About simony

simony · ‎01-28-2021

Any news on this?

simony · ‎06-18-2018

I would also be very interested in if there is a possibility to use the Slack app via a web proxy.

simony · ‎01-22-2018

Hi all I wanted to ask if Splunk's Resilient add-on is also compatible with a search head cluster? I currently have the problem that the exact same app and configuration works on a standalone search head, but not on a SHC. I receive the following error messages: 01-22-2018 14: 03: 22.531 +0100 WARN sendmodalert - action = resilient - Alert action script returned error code = 1 The connection of the app to the Resilient server works perfectly. that's why it shows me the fields in the alert_action. Could someone help me here? Where can I find more log information, that I can find out what the problem is? Best Regards, Yanick

simony · ‎01-17-2018

Hello everybody Sorry for the late answer. I created the app for my own purposes. To share it with you and give you an example of an App for Puppet I put this on Splunkbase. I did not think that this would be used actively. I will try to create a new version for splunk 7.0. Unfortunately I can not say how long I will need. Best Regards, Yanick

simony · ‎03-28-2017

Splunk Version 6.5.2 solves the Problem.

simony · ‎03-28-2017

Hi Thompson Thank you for your quick reply. In our windows environment we have cluster-based applications (consisting of up to 3 systems), which write all their logs on the NFS share (same logfile). The application runs on one of these systems and can be switched at any time automatically depending on the utilization of the systems. Now we ask ourselves how we monitor such a setup with our Splunk Heavy Forwarders. If we configured a Splunk Heavy Forwarder on each of these systems, which would monitor the same application log files, we would have duplicate data in the Splunk because each server sees the log files on the NFS share. To configure the logfiles only on one of these Heavy Forwarders is also unsightly, because then we have unconsistent configurations over the same application. So it would be nice if there was the possibility that the Heavy Forwarder on all systems monitors the same log files on the NFS share, but the events only occur once in the Splunk. So they somehow share the pointer(fishbucket) for these log files. I hope I could explain it understandly. Now we want to know what methods there are? To your remaining questions. Yes we are using a clustered configuration with Search and Index Cluster. Best Regards, Yanick

simony · ‎03-28-2017

Hi all, I have a question regarding log indexing on an NFS share. The problem we have is, that this NFS share is connected to several systems. Each from these systems writes in the same log which is on the NFS share (clustered application). Because I have not yet found out how 2 or more forwarder shared a logfile pointer, there is the risk of double events in the splunk (Each System indexes the same events). Are there some best practices from splunk side? Is it at all possible to implement such a thing? Or ist the only solution, that the logfiles indexed only by one system in the cluster? I thank you for your help. Best Regards, Yanick

simony · ‎08-25-2016

We have configured the default value (10) for percent_peers_to_restart in server.conf.

simony · ‎08-25-2016

Hi all, We have in our productive splunk architecture a very unpleasant problem. The rolling-restart behaves not as he should. Be it creating an index or otherwise. In a rolling-restart, every indexer in the index cluster started new without waiting until an indexer again is up. This means that our index cluster each time is completely down! Why splunk not wait and restarts one indexer after another? What is the time splunk waits until he restarts another indexer? After a restart every indexer have about one hour till he is index ready and searchable. This why every indexer has one hour to work off his buckets. For this reason we are each time a whole hour offline. Details about our environment: 8 node index cluster (2 sites) replication factor is 3 search factor is 2 indexes 143 all configuration is held on the master and pushed to the peers search head cluster consisting of 7 members I'm grateful for any help. Regards, Yanick

simony · ‎03-07-2016

Yes the stanza is enabled in the local/inputs.conf: [jmx://midw] config_file = config.xml polling_frequency = 60 sourcetype = jmx index = jmxitd disabled = 0

simony · ‎02-25-2016

Yes, my stanza name for JMX Input is unique in the whole /opt/splunk Directory: ./etc/apps/SPLUNK4JMX/local/inputs.conf:[jmx://midw] Meanwhile i could solve the problem with the following command: /opt/splunk/bin/splunk enable app SPLUNK4JMX Why this works, i d'ont know. In my default/app.conf the state is enabled: [install] state = enabled is_configured = true The enable command writes only an app.conf in the local directory with state = enabled. Strange.. Regards, Yanick

simony · ‎02-25-2016

Hi Splunkers I have a problem with a Modular Input in Splunk. I'm using the Monitoring of Java Virtual Machines with JMX app to push JMX data into Splunk. This works with a new Installation from a heavy forwarder very well. After a time, the Java process exits with the following message: ERROR ModularInput - Can't connect to Splunk REST API with the token [Splunk bgmFr7ozce8o6MsM_XSjtBctMT62B4QslXNLWRCLZUGHB_Dz9RjKGP8brkqFcpwdO97hb_0nqVFau7PVyBBGeQDzSmlFnKga98o6lutJODEz5d0ttl0knxtq0nF], either the token is invalid or SplunkD has exited : HTTP 401 -- <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="WARN">call not properly authenticated</msg> </messages> </response> INFO Mapping - Loading mapping descriptors from jar:file:/opt/splunk/etc/apps/SPLUNK4JMX/bin/lib/jmxmodinput.jar!/mapping.XML ERROR ModularInput - It has been determined via the REST API that all inputs have been disabled Does someone have an idea why this problem occurs? I changed nothing on the heavy forwarder. I can solve the Problem with a complete reinstallation of the heavy forwarder, but that cannot be the solution. I am glad of any help. Best regards, Yanick

simony · ‎09-28-2015

Hi vsingla1, I can currently not answer this question, because I have not tested. Once I tested it you get communication from me. Anyway, in the near future I have to develop a new version from this app. Best regards, Yanick

simony · ‎06-12-2015

Take the DB Connect 1.1.7 app and java7 and you'll see it works. That was my step because i had the same problem with the MSSQL databases if i upgrade to 1.2 and java8. Another problem is the encryption on the MSSQL database. Disable that on the database and the connection works. I hope this helps.

simony · ‎03-11-2014

Hi, We have the problem that we cannot adding Indexes to a role on our new Splunk 6 Searchhead, because we cannot see any Index that is configured on our Splunk Indexer. On our Splunk 5 Searchhead we see them all. Is this a bug? Thanks for your help. Regards, Yanick

simony · ‎11-20-2013

Hi The problem was on the MSSQL database. Because the encryption was configured on the database the JDBC had problems with the connection. It is known that the JDBC has problems with this setting. A solution to the problem I have not found it yet. We have simply taken this configuration out on the database. Now it works. Cheers, Yanick

simony · ‎11-19-2013

Hi I'm having an another question about the problem that I have. The database is a MSSQL 2008 R2. Is this database supported by the splunk db connector? Any help would be greatly appreciated. Cheers, Yanick

simony · ‎11-14-2013

Hi I'm having the problem that I can not connect a mssql database with the splunk db connect app. If I want to connect the database via the GUI splunk gives me the following message each time: Encountered the following error while trying to save: Splunkd daemon is not responding: ('The read operation timed out',) There is no firewall between the db and the splunk server from which I would connect. I've tested this with telnet. I also fill in all required disclosures, such as the port (1436), the hostname (example.bla.ch), the database (someinstance/northwind), the user, the database-type (Microsoft SQL Server) and the password. The user can log directly into the db, this I've also tested. The user has read permissions. In the dbx.log on the system I find no log entries which indicate an error. Any help would be greatly appreciated. Cheers, Yanick

simony · ‎07-23-2013

Hi Stéphane You need the sideview utils with the version 2.2.2. Sorry for the bad documentation I will note this still. Regards, yanick

simony · ‎07-23-2013

Hi Steph Oh this is a fault of mine. I thought that I have taken out all those times limitations. In wich view do you found it? Reports? I will remove it in a new version. Yes our setup with puppet is that it runs every day 8-10 clock. Remove the date_hour and then it takes the wohle day. yanick

simony · ‎07-11-2013

Your input was certainly a little help. Nevertheless I had to open a case with splunk. They have then created my app package new. The reason why i can't upload the package first they did not tell me. But at the end I could upload the package.

simony · ‎07-01-2013

Oh, you have right. Thanks for your input.

simony · ‎06-28-2013

Hello together I've been trying for hours to upload a new Splunk App on Splunkbase. Unfortunately this does not work because every time I get the following message: Application must contain an app.conf in /default What am I doing wrong? The app.conf in the default directory exist and is as follows: [ui] is_visible = 1 label = Splunk for Puppet [install] state = enabled [launcher] version = 1.0 description = The Splunk App Splunk for Puppet allows you to monitor and manage the whole puppet environment. With various reports and representations you can filter out errors, see what is runn in the puppet environment and can view various reports over several days. author = Yanick Simon, PostFinance AG [package] id = puppet check_for_updates = 0 Is something wrong with this config? Thanks for your quick help. Regards, Yanick

simony · ‎01-12-2011

Thank you for your interest. The serverlist_umgebung.cvs created by myself and looks like: label,alias All,"*" Developmentserver,"e*" Integrationsserver,"i*" Productionserver,"p*" Testserver,"t*" The auto_serverlist.csv is created automatically. We are working on a generic lookup file that will works automatically for everyone, who downloads this app. The next release is coming.

Posts	24
Solutions	4
Karma Given	0
Karma Received	2
Member Since	‎01-12-2011

Online Status	Offline
Date Last Visited	‎01-28-2021 09:48 AM

Resilient-add-on and Search Head Cluster

Splunk Heavy Forwarder with NFS shares

Index Cluster rolling-restart problem!

ModularInput Can't connect to Splunk REST API toke...

Indexes are not visible for adding them to a role ...

Splunk DB Connect MSSQL Problem

Problem with Splunk App upload

Re: Is the Getwatchlist Add-on being supported?

Re: Slack Alerts via Web Proxy

Resilient-add-on and Search Head Cluster

Re: Puppet status for Splunk v6+

Re: Index Cluster rolling-restart problem!

Re: Splunk Heavy Forwarder with NFS shares

Splunk Heavy Forwarder with NFS shares

Re: Index Cluster rolling-restart problem!

Index Cluster rolling-restart problem!

Re: ModularInput Can't connect to Splunk REST API ...

Re: ModularInput Can't connect to Splunk REST API ...

ModularInput Can't connect to Splunk REST API toke...

Re: Compatibility with Splunk 6.2.3

Re: DB Connect 1.2 / Java 8 / MSSQL Integrated Aut...

Indexes are not visible for adding them to a role ...

Re: Splunk DB Connect MSSQL Problem

Re: Splunk DB Connect MSSQL Problem

Splunk DB Connect MSSQL Problem

Re: Problem with sideview and splunk app for puppe...

Re: Splunk app for puppet, all searches are limite...

Re: Problem with Splunk App upload

Re: Problem with Splunk App upload

Problem with Splunk App upload

Re: [puppet app] Missing scheduled query for looku...