Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About schose
schose
Builder
Member since:
06-28-2012
a week ago
Community Statistics
| Posts | 184 |
| Solutions | 22 |
| Karma Given | 20 |
| Karma Received | 79 |
| Member Since | 06-28-2012 |
Activity Feed
- Posted Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4? on Splunk Enterprise. a week ago
- Got Karma for Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4?. a week ago
- Posted Re: Does anyone have a Splunk 7.3.6 download? on Splunk Enterprise. a month ago
- Posted Re: refresh cron schedule of a savesearch from cli/api on Splunk Enterprise. 04-24-2023 04:12 AM
- Posted How to refresh cron schedule of a savesearch from cli/api? on Splunk Enterprise. 04-19-2023 12:06 PM
- Posted Re: How can we use tstats with TERM and PREFIX? on Splunk Search. 03-28-2023 10:05 AM
- Posted Re: Why is splunk UF version 9.0.1 stuck while accepting license? on Splunk Enterprise. 12-16-2022 12:39 AM
- Posted Re: Why is splunk UF version 9.0.1 stuck while accepting license? on Splunk Enterprise. 12-15-2022 06:31 AM
- Posted Re: Why is splunk UF version 9.0.1 stuck while accepting license? on Splunk Enterprise. 12-14-2022 08:16 AM
- Posted Re: Why is splunk UF version 9.0.1 stuck while accepting license? on Splunk Enterprise. 12-14-2022 04:11 AM
- Posted Re: What add-on can I use for integration of HPE iLO logs? on Getting Data In. 12-08-2022 07:20 AM
- Posted Re: How to disable IOWAIT? on Alerting. 12-08-2022 06:44 AM
- Got Karma for Re: Getting an Error setting up Clustering. 11-09-2022 08:57 PM
- Got Karma for Re: How to create a custom alert action Python script with parameters from search results?. 11-02-2022 02:19 AM
- Posted Re: How to write regular expression for the below log and to extract Error code, ErrorMessage ? on Alerting. 11-01-2022 10:28 AM
- Posted Re: How to write regular expression for the below log and to extract Error code, ErrorMessage ? on Alerting. 11-01-2022 09:44 AM
- Posted Re: How to delete entire lookup table data on Getting Data In. 11-01-2022 09:32 AM
- Posted Re: How to delete entire lookup table data on Getting Data In. 11-01-2022 06:54 AM
- Got Karma for Re: "[Errno 111] Connection refused" when I restart Splunk on my HF. 10-31-2022 05:56 AM
- Got Karma for Re: Message Format. 10-31-2022 05:35 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a week ago
Hi @rkantamaneni , Well, i can rerun the tests with a 9.x version, but wouldn't expect different results with the same level setting. I would be also interested in behaviour for different sourcetypes, as we see huge differences there. Do you have an idea for good high cardinality logfiles? Best regards, Andreas
... View more
a month ago
Hi @AdrianMa , hope you mean splunk enterprise x86_64 Linux? Here is a way: docker pull splunk/splunk:7.3.6 docker run -ti --entrypoint /bin/bash splunk/splunk:7.3. tar zcfv /tmp/splunk-7.3.6.tar.gz splunk docker ps -> get container id docker cp CONTAINERID:/tmp/splunk-7.3.6.tar.gz . regards, Andreas
... View more
04-24-2023
04:12 AM
Hi @VatsalJagani , updating the app using REST API or GUI doesn't make a difference. We will open a call for this behaviour. as a workaround it's possible to "version" your savedsearches -> putting 0001,2,3 at the end. Not very user friendly, but working. best regards, Andreas
... View more
04-19-2023
12:06 PM
Hi all,
I have an testapp with a savesearch containing:
[testsearch]
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 1 * * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = -0d@d
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
search = | makeresults
when i install the app using gui/api or commandline i see the schedule for next monday 1am. When i now change the schedule and settings to:
[testsearch]
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 5 * * * *
dispatch.earliest_time = -16m@m
dispatch.latest_time = -1m@m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
search = | makeresults
and checking by
| rest /servicesNS/-/testsearch/saved/searches | table title cron_schedule eai:acl.app cron_schedule next_scheduled_time | rename eai:acl.app as app | search title=*testsearch
i see that next_scheduled_time is still next monday. running a /debug/refresh or curl -k -u admin:XXX https://localhost:8089/servicesNS/nobody/testsearch/admin/localapps/_reload does not fix the issue. It seems only restarting the searchhead, wait until next schedule (multiple day in this case) or change using the gui fixes the issue.
In our case non of the above is possible, as we are deploying our apps using a cicd pipeline.
Any hint or workaround?
Best regards,
Andreas
... View more
Labels
- Labels:
-
configuration
-
development
-
upgrade
03-28-2023
10:05 AM
Hi @danielbb , It's EventCode, not EventID. 😉 | tstats count where index=wineventlog* TERM(EventCode=4688) by _time span=1m best regards, Andreas
... View more
12-16-2022
12:39 AM
Hi NIranjan, can you send an ansible-playbook debug while the task is hanging? I'm using .tgz files as, .rpm always seems a blackbox for me - i cannot see from outside what post scripts are running in. there. best regards, Andreas
... View more
12-15-2022
06:31 AM
Hi Niranjan, yes, i simply run - name: accept license
tags:
- install
shell: /opt/splunkforwarder/bin/splunk status --accept-license --answer-yes
become: yes
when:
- splunk_path.stat.exists == false or current_version.rc != 0
ignore_errors: true before.. cheers, Andreas
... View more
12-14-2022
08:16 AM
Hi Niranjan, Mongo is no component started by UFW but only by Splunk Enterprise.. So this is surely a bug.. it also see to make a difference if you use .tgz or .deb. I had the issue using .tgz. My workaround is this task: - name: ensure kvstore is disabled on UFW
ini_file:
dest: /opt/splunkforwarder/etc/system/local/server.conf
section: kvstore
option: disabled
value: true regards, Andreas
... View more
12-14-2022
04:11 AM
Hi, Same here.. for some reason the update script tries to upgrade mongo-db on UFW and get stuck. seems like a bug. disable kvstore in server.conf works for me. https://community.splunk.com/t5/Splunk-Enterprise/Splunk-9-Universal-Forwarder-getting-quot-App-Key-Value-Store/m-p/613838#M13969 regards, Andreas
... View more
12-08-2022
07:20 AM
Hi @ojay , there doesn't seem to be a ready-to-go iLO TA. We ingest data by sending iLO data to syslog and using UFW on syslog to ingest to splunk. best regards, Andreas
... View more
12-08-2022
06:44 AM
Hi @jcourses , right, the iowait check in distributed health reporter is quite aggressive. You can raise the limits by configure health.conf We changed iowait to: [feature:iowait]
display_name = IOWait
indicator:single_cpu__max_perc_last_3m:description = This indicator tracks the IOWait percentage for the single most bottle-necked CPU on the machine running the Splunk Enterprise instance, over the last 3 minute window. By default, this indicator will turn Yellow if the percentage exceeds 5% and Red if it exceeds 10% during this window.
indicator:single_cpu__max_perc_last_3m:red = 20
indicator:single_cpu__max_perc_last_3m:yellow = 10 meaning iowait is yellow for 10% io wait, red for 20% io wait in a 3 min period. best regards, Andreas
... View more
11-01-2022
10:28 AM
Hi @venkatanagendra , If the json you provided is part of an already existing field i would go with eval json functions | makeresults
| eval json = "{\"IsProductValidated\":\"false\",\"ErrorCodes\":[{\"errorCode\":\"PRD-202\",\"errorMessage\":\"Product Validation Service Returned Error :: Reason: Options you have selected are not available at this time. Please change your selections.\"}]}"
| eval errorCode = json_extract(json,"ErrorCodes{}.errorCode"), errorMessage = json_extract(json,"ErrorCodes{}.errorMessage")
| table _time errorCode errorMessage Best Regards, Andreas
... View more
11-01-2022
09:44 AM
Hi @venkatanagendra , You do not need to do regex, as your data is already in structured json format. Ensure your sourcetype is using kv_mode=json or kv_mode=auto and you can address fields ErrorCodes{}.errorCode ErrorCodes{}.errorMessage Best regards, Andreas
... View more
11-01-2022
06:54 AM
Hi @pdafale_avantor , i hope i understood your question correctly: you want to recreate identities.csv every week from ldap. You already have your ldap query, so it would be as simple as using the outputlookup command. This will create the lookup in the current app and overwrite the existing identities.csv | ldapsearch domain=SPL search="(objectClass=user)" | stats something | outputlookup createinapp=t indentities.csv best regards, Andreas
... View more
10-31-2022
05:01 AM
1 Karma
hi metylkinandrey, you can send your custom message via without 'fields' and 'event'. instead of sending it like in your example to: /services/collector/event just send it to: /services/collector/raw see: https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector best regards, Andreas
... View more
10-31-2022
04:56 AM
Hi Ra1n, the | rest command gives you the state of an endpoint - in this case savedsearches. Dit does not - what you might expect - gives you a history. That's why timebases searches are not working by default. if you want an audit on your correlation searches, i would suggest implement a cicd workflow and have the app and/or savedsearches.conf file version controled... particularly if dealing in security environments. best regards, Andreas
... View more
10-31-2022
04:40 AM
1 Karma
Hi GaetanVP, I see the same errormessages in _internal. They are coming from modular input assist::supervisor_modular_input.py and assist::uiassets_modular_input.py .. nothing to worry about.. only seems like a timing issue when stop splunkd the modular inputs are not able to connect at this point in time. loglevel is shown as INFO. logfiles are splunk_assist_*.log best regards, Andreas
... View more
10-28-2022
08:51 AM
1 Karma
Hi, i would go with this event in splunkd.log: "IndexProcessor [5762669 MainThread] - request state change from=RUN to=SHUTDOWN_SIGNALED" this is triggering Splunk to shutdown.. last events at shutdown looks like this: 10-28-2022 16:35:56.890 +0100 INFO Shutdown [5763136 Shutdown] - shutting down level="ShutdownLevel_Duo2FAHttpClient"
10-28-2022 16:35:56.890 +0100 INFO Shutdown [5763136 Shutdown] - shutting down level="ShutdownLevel_S3ConnectionPoolManager"
10-28-2022 16:35:56.891 +0100 INFO Shutdown [5763136 Shutdown] - shutting down level="ShutdownLevel_WorkloadManager"
10-28-2022 16:35:56.894 +0100 INFO loader [5762669 MainThread] - All pipelines finished meaning shutdown could be measured with this: index=_internal sourcetype="splunkd" source=*splunkd.log (request state change from=RUN to=SHUTDOWN_SIGNALED) OR (Shutdown shutting down level=*) | transaction startswith=SHUTDOWN_SIGNALED | table _time duration best regards, Andreas
... View more
10-28-2022
04:20 AM
1 Karma
hi @uagraw01 , you are searching for the workload management feature @chaker already provided the links. regards, Andreas
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma from
