cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ehqtrainorm
Explorer
Member since: ‎09-04-2019
‎09-09-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎09-04-2019
Activity Feed
View All

Eventgen - Ensure current timestamp

by in Getting Data In
‎08-27-2020 03:53 PM
‎08-27-2020 03:53 PM
Hi All, I have a few existing inputs with EventGen (v6.5.2) and they work perfectly on Splunk 8.0.5. The use case I am having trouble with is where: a) The timestamp is not contained in the _raw data (the actual Production input uses the current index time) b) There are other timestamps in _raw (they are not related to _time, are separate fields). c) All events in the csv sample file must be ingested each interval.   I have tried both sample mode and replay mode. Sample mode ingests the data but identifies different date/time values in _raw and uses that as _time, which is unexpected. This is even while autotimestamp = false.   In replay mode, nothing is ingested due to errors where it can't find the timeField (there is a time column in the csv that I referenced).   So how can I ingest all events in the sample csv file while ensuring _time is the current time, and not dependent on any timestamps in the _raw?   Here is my config for mode = sample.   [ops_724events_ggprocdetail_sample] disabled = false mode = sample interval = 60 sampletype = csv autotimestamp=false earliest = -1m latest = now   Csv sample file has the following columns: time,index,host,source,sourcetype,"_raw" ... View more

Re: ITSI Service Template Sync Schedule

by in Splunk IT Service Intelligence
‎07-13-2020 04:01 PM
1 Karma
‎07-13-2020 04:01 PM
1 Karma
Hey mate,   I can't address your other questions, but I also wondered what the schedule was for syncing service templates. In SA-ITOA/default/inputs.conf there is a stanza: [itsi_service_template_update_scheduler://itsi_service_template_update_scheduler] interval = 900 disabled = 0   If you look in SA-ITOA/bin you will find itsi_service_template_update_scheduler.py. This is the modular input script invoked by the scheduled input.   You can check the log by running the SPL: index=_internal source="*itsi_service_template_update_scheduler*" ... View more

Re: Sparkline after Join Command Problem

by in Splunk Enterprise Security
‎04-01-2020 06:39 PM
‎04-01-2020 06:39 PM
Hey mate, I had a similar issue with the sparkline persisting after a subsequent join/stats. All I did was in the stats command following the join: | stats list(spark) as spark So yours would be after the join: | stats list(sparkline) as sparkline by host It worked for me. YMMV. Let me know how you go. ... View more

Centos 7 - Splunk 7.4.2 - Enable/Disable boot star...

by in Deployment Architecture
‎11-10-2019 03:46 PM
1 Karma
‎11-10-2019 03:46 PM
1 Karma
We have setup "enable boot-start" as the non-root user "splunk" and it's not systemd managed: /opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0 --no-prompt --accept-license --answer-yes From what I have read, this changes the SPLUNK_OS_USER in splunk-launch.conf, as well as creates a new init.d script. However, according to this document, you still need to edit the init.d script to run splunkd as a non-root user. I would have thought that specifying "-user splunk" would have been enough to ensure this happened. So can you please verify that, in order to properly run splunk as non-root user and for splunk to start at boot, you need to: Enable boot-start as per the command above; Edit the init.d script to ensure that the commands are being run as the appropriate non-root user. I ask this because this makes maintenance a bit more tricky. Say I want to disable boot-start. This deletes the init.d script apparently. Then when we run the enable boot-start command again, the file is re-created, without our edits. So we need to edit the file again. Failing to do so could cause issues when splunk is started on boot as root rather than the non-root user. ... View more

Re: Why are all services still being indexed, even...

by in Getting Data In
‎09-04-2019 03:02 PM
‎09-04-2019 03:02 PM
The hacky way I got around this was to use the [powershell://] block in the inputs.conf: [powershell://<name>] # Get service status script = Get-Service -ComputerName localhost | Where-Object DisplayName -in ('Service1','Service2','Service3') | Select-Object Name, DisplayName, Status # Run every 5 mins schedule = */5 * * * * index = <index_name> sourcetype = <sourcetype_name> ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-09-2020 03:56 AM
Karma from
View All