07-31-2019
07:09 AM
The following bug had been logged with Product Management to clarify whether it was a bug.
SOLNESS-19368 iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security
The response from Product Management (who confirmed it is not a bug) is below:
CIM uses "long", but Splunk Enterprise's geo-location search command outputs "lon".
So the discrepancy itself is expected, we just missed the conditional eval component to align things properly.
07-31-2019
07:07 AM
There is a BUG in the DA-ESS-ThreatIntelligence app.
In the data model under Threat Intelligence > IP Intelligence there is a field named "long"; this field is supposed to hold the longitude of the IP address in the "ip" field.
Given the base search, the field should be called "lon", because that is the field that the "iplocation" command outputs, OR a rename should be done in the search to rename "lon" to "long".
The problem is found in DA-ESS-ThreatIntelligence 4.5.0 and above (all versions including the latest).
01-15-2019
02:44 AM
The workaround is to disable health reporting in health.conf (until the bug is fixed in Splunk 7.2.x).
The issue is known and is caused by the bugs below.
SPL-162549
splunkweb fails to start and SHC member shows as down
Affects: 7.1.4
Fixed in: 7.1.6
SPL-160230
Splunkd web fails to start due to deadlock among Health Reporter threads
Affects: 7.1.2
Fixed in: 7.1.6
Steps
1. Make the changes to the file below:
/etc/system/local/health.conf
[clustering]
disabled = 1
[feature:batchreader]
disabled = 1
[feature:tailreader]
disabled = 1
[feature:s2s_autolb]
disabled = 1
[feature:indexers]
disabled = 1
[feature:data_durability]
disabled = 1
[feature:cluster_bundles]
disabled = 1
[feature:indexing_ready]
disabled = 1
[feature:data_searchable]
disabled = 1
[feature:searchheadconnectivity]
disabled = 1
[feature:replication_failures]
disabled = 1
[feature:master_connectivity]
disabled = 1
[feature:slave_state]
disabled = 1
[feature:slave_version]
disabled = 1
2. Restart Splunk.
01-15-2019
02:41 AM
After upgrading from Splunk 7.0.3 to 7.2.1, the Splunk web server is unavailable.
When Splunk is started from the command line, the following output appears on the screen:
Waiting for web server at http://127.0.0.1:8000 to be available...........................
..........................................................................................
WARNING: web interface does not seem to be available!
Labels: upgrade
12-07-2018
11:37 AM
1 Karma
The following previously logged Enhancement Request is related to this question.
SPL-116541 Search Index Blacklist
Add configuration parameter to authorize.conf to disallow the searching of certain indexes. This allows users to search all indexes by default, but keep certain ones blocked.
Example implementation:
[role_ninja]
srchIndexesAllowed = *
srchIndexesDenied = private_index;super_ninjas_only
12-07-2018
01:13 AM
It was found that Splunk OnPremise was installed on AWS and all of the ports were closed.
Once port 8089 was opened replication resumed.
The following Documentation Enhancement Request has been raised to be considered in a future release of Splunk.
SPL-163427 Enhancement Request to check all ports are open in an Indexer Cluster/Search Head Cluster environment
The default ports that Splunk uses are below.
What are the ports that I need to open?
https://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html
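The port check the answer above describes, as an added PowerShell example that is not part of the original post: it probes, from the host you run it on, the ports an indexer cluster or search head cluster depends on. The peer hostnames are made up; 8089 is the management port named in the post, 8191 is the KV store default, 9997 is the conventional receiving port, and 8080 is only the value used in Splunk's own replication examples (the replication port has no fixed default). Treat the whole list as an assumption to reconcile with your server.conf and inputs.conf.

```powershell
# Added example: verify that the ports a Splunk cluster relies on are reachable
# from this host before blaming replication. Peer names and the port list are
# constructed for the example; adjust them to your deployment.

$Peers = @('idx01.example.internal', 'idx02.example.internal', 'sh01.example.internal')

$Ports = @(
    @{ Port = 8089; Role = 'splunkd management/REST (cluster master, SHC captain, deployer)' }
    @{ Port = 9997; Role = 'forwarder receiving (splunktcp); conventional, not a fixed default' }
    @{ Port = 8080; Role = 'indexer cluster replication port; value from Splunk docs examples' }
    @{ Port = 8191; Role = 'KV store replication between search head cluster members' }
)

function Test-SplunkPorts {
    param(
        [string[]]$Hosts,
        [hashtable[]]$PortMap,
        [int]$TimeoutMs = 3000
    )
    foreach ($h in $Hosts) {
        foreach ($p in $PortMap) {
            # A raw TcpClient works on Windows PowerShell and on PowerShell Core/Linux,
            # unlike Test-NetConnection, which is Windows-only.
            $client = New-Object System.Net.Sockets.TcpClient
            $ok = $false
            try {
                $async = $client.BeginConnect($h, $p.Port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $client.EndConnect($async)
                    $ok = $true
                }
            } catch {
                $ok = $false            # DNS failure or connection refused
            } finally {
                $client.Close()
            }
            [pscustomobject]@{
                Host = $h
                Port = $p.Port
                Role = $p.Role
                Open = $ok
            }
        }
    }
}

$results = Test-SplunkPorts -Hosts $Peers -PortMap $Ports
$results | Format-Table -AutoSize

# Anything reported as closed is what the security group or host firewall must allow.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} host/port pair(s) unreachable; replication and bundle pushes will fail until they are opened." -f $closed.Count)
}
```

Open these ports only between the Splunk hosts themselves (security group rules that reference the peers' group, or explicit CIDRs), not to 0.0.0.0/0: 8089 carries the REST API and accepts credentials, so exposing it widely is the same as exposing the admin interface. Splunk Web (8000) is deliberately absent from the list because cluster members never need it from each other.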
12-07-2018
01:11 AM
1 Karma
We had to shut down one of the machines and create a new one. The cluster replication between the new and old ones does not work after a reboot.
The error message that was found in the splunkd.log files was:
ERROR RetryableClientTransaction - transactionDone(): transactionId=0x7fda3f101000
rTxnId=0x7fda3c5fe4d0 success=N HTTP-statusCode=404 HTTP-statusDescription=Not Found retry=N
no_retry_reason="transaction had fatal error"
11-30-2018
09:52 AM
Yes $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor is the only directory that needs to be deleted, then Splunk restarted. I can confirm this as I had encountered this twice since my original reply.
11-29-2018
04:27 AM
1 Karma
The actual input stanza in the Universal Forwarder for WinRegistry is: WinRegMon
Therefore, to disable WinRegistry input, please make changes to the following stanzas within
your etc/apps/Splunk_TA_windows/local/inputs.conf on your Windows Universal Forwarder(s) that
are sending out WinRegistry data to the indexers.
[WinRegMon://hklm_run]
disabled = 1
hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*
index = windows
proc = .*
type = set|create|delete|rename

[WinRegMon://hkcu_run]
disabled = 1
hive = \REGISTRY\USER\.*\Software\Microsoft\Windows\CurrentVersion\Run\.*
index = windows
proc = .*
type = set|create|delete|rename

[WinRegMon://default]
disabled = 1
hive = .*
index = windows
proc = .*
type = rename|set|delete|create
So basically 'disabled = 0' switches it on and 'disabled = 1' switches it off.
To stop WinRegistry set 'disabled = 1'.
I note on the Splunk Server 'splunk' it is already disabled within
etc/apps/Splunk_TA_windows/local/inputs.conf.
Please make the changes above then restart your universal forwarder.
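A way to confirm the change actually took effect on the forwarder, added here as an example and not part of the original answer: inputs.conf is layered (app default, app local, system local), so the merged view from `splunk btool inputs list --debug` is what counts. The script below parses that output and reports, for every WinRegMon stanza, the effective `disabled` value and the file that supplied it. The Splunk home path and the sample btool output are constructed for the example; when splunk.exe is present the real output is used instead.

```powershell
# Added example: show each WinRegMon stanza's effective "disabled" setting and
# the file btool says wins. $SplunkHome and $SampleBtool are constructed.

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# Constructed sample of "splunk btool inputs list --debug": "<source file> <conf line>".
# In this sample the local file only overrides the default stanza, so hklm_run
# stays enabled even though someone may believe they switched it off.
$SampleBtool = @'
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf [WinRegMon://default]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf   disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf hive = .*
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = windows
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf [WinRegMon://hklm_run]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf disabled = 1
'@

function Get-WinRegMonState {
    param([string[]]$BtoolLines)
    $current = $null
    $states = [ordered]@{}
    foreach ($line in $BtoolLines) {
        # The source path may contain spaces, so split at the first ".conf" followed by whitespace.
        if ($line -notmatch '^(?<file>.*?\.conf)\s+(?<body>.*)$') { continue }
        $file = $Matches['file']
        $body = $Matches['body'].Trim()
        if ($body -match '^\[(?<stanza>WinRegMon://[^\]]+)\]$') {
            $current = $Matches['stanza']
            $states[$current] = [ordered]@{ Stanza = $current; Disabled = $null; Source = $null }
        } elseif ($body -match '^\[') {
            $current = $null            # some other input type; ignore until the next WinRegMon stanza
        } elseif ($current -and $body -match '^disabled\s*=\s*(?<val>\S+)') {
            # btool has already resolved precedence: the file on this line is the one that wins.
            $states[$current].Disabled = ($Matches['val'] -in @('1', 'true'))
            $states[$current].Source   = $file
        }
    }
    foreach ($s in $states.Values) {
        if ($null -eq $s.Disabled) {
            $s.Disabled = $false        # inputs.conf default: no "disabled" key means enabled
            $s.Source   = '(not set; enabled by default)'
        }
        [pscustomobject]$s
    }
}

$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
$lines = if (Test-Path $splunkExe) {
    & $splunkExe btool inputs list --debug 2>$null
} else {
    $SampleBtool -split "`r?`n"
}

Get-WinRegMonState -BtoolLines $lines | Format-Table -AutoSize
```

Run it on the forwarder after editing local/inputs.conf and again after the restart; a stanza whose Source is still the app's default directory has not been overridden, and a stanza with no `disabled` key at all is live.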
11-29-2018
04:26 AM
I am using the Windows App/Add-on for Windows and would like to stop WinRegistry indexing
as I have exceeded my license limit.
splunk_app_windows_infrastructure 1.4.4
Splunk_TA_windows 4.8.4
11-20-2018
01:37 AM
1 Karma
Support logged a bug with Development and it was confirmed as a bug. After Splunk ES 4.7.x,
SA (Security Add-on)/DA (Domain Add-on) apps were disabled before the post-installation setup.
During the 5.1.1 upgrade, SAs were re-enabled but DAs were not.
SOLNESS-17018 Navigation: Splunk ES 5.1.1 not showing most of the dashboards after migration from 4.7.1
The solution is to re-enable all DAs (Domain Add ons).
To re-enable apps click "Manage Apps" from the app dropdown on the navigation bar in ES or
navigate to https://examplehost.splunk.com:8000/en-US/manager/SplunkEnterpriseSecuritySuite/apps/local
(Replace: examplehost.splunk.com with the name of your host).
11-20-2018
01:37 AM
1 Karma
Splunk Enterprise was migrated from 6.5.3 to 7.1.2 and the Splunk Enterprise Security app
was upgraded from 4.7.1 to 5.1.1.
After the upgrade, most of the navigational dashboards are not visible anymore.
For example, inside Enterprise Security under Security Intelligence, you would normally see "Risk Analysis",
"Protocol Intelligence", "Threat Intelligence", "User Intelligence" and "Web Intelligence".
Now, after the upgrade to 5.1.1, inside Enterprise Security under Security Intelligence I can only see
"Risk Analysis". The same applies to Security Domains: "Identity" is not visible anymore.
07-26-2018
05:09 AM
2 Karma
This issue occurred following an upgrade from Splunk 6.5.2 to 7.1.2.
This also included an upgrade of the Splunk Enterprise Security App to 5.1.0 which exhibited this error:
ERROR UiHttpListener - An applicaiton server has exited unexpectedly, web UI cannot be used until it is restarted
Follow the workaround steps in the release notes:
http://docs.splunk.com/Documentation/ES/5.0.1/RN/KnownIssues
SOLNESS-14637
Splunk Web doesn't start after upgrading Splunk Enterprise Security to 5.0.0
Affects Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1.
Workaround from the Known Issues page for Splunk Enterprise Security (highlighted issues):
Date filed: 2018-02-20
Issue number: SOLNESS-14637
Description: Splunk Web doesn't start after upgrading Splunk Enterprise Security to 5.0.0
Workaround: remove the Advanced XML module folder and its contents from the installation, for instance:
$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor
07-24-2018
02:27 AM
Concerning the '/brokers/ids' error you should not run:
/opt/caspida/bin/Caspida start
Instead, run:
/opt/caspida/bin/Caspida start-all
'caspida start' is usually used against an individual service name.
The documentation for this is included below for your future reference.
https://docs.splunk.com/Documentation/UBA/4.1.2/Install/DeploymentArchitecture
An * indicates services that are started with the caspida start command and stopped with the caspida stop command. To start or stop all services, use caspida start-all or caspida stop-all.
e.g.
3 servers
postgresql
caspida-jobagent*
hive-metastore
influxdb
impala-server
impala-catalog
impala-state-store
caspida-jobmanager*
etc.
07-24-2018
02:25 AM
Error when starting UBA using:
/opt/caspida/bin/Caspida start
Starting Topologies
Exception in thread "main" org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /brokers/ids
at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.getChildren(ZooKeeper.java:1468)
at org.apache.zookeeper.ZooKeeper.getChildren(ZooKeeper.java:1496)
at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:723)
at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:591)
at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:354)
at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:282)
Tags: splunk-enterprise
03-15-2017
04:04 AM
Splunk handles timezones with the following order:
(1) A time zone indicator in the raw event data e.g. -800, GMT-8 or PST
(2) The value of a TZ attribute set in props.conf
* Checks the host, source or sourcetype stanzas
* If a forwarder is used, the forwarder-provided time zone is used
e.g.
[host::myserver*]
TZ = Europe/Moscow
[source::/mnt/eu_east/*]
TZ = Europe/Volgograd
(3) If all else fails, Splunk applies the timezone of the indexer's host server.
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
So in the meantime you just need to use a timezone (close to Turkey) that has +03:00 all year round until a patch has been created.
CC | Coordinates | TZ | Comments | UTC offset | UTC DST offset
---|---|---|---|---|---
RU | +554521+0373704 | Europe/Moscow | MSK+00 - Moscow area | +03:00 | +03:00
RU | +4844+04425 | Europe/Volgograd | MSK+00 - Volgograd, Saratov | +03:00 | +03:00
The following Enhancement Request has been logged:
SPL-129875 Turkey timezone change to +03:00 (permanent Daylight Saving)
02-23-2017
02:12 AM
4 Karma
A similar question was asked by a customer who uses a Norwegian Keyboard (below):
https://www.datacal.com/image/popup?imagePath=%2fimages%2fproduct%2flarge%2f310.jpg
There is a §| key above the Tab key (left of the 1) and that produces the \ character within Splunk.
Pressing Ctrl+§| enables Search Bar formatting in Splunk 6.5.x. This was confirmed to work by the customer.
That is the same physical location of the ^ character on a German T2 Keyboard
https://en.wikipedia.org/wiki/German_keyboard_layout#/media/File:German-T2-Keyboard-Prototype-May-2012.jpg
(See also: https://answers.splunk.com/answers/459003/what-is-the-keyboard-shortcut-for-the-splunk-650-s.html)
02-01-2017
07:01 AM
12 Karma
Consulted Development to see if any of the keys in the branch that you had exported were in a non-standard format (as this affects the ability of the Splunk installer to complete the installation).
When upgrading a Universal Forwarder or Splunk Enterprise, if the hexadecimal value after HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products is not 32 hexadecimal characters, the Splunk installer will report an error. It performs this check as part of the upgrade.
In the example below, there is a rogue character _.
Output:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C173E5AD3336A8D3394AF65D2BB0CCE6_]
Use the Windows PowerShell to see if you have the issue:
Get-ChildItem HKLM:\SOFTWARE\Classes\Installer\Products | Where-Object { $_.Name -notmatch '\\[0-9A-F]{32}$' } | Select-Object Name
Please take a backup of the key above (by exporting it to a file), then delete the branch within the registry.
If you have multiple hosts you can use the link below which can help automate the deletion process.
https://support.microsoft.com/en-gb/help/310516/how-to-add--modify--or-delete-registry-subkeys-and-values-by-using-a
Ensure the existing Splunk installer is no longer running.
Development are working to make future releases of the installer work around those registry entries.
This has been logged as a Bug:
SPL-128643 Splunk will not install if Windows' Installer's Products key contains invalid entries
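An added example (not code from the original post) that turns the one-line check above into an audit-then-remediate script for several hosts: it lists every Installer\Products subkey whose name is not exactly 32 hex characters together with its ProductName value, exports each one to a .reg file before touching it, and removes a key only when -Remove is given (honouring -WhatIf). The backup directory is an arbitrary example path; the script assumes an elevated PowerShell session and that no Splunk installer is running.

```powershell
# Added example: audit, back up and optionally delete malformed subkeys under
# HKLM\SOFTWARE\Classes\Installer\Products. $BackupDir is an example path.

$ProductsKey = 'HKLM:\SOFTWARE\Classes\Installer\Products'

function Get-MalformedInstallerProducts {
    param([string]$Path = $ProductsKey)
    # PSChildName is the subkey's own name, so the regex can be anchored on both
    # ends without having to escape the path separator (the trap in the one-liner).
    # A valid product code is 32 hex digits: a GUID with braces and dashes removed.
    Get-ChildItem -Path $Path -ErrorAction Stop |
        Where-Object { $_.PSChildName -notmatch '^[0-9A-F]{32}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name        = $_.Name
                PSPath      = $_.PSPath
                PSChildName = $_.PSChildName
                ProductName = $props.ProductName   # tells you which product the junk entry belongs to
            }
        }
}

function Remove-MalformedInstallerProducts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $ProductsKey,
        [string]$BackupDir = 'C:\Temp\installer-products-backup',
        [switch]$Remove
    )
    $bad = @(Get-MalformedInstallerProducts -Path $Path)
    if ($bad.Count -eq 0) { Write-Host "No malformed product keys under $Path"; return }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $bad) {
        # reg.exe takes the native key name (HKLM\...), not the PSDrive form.
        $native   = $key.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
        $safeName = $key.PSChildName -replace '[^0-9A-Za-z_\-]', '_'
        $backup   = Join-Path $BackupDir "$safeName.reg"

        # Export first; if the export fails, leave the key alone so nothing is lost.
        & reg.exe export $native $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
            Write-Warning "Export of $native failed; leaving it in place."
            continue
        }
        Write-Host "Backed up $native -> $backup"

        if ($Remove -and $PSCmdlet.ShouldProcess($native, 'Remove registry key')) {
            Remove-Item -Path $key.PSPath -Recurse -Force
            Write-Host "Removed $native"
        }
    }
}

# Audit only:
Get-MalformedInstallerProducts | Select-Object PSChildName, ProductName, Name

# Dry run, then the real thing once the Splunk installer is confirmed not running:
# Remove-MalformedInstallerProducts -Remove -WhatIf
# Remove-MalformedInstallerProducts -Remove
```

Check the ProductName column before removing anything: the Installer\Products hive is shared by every MSI-installed product, and the .reg export is the only way back if a key you delete turns out to belong to something other than the stale Splunk entry.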
01-31-2017
01:22 AM
4 Karma
The error message on the screen is: "UniversalForwarder Setup ended prematurely"
Versions older than 6.2 (e.g. 6.1.3) of Splunk Universal Forwarder and Splunk Enterprise (and other applications) can be installed without problems.
Since SSLv3 has been disabled in our environment, the older versions do not deliver any data and cannot be used.
As I can see in the MSI installer log, Splunk has problems getting the installed version:
--------------------
Action start 16:49:22: GetPreviousSettings.
GetPreviousSettings: Error 0x80004005: Failed to get lookup product code.
-------------------
Also tried to install as administrator from CMD-Line
01-27-2017
01:02 AM
1 Karma
Splunk Enterprise 6.5.2 was released on 25 January 2017. This should fix your issue with
alerts. The download link is below.
https://www.splunk.com/en_us/download/splunk-enterprise.html
01-19-2017
06:27 AM
You can manually check whether you have the issue in the file $SPLUNK_HOME/var/log/splunk/scheduler.log. Search for the string SavedSplunker and you will see multiple
instances of the following:
ERROR SavedSplunker - vector::_M_range_check: __n (which is 0) >= this->size() (which is 0)
01-19-2017
06:26 AM
The error is not caused by a defective .conf file. As soon as the Splunk Enterprise 6.5.2 is released, I will let you know via this Splunk Answers posting.
01-09-2017
10:06 AM
2 Karma
The issue with sending alerts in Splunk Enterprise 6.5.0 and 6.5.1 will be fixed in Splunk Enterprise 6.5.2, targeted for release by the end of January 2017.
SPL-131375 SavedSplunker ERROR message in scheduler.log needs more context
ERROR SavedSplunker - vector::_M_range_check: __n (which is 0) >= this->size() (which is 0)