How to assi gn the sourcetype wms_oracle_sessions to the data on ingestion phase. ... View more

We have created sourcetype wms_oracle_sessions but no luck. No data is getting displayed on the dashboard ... View more

This worked. dbquery wmsewprd  "select REC_TYPE, CODE_TYPE, CODE_DESC, SHORT_DESC, USER_ID from SYS_CODE_TYPE"   We created database connection under setting->External Databases and after that restarted splunk on the host. When we tried the below query, it worked.   dbquery wmsewprd  "select REC_TYPE, CODE_TYPE, CODE_DESC, SHORT_DESC, USER_ID from SYS_CODE_TYPE"   This issue is resolved. ... View more

This issue is resolved. ... View more

The issue was "Java Bridge server was not running". We engaged splunk support and they fixed the issue. We configured to connect DB of webmethods and restarted splunk. That resolved the issue. ... View more

                                                                                  eventtype err0r (error)   nix-all-logs   nix_errors (error)     oracle_sid wmb2bprd     tag error     unix_category all_hosts     unix_group default     wmApplication database     wmApplicationType b2b     wmEnvironment prd   Time   _time 2019-06-15T03:30:46.948+10:00   Default   index webmethods_prd     linecount 12     punct --_::.=----=----=----=.=.=..:=..:=----=__=_:,__:__     splunk_server aeapsplnd01 ... View more

Type   Field Value Actions Selected   host aeapwmora02     source dbmon-tail://wmb2bprd/webmethods:WMERROR     sourcetype webmethods:wmerror   Event   AUDITTIMESTAMP 1560497446.948     CONTEXTID d34b7125-313a-4d6f-9638-ad324032802f     ERRORMESSAGE document is null     ERRSTACKTRACE Error Type:exception, Error Message:document is null, Service Name:     INSERTTIMESTAMP 1560497446.949     MSGID 8090bffc-5837-93c2-cb9c-833f427fb709     PARENTCONTEXTID 61739280-d3af-44fd-a7c6-0afd3cf4d450     ROOTCONTEXTID 702f9ad0-1c19-4181-b543-56f3ee69e010     SERVERID aeapwmappb2b39.ce.corp:5555     SERVICENAME pub.event.exception:logToFile     eventtype err0r (error)   nix-all-logs   nix_errors (error) ... View more

Following is the search query.   index=webmethods_prd sourcetype=webmethods:wmerror   Time range picker : All time Sample data of 15th June, 2019. 15/06/2019 03:30:46.948 aeaxwmora02 dbmon-tail://wmb2bprd/webmethods:WMERROR webmethods:wmerror     ... View more

Hi,   I typed the command java -version on Indexer sever.  [root@aeaxsplnd01 ~]# java -version -bash: java: command not found [root@aeaxsplnd01 ~]# which java /usr/bin/which: no java in (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)   Is JRE needs to be installed on Indexer server or it needs to be installed on Search head server. ... View more

Hi,   I incorporated the following in inputs.conf. [monitor://dbmon-tail://wmb2bprd/webmethods:WMERROR] index = webmethods_prd sourcetype = webmethods:wmerror disabled = false [root@aeaxwmora02 local]# pwd /opt/splunkforwarder/etc/system/local [root@aeaxwmora02 local]# cat inputs.conf [default] host = aeaxwmora02 [monitor://dbmon-tail://wmb2bprd/webmethods:WMERROR] index = webmethods_prd sourcetype = webmethods:wmerror disabled = false Restarted Splunk, but still showing data till 6/15/2019. Data  after 6/15/2019 is not showing.     ... View more

User says that it’s a database, not a file, and hence doesn’t follow the usual Splunk forwarder file indexing process. Source is like this  dbmon-tail://wmb2bprd/webmethods:WMERROR   How should I go. ... View more

Can you please help me on next steps. ... View more

data are generated by the source system? you can check this analyzing files on source system; I need to check from the user what data he is looking for.   the source system reach to send logs to the Indexer? you can check this with a simple search index=_internal host=source_system_hostname​ Yes source system can able to reach indexer to send logs. This I verified by the following query. index=_internal host=aeapwmora02 Events got generated of today's data.   are index and sourcetype correct? you can check this analyzing inputs.conf on the source system.   I verified the inputs.conf on the source sytem but nothing defined in inputs.conf   [root@aeaxwmora02 local]# pwd /opt/splunkforwarder/etc/system/local [root@aeaxwmora02 local]# cat inputs.conf [default] host = aeaxwmora02 [root@aeaxwmora02 local]# We found that index  webmethods_prd is existing by the following query. | eventcount summarize=false index=* index=_* | dedup index | fields index   and sourcetype is existing by the following query. sourcetype="webmethods:wmerror" host=aeaxwmora02 Events are getting generated and we got latest event dated 6/15/2019.  No events generated after the data 6/15/2019.  Under interesting fields, value of  index is showing as webmethods_prd.   What should be the next steps.   Do I need to get the information from the user what source files he is looking for along with the path. and configure in inputs.conf     ... View more

Yes we installed TA-meraki. Following is the output of $SPLUNK_HOME/bin/splunk btool props list --debug meraki ./splunk btool props list --debug meraki /opt/splunk/etc/apps/TA-meraki/default/props.conf [meraki] /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8 /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000 cat props.conf [meraki] This line is needed to be on the indexer or heavy forwarder meraki includes their own date/time which is a unix timestamp, this transforms detect it and removes it which saves you data TRANSFORMS-meraki_date_clipper = meraki_date_clipper KV_MODE = none REPORT-dvc = meraki_dvc REPORT-dvc2 = meraki_dvc2 REPORT-dvc_ip = meraki_dvc_ip REPORT-dvc_ip2 = meraki_dvc_ip2 REPORT-content_filtering_generic = meraki_content_filtering_generic REPORT-transport = meraki_transport REPORT-url_protocol = meraki_url_protocol REPORT-http_user_agent = meraki_http_user_agent REPORT-src = meraki_src REPORT-dst = meraki_dst REPORT-http_method = meraki_http_method REPORT-src_mac = meraki_src_mac REPORT-user = meraki_user REPORT-user2 = meraki_user2 REPORT-url = meraki_url REPORT-url2 = meraki_url2 REPORT-category = meraki_category REPORT-dest_port = meraki_dest_port REPORT-dest_port2 = meraki_dest_port2 REPORT-src_port = meraki_src_port REPORT-src_port2 = meraki_src_port2 REPORT-icmp_type = meraki_icmp_type REPORT-meraki_action = meraki_action REPORT-meraki_flows_action = meraki_flows_action REPORT-meraki_priority = meraki_priority REPORT-signature_id = meraki_signature_id REPORT-signature = meraki_signature Sets value for meraki_app; in REPORT first device that sets value overrides secondary queries REPORT-meraki_1events_ad = meraki_events_ad REPORT-meraki_2dhcp_conflict = meraki_dhcp_conflict REPORT-meraki_3dhcp_lease_added = meraki_dhcp_lease_added REPORT-meraki_4dhcp_lease_release = meraki_dhcp_lease_release REPORT-meraki_5dhcp_lease_fail = meraki_dhcp_lease_fail REPORT-meraki_6dhcp_lease_fail2 = meraki_dhcp_lease_fail2 REPORT-meraki_7port = meraki_port REPORT-meraki_8authentication = meraki_authentication REPORT-meraki_91wireless = meraki_events_wireless REPORT-meraki_92app = meraki_app REPORT-meraki_93app = meraki_app2 These handles the airmarshal_events REPORT-air_signature = air_signature REPORT-air_ssid = air_ssid REPORT-air_bssid = air_bssid REPORT-air_src_mac = air_src_mac REPORT-air_dest_mac = air_dest_mac REPORT-air_wired_mac = air_wired_mac REPORT-air_client_mac = air_client_mac REPORT-air_vlan_id = air_vlan_id REPORT-air_channel = air_channel REPORT-air_fc_type = air_fc_type REPORT-air_fc_subtype = air_fc_subtype REPORT-air_inter_arrival = air_inter_arrival REPORT-air_dos_count = air_dos_count REPORT-air_alarm_id = air_alarm_id REPORT-air_state = air_state REPORT-air_radio = air_radio REPORT-air_packet = air_packet REPORT-air_reason = air_reason REPORT-air_rssi = air_rssi REPORT-air_vap = air_vap REPORT-air_client_ip = air_client_ip REPORT-air_instigator = air_instigator REPORT-air_duration = air_duration REPORT-air_last_auth_ago = air_last_auth_ago REPORT-air_is_wpa = air_is_wpa REPORT-air_full_conn = air_full_conn REPORT-air_ip_resp = air_ip_resp REPORT-air_ip_src = air_ip_src REPORT-air_http_resp = air_http_resp REPORT-air_arp_resp = air_arp_resp REPORT-air_arp_src = air_arp_src REPORT-air_dns_server = air_dns_server REPORT-air_dns_req_rtt = air_dns_req_rtt REPORT-air_dns_resp = air_dns_resp REPORT-air_dhcp_lease_completed = air_dhcp_lease_completed REPORT-air_dhcp_ip = air_dhcp_ip REPORT-air_dhcp_server = air_dhcp_server REPORT-air_dhcp_server_mac = air_dhcp_server_mac REPORT-air_dhcp_resp = air_dhcp_resp REPORT-air_aid = air_aid REPORT-air_info = air_info REPORT-air_type = air_type REPORT-meraki_wireless_action = meraki_wireless_action FIELDALIAS-dest = dst AS dest FIELDALIAS-src_ip = src AS src_ip FIELDALIAS-srcip = src AS srcip FIELDALIAS-dest_ip = dst AS dest_ip FIELDALIAS-user_agent = http_user_agent AS user_agent FIELDALIAS-ua = http_user_agent AS ua FIELDALIAS-urlc = category AS urlc FIELDALIAS-signature = category AS signature FIELDALIAS-urlp = dest_port AS urlp FIELDALIAS-client_ip = client_ip AS src_ip EVAL-http_user_agent_length = len(http_user_agent) EVAL-ids_type = if(meraki_app=="ids-alerts", "network", if(meraki_app=="events-airmarshal","wireless",null())) EVAL-app = "meraki-".meraki_app EVAL-url_length = len(url) EVAL-response_time = sum(arp_resp+dhcp_resp+ip_resp) CIM states that (src|dest|x)_mac should be lower case docs.splunk.com/Documentation/CIM/latest/User/NetworkTraffic EVAL-src_mac = lower(src_mac) EVAL-dest_mac = lower(dest_mac) EVAL-client_mac = lower(client_mac) EVAL-cached = "0" EVAL-lease_scope = if(len(lease_scope_subnet)=>1,src."/".lease_scope_subnet,null()) EVAL-signature = coalesce(dhcpsignature,category,signature) EVAL-category = coalesce(category,signature) EVAL-signature_id = coalesce(dhcpsignature_id,signature_id) EVAL-meraki_action = coalesce(meraki_action,meraki_dhcp_action,meraki_wireless_action,meraki_airmarshal_action) EVAL-meraki_priority = coalesce(meraki_port_priority,meraki_priority,meraki_dhcp_priority,meraki_ad_priority,meraki_url_priority) LOOKUP-vendor_info_for_meraki = meraki_vendor_info_lookup sourcetype OUTPUT vendor,product,vendor_product LOOKUP-action_for_meraki = meraki_action_lookup meraki_action OUTPUT action LOOKUP-severity_for_meraki = meraki_severity_lookup meraki_priority OUTPUT severity LOOKUP-icmp_code_for_meraki = meraki_icmp_code_lookup icmp_type OUTPUT icmp_code LOOKUP-status_code_for_meraki = meraki_status_code_lookup meraki_app,meraki_action OUTPUT status_code,status,rule What I need to do to create sourcetype meraki. ... View more