Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About msenebald
msenebald
Explorer
Member since:
06-28-2012
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 06-28-2012 |
Activity Feed
- Got Karma for Re: How to search for the most common word used?. 06-05-2020 12:47 AM
- Got Karma for Problem fetching logs from AWS S3 Buckets. 06-05-2020 12:47 AM
- Karma How do you use multi value tags in eval? for Marinus. 06-05-2020 12:45 AM
- Posted Re: Problem fetching logs from AWS S3 Buckets on All Apps and Add-ons. 01-08-2015 03:08 PM
- Posted Problem fetching logs from AWS S3 Buckets on All Apps and Add-ons. 01-08-2015 12:46 PM
- Tagged Problem fetching logs from AWS S3 Buckets on All Apps and Add-ons. 01-08-2015 12:46 PM
- Posted Why Splunk Add-on for AWS 1.1.0 Beta does not list EU-Central-1 region? on All Apps and Add-ons. 12-23-2014 04:27 AM
- Tagged Why Splunk Add-on for AWS 1.1.0 Beta does not list EU-Central-1 region? on All Apps and Add-ons. 12-23-2014 04:27 AM
- Posted Re: Can you Monitor Active Directory with Splunk Enterprise running on Linux? on All Apps and Add-ons. 12-02-2014 08:26 AM
- Posted Re: How to search for the most common word used? on Splunk Search. 08-03-2014 11:10 AM
- Posted Re: How do you use multi value tags in eval? on Splunk Search. 06-19-2013 02:52 AM
Topics I've Started
01-08-2015
03:08 PM
Hi,
thanks for that answer. Will this be in the beta of 1.1.0 ?
I tried to get one input at a time to work. So it can't be things trying to request the same queue or same bucket.
At the moment nothing is fetching anything. My focus is s3 at the moment.
Two things come to my mind.
it is indeed a policy problem, then my question would be how would i find this out? I already tried using an root/admin accesskey that is allowed to do everything and that has created the bucket (so all rights for the owner) no progress, same failures. Something not related to S3 directly? Account Setting?
It is a problem with the aws api/sdk i found some problems/similar errors on the net related to boto und s3. Also for the sqs/sns service i try so setup most things against eu-central-1 which is quite new and in a different situation a newer sdk version solved problems there. (not sure if this applies for S3 anyway.. since it is not tied to a region)
Is there a way for me to create a hook in the python scripts that can give me a more verbose output? to see what actually fails? and to determine if it is a permission or script problem.
Thanks
... View more
01-08-2015
12:46 PM
1 Karma
Hi,
i try to setup Splunk Add-on for Amazon Web Services (v.1.0.1 on 6.2.0) with little success.
it seems that my connection setup access key + secret key are working.
From my understanding of the documentation http://docs.splunk.com/Documentation/AddOns/latest/AWS/ConfigureAWS
all access rights are setup properly. Still i get a lot of errors in splunk.
S3
this seem to be a major thing, when i try to setup S3 input. I can select aws account, select bucket and i get this :
In handler 'splunk_ta_aws_s3key': Unexpected error "<class 'boto.exception.S3ResponseError'>" from python handler: "S3ResponseError: 400 Bad Request ". See splunkd.log for more details.
splunkd.log throws:
01-08-2015 20:21:04.055 +0100 ERROR AdminManagerExternal - Unexpected error "<class 'boto.exception.S3ResponseError'>" from python handler: "S3ResponseError: 400 Bad Request\n". See splunkd.log for more details.
host = splunkvm03 index = _internal source = /opt/splunk/splunk-6.2.1-245427-Linux-x86_64/var/log/splunk/splunkd.log sourcetype = splunkd
08.01.15 20:21:04,055
01-08-2015 20:21:04.055 +0100 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/splunk-6.2.1-245427-Linux-x86_64/lib/python2.7/site-packages/splunk/admin.py", line 70, in init\n hand.execute(info)\n File "/opt/splunk/splunk-6.2.1-245427-Linux-x86_64/lib/python2.7/site-packages/splunk/admin.py", line 527, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/splunk-6.2.1-245427-Linux-x86_64/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws_s3key_handler.py", line 28, in wrapper\n result = func(*args, **kwargs)\n File "/opt/splunk/splunk-6.2.1-245427-Linux-x86_64/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws_s3key_handler.py", line 53, in handleList\n bucket = connection.get_bucket(self.callerArgs['bucket_name'][0])\n File "/opt/splunk/splunk-6.2.1-245427-Linux-x86_64/etc/apps/Splunk_TA_aws/bin/boto/s3/connection.py", line 502, in get_bucket\n return self.head_bucket(bucket_name, headers=headers)\n File "/opt/splunk/splunk-6.2.1-245427-Linux-x86_64/etc/apps/Splunk_TA_aws/bin/boto/s3/connection.py", line 549, in head_bucket\n response.status, response.reason, body)\nS3ResponseError: S3ResponseError: 400 Bad Request\n\n
Cloudtrail
I can setup everything, select aws account, region, select the sqs queue and so forth. but don't get any data in.
in aws_cloudtrail.log i see:
08.01.15 21:19:27,955
2015-01-08 21:19:27,955 INFO pid=27777 tid=MainThread file=aws_cloudtrail.py:<module>:419 | EXITED: 1
host = splunkvm03 index = _internal source = /opt/splunk/splunk-6.2.1-245427-Linux-x86_64/var/log/splunk/aws_cloudtrail.log sourcetype = aws_cloudwatch-2
08.01.15 21:19:27,954
2015-01-08 21:19:27,954 CRITICAL pid=27777 tid=MainThread file=aws_cloudtrail.py:stream_events:286 | Outer catchall: ParseError: no element found: line 1, column 0
host = splunkvm03 index = _internal source = /opt/splunk/splunk-6.2.1-245427-Linux-x86_64/var/log/splunk/aws_cloudtrail.log sourcetype = aws_cloudwatch-2
08.01.15 21:19:27,491
2015-01-08 21:19:27,491 DEBUG pid=27777 tid=MainThread file=aws_cloudtrail.py:stream_events:210 | Connect to S3 & Sqs sucessfully
host = splunkvm03 index = _internal source = /opt/splunk/splunk-6.2.1-245427-Linux-x86_64/var/log/splunk/aws_cloudtrail.log sourcetype = aws_cloudwatch-2
08.01.15 21:19:27,448
2015-01-08 21:19:27,448 INFO pid=27777 tid=MainThread file=aws_cloudtrail.py:get_access_key_pwd_real:109 | get account name: test
host = splunkvm03 index = _internal source = /opt/splunk/splunk-6.2.1-245427-Linux-x86_64/var/log/splunk/aws_cloudtrail.log sourcetype = aws_cloudwatch-2
08.01.15 21:19:27,448
2015-01-08 21:19:27,448 DEBUG pid=27777 tid=MainThread file=aws_cloudtrail.py:stream_events:196 | blacklist regex for eventNames is ^(?:Describe|List|Get)
host = splunkvm03 index = _internal source = /opt/splunk/splunk-6.2.1-245427-Linux-x86_64/var/log/splunk/aws_cloudtrail.log sourcetype = aws_cloudwatch-2
08.01.15 21:19:27,448
2015-01-08 21:19:27,448 DEBUG pid=27777 tid=MainThread file=aws_cloudtrail.py:stream_events:178 | Start streaming.
Billing
Here i can select aws account, bucket and when i try to save i get the following error thrown.
In handler 'aws_billing': Failed AWS Validation: S3ResponseError: 400 Bad Request (None):
To me it looks like the s3 does not really work, but i have no idea why. trying to setup up everything manually via inputs.conf didn't bring any success, the errors in splunkd.log seems to be the same.
Does some have an idea? did i miss something curial? The Python Errors and AWS Validation messages doesn't make any sense to me.
Thanks in advance
... View more
12-23-2014
04:27 AM
Hi,
just a short question did someone manage to use the Splunk Add-on for AWS to connect to EU-Central-1 ?
It is not listed and produces at other points some errors.
I used the 1.1.0 Beta since i hoped there is the most recent api for AWS included. I had a similar problem in a another area using AWS Python SDK and not using the most recent version. The SDK couldn't return with the EU-Central-1 Region.
Does someone has the same experience? Or a quick fix. I realize this is a beta but still.
Thanks for any feedback.
BR
... View more
12-02-2014
08:26 AM
Hi,
running Splunk on Linux as an Indexer is no problem for this setup. Problems might occur within the Dashboard part of the App. Not sure if it relies on Windows Specific Informations/Connectivity.
2 Points come to my mind.
1. Forwarder should be a HeavyForwarder (Splunk Server not Universal Forwarder (gives all the functionality the Support Add might need)
2. Maybe a Windows Searchhead gives the missing Connectivity for the Dashboard part.
So it could look like this:
Windows DC (Heavy Forwarder) -> Splunk Indexer (Linux) -> Splunk Searchhead (Windows)
BR Martin
... View more
08-03-2014
11:10 AM
1 Karma
Hi,
depends a bit how your events look like.
I guess the easiest way is make every word a new event and use top.
Or use just shell script on nix
cat file.txt | sed -r 's/[[:space:]]+/\n/g' | sed '/^$/d' | sort | uniq -c | sort -n | tail -n10
Good luck
... View more
06-19-2013
02:52 AM
Hi I have a similar problem.
the thing is even with
* | eval nr_tags=mvcount("tag::host")
you will always get 1 in nr_tags. it takes this as a string.
I would like to do something like this:
| eval iscool=if("tag::host" == "cool", "yes" , "no")
where host=fridge with tags: cool, fridge, ..
So actually i want to have a field in case a certain tag is applied to this event.
But i strugle to identify this in the tag::host field. mvcount and so always sees "tag::host" as a string, not as the field
Any Ideas?
... View more
