Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About schose
schose
Builder
Member since:
06-28-2012
07-31-2025
Community Statistics
| Posts | 195 |
| Solutions | 24 |
| Karma Given | 20 |
| Karma Received | 88 |
| Member Since | 06-28-2012 |
Activity Feed
- Got Karma for upgrade to kvstore v7 impossible on MacOS?!. 08-15-2025 05:30 AM
- Got Karma for Re: upgrade to kvstore v7 impossible on MacOS?!. 08-15-2025 03:17 AM
- Posted Re: upgrade to kvstore v7 impossible on MacOS?! on Splunk Enterprise. 07-31-2025 01:22 AM
- Posted upgrade to kvstore v7 impossible on MacOS?! on Splunk Enterprise. 07-30-2025 02:52 PM
- Posted what is ExecStartPost in systemd unit itended for? on Deployment Architecture. 07-15-2025 02:58 PM
- Got Karma for Re: Splunk v9.3 not refreshing nav correctly. 06-18-2025 10:34 AM
- Got Karma for Splunk v9.3 not refreshing nav correctly. 06-18-2025 05:47 AM
- Posted test of rolling-restart using rest api on Splunk Enterprise. 04-22-2025 02:29 PM
- Tagged test of rolling-restart using rest api on Splunk Enterprise. 04-22-2025 02:29 PM
- Tagged test of rolling-restart using rest api on Splunk Enterprise. 04-22-2025 02:29 PM
- Got Karma for Re: | rest /services/data/indexes only return event indexes. 01-22-2025 01:56 AM
- Posted Re: Splunk v9.3 not refreshing nav correctly on Dashboards & Visualizations. 09-30-2024 01:25 PM
- Posted Splunk v9.3 not refreshing nav correctly on Dashboards & Visualizations. 09-30-2024 08:59 AM
- Got Karma for Re: TA-WebTools - Syntax question. 08-13-2024 03:32 AM
- Posted Re: TA-WebTools - Syntax question on All Apps and Add-ons. 08-12-2024 03:30 PM
- Posted Re: TA-WebTools - Syntax question on All Apps and Add-ons. 08-10-2024 06:29 AM
- Got Karma for Re: Security issue?! Splunk UF v9.x is re-adding readall capability. 07-09-2024 11:14 AM
- Posted Re: Security issue?! Splunk UF v9.x is re-adding readall capability on Installation. 07-27-2023 08:22 AM
- Got Karma for Security issue?! Splunk UF v9.x is re-adding readall capability. 07-03-2023 07:08 PM
- Posted Security issue?! Splunk UF v9.x is re-adding readall capability on Installation. 07-03-2023 02:51 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-31-2025
01:22 AM
1 Karma
Hi @livehybrid, Well, strange thing is that mongo7 is working for splunk v10 when installing vanilla. I would strongly guess that the update even does not work on intel macs also, because the mongo binaries needed for migration are not the in macos intel tarball. Cheers, Andreas
... View more
07-30-2025
02:52 PM
1 Karma
Hi all, When upgrading from v9.4.1 to a newer version (including 10) on MacOS (arm) i receive the error message: -> Currently configured KVSTore database path="/Users/andreas/splunk/var/lib/splunk/kvstore"
-> Currently used KVSTore version=4.2.22. Expected version=4.2 or version=7.0
CPU Vendor: GenuineIntel
CPU Family: 6
CPU Model: 44
CPU Brand: \x
AVX Support: No
SSE4.2 Support: Yes
AES-NI Support: Yes There seems to be an issue with determine AVX correctly thru rosetta?! - Anyway, i tried to upgrade on v9.4.1using ~/splunk/bin/splunk start-standalone-upgrade kvstore -version 7.0 -dryRun true and receive the error In handler 'kvstoreupgrade': Missing Mongod Binaries :: /Users/andreas/splunk/bin/mongod-7.0; /Users/andreas/splunk/bin/mongod-6.0; /Users/andreas/splunk/bin/mongod-5.0; /Users/andreas/splunk/bin/mongod-4.4; Please make sure they are present under :: /Users/andreas/splunk/bin before proceeding with upgrade.
Upgrade Path = /Users/andreas/splunk/bin/mongod_upgrade not found Please make sure upgrade tool binary exists under /Users/andreas/splunk/bin The error that mongod-4.4, mongod-5.0, mongod-6.0 and mongod-7.0 are missing is correct, the files are not there. There are not in delivered splunk .tgz for macos. The linux tarball includes them.. any hints? best regards, Andreas
... View more
Labels
- Labels:
-
upgrade
07-15-2025
02:58 PM
Hi all, When creating a systemd unit file for and old UF (<9.1) using "splunk enable boot-start -systemd-managed 1 -user .. " a systemd file is created with content: [Service]
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=/bin/bash -c "chown -R splunkfwd:splunkfwd /sys/fs/cgroup/memory/system.slice/%n" This is also documented in here: https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/universal-forwarder-manual/9.4/working-with-the-universal-forwarder/manage-a-linux-least-privileged-user In "Reference unit file template". Does anyone have an idea why this is done? The paths are using cgroupv1 which only exists on old linux systems, on up-to-date systems this chown fails, but service starts anyway. When creating a systemd config with recent UFs these ExecStartPost Parameters are not set anymore. BUT when installing Splunk Enterprise this line is set in systemd unit ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/system.slice/%n" AFAIK splunk core uses cgroups for Workspace Management, but not on UF. Is the reference unit file template for UF just old&false and the settings never had a sense or is there any good reason? thanks for your help and best regards, Andreas
... View more
Labels
- Labels:
-
universal forwarder
04-22-2025
02:29 PM
Hi all, We want to test if a cluster bundle on cluster manager needs to restart the cluster peers using the REST API. In the first step we run a POST against: https://CLM:8089/services/cluster/manager/control/default/validate_bundle?output_mode=json check-restart=true in body and check for json.entry[0].content.checksum to get the checksum of the new bundle. If there is no checksum, there is no new bundle. Second we check the checksum against GET: https://CLM:8089/services/cluster/manager/info?output_mode=json json.entry[0].content.last_validated_bundle.checksum json.entry[0].content.last_dry_run_bundle.checksum to verify if the bundle check and test of the restart is completed and consider json.entry[0].content.last_check_restart_bundle_result if the restart is nessary or not. Unfurtunatly we see that the value of json.entry[0].content.last_check_restart_bundle_result changes, even if last_dry_run_bundle.checksum and last_dry_run_bundle.checksum are set to the correct values. to make a long story short we see that the red value is changing, while green is not changing. which is unexprected for us. tested against v9.2.5 and v9.4.1. At the moment is looks like a timing issue for me and i want to avoid sleep() code. Is there a more solid way to check if restart is necessary or not? best regards, Andreas
... View more
Labels
- Labels:
-
configuration
09-30-2024
01:25 PM
1 Karma
Hi @marnall , I had set web.conf to [settings]
cacheEntriesLimit = 0
cacheBytesLimit = 0
js_no_cache = 1 .. no difference.
... View more
09-30-2024
08:59 AM
1 Karma
Hi all, Since v9.3 there seem to be a different method for displaying nav menus. When you update the tag <label> tag of a view from external editor, those changes are not updated in navigation until a local storage object is deleted. /debug/refresh or restart splunk doesn't refresh the navigation. I was able to to update navigation when deleting the following object -> chrome -> developer tools -> applications -> "local storage" -> splunk-appnav:MYAPP:admin:en-GB:UUID containing the following datastructure.. {
"nav": [
{
"label": "Search",
"uri": "/en-GB/app/testapp/search",
"viewName": "search",
"isDefault": true
},
{
"label": "testview",
"uri": "/en-GB/app/testapp/testview",
"viewName": "testview"
}
],
"color": null,
"searchView": "search",
"lastModified": 1727698963355
} I'm wondering why content of the nav is now saved on client side. This is a different behaviour than on v9.1 and v9.2. If i need to guess, they tried to improve response time of the webui. But how do i ensure that every user is receiving the latest version of navigation menu in an app? Best regards, Andreas
... View more
Labels
- Labels:
-
Classic dashboard
08-12-2024
03:30 PM
1 Karma
Hi Joe, yes, you can download the app, patch it and upload it as a private app. Cheers, Andreas
... View more
08-10-2024
06:29 AM
Hi Joe,
there is a command documentation in default/searchbnf.conf
[curl-command]
syntax = CURL [choice:URI=<uri> OR URIFIELD=<urifield>] [optional: METHOD=<GET|PATCH|POST|PUT|DELETE> VERIFYSSL=<TRUE|FALSE> DATAFIELD=<field_name> DATA=<data> HEADERFIELD=<json_header_field_name> HEADERS=<json_header> USER=<user> PASS=<password> DEBUG=<true|false> SPLUNKAUTH=<true|false> SPLUNKPASSWDNAME=<username_in_passwordsconf> SPLUNKPASSWDCONTEXT=<appcontext (optional)> TIMEOUT=<float>]
-k = "VERIFYSSL=FALSE"
headers="{\"content-type\":\"application/json\"}"
best regards,
Andreas
... View more
07-27-2023
08:22 AM
1 Karma
Hi all, To ensure that CAP_DAC_READ_SEARCH is not set, systemd overwrite mechanism could be used. create /etc/systemd/system/SplunkForwarder.service.d/override.conf with content: [Service]
NoNewPrivileges=yes
AmbientCapabilities= this ensures, that even if /etc/systemd/system/SplunkForwarder.service is rewritten - which still looks like an issue to me - the AmbientCapabilities are still empty. Best regards, Andreas
... View more
07-03-2023
02:51 PM
1 Karma
Hi all, Splunk UF since 9.x is setting [Service]
NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH in systemd unit file (/etc/systemd/system/SplunkForwarder.service). This enables splunkforwarder to bypass Filesystems permissions and acls and read every file on harddisk - yes, every file: every ssh key, every private key, confidential data.. the opposite of the "least-to-know" principle. As we have correct filesystem permissions in place we decided to remove those settings from systemd unit file. When we now run e.g.: "/opt/splunkforwarder/bin/splunk stop" command the systemd file is rewritten by the splunk command. This will start splunkforwarder with enabled CAP_DAC_READ_SEARCH capability. To make is more visual we uploaded a video to https://asciinema.org/a/FAYFPJYrKaizfL3alzvm3uNGF . Are you able to reproduce the issue? What do you think? For us this looks like a secuity issue, as we would never expect a command like "splunk stop" manipulate systemd files. I'm also not aware which other command might rewrite the systemd unit. I also do not seed any usecase for this. steps to reproduce: install-splunkuf.sh #!/bin/bash
# break if errors
set -e
# add system user
sudo groupadd splunk
sudo useradd splunk --system --home-dir /opt/splunk --create-home -g splunk
wget -O /tmp/splunkuf.tgz https://download.splunk.com/products/universalforwarder/releases/9.1.0/linux/splunkforwarder-9.1.0-1c86ca0bacc3-Linux-x86_64.tgz
#wget -O /tmp/splunkuf.tgz https://download.splunk.com/products/universalforwarder/releases/9.0.5/linux/splunkforwarder-9.0.5-e9494146ae5c-Linux-armv8.tgz
tar zxfv /tmp/splunkuf.tgz -C /opt
echo -e "[user_info]\nUSERNAME=admin\nPASSWORD=Password01" > /opt/splunkforwarder/etc/system/local/user-seed.conf
/opt/splunkforwarder/bin/splunk start --accept-license && /opt/splunkforwarder/bin/splunk stop -f
/opt/splunkforwarder/bin/splunk enable boot-start -user splunk -group splunk -systemd-managed 1
# remove capabilities from systemd service
sed -i '/^NoNewPrivileges\|^AmbientCapabilities/s/^/#/' /etc/systemd/system/SplunkForwarder.service
systemctl daemon-reload
systemctl start SplunkForwarder
systemctl status SplunkForwarder
# systemd file is still fine
echo -n "systemd unit file after starting splunk"
cat /etc/systemd/system/SplunkForwarder.service
pid=$(systemctl show -p MainPID --value SplunkForwarder.service) && getpcaps $pid when you now run /opt/splunkforwarder/bin/splunk stop
cat /etc/systemd/system/SplunkForwarder.service you see that lines NoNewPrivileges=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH are re-added to /etc/systemd/system/SplunkForwarder.service and next time the service is started caps are set. A backup file is also placed /etc/systemd/system/SplunkForwarder.service_TIMESTAMP. when running a strace strace -s 0 -o /tmp/910stop.strace -f /opt/splunkforwarder/bin/splunk stop we clearly see the splunk process manipulating the systemd file. 2120 rename("/etc/systemd/system/SplunkForwarder.service", "/etc/systemd/system/SplunkForwarder.service_2023_07_03_21_47_00") = 0
2120 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7feb05354f10) = 2122
2120 wait4(2122,
2122 set_robust_list(0x7feb05354f20, 24) = 0 This happens on all 9.x versions of UF. best regards, Andreas
... View more
06-16-2023
07:42 AM
Hi Forum, We have an issue with UF 9.0.5. When starting or stopping the filesytem group permissions are changed to the primary group of the technical user running splunk. when splunk is started we always see the message: Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk_tech_user /opt/splunkforwarder" This does not chown the user but also the group to the primary group of the user. Any chance to skip this? version 8.* does not show this issue. best regards, Andreas
... View more
Labels
- Labels:
-
universal forwarder
-
upgrade
05-26-2023
06:24 AM
Hi @rkantamaneni , Well, i can rerun the tests with a 9.x version, but wouldn't expect different results with the same level setting. I would be also interested in behaviour for different sourcetypes, as we see huge differences there. Do you have an idea for good high cardinality logfiles? Best regards, Andreas
... View more
05-08-2023
04:54 AM
Hi @AdrianMa , hope you mean splunk enterprise x86_64 Linux? Here is a way: docker pull splunk/splunk:7.3.6 docker run -ti --entrypoint /bin/bash splunk/splunk:7.3. tar zcfv /tmp/splunk-7.3.6.tar.gz splunk docker ps -> get container id docker cp CONTAINERID:/tmp/splunk-7.3.6.tar.gz . regards, Andreas
... View more
04-24-2023
04:12 AM
Hi @VatsalJagani , updating the app using REST API or GUI doesn't make a difference. We will open a call for this behaviour. as a workaround it's possible to "version" your savedsearches -> putting 0001,2,3 at the end. Not very user friendly, but working. best regards, Andreas
... View more
04-19-2023
12:06 PM
Hi all,
I have an testapp with a savesearch containing:
[testsearch]
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 1 * * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = -0d@d
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
search = | makeresults
when i install the app using gui/api or commandline i see the schedule for next monday 1am. When i now change the schedule and settings to:
[testsearch]
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 5 * * * *
dispatch.earliest_time = -16m@m
dispatch.latest_time = -1m@m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
search = | makeresults
and checking by
| rest /servicesNS/-/testsearch/saved/searches | table title cron_schedule eai:acl.app cron_schedule next_scheduled_time | rename eai:acl.app as app | search title=*testsearch
i see that next_scheduled_time is still next monday. running a /debug/refresh or curl -k -u admin:XXX https://localhost:8089/servicesNS/nobody/testsearch/admin/localapps/_reload does not fix the issue. It seems only restarting the searchhead, wait until next schedule (multiple day in this case) or change using the gui fixes the issue.
In our case non of the above is possible, as we are deploying our apps using a cicd pipeline.
Any hint or workaround?
Best regards,
Andreas
... View more
Labels
- Labels:
-
configuration
-
development
-
upgrade
03-28-2023
10:05 AM
Hi @danielbb , It's EventCode, not EventID. 😉 | tstats count where index=wineventlog* TERM(EventCode=4688) by _time span=1m best regards, Andreas
... View more
12-16-2022
12:39 AM
Hi NIranjan, can you send an ansible-playbook debug while the task is hanging? I'm using .tgz files as, .rpm always seems a blackbox for me - i cannot see from outside what post scripts are running in. there. best regards, Andreas
... View more
12-15-2022
06:31 AM
Hi Niranjan, yes, i simply run - name: accept license
tags:
- install
shell: /opt/splunkforwarder/bin/splunk status --accept-license --answer-yes
become: yes
when:
- splunk_path.stat.exists == false or current_version.rc != 0
ignore_errors: true before.. cheers, Andreas
... View more
12-14-2022
08:16 AM
Hi Niranjan, Mongo is no component started by UFW but only by Splunk Enterprise.. So this is surely a bug.. it also see to make a difference if you use .tgz or .deb. I had the issue using .tgz. My workaround is this task: - name: ensure kvstore is disabled on UFW
ini_file:
dest: /opt/splunkforwarder/etc/system/local/server.conf
section: kvstore
option: disabled
value: true regards, Andreas
... View more
12-14-2022
04:11 AM
Hi, Same here.. for some reason the update script tries to upgrade mongo-db on UFW and get stuck. seems like a bug. disable kvstore in server.conf works for me. https://community.splunk.com/t5/Splunk-Enterprise/Splunk-9-Universal-Forwarder-getting-quot-App-Key-Value-Store/m-p/613838#M13969 regards, Andreas
... View more
12-08-2022
07:20 AM
Hi @ojay , there doesn't seem to be a ready-to-go iLO TA. We ingest data by sending iLO data to syslog and using UFW on syslog to ingest to splunk. best regards, Andreas
... View more
12-08-2022
06:44 AM
Hi @jcourses , right, the iowait check in distributed health reporter is quite aggressive. You can raise the limits by configure health.conf We changed iowait to: [feature:iowait]
display_name = IOWait
indicator:single_cpu__max_perc_last_3m:description = This indicator tracks the IOWait percentage for the single most bottle-necked CPU on the machine running the Splunk Enterprise instance, over the last 3 minute window. By default, this indicator will turn Yellow if the percentage exceeds 5% and Red if it exceeds 10% during this window.
indicator:single_cpu__max_perc_last_3m:red = 20
indicator:single_cpu__max_perc_last_3m:yellow = 10 meaning iowait is yellow for 10% io wait, red for 20% io wait in a 3 min period. best regards, Andreas
... View more
11-01-2022
10:28 AM
Hi @venkatanagendra , If the json you provided is part of an already existing field i would go with eval json functions | makeresults
| eval json = "{\"IsProductValidated\":\"false\",\"ErrorCodes\":[{\"errorCode\":\"PRD-202\",\"errorMessage\":\"Product Validation Service Returned Error :: Reason: Options you have selected are not available at this time. Please change your selections.\"}]}"
| eval errorCode = json_extract(json,"ErrorCodes{}.errorCode"), errorMessage = json_extract(json,"ErrorCodes{}.errorMessage")
| table _time errorCode errorMessage Best Regards, Andreas
... View more
11-01-2022
09:44 AM
Hi @venkatanagendra , You do not need to do regex, as your data is already in structured json format. Ensure your sourcetype is using kv_mode=json or kv_mode=auto and you can address fields ErrorCodes{}.errorCode ErrorCodes{}.errorMessage Best regards, Andreas
... View more
