Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nmohammed
nmohammed
Contributor
Member since:
03-02-2015
06-05-2020
Community Statistics
| Posts | 115 |
| Solutions | 8 |
| Karma Given | 0 |
| Karma Received | 13 |
| Member Since | 03-02-2015 |
Activity Feed
- Got Karma for Re: Split pipe delimited line into named columns. 11-17-2020 09:39 AM
- Got Karma for Re: How to blacklist events for a specific event code and task category?. 08-07-2020 02:16 PM
- Got Karma for Splunk App and Add-on for ServiceNow: Why does the accounts setup page display error "Unexpected error "" from python handler: "HTTP 500 Internal Server Error -- In handler 'snow_account'"?. 06-05-2020 12:48 AM
- Got Karma for Re: How to combine tstats with inputlookup?. 06-05-2020 12:48 AM
- Got Karma for Re: How to combine tstats with inputlookup?. 06-05-2020 12:48 AM
- Got Karma for tstats with stats eval condition not displaying any results. 06-05-2020 12:48 AM
- Got Karma for Re: Split pipe delimited line into named columns. 06-05-2020 12:48 AM
- Got Karma for Re: Why am unable to uninstall Splunk universal forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Why am unable to uninstall Splunk universal forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Why am unable to uninstall Splunk universal forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Why am unable to uninstall Splunk universal forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?. 06-05-2020 12:47 AM
- Got Karma for How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?. 06-05-2020 12:47 AM
- Posted Re: How to embed several dashboards using iFrame? on Dashboards & Visualizations. 10-02-2019 01:32 PM
- Posted Re: Does useACK=true in inputs.conf [batch://] stanza ensure that the file will be indexed BEFORE being deleted? on Getting Data In. 08-21-2019 02:19 PM
- Posted Re: Windows 10 / Server 2016 .etl Windows Update Log Format on All Apps and Add-ons. 08-16-2019 12:26 AM
- Posted Re: Windows 10 / Server 2016 .etl Windows Update Log Format on All Apps and Add-ons. 08-15-2019 04:35 PM
- Posted Re: How to correctly deploy DNS analytical and diagnostic logs to capture all FQDN queries on Windows Server 2012 on All Apps and Add-ons. 08-14-2019 05:12 PM
- Posted Re: distsearch.conf is overridden after updating through GUI , upon restarting splunk on Deployment Architecture. 07-30-2019 04:00 PM
- Posted Re: distsearch.conf is overridden after updating through GUI , upon restarting splunk on Deployment Architecture. 07-28-2019 10:54 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-02-2019
01:32 PM
hi @MuS,
This is great. can this app be used on Search Head cluster without causing any issues ?
Thanks
... View more
08-21-2019
02:19 PM
hi @lyndac
I am in exact similar situation ? were you able to identify and make it working successfully with batch input. Just want to make sure, the file is completely indexed before deletion and newer files keep getting created in the directory with application requests, so they need to be monitored, forwarded and deleted.
Thanks
... View more
08-16-2019
12:26 AM
Thanks. does Splunk Stream pull DNS analytics log data ? if so, how can it be done ? do we need to install the Splunk stream on all the DNS servers?
... View more
08-15-2019
04:35 PM
Hi @gjanders
I deployed the app "Windows DNS Analytical and Diagnostic Logs" on the DNS server , where the DNS Analytical logs are enabled and also see the log file grow with events, but however the logs are not being forwarded by the Universal Forwarder running on the DNS server.
Anything different, that's required for the setup ?
Thanks
... View more
08-14-2019
05:12 PM
@gawilliams
Were you able to send these ETL logs using universal Forwarder and Add-on ?
... View more
07-30-2019
04:00 PM
hi @jawaharas
Yes, we're using index clustering. I tried to delete the distsearch.conf again today and restarted splunk on the search heads and found it was re-created on all except one search head in the cluster.
[sslConfig]
sslKeysfilePassword = $1$EDkhKG6tJRyF
sslPassword = $1$EDkhKG6tJRyF
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = $1$EXktLS6/MxP38oI=
serverName = eo1vmsk099.lema
[license]
master_uri = https://eo1vmsk444.lema:8089
[replication_port://8090]
[raft_statemachine]
disabled = false
[shclustering]
conf_deploy_fetch_url = https://eo1vmsk555.lema:8089
disabled = 0
mgmt_uri = https://10.XXX.XX.XXX:8089
id = 013107EC-FC15-4338-A045-75942E648CB7
[clustering]
master_uri = clustermaster:eo1vmsk555.lema:8089
mode = searchhead
[clustermaster:eo1vmsk555.lema:8089]
master_uri = https://eo1vmsk555.lema:8089
multisite = 0
site = default
pass4SymmKey = $1$EXktLS6/MxP38oI=
... View more
07-28-2019
10:54 PM
hi @burwell
We don't have any automation or CM tools monitoring file systems that would restore the file.
And the file is created by user that runs splunk on the server. We tried to delete the file and restart splunk, but it gets restored again.
... View more
07-28-2019
03:53 PM
@burwell - it's 7.1.1
... View more
07-26-2019
11:24 PM
yes. Ran it across all SH members, except for captain , then verified the config file contents on all the members before restart; but still seeing the issue .
... View more
07-26-2019
10:48 PM
just tried the approach .
created a distsearch.conf file with following contents on the captain -
[distributedSearch]
servers =
Ran $SPLUNK_HOME/bin/splunk resync shcluster-replicated-config
Rolling restart of SH members
I checked couple of members where the restart was completed and found the distsearch.conf file got overridden again to old with contents.
[distributedSearch]
servers = https://10.xxx.36.000:8089,https://10.xxx.46.00:8089,https://10.xxx.46.00:8089,https://10.xxx.46.00:8089,https://eo1vmsk011.lema:8089
Update -
Found set of old search heads (including the captain) in the cluster got updated with the old distsearch.conf (overridden); we added 4 new search heads this week and they seem to be okay.
... View more
07-26-2019
10:17 PM
Thanks @jawaharas
I don't see the file on on the captain now . Should I create a file with contents on captain and then run step 2 and 3 ?
... View more
07-26-2019
05:25 PM
We've SH Cluster environment and are seeing the following error ;
"Gave up waiting for the captain to establish a common bundle version across all search peers; using most recent bundles on all peers instead"
After some re-search and looking through answers site, this could be due to inconsistent distsearch.conf on some of the search heads in the cluster ; so I updated and removed all the values to servers key in distsearch.conf on all the search heads in the cluster and restarted splunk; but immediately following restart the changes made are overridden and restored to old distsearch.conf file. We're not deploying this file with these changes using deployer.
Following was done (multiple times) on each search head in the cluster (IPs hashed for security purposes) -
cat /opt/splunk/etc/system/local/distsearch.conf
[distributedSearch]
servers = https://10.xxx.36.000:8089,https://10.xxx.46.00:8089,https://10.xxx.46.00:8089,https://10.xxx.46.00:8089,https://eo1vmsk011.lema:8089
Changed distsearch.conf to
[distributedSearch]
servers =
Restarted splunk
Checked the distsearch.conf file to find contents restored
We even tried to delete the distsearch.conf file across all the search heads in the cluster , followed by restarting all the members, but the distsearch.conf file gets recreated.
output of btool command on distsearch from one of the affected search heads in the cluster. I have checked for any monitoring/CM tool, but we don't have any to manage splunk process.
[spnksvc@ep3vmnspk199 bin]$ ./splunk cmd btool distsearch list --debug
/opt/splunk/etc/system/default/distsearch.conf [bundleEnforcerBlacklist]
/opt/splunk/etc/system/default/distsearch.conf [bundleEnforcerWhitelist]
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf [distributedSearch]
/opt/splunk/etc/system/default/distsearch.conf authTokenConnectionTimeout = 5
/opt/splunk/etc/system/default/distsearch.conf authTokenReceiveTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf authTokenSendTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf bestEffortSearch = false
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 10
/opt/splunk/etc/system/default/distsearch.conf defaultUriScheme = https
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf disabled = 0
/opt/splunk/etc/system/default/distsearch.conf receiveTimeout = 600
/opt/splunk/etc/system/default/distsearch.conf sendTimeout = 30
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf serverTimeout = 900
/opt/splunk/etc/system/local/distsearch.conf servers = https://10.xxx.36.000:8089,https://10.xxx.46.00:8089,https://10.xxx.46.00:8089,https://10.xxx.46.00:8089,https://eo1vmsk011.lema:8089
/opt/splunk/etc/system/default/distsearch.conf shareBundles = true
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf statusTimeout = 900
/opt/splunk/etc/system/default/distsearch.conf useSHPBundleReplication = true
/opt/splunk/etc/apps/Splunk_TA_windows/default/distsearch.conf [replicationBlacklist]
/opt/splunk/etc/apps/splunk_app_windows_infrastructure/default/distsearch.conf MSAD_lookups = .../splunk_app_windows_infrastructure/lookups/(tHostInfo|tSessions).csv$
/opt/splunk/etc/system/default/distsearch.conf conf = (system|(apps/))/(default|local)/server.conf
/opt/splunk/etc/system/default/distsearch.conf framework = apps/framework/...
/opt/splunk/etc/system/default/distsearch.conf lookupindexfiles = (system|apps/|users(/reserved)?//)/lookups/.(tmp$|index($|/...))
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf noBinDir = (.../bin/)
/opt/splunk/etc/apps/Splunk_TA_windows/default/distsearch.conf nontsyslogmappings = ...ntsyslog_mappings.csv
/opt/splunk/etc/system/default/distsearch.conf sampleapp = apps/sample_app/...
/opt/splunk/etc/system/default/distsearch.conf user_specific_meta = users(/_reserved)?///metadata/local.meta
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf [replicationSettings]
/opt/splunk/etc/system/default/distsearch.conf allowDeltaUpload = true
/opt/splunk/etc/system/default/distsearch.conf allowSkipEncoding = true
/opt/splunk/etc/system/default/distsearch.conf allowStreamUpload = auto
/opt/splunk/etc/system/default/distsearch.conf concerningReplicatedFileSize = 500
/opt/splunk/etc/system/default/distsearch.conf connectionTimeout = 60
/opt/splunk/etc/system/default/distsearch.conf excludeReplicatedLookupSize = 0
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf maxBundleSize = 14438892420
/opt/splunk/etc/system/default/distsearch.conf maxMemoryBundleSize = 10
/opt/splunk/etc/apps/splunk_dist_conf/default/distsearch.conf replicationThreads = 8
/opt/splunk/etc/system/default/distsearch.conf sanitizeMetaFiles = true
/opt/splunk/etc/system/default/distsearch.conf sendRcvTimeout = 60
/opt/splunk/etc/system/default/distsearch.conf [replicationSettings:refineConf]
/opt/splunk/etc/system/default/distsearch.conf replicate.app = true
/opt/splunk/etc/system/default/distsearch.conf replicate.authorize = true
/opt/splunk/etc/system/default/distsearch.conf replicate.collections = true
/opt/splunk/etc/system/default/distsearch.conf replicate.commands = true
/opt/splunk/etc/system/default/distsearch.conf replicate.eventtypes = true
/opt/splunk/etc/system/default/distsearch.conf replicate.fields = true
/opt/splunk/etc/system/default/distsearch.conf replicate.literals = true
/opt/splunk/etc/system/default/distsearch.conf replicate.lookups = true
/opt/splunk/etc/system/default/distsearch.conf replicate.multikv = true
/opt/splunk/etc/system/default/distsearch.conf replicate.props = true
/opt/splunk/etc/system/default/distsearch.conf replicate.segmenters = true
/opt/splunk/etc/system/default/distsearch.conf replicate.tags = true
/opt/splunk/etc/system/default/distsearch.conf replicate.transactiontypes = true
/opt/splunk/etc/system/default/distsearch.conf replicate.transforms = true
/opt/splunk/etc/system/default/distsearch.conf [replicationWhitelist]
/opt/splunk/etc/system/default/distsearch.conf kvstore = kvstore/...
/opt/splunk/etc/system/default/distsearch.conf other = (system|(apps/(?!pdfserver))|users(/_reserved)?//)/(bin|lookups)/...
/opt/splunk/etc/system/default/distsearch.conf refine.conf = (system|(apps/)|users(/_reserved)?//)/(default|local)/.conf
/opt/splunk/etc/system/default/distsearch.conf refine.metadata = (system|(apps/)|users(/_reserved)?//)/metadata/.meta
/opt/splunk/etc/system/default/distsearch.conf searchscripts = searchscripts/...
/opt/splunk/etc/system/default/distsearch.conf [tokenExchKeys]
/opt/splunk/etc/system/default/distsearch.conf certDir = $SPLUNK_HOME/etc/auth/distServerKeys
/opt/splunk/etc/system/default/distsearch.conf genKeyScript = $SPLUNK_HOME/bin/splunk, createssl, audit-keys
/opt/splunk/etc/system/default/distsearch.conf privateKey = private.pem
/opt/splunk/etc/system/default/distsearch.conf publicKey = trusted.pem
... View more
07-23-2019
05:28 PM
@dubeysantosh
were you able to fix it ? I see the same problem , when trying to add new search heads to a existing cluster .
I was able to resolve it, by manually copying the server.pem file in SPLUNK_HOME/etc/auth to SPLUNK_HOME/etc/auth/splunkweb and start Splunk.
... View more
07-03-2019
01:40 PM
Our application logs events to the Windows application events with custom SourceNames. Need help to extract the fields using the props and transforms. I am able to extract the fields search time using the rex command, but the same doesn't work in props.conf .
tried extracting one field -
REGEX working in search - rex field=Message "^[^\]\n]*\]\s+(?P\w+)"
props.conf
[ebs_prod_api]
REPORT-ebs_type = ebs_type_extract
transforms.conf
[ebs_type_extract]
SOURCE_KEY = Message
REGEX = ^[^\]\n]*\]\s+(?P\w+)
Need to extract the following fields -
Log_type - VERBOSE , ThreadId - {117}
CorrelationId, Http status Code, Duration, Execution, Session ID .
Sample data -
07/03/2019 11:33:38 AM
LogName=Application
SourceName=exs_nmon
EventCode=0
EventType=4
Type=Information
ComputerName=ex1nmkilo
TaskCategory=%1
OpCode=Info
RecordNumber=19214030
Keywords=Classic
Message=[07/03/19 11:33:38.9356] **VERBOSE** **{117}** (NewFolder): (**CorrelationId**: IO-78904a2a-f22b-43bc-b39c-1188e9530622) Read Data for file version "Pipeline folder 2030\{1d38cda6-13f7-4353-bd46-8bde2659af97}" from \\nmsxlfs\jkil11638\nuimo1927\encdata\files\Pipeline folder 2030\{1d38cda6-13f7-4353-bd46-8bde2659af97}\Versions\00135_file.mr
07/03/2019 01:26:54 PM
LogName=Application
SourceName=exs_nmon
EventCode=0
EventType=4
Type=Information
ComputerName=ex1nmkilo
TaskCategory=%1
OpCode=Info
RecordNumber=32205553
Keywords=Classic
Message=[07/03/19 13:26:54.8825] RESTAPI {121} (GET-/v1/folder/{fileid}/metadata): Instance ID: xcert123987; User ID: one_lo; **CorrelationId**: io19db84-f68b-4328-93eb-963cf77f0feb; **Execution**: Complete; **Duration**: 260 ms; **Http status Code**: 200; **Session ID**: ui90k2b4-b714-4caa-ab26-7d0ee7df3681; Node: enc169094num; **PODVersion**: 13.1; fileid: 29006663-92a5-4ff9-ad3b-64f387004cf7
Note - Not all events contain all the fields.
Thanks
Naveed
... View more
01-30-2019
11:05 AM
I need help in masking data in the payload emitted in the log. The application writes logs to Windows Event logs -
Message=[2019-01-29 07:00:24,706] {1302} INFO SomeHelper::SendToDestination - {"RefId":"78c2511d-5aa6-4b92-9a50-3622d62ac1a2","Lender":{"Id":"4be018e4-de81-4142-adf0-cfa3dd923c7c","FirstName":"SomeFirstName","LastName":"SomeLastName","Quailification":false,"ID":"4be018e4-de81-4142-adf0-cfa3dd923c7c"}
I have tried the following SEDCMD in props.conf , but it masks all the fields after the "LastName" in payload in the EventLog.
SEDCMD-ananlname = s/("LastName":".*"/"LastName":"*****"/
... View more
09-17-2018
11:19 AM
I was able to get the results. Realized that we were not using the actual field app_type with GROUPBY in the tstats base search .. doing the following returned the expected results and I have validated them to be true.
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 GROUBPBY Enc.app_type
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
... View more
09-17-2018
10:55 AM
Thanks jkat54.
adding prestats=true displays blank results with a single column non-sdk
| tstats prestats=true count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
results -
Call sum(count)
non-sdk
index=enc sourcetype=enc type=trace source=123456| eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call
Call count
non-sdk 1144197
sdk 513994
... View more
09-14-2018
05:23 PM
hi,
I am trying to combine results into two categories based of an eval statement.
The original query returns the results fine, but is slow because of large amount of results and extended time frame:
index=enc sourcetype=enc type=trace source=*123456*| eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call
I tried the following with tstats , but none of them work, meaning displayed 0 results.
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| `drop_dm_object_name("Enc")`
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
AND
| tstats count from datamodel=Enc where sourcetype=enc-trace Enc.type=TRACE Enc.cid=1234567
| `drop_dm_object_name("Enc")`
| eval sdk=if(app_type="API",count,0), non-sdk=if(app_type!="API",count,0)
| stats sum(sdk) as SDK, sum(non-sdk) as NON-SDK
appreciate help and ideas from Splunkers.
Thanks
... View more
08-29-2018
01:29 PM
JobName Cron Schedule
JobA 0 02 * * *
JobB 0 2/4 * * *
JobC 0 03 * * *
JobD . 0 0/2 * * *
... View more
08-29-2018
01:27 PM
We have 4 tasks that run on different schedules and log an event in the application logs when the job starts. The task is to alert if the job doesn't run on a prescribed schedule. Can this be done with a single search command ?
JobA 0 02 * * *
JobB 0 2/4 * * *
JobC 0 03 * * *
JobD . 0 0/2 * * *
Event produced in Log -
[2018-08-29 06:00:00,912] {Worker #04283bd8} INFO JobA::Execute - ********************** Job Name : AgedApplicationNotificationJob - started at : 8/29/2018 6:00:00 AM **********************
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
