Notwithstanding any issues with your sample and config, ensure the following 2 basic setup tasks have been done:
Enable the eventgen modular input. I'm using version 6.5.2, where it is disabled by default.
Set your app to global permissions. This is where I got stuck, and having skim-read the manual a couple of times, I failed to read the final paragraph where it is mentioned.
We have a clustered 6.5.3 deployment and are following this doc to re-assign a new sourcetype to squid access logs, but with no success.
The squid log is in the default log format as per https://wiki.squid-cache.org/Features/LogFormat
The sourcetype is currently access-too_small.
I don't have control of the UFs to update their inputs.conf, so I am taking this approach for now.
Re-assigning all events, so the regex is .* . I have seen . as well as .* . Which is the correct syntax to match all events?
Here are the props and transforms on the indexers:
/opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =
/opt/splunk/etc/slave-apps/Splunk_TA_squid/local/transforms.conf DEST_KEY = MetaData:Sourcetype
/opt/splunk/etc/slave-apps/Splunk_TA_squid/local/transforms.conf FORMAT = sourcetype::squid
/opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096
/opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/transforms.conf MV_ADD = False
/opt/splunk/etc/slave-apps/Splunk_TA_squid/local/transforms.conf REGEX = .*
/opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw
/opt/splunk/etc/system/default/transforms.conf WRITE_META = False
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/slave-apps/Splunk_TA_squid/local/props.conf TRANSFORMS-sourcetype = squid_override_sourcetype
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/system/default/props.conf sourcetype =
I have also tried using the [host::redacted_hostname] and [access-too_small] stanzas in props but to no avail.
Cluster automatically did a rolling restart on initial app push, but subsequent updates to props/transforms didn't. Did a rolling restart just in case as well.
Having read a lot of related posts here I see people having success, so I know it's an oversight on my side; any pointers would be much appreciated.
The settings shown above are on the first indexers receiving the events from the UF where logs are collected.
The instance collecting the logs is a true UF, not a full Splunk Enterprise install.
My understanding is that a dbxoutput needs to specify an output. How does the SH know about the output declared on the HF?
In my environment, I have created an output (with and without scheduling enabled) on the SHC and this works but is it supported?
Also, as a test, I see in the SH log that the output gets scheduled, but it appears that it never really gets executed. Is this the expected behaviour, or should the UI present an error when saving a scheduled output (I noticed the yellow warning that some functions won't work)?
My datasets are much larger, but these represent the crux of my hurdle.
fields: sid, user
fields: sid, amount
Where: sale_made.sid = sale_by.sid
I have this search that works:
sourcetype=sale_by | join sid [ search sourcetype=sale_made ] | stats sum(amount) by user
Can this be done more efficiently with stats?
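One way to express the same correlation without join, written as an added example rather than the poster's search: pull both sourcetypes in one pass, roll them up by the shared sid, then aggregate by user. The sourcetype and field names are taken from the post above; the output field names are my own.

```spl
(sourcetype=sale_by OR sourcetype=sale_made)
| stats values(user) AS user sum(amount) AS amount BY sid
| where isnotnull(user) AND isnotnull(amount)
| stats sum(amount) AS total_amount BY user
```

Note the semantic difference: join defaults to at most one subsearch match per sid (max=1) and is bounded by the subsearch result limit, whereas the stats form sums every sale_made event for a sid and has no subsearch cap.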
Test driving this app now and noticed the default helloworld JMX input is disabled out of the box. Maybe that is why OP is not seeing these details.
I enabled it, restarted Splunk and am on my way with the default settings.
As per http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Handlemasternodefailure
I'm using ELB to front the master.
The issue that I'm hitting is that the master sees the peers coming from the ELB's interface. That is, the master is associating the ELB's interface address with the peer and not looking for the peer's actual IP address. I have the ELB listener set up for HTTPS, so ELB is setting the X-Forwarded-For header, which should contain the peer's actual address as per the AWS docs.
The problem occurs when indexer peers hit the same ELB node: the master sees both using the same IP address and rejects the second peer with a message like...
Search peer A.B.C.D has the following message: Failed to add peer 'guid=46410D7B-5283-4A25-9BC6-993D67E1E21F server name=A.B.C.D ip=W.X.Y.Z:8089' to the master. Error=Peer with hostport=W.X.Y.Z:8089 is already registered and UP.
A.B.C.D is the peer's address.
W.X.Y.Z is the ELB interface.
My understanding is that peers talk to the master over HTTPS, but I'm guessing the master doesn't support the X-Forwarded-For header.
Is there any way to set 'hostport' or is that derived from the source address field of the TCP session?
Has anyone gotten this sort of setup to work?