Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About schose
schose
Builder
Member since:
06-28-2012
3 weeks ago
Community Statistics
| Posts | 150 |
| Solutions | 18 |
| Karma Given | 19 |
| Karma Received | 66 |
| Member Since | 06-28-2012 |
Activity Feed
- Got Karma for Re: How to Autocreate an index in a docker container?. 4 weeks ago
- Posted Re: How to Autocreate an index in a docker container? on Installation. 4 weeks ago
- Posted Re: How to Autocreate an index in a docker container? on Installation. 4 weeks ago
- Got Karma for Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4?. 03-16-2022 04:17 AM
- Got Karma for Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4?. 03-16-2022 04:06 AM
- Posted Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4? on Splunk Enterprise. 03-16-2022 03:33 AM
- Got Karma for Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4?. 03-16-2022 03:29 AM
- Got Karma for Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4?. 03-16-2022 01:35 AM
- Posted Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4? on Splunk Enterprise. 03-15-2022 05:06 AM
- Posted Re: How to create custom alert script to initiate tcpdump on Alerting. 03-11-2022 08:19 AM
- Got Karma for Re: Nagios Monitoring of Splunk ideas vs Splunk self monitoring. 01-20-2022 07:04 AM
- Got Karma for Re: how do you programmatically bump a search head?. 12-11-2021 07:40 PM
- Got Karma for Re: How to Update Splunk after JavaScript Changes without Restarting Splunk. 12-11-2021 06:34 PM
- Posted Re: restore user token on Splunk Enterprise. 11-18-2021 06:30 AM
- Posted Re: Nagios Monitoring of Splunk ideas vs Splunk self monitoring on Monitoring Splunk. 11-17-2021 02:57 AM
- Posted restore user token on Splunk Enterprise. 11-16-2021 02:44 PM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 10-20-2021 06:23 AM
- Posted Re: index clustering does not distribute primary buckets well for indexes on Splunk Enterprise. 07-19-2021 11:31 AM
- Posted Re: index clustering does not distribute primary buckets well for indexes on Splunk Enterprise. 07-19-2021 09:49 AM
- Got Karma for Re: Why am I getting "Missing enough suitable candidates to create a replicated copy" building a multisite indexer cluster staging environment?. 07-19-2021 09:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
4 weeks ago
btw. here is an example for docker-compose using direct filesystem mapping version: '3'
services:
single:
image: splunk/splunk:8.1.5
ports:
- "8111:8000"
volumes:
- single-etc:/opt/splunk/etc
- single-var:/opt/splunk/var
- /my/path/to/indexapp/indexapp:/opt/splunk/etc/apps/indexapp
hostname: idx1
environment:
- SPLUNK_HOME=/opt/splunk/
# - DEFAULTS_URL=http://splunk-defaults/default.yml
- SPLUNK_START_ARGS="--accept-license"
- SPLUNK_PASSWORD=EnterYourCreditCardNumber
- SPLUNK_ROLE=splunk_standalone
- SPLUNK_DEBUG="true"
volumes:
single-etc:
single-var:
networks:
default:
external:
name: splunk regards, Andreas
... View more
4 weeks ago
1 Karma
Hi, The docker container is started using splunk-ansible. You can configure some behavoirs of your container using environment variables, others using default.yml https://github.com/splunk/splunk-ansible/blob/develop/docs/advanced/default.yml.spec.md use parameter apps_location to install apps automatically at container startup. https://github.com/splunk/splunk-ansible/blob/37149df811538d589ab4740284d3a7264314d41f/docs/advanced/default.yml.spec.md?plain=1#L113 you can download them or present them on persistent storage. i would create an app with indexes.conf containing your index configuration and configure it there. regards, Andreas
... View more
03-16-2022
03:33 AM
1 Karma
Hi @isoutamo , that's exactly what i planned for my next article. But i can share the first numbers: After ingest 800MB raw routeros logs into event indexes the rawdata is: gzip: 74.2MB lz4: 136.0MB zstd: 56.4 MB I'll need some more time for a performance review, but will post updates. regards, Andreas
... View more
03-15-2022
05:06 AM
3 Karma
Hi, i recently wrote a small blog article regarding this setting: How tsidxWritingLevel affects storage size and performance - https://www.batchworks.de/tsidx-storage-performance/ hope it helps, Andreas
... View more
03-11-2022
08:19 AM
Hi, The alert action script receives the configuration and results from the stdin in json format.. example: { "app" : "search" , "owner" : "admin" , "results_file" : "heregoesthecreditcardnumber" , "results_link" : "heregoesthecreditcardnumber" , "search_uri" : "/servicesNS/nobody/search/saved/searches/testalert" , "server_host" : "art-mb-2.local" , "server_uri" : "heregoesthecreditcardnumber" , "session_key" : "heregoesthecreditcardnumber" , "sid" : "scheduler__admin__search__testalert_at_1569508320_128" , "search_name" : "testalert" , "configuration" : { "email" : "andreas at batchworks.de" , "company" : "batchworks" , "severity" : "WARNING" }, "result" : { "sourcetype" : "splunkd" , "count" : "80" } } in "result" there are your search results.. read this in python like: result = sys.stdin.read() settings = json.loads(result)regards, Andreas
... View more
11-18-2021
06:30 AM
answer: double- and triplecheck that splunk.secret is set to the correct value. 😉
... View more
11-17-2021
02:57 AM
1 Karma
Hi Oj, i wrote several blogposts about monitoring splunk using nagios on batchworks.de: one thing you would like to monitor is e.g. license usage on your licenseserver. a cornercase is to monitor for old ufs.. out-of-the-box there good checks are included in the Managementconsole. Those alerts should trigger your nagios. in the end i would suggest an "end-to-end" test using a technical user and doing a search in you splunk instance - by using rest api for example. At you could be quite sure that everthing is running smooth. those test including basic os montoring should be a good start. regards, Andreas
... View more
11-16-2021
02:44 PM
Hi all, we are currently testing desaster recovery of our enviroment. We have a full backup of kvstore, apps and passwd for the searchhead instance. We are using local technical users using tokens to authenticate and edit kvstores using rest api. In the backup we found system/JsonWebTokensV1/JsonWebTokensV10.json and restored that. Now we see tokens in the gui, but getting 500 errors when trying to log in using the tokens. The json structure of the kvstore backup only seems to hold meta information about the token, like description and id. But where are the token actually are stored? What file information have to be recovered on a complete new instance? Thanks for your help in advance, Andreas
... View more
Labels
- Labels:
-
other
07-19-2021
11:31 AM
Hi all, v8.1.5 also seems to have no issues..
... View more
07-19-2021
09:49 AM
Hi, after further testing it looks like upgrading to v.8.2.1 fixes the issue. But I havn't found anything usefull in release notes. 😞 Regards, Andreas
... View more
- Tags:
- btw.
07-19-2021
08:54 AM
Hi forum, I have a 2 peer single site (sf2, rf2) index cluster. We recognized that the primaries for indexes are not distributed even by using the search: | rest splunk_server=local /services/cluster/master/buckets
| rex field=title "^(?<repl_index>[^\~]+)" | search repl_index="*" standalone=0 frozen=*
| rename title AS bucketID | fields bucketID peers.*.search_state peers.*.bucket_flags frozen repl_index
| rename peers.3DAB62DE-6D21-4C93-B8E5-A65370709B79.bucket_flags as bucketflags
| eval prim=if(bucketflags = "0x0","prim_yes","prim_no")
| stats count by repl_index prim
| xyseries repl_index prim count
| fillnull prim_yes,prim_no
| eval ratio=prim_yes/(prim_yes+prim_no)
| eval ratio=round(ratio*100,2)
| search repl_index="*" More or less all primaries are either on one indexer or the other, resulting in uneven load as we have a search hotspot on one index. We were able to have a far better distribution after we set sf=1, removed excess buckets and set sf=2 again. Unfortunatly after stop an indexer for a while or do a rolling restart it's again very uneven distributed (as seen on the first screenshot). it's also possible to get an even distribution when stopping clustermaster and peers at the same time and starting again - in this time we have data loss. restarting any component for it's own doesn't fix the issue. we tried to rebalance primaries using: curl -k -u admin:plaseentercreditcardnumber --request POST https://localhost:8089/services/cluster/master/control/control/rebalance_primaries any hints how to fix this? We are using v8.0.7. best regards, Andreas
... View more
- Tags:
- index cluster
Labels
- Labels:
-
configuration
07-07-2021
05:50 AM
1 Karma
Hi all, @Martin_Doering solved it. | rest /services/data/indexes datatype=all |table title *type* works like a shame! Regards, Andreas
... View more
07-06-2021
01:40 PM
Hi @burwell .. thx for verification.. I'll do.
... View more
07-06-2021
09:48 AM
hi, looks like when you are using the more specific endpoint you are getting the information. | rest /services/data/indexes/mtest | table *title* *type* good enough for me, but /services/data/indexes still not looking fine. regards, Andreas
... View more
07-06-2021
09:41 AM
Hi all, can anyone confirm the behaviour? when running: | rest /services/data/indexes | table title *datatype*
I'm only getting back event indexes. From the documentation : https://docs.splunk.com/Documentation/Splunk/8.0.0/RESTREF/RESTintrospect datatype = The type of index (event | metric). i would expect to get all indexes back with datatype set. I've tested with v8.0.7 and v8.2.0. Looks like a bug? What would be alternatives to determine the type of an index programatically from outside using the API? best regards, Andreas
... View more
Labels
- Labels:
-
metrics
01-13-2021
09:27 AM
Hi all, I'm having non-indexed-extracted json in events. When there is a json "host" field host, which is different from the indexed "host", then the search view is showing you 2 values for host in smart or verbose mode. you can't work with the searchtime extracted json host field - clicking on it gives you no results - as host is an indexed field. .. when you are doing a ... | stats count by host, then only "indextimehost" is reported back - as expected. this behaviour differers from "normal" kv searchtime detection: i found multiple posts regarding this like: https://community.splunk.com/t5/Getting-Data-In/Duplicate-host-field-after-indexing-JSON-event/m-p/292472 unfortunately i'm not able to change the json field name at the source. Rewriting is also no good option for me. This more looks like a display bug for me.. but drives the poweruser crasy. best Regards, Andreas
... View more
Labels
- Labels:
-
field extraction
-
JSON
-
sourcetype
01-12-2021
07:35 AM
a working transforms.conf: [ilookuptest1] INGEST_EVAL = pod = "testpod1" [ilookuptest2] INGEST_EVAL = annotation =json_extract(lookup( "testlookup.csv" ,json_object( "pod" ,pod), json_array(annotation)), "annotation" ) message: WARN CsvDataProvider - Unable to find filename property for lookup=testlookup.csv will attempt to use implicit filename. still there, but working. Regards, Andreas
... View more
- Tags:
- solution
01-11-2021
03:32 AM
Hi all, I'm receiving a lot of splunk-optimize errors in splunkd.log. ls -l /opt/splunk/var/lib/splunk/audit/db/hot_v1_455 | grep tsidx | wc -l 105 [root@indexer-2 splunk]# /opt/splunk/bin/splunk-optimize -v -d /opt/splunk/var/lib/splunk/audit/db/hot_v1_455 Logging configuration: verbose=1, log2splunk=0 tm= 1610364481 INFO splunk-optimize start: dir=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455 mode=0 isfinal=false max_iteration=2147483647 min_src_count=8 lex_tpb=64 write_level=1 target_size=1572864000 tm= 1610364481 DEBUG source_0=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610362948-1610362948-15554879922328683899.tsidx sz=1080 tm= 1610364481 DEBUG source_1=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363147-1610363147-16387064457660043774.tsidx sz=1168 tm= 1610364481 DEBUG source_2=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363267-1610363267-16901658911893982757.tsidx sz=1168 tm= 1610364481 DEBUG source_3=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363272-1610363272-16923132382574368602.tsidx sz=1176 tm= 1610364481 DEBUG source_4=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363092-1610363092-16150633440092436534.tsidx sz=1176 tm= 1610364481 DEBUG source_5=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363178-1610363178-16519774093793408615.tsidx sz=1176 tm= 1610364481 DEBUG source_6=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363057-1610363057-16000335144082864920.tsidx sz=1176 tm= 1610364481 DEBUG source_7=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363122-1610363122-16279466559003501729.tsidx sz=1176 tm= 1610364481 DEBUG source_8=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363058-1610363058-16004583287645382032.tsidx sz=1176 tm= 1610364481 DEBUG source_9=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363212-1610363212-16665396587756881875.tsidx sz=1176 tm= 1610364481 DEBUG source_10=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363152-1610363152-16408391753423458229.tsidx sz=1176 tm= 1610364481 DEBUG source_11=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363242-1610363242-16797814191883895619.tsidx sz=1176 tm= 1610364481 DEBUG source_12=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363238-1610363238-16777050395829684027.tsidx sz=1176 tm= 1610364481 DEBUG source_13=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363062-1610363062-16021755056521050397.tsidx sz=1176 tm= 1610364481 DEBUG source_14=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363298-1610363298-17035162030350365663.tsidx sz=1176 tm= 1610364481 DEBUG source_15=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363182-1610363182-16537360674905484228.tsidx sz=1176 tm= 1610364481 DEBUG source_16=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363288-1610363288-16996035449514477598.tsidx sz=1224 tm= 1610364481 DEBUG source_17=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363221-1610363221-16704811249229177472.tsidx sz=1240 tm= 1610364481 DEBUG source_18=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363248-1610363248-16826109427840005476.tsidx sz=1248 tm= 1610364481 DEBUG source_19=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363226-1610363226-16726339824340034748.tsidx sz=1248 tm= 1610364481 DEBUG source_20=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363103-1610363103-16197833266659683219.tsidx sz=1248 tm= 1610364481 DEBUG source_21=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363038-1610363038-15927433915388732711.tsidx sz=1248 tm= 1610364481 DEBUG source_22=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363278-1610363278-16953970350838872388.tsidx sz=1248 tm= 1610364481 DEBUG source_23=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363048-1610363048-15965922895444683963.tsidx sz=1248 tm= 1610364481 DEBUG source_24=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363296-1610363296-17026567070646661147.tsidx sz=1248 tm= 1610364481 DEBUG source_25=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363268-1610363268-16910815734924420355.tsidx sz=1248 tm= 1610364481 DEBUG source_26=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363218-1610363218-16695936197528204421.tsidx sz=1248 tm= 1610364481 DEBUG source_27=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363118-1610363118-16266549629544376987.tsidx sz=1248 tm= 1610364481 DEBUG source_28=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363138-1610363138-16352697168739542857.tsidx sz=1248 tm= 1610364481 DEBUG source_29=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363084-1610363084-16116233719873926123.tsidx sz=1248 tm= 1610364481 DEBUG source_30=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363238-1610363238-16782065727925460598.tsidx sz=1248 tm= 1610364481 DEBUG source_31=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455/1610363174-1610363174-16502826878692865729.tsidx sz=1248 tm= 1610364481 ERROR optimize finished: failed, see rc for more details, dir=/opt/splunk/var/lib/splunk/audit/db/hot_v1_455, rc=-29 (unsigned 227), errno=2 tm= 1610364481 INFO exiting splunk-optimize process with rc=-29 (unsigned 227) I haven't found any documentation what returncode -29 means or how to get more logs for this issue. Could anybody help out? Regards, Andreas
... View more
- Tags:
- splunk-optimize
Labels
- Labels:
-
troubleshooting
01-06-2021
11:39 AM
Hi, This sounds like a typical multiline issue. Check crio logs on the worker node where your application pods are running. If the displayed json is line by line - what i would guess - then you will need to setup multiline support in fluentd.. https://github.com/splunk/splunk-connect-for-kubernetes/blob/8ba455e7f988d129c9bfa13fdcf2025c6c4ae724/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/values.yaml#L191 .. meaning you need to concat the event to fluentd before sending it to hec. Another technical working solution is to fix the events in splunk on hec side. When your sourcetype for the damaged application is brokensourcetype set at SCK you can rename it, write it to aggQueue and so fix it with splunk props.conf capabilities. props.conf [brokensourcetype]
TRANSFORMS - streams = renamest , write - agg [jsonfixed]
... fix your json here transforms.conf: [ write - agg ]
REGEX = .*
DEST_KEY = queue
FORMAT = aggQueue
[ renamest ]
REGEX = .*
FORMAT = sourcetype ::jsonfixed
DEST_KEY = MetaData : Sourcetype
Regards, Andreas
... View more
- Tags:
- props.conf
01-06-2021
09:51 AM
Hi all, I'm trying to ingest data using a lookup like descripted in: https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/IngestLookups props.conf: [ilookuptest] TRANSFORMS-a = ilookuptest1 TRANSFORMS-b = ilookuptest2 transforms.conf: [ilookuptest1] INGEST_EVAL = pod = "testpod1" [ilookuptest2] INGEST_EVAL = annotation =lookup( "testlookup.csv" , json_object( "pod" , "pod" ), json_array( "annotation" )) lookup testlookup.csv: pod,annotation testpod1,testannotation1 testpod2,testannotation2 ingest data using: curl -k http://192.168.208.5:8088/services/collector -H 'Authorization: Splunk f05eedbb-a706-427e-9606-baa3e8036411' -d '{"index": "test", "sourcetype": "ilookuptest", "event":"this is for testing ingest eval lookup12"} props.conf and transforms.conf are located at $SPLUNK_HOME/etc/system/local .. lookup at $SPLUNK_HOME/etc/system/lookups . I'm getting errors in splunkd.log: WARN CsvDataProvider - No valid lookup table file found for this lookup=testlookup ERROR CsvDataProvider - The lookup table ' testlookup ' does not exist or is not available. ERROR pipeline - Runtime exception in pipeline=typing processor=regexreplacement error='Invalid function argument' confkey='source::http:test|host::192.168.208.5:8088|ilookuptest|' ERROR pipeline - Uncaught exception in pipeline execution (regexreplacement) - getting next event The event is not indexed... When defining transforms.conf INGEST_EVAL = annotation =lookup( "testlookup" , json_object( "pod" , "pod" ), json_array( "annotation" )) I'm getting errors in splunkd.log: WARN CsvDataProvider - Unable to find filename property for lookup=testlookup.csv will attempt to use implicit filename. Event is indexed but not getting the value from the lookup. File is there, read permissions are set, "| inputlookup testlookup.csv" is displaying results. Any hints or a working INGEST_EVAL using lookups example? Best Regards, Andreas
... View more
Labels
- Labels:
-
props.conf
-
transforms.conf
