About eholz1

eholz1 · ‎06-12-2024

Hello deepakc, Thank you very much for this information. This forum is great. Kudos to you for helping me understanding the "internals" of Splunk, eholz1

eholz1 · ‎06-11-2024

Hello All, Perhaps I have the 64K $ question. I am trying to understand (better) the IOWAIT warnings and errors. The yellow and red icons, etc. I know that IOWAIT can be an issue, and only on Linux based servers. I will guess that running Splunk Enterprise on a virtual linux machine makes things harder. I have revised the Health Report Managaer settings per a Splunk forum posting, and the issue is resolved for the most part. I can run an "unreasonable" search and get the warining icon, and then as the search progresses, the red error icon. I have run some linux commands like iostat, and iotop while the search is running but do not see any useful data. I am just curious how Splunk determines the IOWAIT values as part of the health monitoring. I was also wondering if I reset the healh repoting values back to the default, how I might go about reducing the "IOWAIT" characteristic on the Splunk server. Thanks for any hints or tips ewholz

eholz1 · ‎06-10-2024

How can I use this app? I have it installed, but configuration I do not understand how to set this up Thanks, ewholz

eholz1 · ‎06-10-2024

Hello and Thanks, It looks like this app, desires to store data in some sort of "cloud" based storage. Is this correct? The data I have cannot be anywhere but on a private LAN. I am not sure how to use this app, is there a posting or source of instructions on how to use this SplukBase app? Thanks for the reply, ewholz

eholz1 · ‎06-06-2024

OK, thanks so much, I will review the information you provided. Since our Splunk Enterprise instance is running on a virtual machine - the info you provided could be the issue. Splunk internals are tricky, I will check things over. Thanks Again, EWHOLZ

eholz1 · ‎06-06-2024

thanks, will check

eholz1 · ‎06-05-2024

Hello All, The question is is IOWAIT mean anything? I am in the process of upgrading Splunk 8.2.12 to 9.1.2, and then 9.2.1. I have not yet upgraded to 9.1.2. The Health Report is set at default settings i.e. 3, etc.I have tried the suggestion of doubling threshold vales, but eventually get a Warning yellow, or sometimes red, etc. I am running Splunk Enterprise 8.2.12 on an Oracle Linux (ver 7.9) with 12 cpu and 64GB memory. Do these settings have any benefit for the IOWAIT thresholds? I see where I can disable IOWAIT - or does it make any sense to try to generate some sort if Diag, which has a link when opeing the "Health Report Manager" Any info here? Am I missing something? Thanks as always for a very helpful Splunk community. EWHOLZ I

eholz1 · ‎06-04-2024

Thanks again for the info and clarification ewholz

eholz1 · ‎06-03-2024

This has not worked for me, any ideas? here is my SSLconfig line in server.conf [sslConfig] sslPassword = $7$IVRDJa9zz5Rmt3ZehltRkIK2vnYpOPiMSSAZMNAUqdQ7hQAGf2GNXg No other lines in the file. I am open to suggestions, and get this as well: WARNING: Server Certificate Hostname Validation is disabled., see server.conf, etc Thanks, EWHolzx

eholz1 · ‎06-03-2024

Hello, and Thanks for tip. I will look into getting TLS set and/or a new cert - the cert will need to be self-signed. Splunk was re-started after each upgrade. I am not familiar with the acronym of "SHC" -Thanks for the info. ewholz

eholz1 · ‎05-31-2024

Hello All, I have searched high and low to try to discover why the kvstore process will not start. This system was upgraded from Splunk 8.0, to 8.2, and finally 9.2.1. I have looked in mongod.log and splunkd.log, but do not really see any thing that helps resolve the issue. Is ssl required for this? the - is there a way to set a correct ssl config, or disable it in the server.conf file? Would the failure of the KVstore process affect IOWAIT? I am running on Oracle Linux, ver 7.9 - I am open to any suggestions. Thanks ewholz

eholz1 · ‎05-16-2024

Hello, Thanks for the reply. It works, sort of... The "dark" theme truns everything dark. It was my hope to have just the Apps panel be dark. I will guess the new version of Splunk over-writes a css file for the web interface. I have an older version of Splunk running, I will see if I can find the css file. Thanks again for the reply. Eric W.

eholz1 · ‎05-15-2024

Hello All, I have just upgraded Splunk ver 9.0.1 to 9.2.1. I have one question: the "Apps" panel on the left side of the window has a "white" background. Version 9.0.1 and older had a "dark" or "black" backgrould (my preferred view). Is there a way to set the background for the Apps panel to dark or black? Thanks, Eric W.

eholz1 · ‎01-16-2024

Hello There, I have installed Splunk DB Connect and all its requirements on ver 9.0 This works pretty well for queries either in Search or in SQL Exploereer. I want to use a stored procedure to return data using DB Connect. The procedure works fine in SQL Exploereer, and from the MySQL commang line. If I try to call the procedure from Splunk Search - I get no results I am using this format: dbxquery connection=myconn procedure="{call my_nice_proc(@val);}" this should return a text string, or a table of results if the query/procedure retuns 1 or more rows.. Any ideas on what I am missing? thanks, eholz1

eholz1 · ‎12-20-2023

dtbur;rows3 Wow, fast reply. Thanks. The ID gets set when the csv file is written. I have a python program that queries a MySQL database, and writes a "0" as ID if no results are returned from the query. If there is data returned, the ID is taken from query results (i.e ID=34, etc). The csv file is on a remote server. I use the Splunk Universal Forwarder to send the file to splunk. Is there a way to get this file set as an "input lookup" or does the "input lookupo" required the file to be local to the Splunk server? Thanks for quick help. EWHolz

eholz1 · ‎12-20-2023

Hello All, I have a search question. I have a csv file that returnds data. the ID field if there is no data - I want to have a table which shows 4 columns: NAME,STATUS,DATE,ACTION. These come from the csv file header line. If the ID >0 I want to show these columns: DATE-Changed,ID,NAME,DATE_DOWN,ACTION. I have not yet seen how I might do this. What I need, in a sense, it two searches, one when ID=0, and one when ID>0. Any suggestions? Thanks, EWHOLZ

eholz1 · ‎12-20-2023

Hello Members and richgallowy, Thanks for the tip. It has been a while since I have needed to apply my limited "Splunk" skills, I appreciate this suggestion, and will try it out;. Regards, EWHolz

eholz1 · ‎12-19-2023

Hello, I need some help. Icreate a csv file on remote server from a mysql quert. I forward the csv file from the remote server to splunk. I can read the data. The csv file is over written each day, it have have only 1 line of data, or multiple lines of data - it is a list of device that have gon down. If no devices are down, the the file only has the hearder, and data that says: :No Devices Down:" I only want to see data from the file on the day the file is writtern. The challenge I have is to read only the data in the file for that day. The issue is that splunk indexes the data, so splunk retains the data over time, like I want only 1 day info from the file, but splunk has all the data indexed How can I return only the data for the day, not for all data in splunk indes? thanks, EWHolz

eholz1 · ‎12-05-2023

Hello Members, I would like to import/show data in a splunk dashboard. This data is results from a mysql query run by php to create an html page with the results in an html table. Most likely the easiest way to do this would be to write the data to a csv file, and use splunk forwarder to send the data to splunk. The data needs to be checked once a day. I was wondering if there is a way to build a dashboard from the data via the splunk REST api, or import/forward the html page that get created from the mysql query. The query is run on a remote server. I looked at the splunk-sdk-python but its implementation is not user friendly - it requires docker, which I cannot get running for some reason. I am open to any and all suggestions. thanks eholz

eholz1 · ‎09-06-2023

Hello All, I am using maps+ with some success. I have one question, is there a way to zoom back to a set zoom point (like 3 or 4) after a default zoom in on a cluster? I am using maps+ to show up or down network devices. The cluster shows, say 2 devices at a given lat/log, zooms in quite a lot. I am using a map of the US, more or less centered in the window., but after the zoom-in, I have to backout using the "-" icon. It would be nice if maps+ had the zoom bck feature of the legacy map using geostats, etc. Thanks eholz1

eholz1 · ‎08-31-2023

Hello All, I am hoping for some guidance here. I am using Maps+. It seems to be a decent application. There are two things I want to do, ans so far no joy. 1. I want to be able to change the color of the cluster circle. 2. I want to be able to "un-zoom" back to initial state after clicking on a cluster circle. My map show routers and switches, by lat/long that are UP or DOWN. I have no issues with markerType or color or icon style. I would like to change the cluster circle color for devices that are "down". Can I do this? or do I have to use a legacy map type. thanks so much, eholz

eholz1 · ‎08-28-2023

Hello All, I have seen this post (which is helpful) "How to get the on click marker gauge redirect to a dashboard?" I would like to run a search instead of setting a variable on a panel. Is this possible? The javascript writes the value to a $toke$ variable on a second panel. I would like to run a search - the filler gauge does not have an option for a drilldown. Yes - the easy way is to just click the search magnify glass. Thanks, eholz1

eholz1 · ‎08-10-2023

Hello All, I have created a filler gauge for a count of events. I would like to not see the scale on the right side of the gauge, or change the major units to show just 100s. Is this possible - see image below: I have searched to see if I can change this, but have not yet found the answer, thanks as always, eholz1

eholz1 · ‎08-04-2023

Hello richgalloway, Thanks for the reply. At least I know my "logic" is correct! Thanks for the reply, and even answers to my previous posts. I will try your suggested search. The community is a valuable resource. eholz1

eholz1 · ‎08-03-2023

Hello All, I would like some suggestions. I am trying to search the Cisco ASA sourcetype in Splunk for the current users that are logged in to an ASA. I am trying to use "last 24 hours" as the start time range. I am trying to count login message (113004) and compare with logout message (722023). There are other message ids for logout:716002, 113019. It seems that I need the "latest" login. The user can log in and log out - I can get pairs by user for a login/logout. If there is a pair like that I can assume the user is not logged in. The challenge comes with the fact the user can have logged in and out multiple times. My theory is that if a user has more logins that logouts (assuming there is a login later than a log out). this should be a user that is logged on. The trick seems to be finding the latest log in per user, and counting values in the "message_id" field. Any suggestions here? I can check users on the ASA using the "show vpn-session summary" command, but that number almost never matches my searches. I can use any suggestion. Thanks eholz1

Posts	152
Solutions	2
Karma Given	54
Karma Received	5
Member Since	‎03-25-2019

Online Status	Offline
Date Last Visited	‎06-12-2024 07:34 AM

Splunk Enterprise - how does it detect IOWAIT warn...

Configure and Use Enterprise Security Configuratio...

IOWAIT Mystery - What is it? Is it important?

KVStore process will not start

Apps panel, left side of window - Splunk ver 9.2.1

Stored procedure fails to run Splunk DB connect

Change table columns based on field value

Challenge with splunk forwarder and csv file

Suggestions Please: REST Api, csv,html

Zoom back or out using maps+

Re: Splunk Enterprise - how does it detect IOWAIT ...

Splunk Enterprise - how does it detect IOWAIT warn...

Configure and Use Enterprise Security Configuratio...

Re: IOWAIT Mystery - What is it? Is it important?

Re: IOWAIT Mystery - What is it? Is it important?

Re: IOWAIT Mystery - What is it? Is it important?

IOWAIT Mystery - What is it? Is it important?

Re: KVStore process will not start

Re: kvstore certificate renewal is not working...

Re: KVStore process will not start

KVStore process will not start

Re: Apps panel, left side of window - Splunk ver 9...

Apps panel, left side of window - Splunk ver 9.2.1

Stored procedure fails to run Splunk DB connect

Re: Change table columns based on field value

Change table columns based on field value

Re: Challenge with splunk forwarder and csv file

Challenge with splunk forwarder and csv file

Suggestions Please: REST Api, csv,html

Zoom back or out using maps+

Using Splunkbase Maps+

How to run a search from a filler gauge on-click e...

How to hide or change scale values on right side o...

Re: Searching Cisco ASA sourcetype in Splunk

Searching Cisco ASA sourcetype in Splunk