I do see this document describes configuration of using TLS 1.2 cipher suites that are marked secure by PCI requirements. Just looking to understand the ramifications of connectivity if i do change the web.conf and server.conf with the values listed in this link Would we also have to update our certificates if we use the specific ciphers? https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/Ciphersuites ... View more

Thanks, that will most likely help a bit! planning to run this a few times per day so we can populate results in a .csv lookup table as well ... View more

| makeresults | eval _raw="time=2021-12-29T21:59:49+00:00 time_ms=2021-12-29T21:59:49.211+00:00 requestId=284461955 traceId=284461955 servicePath=\"/nationalnavigation/\" remoteAddr=x.x.x.x clientIp=x.x.x.x clientAppVersion=NOT_AVAILABLE clientDeviceType=NOT_AVAILABLE app_version=- apiKey=x oauth_leg=2-legged authMethod=oauth apiAuth=true apiAuthPath=/ oauth_version=1.0 target_bg=default requestHost=services.timewarnercable.com requestPort=8080 requestMethod=GET requestURL=\"/nationalnavigation/V1/symphoni/event/tmsid/x.com::CCDN4200000005529014?division=BUF&lineup=354&profile=sg_v1&cacheID=439&longAdvisory=false&vodId=BUF&tuneToChannel=false&watchLive=true&watchOnDemand=true&rtReviewsLimit=0&includeAdult=true\" requestSize=825 responseStatus=404 responseSize=418 responseTime=0.173 userAgent=\"Java/1.8.0_232\" mapTEnabled=\"F\" charterClientIp=\"V-1|IP-x.x.x.x|SourcePort-41098|TrafficOriginID-x.x.x.x\" sourcePort=\"x\" appleEgressEnabled=\"F\" oauth_consumer_key=\"x\" x_pi_auth_failure=\"-\" pi_log=\"pi_ngxgw_access\"!2021-12-29 14:59:49,202 ERROR [qtp115457323-2259] [284461955] [c.t.a.n.r.s.r.s.SymphoniRestServiceBroker.handleNnsServiceErrorHeaders:1365] An internal service error occurred: com.twc.atgw.nationalnavigation.SymphoniWebException: Event Not Found" | eval event=split(_raw,"!") | mvexpand event | rename event as _raw | extract ``` The lines above set up data as per example ``` ``` Extract traceId only if match on Exception capturing enf field to signify event not found match ``` | rex "\] \[(?<traceId>.+)\] \[c.t.a.n.r.s.r.s.*nationalnavigation\.SymphoniWebException: (?<enf>Event Not Found)" ``` Gather events by traceId ``` | stats values(*) as * by traceId ``` Eliminate traceIds which don't have Event Not Found ``` | where isnotnull(enf) | eval requestURLLength=len(requestURL) ``` Modified the following rex to use :: - you may need to change this back if your data really does contain %3A ``` | rex field=requestURL "/nationalnavigation/V1/symphoni/event/tmsid/.*::(?<queryString>.+)" | eval endpoint=case(match(requestURL,"/nationalnavigation/V1/symphoni/series/tmsproviderprogramid*"), "/nationalnavigation/V1/symphoni/series/tmsproviderprogramid", match(requestURL,"/nationalnavigation/V1/symphoni/event/tmsid*"), "/nationalnavigation/V1/symphoni/event/tmsid",1=1,requestURL) ``` These two rex extract exactly the same thing so either one is redundant or wrong ``` | rex field=queryString "(?<tmsIds>[^?]*)" | rex field=queryString "(?<tmsProviderProgramIds>[^?]*)" | eval assetIds=coalesce(tmsIds,tmsProviderProgramIds) | eval assetCount=mvcount(split(assetIds,",")) | stats count AS TxnCount by endpoint ... View more

your right PickleRick, i  indexed in a bunch of other data as well. should have paid attention to my actual event test data, assumed the error was something from the api script run, woops! just not familiar with the actual output yet.   ... View more

Doesn't the forwardedindex filter only works for global [tcpout] stanza as per outputs.conf ? How did you manage to make it work for targetgroup specific stanza ? ... View more

Hmm, that might be a last ditch option a bit leery using the cluster master since it was a very minimal VM resource wise. Actually i found a couple of VM's i may just end up using, splunk support replied and said using a indexer as a SH in a cluster is not supported anymore. ... View more

Hey Araitz, I talked to you briefly bout this at Splunk conf...so i started looking through the saved searches in the app which led to a long list of macros i need to gather for the searches i need, there were quite a few. just had not gathered all the ones i need yet. I'll probably start using those but was hoping the community base here might have done the work for me 🙂 perhaps even an app i can provide to users here, it's surprisingly easier to get people to adopt splunk usage when the UI does everything they need. ... View more

Thanks @aaronkorn this is the correct answer. this should be marked as answered. ... View more

I have also had the same problem. Using the information found here, I was able to figure it out 🙂 http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem ... View more

http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/HowSplunkstoresindexes#Warm.2Fcold_bucket_naming_convention it is safe to move the buckets (assuming splunk is not running) amongst the directories ... View more

That was it, will be very useful for timecharting other multikv stats, I had to use a limit=0 but got what i needed with your search. Thanks ... View more

Thanks, i'll have to start using the newest Unix app, behind the times a bit in 4.x app and did not see the categories/groups. ... View more

You shouldn't need the coldToFrozenScript. Just make sure that the "Frozen archive path" is set to a real directory. Splunk will automatically strip off everything it can when it puts the compressed data into that directory. In indexes.conf the frozen archive path is set like this: coldToFrozenDir = <path to frozen archive> Note that the path cannot contain a volume reference. ... View more

excellent, got it running on the bonded ip now. Now i need to figure out how to edit the previous cluster ip to the new ip ... View more

Hi Ayn, Originally i was using the same search string using "host" in the OUTPUT host and the lookup table had entries such as: host, device_ip It appeared to be writing all values as "NULL" when piped to timechart instead of actually retrieving the lookup value hostname. and i've manually verified the ip that is returned in splunk results does exist in the lookup table, wierd... ... View more

Its all about your input data path. If all your the data is coming from the heavy and then going to the indexer will mean the data is cooked when it hits the indexer. Cooked data is to the immune to then those particular props and transform write_meta field stanza's and will have no effect on the incoming data for those particular sources. You can force the data back through the parsing queues ( more info here : http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible ) to make it perform those write_meta commands but this has its own issues. In a nutshell, where ever your data is actually being parsed is where those props and transforms need to live. That being said, having those props and transforms on the indexer won't hurt and may catch sources that directly talk to your indexers (ie. other UF's). This can make management of your configuration harder as you will have several places you need to update config on or check when something doesn't work quite right. Also in regards to indexed fields you need to be careful as they can cause rapid bucket rolls (I just recently implemented some index time field extractions to improve performance) which will can also have a negative search performance hit for anything accessing the destination indexes ( http://answers.splunk.com/answers/102682/safe-custom-setting-for-maxmetaentries-in-indexesconf ). ... View more

As an alternative, there is an Splunk app called PyDen that will allow you to download and compile any version of Python you want, create a virtual environment, and install any PyPI packages you need to the environment. Once that's done you can add an simple import statement to the top of the script that needs the package and it will run under the environment instead of the built-in Splunk Python. ... View more

Also another oddity is if i specify [tcp://9997] instead of splunktcp the data comes in indexed but since its still coming in cooked. --splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 etc... So connectivity seems fine just seems like this instance is not handling cooked "spunktcp" data correctly. ... View more

I'd check the state of the distributed search peers. An indexer will consume its own internal logs ($SPLUNK_HOME/var/log/splunk/*) locally, so if it's not showing up there, I'd guess that it can't be reached at all. Forwarding of the _internal logs shouldn't matter in that case. ... View more

I have another request on this answer, what if i want to do the same query but compare the last 5 minutes vs the last 12 / 24 hours? I am messing around with spans and dividing the avg(count) ..Math is hard 🙂 ... View more

I'm new to Splunk, so making the home directory writable helps but my home directory is already writable by the process that Splunk is using to run. Is there something else I'm missing? ... View more

that's a relief, less work to get this installed. Thanks Alex. ... View more