Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kochera
kochera
Communicator
Member since:
02-15-2011
04-26-2023
Community Statistics
| Posts | 49 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 18 |
| Member Since | 02-15-2011 |
Activity Feed
- Got Karma for Use extracted field in a subsearch. 09-05-2022 08:21 PM
- Karma Re: Unknown error message from Admin Manager for florho. 06-05-2020 12:49 AM
- Got Karma for Unknown error message from Admin Manager. 06-05-2020 12:49 AM
- Got Karma for Unknown error message from Admin Manager. 06-05-2020 12:49 AM
- Got Karma for In our Oracle RAC environment with dataguard, how do we make Splunk DB Connect 'dataguard aware'?. 06-05-2020 12:47 AM
- Karma Re: Event not complete in Splunk with field extraction for dwaddle. 06-05-2020 12:46 AM
- Karma Re: DB connect - timestamp issue for ziegfried. 06-05-2020 12:46 AM
- Got Karma for export raw AllTime: file not found. 06-05-2020 12:46 AM
- Got Karma for Same hour for the last 7 days. 06-05-2020 12:46 AM
- Got Karma for Re: DBX: Problems after upgrading to 1.0.8. 06-05-2020 12:46 AM
- Got Karma for Indexes are not visible for adding them to a role on a Splunk SearchHead. 06-05-2020 12:46 AM
- Got Karma for export raw AllTime: file not found. 06-05-2020 12:46 AM
- Got Karma for Event not complete in Splunk with field extraction. 06-05-2020 12:46 AM
- Got Karma for Re: DB connect - timestamp issue. 06-05-2020 12:46 AM
- Got Karma for DB connect - timestamp issue. 06-05-2020 12:46 AM
- Got Karma for DB connect - timestamp issue. 06-05-2020 12:46 AM
- Got Karma for Re: serverinfo.py on Solaris x86 server. 06-05-2020 12:46 AM
- Got Karma for serverinfo.py on Solaris x86 server. 06-05-2020 12:46 AM
- Got Karma for Event not complete in Splunk with field extraction. 06-05-2020 12:46 AM
- Got Karma for Event not complete in Splunk with field extraction. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 |
08-28-2019
11:16 PM
problem solved. I put part of the the props.conf
[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 99999
LINE_BREAKER = -{2,3}[a-zA-Z0-9]{8}-{1,3}Z-{2}([\r\n]+)-{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}
TIME_PREFIX = -{2,3}[a-zA-Z0-9]{8}-{1,3}A-{2}\n[
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none
directly on the heavyforwarders and keep the other part of the configuration in the TA on the indexers.
... View more
08-27-2019
06:52 AM
Hi,
find below the sample.
cheers,
Andy
---6uIk3EEg---A--
[27/Aug/2019:15:35:57 +0200] 7fc42219c6c4d351842309e9d537dc9c 13.93.46.20 34698 13.93.46.20 443
---6uIk3EEg---B--
POST /services/collector/event HTTP/1.1
Host:
Authorization: Splunk 75B1123F-D42B-47A8-8146-F24704BE9C70
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: /
Content-Length: 382
User-Agent: python-requests/2.9.1
---6uIk3EEg---F--
HTTP/1.1 200
Server: nginx
Date: Tue, 27 Aug 2019 13:35:57 GMT
Content-Length: 27
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Connection: keep-alive
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
---6uIk3EEg---H--
ModSecurity: Warning. Matched "Operator Eq' with parameter 0' against variable REQUEST_HEADERS:Content-Type' (Value: 0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
ModSecurity: Warning. Matched "Operator Eq' with parameter 0' against variable REQUEST_HEADERS:Content-Type' (Value: 0' ) [file "/etc/modsecurity/owasp-modsecurity-crs/v3.1.1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "732"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.1.1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "13.93.46.20"] [uri "/services/collector/event"] [unique_id "7fc42219c6c4d351842309e9d537dc9c"] [ref "v217,3"]
---6uIk3EEg---J--
---6uIk3EEg---K--
---6uIk3EEg---Z--
... View more
08-26-2019
12:43 AM
Hi,
Our raw events from mod_security logfile are split into three different events.
I've tried multiple settings in props.conf without success.
Current config is:
[modsec:audit]
SHOULD_LINEMERGE = false
TRUNCATE = 0
NO_BINARY_CHECK = true
#LINE_BREAKER = (\-{2,3}[a-zA-Z0-9]{8}\-{1,3}Z\-{2}([\r\n]+)\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
LINE_BREAKER = ([\r\n]+)(\-{2,3}[a-zA-Z0-9]{8}\-{1,3}A\-{2})
MAX_TIMESTAMP_LOOKAHEAD = 32
MAX_EVENTS = 1024
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
KV_MODE = none
Cheers,
Andy
... View more
11-10-2017
02:22 AM
I checked on that already. the permissions are ok.
we get the error on all SH-cluster members although not equally spreaded.
... View more
11-10-2017
01:25 AM
we don't know. it just generates a lot of error messages in the splunkd.log
... View more
11-10-2017
01:16 AM
2 Karma
Hi,
has anyone seen the error message below?
ERROR AdminManager - Argument "actual_only" is not supported by this handler.
Any ideas what may cause this?
Cheers,
Andy
... View more
- Tags:
- splunk-enterprise
06-13-2017
04:58 AM
Hi,
we already have a HEC up and running and this is the only service we want to expose.
cheers,
Andy
... View more
06-12-2017
12:46 AM
Hi,
the reason why we want to use HEC is that we don't want to open additonal tcp ports towards our on-premise Splunk instance.
cheers,
Andy
... View more
06-11-2017
11:57 PM
Hi,
we would like to forward all data from a splunk instance in the "cloud" to an on-premise http event collector. Is there a way of doing this?
cheers,
Andy
... View more
- Tags:
- splunk-enterprise
11-30-2015
02:38 AM
Hi,
thanks for your answer. But why is it writting the data properly when running it manually?
cheers,
Andy
... View more
11-30-2015
01:36 AM
Hi,
I've a scheduled saved search running every day to collect events and writting the events to a new index. Running the search interactively is working fine but running the job started by the scheduler is not working at all. No data is written to the new index. Find below the search:
index=access sourcetype="legacy" [search (index=access sourcetype="tap") OR (index=access sourcetype=vdi) |fields + user ] |collect index=access sourcetype=legacy_spec
Any ideas what might cause this behaviour?
cheers,
Andy
... View more
01-09-2015
05:44 AM
Basically we should have a list of hosts and ports DB connect tries to connect to.
... View more
01-09-2015
05:28 AM
1 Karma
Hi,
We have an Oracle RAC environment with dataguard. We don't know which instance is the active one and which is the passive one. The JDBC connection string looks like:
jdbc:oracle:thin:@(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP) (HOST = <hostA-scan>) (PORT = 1532))
(ADDRESS = (PROTOCOL = TCP) (HOST = <hostB-scan>) (PORT = 1532))
(CONNECT_DATA =
(SERVICE_NAME = kudaps_rw.T.pnet.ch)
(CONNECT_TIMEOUT=5)(RETRY_COUNT=2)
)
)
Any idea how to make DB Connect 'dataguard aware'?
Cheers,
Andy
... View more
03-24-2014
11:35 PM
1 Karma
Hi,
I would like to compare the same hour for the last seven days. Is there a chance of using timewrap for this?
cheers,
Andy
... View more
- Tags:
- Timewrap
12-31-2013
01:47 AM
Hi,
on our newly installed Windows servers (windows server 2012 r2) we get the following error message while starting the Splunk Universal forwarder
12-31-2013 09:58:31.630 +0100 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonConfig::InitNetmonConfig: No valid stanzas found.
What I saw in the docs (http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/MonitorWindowsnetworkinformation) is that this OS version is not supported. Could this be the cause for the above error?
cheers,
Andy
... View more
- Tags:
- windows
10-28-2013
12:17 PM
Hi,
Do you have any intentions to provide a database write option within the DB Connect app?
Cheers,
Andy
... View more
- Tags:
- Splunk DB Connect 1
06-25-2013
11:06 PM
1 Karma
Hi,
thanks for the hint. Finally I got a it working.
1) SELECT TO_TIMESTAMP(TO_CHAR(LOG_ENTRYDATE),'YYYY-MM-DD HH24:MI:SS.FF') LOG_ENTRYDATE,
2) SELECT TO_CHAR (TO_TIMESTAMP (LOG_ENTRYDATE, 'YYYY-MM-DD HH24:MI:SS,FF6'),
'YYYY-MM-DD HH24:MI:SS.FF3')
LOG_ENTRYDATE,
Both should work, for me solution 1) was just fine.
Cheers,
Andy
... View more
06-19-2013
10:59 PM
Hi Sigi,
find below the definition of the log_entrydate field.
LOG_ENTRYDATE VARCHAR2 YES 29 0 10
cheers,
Andy
... View more
06-19-2013
05:16 AM
2 Karma
Hi,
we use DB connect to monitor database jobs. Each job generates an entry. the field log_number is an increasing counter, the fiels log_entrydate is the actual timestamp.
log_entrydate format: 2013-06-19 14:03:12.183506
I tried to extract the timestamp and to get an event for each log_number but was not successful. Configuration:
output.timestamp = true
output.timestamp.column = LOG_ENTRYDATE
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss.SSS --> I don't know how to specify
Any help is appreciated.
Cheers,
Andy
... View more
- Tags:
- Splunk DB Connect 1
02-04-2013
04:23 AM
Hi Sigi,
I added the entry to dbx/local/database.conf and restart splunk. I still get the same error message when I try to add a new database connection.
$ cat etc/apps/dbx/local/database.conf
[default]
database.sid = true
cheers,
Andy
... View more
01-31-2013
06:23 AM
Hi,
we're running the DBX App 1.0.4 in production. After upgrading to 1.0.8 we get the following error:
Encountered the following error while trying to save: In handler 'dbx-databases': Error connecting to database: java.sql.SQLException: Listener refused the connection with the following error: ORA-12514, TNS:listener does not currently know of service requested in connect descriptor
Any idea what might cause this?
Cheers,
Andy
... View more
01-23-2013
05:59 AM
2 Karma
Hi,
We're running Splunk 4.3.3. One of our customers would like to export the search results (approx. 300 events) over AllTime in raw-format. The UI export fails with an error message:
File not found
Firefox can't find the file at https://pspka028:7020/splunk/en-US/api/search/jobs/1358949211.44213/event?isDownload=true&timeFormat=%FT%T.%Q%:z&maxLines=0&count=500&filename=test&outputMode=raw&spl_ctrl-limit=limit&spl_ctrl-count=500.
This seems to be a known problem, I found some similar questions on splunkbase but did not find an answer. Are there any updates regarding this?
Cheers,
Andy
... View more
10-05-2012
02:41 AM
Hi,
thanks for the answer.
what we get is a report portrait format. But for better readability(scalability) the customer would like to have in portrait format.
Cheers,
Andy
... View more
