Hi all,
I did a search and found an answer, but it is from 2013 and does not appear to be relevant any longer. Where can I find the checksums for the downloads? In my case, I'm looking for the checksum for the splunk-6.5.2-67571ef4b87d-Linux-x86_64.gz file.
Thanks!
Andrew
That's what I thought was happening. I'd like to see what you see when you click on the events tab, the raw logs or a csv with each field in it. If Splunk can show you the related events why can't you export what you see?
From the GUI, you should also see "Raw Events" as an export option along with json, xml, and csv; however, I do not see Raw Events when I have a search that has the stats command present or returns a table. Any idea how to get around this?
Updating Answers with relevant info.
Upon startup of a new Splunk version, Splunk ($SPLUNK_HOME/lib/python2.7/site-packages/splunk/clilib/migration.py) scans every file in its directory structure ($SPLUNK_HOME). Unfortunately for us, we have a NAS appliance mounted under $SPLUNK_HOME, used for retention purposes, that takes a daily snapshot of every file and stores it: 58 files for 58 days. This scan took about 14 hours to complete. The temporary solution is to edit the script (and manage it going forward during upgrades until a solution can be found).
Script edit ($SPLUNK_HOME/lib/python2.7/site-packages/splunk/clilib/migration.py), change .snapshot to whatever you'd like to avoid scanning.
def findPreviewFiles():
    # skip over .snapshot subdirectories, which cause sadness when
    # SPLUNK_HOME is a netapp mountpoint with exposed snapshot dirs
    return comm.findFiles(comm.splunk_home, "\\.%s$" % EXT_MIGRATE,
                          skipdir_pattern=r"[\\/].snapshot$")
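To show what the skipdir_pattern edit above actually does, here is an added example (not Splunk's code, and not from the post): a stand-in for comm.findFiles that prunes snapshot directories before os.walk descends into them, run over a constructed directory layout. EXT_MIGRATE, find_files and the fixture paths are assumptions; the pattern escapes the dot in .snapshot, which the post's version leaves unescaped.

```python
import os
import re
import tempfile

EXT_MIGRATE = "migratePreview"  # constructed value; the page does not give the real one


def find_files(root, pattern, skipdir_pattern=None):
    """Hypothetical stand-in for Splunk's comm.findFiles.

    Returns paths under `root` whose basename matches `pattern`; any directory
    whose full path matches `skipdir_pattern` is pruned before descent, so a
    NAS ".snapshot" tree is never walked at all.
    """
    name_re = re.compile(pattern)
    skip_re = re.compile(skipdir_pattern) if skipdir_pattern else None
    matches = []
    for dirpath, dirnames, filenames in os.walk(root):
        if skip_re is not None:
            # Mutating dirnames in place is how os.walk is told not to descend.
            dirnames[:] = [d for d in dirnames
                           if not skip_re.search(os.path.join(dirpath, d))]
        matches.extend(os.path.join(dirpath, f) for f in filenames
                       if name_re.search(f))
    return sorted(matches)


def find_preview_files(splunk_home):
    # Same call shape as the patched findPreviewFiles() in the post, with the
    # dot escaped and "$" anchoring so ".snapshots-old" is NOT skipped.
    return find_files(splunk_home, "\\.%s$" % EXT_MIGRATE,
                      skipdir_pattern=r"[\\/]\.snapshot$")


def build_fixture():
    """Constructed layout: one live preview file plus copies frozen inside two
    daily snapshots, and a look-alike directory the pattern must not match."""
    home = tempfile.mkdtemp()
    for rel in ("etc/system/local/web.conf.migratePreview",
                "etc/.snapshot/day01/web.conf.migratePreview",
                "etc/.snapshot/day02/web.conf.migratePreview",
                "etc/.snapshots-old/web.conf.migratePreview"):
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return home


def relative_hits(home):
    return [os.path.relpath(p, home) for p in find_preview_files(home)]
```

Without the skipdir_pattern the same walk visits all four files; with it, the two snapshot copies disappear while the look-alike directory is still scanned.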
Just as the title states.
Oddly enough, I've upgraded to 6.1.1 from 6.0 three times without issue. This time, when we start Splunk it hangs with the message "Checking for possible UI view conflicts".
Any ideas?
Exact commands used to upgrade:
1) Copy upgrade TAR from DEV to UAT
Log in to u-wcm-splunk
su wcsplnku
mkdir /tmp/splunk_upgrade
scp @d-wcm-splunk:/tmp/splunk_upgrade/* /tmp/splunk_upgrade
2) Copy /apps/wcm-splunk to apps/splunk-bak (or backup anywhere)
mkdir /apps/splunk-bak
rsync -av --progress /apps/wcm-splunk /apps/splunk-bak --exclude archive
3) Stop Splunk
/apps/wcm-splunk/bin/./splunk stop
4) Install upgrade
tar -xvf /tmp/splunk_upgrade/splunk-6.1.1-207789-Linux-x86_64.tar -C /apps/ --transform s/splunk/wcm-splunk/
( chmod -R 755 /apps/wcm-splunk/ if not owned by wcsplnkp users)
5) Copy the following files from the lower environment to the appropriate directories:
cp /tmp/login.css /apps/wcm-splunk/share/splunk/search_mrsparkle/exposed/css/
cp /tmp/web.conf /apps/wcm-splunk/etc/system/local/
cp /tmp/application.css /apps/wcm-splunk/etc/apps/CharlesRiverInfoSec/appserver/static/
cp /tmp/default.css /apps/wcm-splunk/share/splunk/search_mrsparkle/exposed/css/skins/default/
6) Start splunk
/apps/wcm-splunk/bin/./splunk start --accept-license --answer-yes
Aha! I think I figured it out. I copied the upgrade file over as my own user, then untarred it as the application user, as you should. I think the permissions on the files then retained MY (not the application user's) ID's permissions, causing a bunch of permissions issues.
In Dev I did a chmod 777 * in /$SPLUNK_HOME and now everything works.
So I think that was my issue….
I upgraded my dev instance today from 6.0 to 6.1.1 and am all of a sudden getting this error:
Problem parsing indexes.conf: stanza=charlesriver Required parameter=homePath not configured
Which indexes.conf file is this referring to and what does it mean?
This is the content of my etc/apps/CharlesRiverInfoSec/local/indexs.conf file:
[charlesriver]
coldPath = $SPLUNK_DB/charlesriver/colddb
homePath = $SPLUNK_DB/charlesriver/db
thawedPath = $SPLUNK_DB/charlesriver/thaweddb
maxTotalDataSizeMB = 500000
Obviously I do have a homePath here.
I ended up automating a cp cmd and adding the date on the end of the file.
cp <origfilepath> <newfilepath>_`date +"%Y%m%d"`.csv
The easiest way to do this is via crontab, but we use other means (autosys).
I also need to use the sourcefile name in the crcSalt as well in inputs.conf
crcSalt = <SOURCE>
To answer the why: it's a list that is maintained; however, we need the ability to go back in time and view the state of the list on any particular date. I was thinking that as well, but was hoping there was a better way using inputs.conf or a similar setting.
That did not seem to work. Instead I used a case to check the day of the week:
| where Date > case(strftime(now(),"%w")="1", relative_time(now(), "-3d@d"), strftime(now(),"%w")!="1", relative_time(now(), "-1d@d"))
Is there a function to return the last weekday?
Instead of:
relative_time(now(), "-1d@d")
Is there any notation to say workday or weekday?
That did not work, but it put me on the right path. I'm not sure if it's @mon that isn't working or what, but this works:
| where Date > relative_time(now(), "-31d@d")
I have 3 searches that I'm appending. Each returns a Name and Date. Then I take the maximum of each of the Dates and show it.
Now I'd like to show only those that have a Date in the last month. How can I do this? earliest does not seem to be working, likely because I may be stripping the _time off when I turn it into a stats table (not sure?).
If I do individual earliest or use the time picker it limits the entire search, which I do not want to do.
Any advice?
Basically I'm taking the append results and doing a
| stats max(Date) as Date by LogonName
I tried
| stats max(Date) as Date by LogonName | Search earliest=-28d
but did not get the results I'm expecting (no results!)
Any advice guys and gals?