">$result.range$</set> </progress> </search> <html> <div class="custom-result-value $range3$"> $value3$ </div> </html> </panel> </row> <row> <panel> <html> <div class="custom-result-value icon-only $range1$"> </div> </html> </panel> <panel> <html> <div class="custom-result-value icon-only $range2$"> </div> </html> </panel> <panel> <html> <div class="custom-result-value icon-only $range3$"> </div> </html> </panel> </row> But, it didan't work out. Please, can anywone help me? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM