About christopherr_sp

christopherr_sp · ‎07-31-2019

The following Bug had been logged with Product Management to clarify whether it was a Bug. SOLNESS-19368 iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security The response from Product Management (who confirmed it is not a Bug) is below: CIM uses "long", but Splunk Enterprise's geo-location search command outputs "lon". So the discrepancy itself is expected, we just missed the conditional eval component to align things properly.

christopherr_sp · ‎07-31-2019

There is a BUG in the DA-ESS-ThreatIntelligence app. In the Datamodel under Threat Intelligence > IP Intelligence there is a field named “long” this field is supposed to hold the longitude of the IP address in the “ip” field. Given the base search the field should be called “lon” because that is the field that the “iplocation” command outputs OR a rename should be done in the search to rename “lon” to “long”. The problem found in DA-ESS-ThreatIntelligence 4.5.0 and above (all versions including the latest).

christopherr_sp · ‎04-01-2019

No, not yet.

christopherr_sp · ‎01-15-2019

The workaround is to disable health reporting in health.conf (until the Bug is fixed in Splunk 7.2.x). The issue is a known and is caused by the Bugs below. SPL-162549 splunkweb fails to start and SHC member shows as down Affects: 7.1.4 Fixed in: 7.1.6 SPL-160230 Splunkd web fails to start due to deadlock among Health Reporter threads Affects: 7.1.2 Fixed in: 7.1.6 Steps Make the changes to the file below: /etc/system/local/health.conf [clustering] disabled = 1 [feature:batchreader] disabled = 1 [feature:tailreader] disabled = 1 [feature:s2s_autolb] disabled = 1 [feature:indexers] disabled = 1 [feature:data_durability] disabled = 1 [feature:cluster_bundles] disabled = 1 [feature:indexing_ready] disabled = 1 [feature:data_searchable] disabled = 1 [feature:searchheadconnectivity] disabled = 1 [feature:replication_failures] disabled = 1 [feature:master_connectivity] disabled = 1 [feature:slave_state] disabled = 1 [feature:slave_version] disabled = 1 2.Restart Splunk.

christopherr_sp · ‎01-15-2019

Upgraded from Splunk 7.0.3 and 7.2.1 the Splunk Web Server is unavailable. When Splunk is started from the command line, the following output appears on the screen: Waiting for web server at http://127.0.0.1:8000 to be available........................... .......................................................................................... WARNING: web interface does not seem to be available!

christopherr_sp · ‎12-07-2018

The following previously logged Enhancement Request is related to this question. SPL-116541 Search Index Blacklist Add configuration parameter to authorize.conf to disallow the searching of certain indexes. This allows users to search all indexes by default, but keep certain ones blocked. Example implementation: [role_ninja] srchIndexesAllowed = * srchIndexesDenied = private_index;super_ninjas_only

christopherr_sp · ‎12-07-2018

It was found that Splunk OnPremise was installed on AWS and all of the ports were closed. Once port 8089 was opened replication resumed. The following Documentation Enhancement Request has been raised to be considered in a future release of Splunk. SPL-163427 Enhancement Request to check all ports are open in an Indexer Cluster/Search Head Cluster environment The default ports that Splunk uses are below. What are the ports that I need to open? https://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html

christopherr_sp · ‎12-07-2018

We had to shut down one of the machines and create a new one. The cluster replication between the new and old ones does not work after a reboot. The error message that was found in the splunkd.log files was: ERROR RetryableClientTransaction - transactionDone(): transactionId=0x7fda3f101000 rTxnId=0x7fda3c5fe4d0 success=N HTTP-statusCode=404 HTTP-statusDescription=Not Found retry=N no_retry_reason="transaction had fatal error"

christopherr_sp · ‎11-30-2018

Yes $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor is the only directory that needs to be deleted, then Splunk restarted. I can confirm this as I had encountered this twice since my original reply.

christopherr_sp · ‎11-29-2018

The actual input stanza in the Universal Forwarder for WinRegistry is: WinRegMon Therefore, to disable WinRegistry input, please make changes to the following stanzas within your etc/apps/Splunk_TA_windows/local/inputs.conf on your Windows Universal Forwarder(s) that are sending out WinRegistry data to the indexers. ../etc/apps/Splunk_TA_windows/local/inputs.conf [WinRegMon://hklm_run] ../etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 1 ../etc/apps/Splunk_TA_windows/local/inputs.conf hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.* ../etc/apps/Splunk_TA_windows/local/inputs.conf index = windows ../etc/apps/Splunk_TA_windows/local/inputs.conf proc = .* ../etc/apps/Splunk_TA_windows/local/inputs.conf type = set|create|delete|rename ../etc/apps/Splunk_TA_windows/local/inputs.conf [WinRegMon://hkcu_run] ../etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 1 ../etc/apps/Splunk_TA_windows/local/inputs.conf hive = \REGISTRY\USER\.\Software\Microsoft\Windows\CurrentVersion\Run\. ../etc/apps/Splunk_TA_windows/local/inputs.conf index = windows ../etc/apps/Splunk_TA_windows/local/inputs.conf proc = .* ../etc/apps/Splunk_TA_windows/local/inputs.conf type = set|create|delete|rename ../etc/apps/Splunk_TA_windows/local/inputs.conf [WinRegMon://default] ../etc/apps/Splunk_TA_windows/local/inputs.conf disabled = 1 ../etc/apps/Splunk_TA_windows/local/inputs.conf hive = .* ../etc/apps/Splunk_TA_windows/local/inputs.conf index = windows ../etc/apps/Splunk_TA_windows/local/inputs.conf proc = .* ../etc/apps/Splunk_TA_windows/local/inputs.conf type = rename|set|delete|create So basically 'disabled = 0' switches it on and 'disabled = 1' switches it off. To stop WinRegistry set 'disabled = 1'. I note on the Splunk Server 'splunk' it is already disabled within etc/apps/Splunk_TA_windows/local/inputs.conf. Please make the changes above then restart your universal forwarder.

christopherr_sp · ‎11-29-2018

I am using the Windows App/Add-on for Windows and would like to stop WinRegistry indexing as I have exceeded my license limit. splunk_app_windows_infrastructure 1.4.4 Splunk_TA_windows 4.8.4

christopherr_sp · ‎11-20-2018

Support logged a Bug with Development and it was confirmed as a Bug. After Splunk 4.7.x SA (Security Add on)/DA (Domain Add on) apps were disabled before the post-installation setup. During the 5.1.1 upgrade SAs were re-enabled, but DAs were not. SOLNESS-17018 Navigation: Splunk ES 5.1.1 not showing most of the dashboards after migration from 4.7.1 The solution is to re-enable all DAs (Domain Add ons). To re-enable apps click "Manage Apps" from the app dropdown on the navigation bar in ES or navigate to https://examplehost.splunk.com:8000/en-US/manager/SplunkEnterpriseSecuritySuite/apps/local (Replace: examplehost.splunk.com with the name of your host).

christopherr_sp · ‎11-20-2018

Splunk Enterprise is migrated from 6.5.3 to 7.1.2 and also Splunk Enterprise Security App has been upgraded from 4.7.1 to 5.1.1. After the upgrade, most of the navigational dashboards are not visible anymore. For example, inside Enterprise Security under Security Intelligence, you will see “Risk Analysis”, “Protocol Intelligence”, “Threat Intelligence”, “User Intelligence” and “Web Intelligence”. Now, after upgrade to 5.1.1, inside Enterprise Security Under Security Intelligence I can only see “Risk Analysis”. I can only see that for Security Domains as well. “Identity” are not visible anymore.

christopherr_sp · ‎07-26-2018

This issue occurred following an upgrade from Splunk 6.5.2 to 7.1.2. This also included an upgrade of the Splunk Enterprise Security App to 5.1.0 which exhibited this error: ERROR UiHttpListener - An applicaiton server has exited unexpectedly, web UI cannot be used until it is restarted Follow the workaround steps in release notes. http://docs.splunk.com/Documentation/ES/5.0.1/RN/KnownIssues SOLNESS-14637 Splunk Web doesn't start after upgrading Splunk Enterprise Security to 5.0.0 Affects Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1. Fixed in workaround below: Known Issues for Splunk Enterprise Security The following are issues and workarounds for this version of Splunk Enterprise Security. Highlighted issues Date filed Issue number Description 2018-02-20 SOLNESS-14637 Splunk Web doesn't start after upgrading Splunk Enterprise Security to 5.0.0 Workaround: Remove Advanced XML module folder and contents from the installation. For instance: $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor

christopherr_sp · ‎07-24-2018

Concerning the '/brokers/ids' error you should not run: /opt/caspida/bin/Caspida start Instead, run: /opt/caspida/bin/Caspida start-all 'caspida start' is usually used against an individual service name. The documentation for this is included below for your future reference. https://docs.splunk.com/Documentation/UBA/4.1.2/Install/DeploymentArchitecture An * indicates services that are started with the caspida start command and stopped with the caspida stop command. To start or stop all services, use caspida start-all or caspida stop-all. e.g. 3 servers postgresql caspida-jobagent* hive-metastore influxdb impala-server impala-catalog impala-state-store caspida-jobmanager* etc.

christopherr_sp · ‎07-24-2018

Error when starting UBA using: /opt/caspida/bin/Caspida start Starting Topologies Exception in thread "main" org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /brokers/ids at org.apache.zookeeper.KeeperException.create(KeeperException.java:99) at org.apache.zookeeper.KeeperException.create(KeeperException.java:51) at org.apache.zookeeper.ZooKeeper.getChildren(ZooKeeper.java:1468) at org.apache.zookeeper.ZooKeeper.getChildren(ZooKeeper.java:1496) at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:723) at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:591) at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:354) at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:282)

christopherr_sp · ‎03-15-2017

Splunk handles timezones with the following order: (1) A time zone indicator in the raw event data e.g. -800, GMT-8 or PST (2) The value of a TZ attribute set in props.conf * Checks the host, source or sourcetype stanzas * If a forwarder is used, the forwarder-provided time zone is used e.g. [host::myserver*] TZ = Europe/Moscow [source::/mnt/eu_east/*] TZ = Europe/Volgograd (3) If all else fails, Splunk applies the timezone of the indexer's host server. https://en.wikipedia.org/wiki/List_of_tz_database_time_zones So in the meantime you just need to use a timezone (close to Turkey) that has +03:00 all year around until a patch has been created. CC* Coordinates* TZ* Comments* UTC offset UTC DST offset Notes RU +554521+0373704 Europe/Moscow MSK+00 - Moscow area +03:00 +03:00 RU +4844+04425 Europe/Volgograd MSK+00 - Volgograd, Saratov +03:00 +03:00 The following Enhancement Request has been logged: SPL-129875 Turkey timezone change to +03:00 (permanent Daylight Saving)

christopherr_sp · ‎02-23-2017

A similar question was asked by a customer who uses a Norwegian Keyboard (below): https://www.datacal.com/image/popup?imagePath=%2fimages%2fproduct%2flarge%2f310.jpg There is a §| key above the Tab key (left of the 1) and that produces the \ character within Splunk. Pressing Ctrl+§| enables Search Bar formatting in Splunk 6.5.x. This was confirmed to work by the customer. That is the same physical location of the ^ character on a German T2 Keyboard https://en.wikipedia.org/wiki/German_keyboard_layout#/media/File:German-T2-Keyboard-Prototype-May-2012.jpg (See also: https://answers.splunk.com/answers/459003/what-is-the-keyboard-shortcut-for-the-splunk-650-s.html)

christopherr_sp · ‎02-23-2017

A similar question was asked by a customer who uses a Norwegian Keyboard (below): https://www.datacal.com/image/popup?imagePath=%2fimages%2fproduct%2flarge%2f310.jpg There is a §| key above the Tab key (left of the 1) and that produces the \ character within Splunk. Pressing Ctrl+§| enables Search Bar formatting in Splunk 6.5.x. This was confirmed to work by the customer. That is the same physical location of the ^ character on a German T2 Keyboard https://en.wikipedia.org/wiki/German_keyboard_layout#/media/File:German-T2-Keyboard-Prototype-May-2012.jpg

christopherr_sp · ‎02-01-2017

Consulted Development to see if any of the keys in the branch that you had exported were in a non-standard format (as this affects the ability for the Splunk installer to complete the installation). When upgrading a Universal Forwarder or Splunk Enterprise if the hexadecimal value after HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products is not 32 hexadecimal characters the Splunk installer will report an error. It performs this check as part of the upgrade. In the example below, there is a rogue character _. Output: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C173E5AD3336A8D3394AF65D2BB0CCE6_] Use the Windows PowerShell to see if you have the issue: Get-ChildItem HKLM:\SOFTWARE\Classes\Installer\Products | Where-Object { $_.Name -notmatch '\[0-9A-F]{32}$' } | Select-Object Name Please take a backup of the key above (by exporting it to a file), then delete the branch within the registry. If you have multiple hosts you can use the link below which can help automate the deletion process. https://support.microsoft.com/en-gb/help/310516/how-to-add--modify--or-delete-registry-subkeys-and-values-by-using-a Ensure the existing Splunk installer is no longer running. Development are working to make future releases of the installer work around those registry entries. This has been logged as a Bug: SPL-128643 Splunk will not install if Windows' Installer's Products key contains invalid entries

christopherr_sp · ‎01-31-2017

The Error Message on the screen is enter code here : "UniversalForwarder Setup ended prematurely" Versions older than 6.2 (e.g. 6.1.3) of Splunk Universal Forwarder and Splunk Enterprise (and other applications) can be installed without problems. Since SSLv3 has been disabled in our environment, the older versions do not deliver any data and cannot be used. As I can see in the MSI Installer log splunk has problems getting installed version: -------------------- Action start 16:49:22: GetPreviousSettings. GetPreviousSettings: Error 0x80004005: Failed to get lookup product code. ------------------- Also tried to install as administrator from CMD-Line

christopherr_sp · ‎01-27-2017

Splunk Enterprise 6.5.2 was released on 25 January 2016. This should fix your issue with Alerts. The download link is below. https://www.splunk.com/en_us/download/splunk-enterprise.htmlhttps://www.splunk.com/en_us/download/splunk-enterprise.html

christopherr_sp · ‎01-19-2017

You can manually check whether you have the issue in the file: SPLUNK_HOME/var/log/splunk/scheduler.log. Search for the string SavedSplunker and will see multiple instances of the following: SavedSplunker ERROR message in scheduler.log needs more context ERROR SavedSplunker - vector::M_range_check: _n (which is 0) >= this->size() (which is 0)

christopherr_sp · ‎01-19-2017

The error is not caused by a defective .conf file. As soon as the Splunk Enterprise 6.5.2 is released, I will let you know via this Splunk Answers posting.

christopherr_sp · ‎01-09-2017

The issue with sending alerts in Splunk Enterprise 6.5.0 and 6.5.1, will be fixed in Splunk Enterprise 6.5.2 targeted for release by the end of January 2017. SPL-131375 SavedSplunker ERROR message in scheduler.log needs more context ERROR SavedSplunker - vector::_M_range_check: __n (which is 0) >= this->size() (which is 0)

Posts	26
Solutions	5
Karma Given	50
Karma Received	29
Member Since	‎10-20-2016

Online Status	Offline
Date Last Visited	‎01-01-2021 10:13 AM

Longitude in DA-ESS-ThreatIntelligence is named as...

Upgraded from Splunk 7.0.3 to 7.2.1 and the Splunk...

How come replication isn't working on the Index cl...

I would like to disable WinRegistry from the Windo...

Why can't I see most of the dashboards after migra...

Why am I getting an error when starting UBA?

Splunk Universal Forwarder 6.4.1 and all Versions ...

The timezone for Turkey will stay at the Daylight ...

Re: Longitude in DA-ESS-ThreatIntelligence is name...

Longitude in DA-ESS-ThreatIntelligence is named as...

Re: Restrict Index access

Re: Upgraded from Splunk 7.0.3 to 7.2.1 and the Sp...

Upgraded from Splunk 7.0.3 to 7.2.1 and the Splunk...

Re: Restrict Index access

Re: How come replication isn't working on the Inde...

How come replication isn't working on the Index cl...

Re: Unable to start splunk

Re: I would like to disable WinRegistry from the W...

I would like to disable WinRegistry from the Windo...

Re: Why can't I see most of the dashboards after m...

Why can't I see most of the dashboards after migra...

Re: Unable to start splunk

Re: Why am I getting an error when starting UBA?

Why am I getting an error when starting UBA?

Re: The timezone for Turkey will stay at the Dayli...

Re: Keyboard Shortcut to Format Search

Re: What is the keyboard shortcut for the Splunk 6...

Re: Splunk Universal Forwarder 6.4.1 and all Versi...

Splunk Universal Forwarder 6.4.1 and all Versions ...

Re: Why are alerts not working after upgrade to Sp...

Re: Why are alerts not working after upgrade to Sp...

Re: Why are alerts not working after upgrade to Sp...

Re: Why are alerts not working after upgrade to Sp...