Nope. It uses Python 2. ... View more

Thanks! This works great unless the SAML role mapping has been deleted. ... View more

V8.2.6 - Still not fixed. https://docs.splunk.com/Documentation/Splunk/8.2.6/ReleaseNotes/Knownissues  SPL-212495, SPL-196040, SPL-219811 Excessive logging 'WARN SearchResultsFiles Unable to parse site_label, label=invalid due to err="Invalid site id: invalid"' for SearchResultsFiles Workaround: none ... View more

@RDAVISS That search doesn't work if you have the Splunk_SA_CIM installed because "action" will never equal "login attempt" [audittrail] EVAL-action = case(match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action) EVAL-app = if(match(_raw,"action\=login\sattempt"),"splunk",app) Try it without action= index=_audit "login attempt" "info=succeeded"   ... View more

We get these too but only when the add-on first starts. Then it seems like everything line breaks correctly. The suggested props config did not fix this for us.  ... View more

I don't currently have a mac to test with and I'm not a Mac guy but something like this might work. Add this to /etc/sudoers to permit the splunk user to run log without a password. splunk ALL = NOPASSWD: /path/to/log Edit the uf_macintosh/bin/mac_log_monitor.sh and add sudo to the command. FROM log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE TO sudo /path/to/log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE Let me know how it goes! ... View more

Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin. My answer here has a tar file that contains the script. https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html #!/bin/bash # Usage: ./mac_log_monitor.sh # Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE. DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh # Setup the date file. DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt # Setup the date file. if [ ! -e "$DATE_FILE" ] # Does the date file exist. then # No. date file does not exist. if [ ! -e "$DATE_PATH" ] then mkdir $DATE_PATH fi date -v -1w +"%F %T" > $DATE_FILE # Set start date to -1 week to get old logs. Redeploying overwrites this. fi START_DATE=`cat $DATE_FILE` # Set start date for log reading. date +"%F %T" > $DATE_FILE # Set new start date for next run. END_DATE=`cat $DATE_FILE` # Set end date for log reading. # File with keywords to grep from logs. INCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/include.conf # File with keywords to exclude from logs. EXCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf # Macintosh log command. Need to figure out predicaate so we can pull the logs we need instead of everything. #log show --predicate [] --style syslog --start [] --end [] --info --last [] # Should really have an if to check for the existance of include/exclude log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE ... View more

We updated /opt/splunk/share/GeoLite2-City.mmdb and started getting these errors. sha256sum in installed on RHEL so we did this. Get the new checksum. Change the checksum in the manafest. Validate. Restart. sha256sum /opt/splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 /opt/splunk/share/GeoLite2-City.mmdb vi /opt/splunk/splunk-*-manifest f 444 splunk splunk splunk/share/GeoLite2-City.mmdb c38113090d1910279f0eff39f0f4e69b8e1e76d9676a16d31d5735c7c9d15d37 splunk validate files Validating installed files against hashes from '/opt/splunk/splunk-*-manifest' All installed files intact. splunk restart ... View more

Your answer is just for Intrushield. What jbrocks is talking about sending ALL logs from ePO using syslog. KB87927 - How to set up an example syslog server for use with ePolicy Orchestrator That post has guidance using ELK. We are just getting started with this but we used RHEL w/TLS rsyslog and it works fine. We, like jbrocks, just need to read and parse the text file now. I think this is what we need Splunk to add support for. I know, I know, open an enhancement ticket. See you in a couple of years. ... View more

I ended up kludging a pretty generic scripted input that. Runs the log show command from start_date to end_date. Greps what you want using an include file. Greps out stuff with an exclude file. tar-zipped TA ... View more

Sorry I can't help other than to say that upgrading from 6.6.3 to 6.6.4 fixed it for us. Now we're on 7.1.4 with a whole bunch of new issues! ... View more

If you're talking about having the Inputs pull the data again, the checkpoint info is stored here $SPLUNK_HOME/var/lib/splunk/modinputs/sfdc_object. You can go there and delete the individual directories/files or just the ones you want to reset. ... View more

I tested this without the ctypes part and one of our daily asset queries is back to one minute instead of +30 minutes. Thanks Colin! ... View more

The Add-on only supports IDS, malware and inventory. You'll probably have to build out your own query. Probably start here and do a bunch of joins to fill in the data. | dbquery "McAfee_ePO_5" "SELECT * FROM UDLP_Incidents" limit=1000 ... View more

We didn't seem to have this issue before we upgraded from 6.6.1 to 6.6.3. Maybe it was an issue but not as bad but I'm pretty sure this is new with 6.6.3. There are no errors in the logs. In debug, I can see that the file rotates and splunk keeps looking at the .log.1 file descriptor and never changing offset. I did some more testing. Configured splunk to monitor .log*. It still just looks at the old .log.1 file. It doesn't seem to care about the brand new .log file that's getting a ton of new data! It doesn't seem to be monitoring the directory for changes. Anyway, the current work around that guarantees a consistent loss of data is to use copytruncate. Splunk keeps monitoring the same file so I don't lose a ton of logs anymore, just the 3 seconds that occur when the file gets truncated before splunk has re-read the new logs. ... View more

I enabled debug for these 3 process and found what I suspected. Splunk keeps monitoring the old log file even though there's a new /logs/file.log and the old file has been renamed to /logs/file.log.1. It keeps using the old file descriptor and offset until you restart splunk. 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:38.551 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500 11-06-2017 13:06:38.551 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991598 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:38.551 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms 11-06-2017 13:06:41.385 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:41.385 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:41.385 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:41.387 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:41.387 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:41.389 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500 11-06-2017 13:06:41.389 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991601 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:41.389 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms 11-06-2017 13:06:44.220 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:44.220 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Enqueued file=/logs/file.log in tailreader0 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:44.220 -0500 DEBUG TailReader - Start reading file="/logs/file.log" in tailreader0 thread 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Will attempt to read file: /logs/file.log from existing fd. 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - About to read data (Reusing existing fd for file='/logs/file.log'). 11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - seeking /logs/file.log to off=527773500 11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991604 11-06-2017 13:06:44.221 -0500 DEBUG WatchedFile - Reached EOF: fname=/logs/file.log fishstate=key=0x6284c567d04aff4f sptr=527773500 scrc=0x876eab63e055a62d fnamecrc=0x864d9a294109368b modtime=1509991604 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Finished reading file='/logs/file.log' in tailreader0 thread, disposition=NO_DISPOSITION, deferredBy=3.000 11-06-2017 13:06:44.221 -0500 DEBUG TailReader - Defering notification for file=/logs/file.log by 3.000ms 11-06-2017 13:06:47.052 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. 11-06-2017 13:06:47.052 -0500 DEBUG TailingProcessor - Deferred notification for path='/logs/file.log'. category.TailingProcessor=DEBUG category.WatchedFile=DEBUG category.TailReader=DEBUG ... View more

This is a known issue in v2 and has been for 2 years. Can't see it ever getting fix. 2015-12-4 TAG-9567 After you upgrade from version 1.x to version 2.x of the add-on, the custom commands (ldapsearch, ldapfetch, ldapfilter, ldapgroup, ldaptestconnection) are slower. The only "solution" is to roll back to v1. (Not a good solution.) ... View more

I think they just used the Universal Forwarder. The first line of the install instructions says this. Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens. ... View more

I downvoted this post because use tcpsendbufsz so you don't have to edit the registry. tcpsendbufsz was introduced after the initial answer. ... View more

You should mark this as answered. ... View more

Seriously? The "fix" is to manually install this on all my indexers and then manually configure it? I assume I can't use the master node to push this out because of the way the app handles passwords. The doc still says... Where to install it The Splunk Supporting Add-on for Active Directory can be installed on a search head or a heavy forwarder. It does not perform any function when you install it on an indexer or universal forwarder. This method of installation is valid for both single-instance and distributed environments. ... View more

So I think that you shouldn't have to restore the RB but you'll get errors if you don't. (I think that's a bug but I'm not sure and since I restored all my data already, it doesn't matter to me anymore.) More info at thawing-data-in-an-indexer-clustering-environment I used it and it worked for me but USE AT YOUR OWN RISK!!! I have this script on all of my indexers and yes, it does time out if it runs for too long. restore_buckets.sh #!/bin/bash # This script will copy frozen indexes to the thaweddb and restore them. # The user will be prompted for index, start time and end time. # The user will be prompted to list files to restore or restore. echo -n "$(tput setaf 2)$(tput bold)" echo -n "Enter the index you need to restore :$(tput setaf 7) " read index echo -n "$(tput setaf 2)$(tput bold)" echo -n "Enter the start time in epochtime :$(tput setaf 7) " read startTime echo -n "$(tput setaf 2)$(tput bold)" echo -n "Enter the end time in epochtime :$(tput setaf 7) " read endTime echo " $(tput bold)" echo " $(tput setaf 2)Restoring : $(tput setaf 7)$index" echo " $(tput setaf 2) From : $(tput setaf 7)`date -d @$startTime +\"%Y-%m-%d %H:%M:%S\"`" echo " $(tput setaf 2) Through : $(tput setaf 7)`date -d @$endTime +\"%Y-%m-%d %H:%M:%S\"`" #echo " $(tput setaf 2)File Count : $(tput setaf 7)`ls -dA $SPLUNK_DB/$index/frozendb/* | awk -v et=$endTime -v st=$startTime \ ## ## Added to fix awk problem when underscores are in the index name. cd $SPLUNK_DB/$index echo " $(tput setaf 2)File Count : $(tput setaf 7)`ls -dA frozendb/* | awk -v et=$endTime -v st=$startTime \ 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $0}' | wc -l`" echo " $(tput setaf 2)" echo -n "List files [y/n]: $(tput setaf 7)" echo -n " $(tput sgr0)" read listFiles if [ "$listFiles" != "n" ]; then echo "Start $(tput setaf 2)End$(tput setaf 7) File" # ls -dA $SPLUNK_DB/$index/frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} { "date -d @"$2 " +\"%Y-%m-%d %H:%M:%S\"" \ ## ## Added to fix awk problem when underscores are in the index name. ls -dA frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} { "date -d @"$2 " +\"%Y-%m-%d %H:%M:%S\"" \ | getline ET ; "date -d @"$3 " +\"%Y-%m-%d %H:%M:%S\"" | getline ST } $2 <= et && $2 >= st \ {printf("%s\t\033[32m%s\033[0m\t%s_\033[32m%s\033[0m_%s_%s_%s\n",ST,ET,$1,$2,$3,$4,$5)}' | sort -k3 fi echo "$(tput bold)" echo "$(tput setaf 2)This will copy file from $(tput setaf 1)$index/frozendb $(tput setaf 2)to $(tput setaf 1)$index/thaweddb." echo echo -n "$(tput setaf 2)Enter $(tput setaf 3)\"c\" $(tput setaf 2)to begin copying files. Any other input will skip this step. : $(tput setaf 3)" read startCopy if [ "$startCopy" == "c" ]; then echo "$(tput setaf 3)Copying files." # ls -dA $SPLUNK_DB/$index/frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $0}' \ ## ## Added to fix awk problem when underscores are in the index name. ls -dA frozendb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $0}' \ | xargs -I BUCKET /bin/cp -r BUCKET thaweddb echo "$(tput setaf 7)Done." fi echo echo -n "$(tput setaf 2)Enter $(tput setaf 3)\"r\" $(tput setaf 2)to begin the restore. Any other input will skip this step. : $(tput setaf 3)" read doRestore # The splunk restore command always generates the USAGE message and 2 other line. Send this to dev null. # The problem with that is you won't see the results of the restore. if [ "$doRestore" == "r" ]; then echo "$(tput setaf 3)Starting restore." # ls -dA $SPLUNK_DB/$index/thaweddb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $1"_"$2"_"$3"_"$4"_"$5}' \ ## ## Added to fix awk problem when underscores are in the index name. ls -dA thaweddb/* | awk -v et=$endTime -v st=$startTime 'BEGIN {FS = "_"} $2 <= et && $2 >= st {print $1"_"$2"_"$3"_"$4"_"$5}' \ | xargs -I BUCKET --max-procs=10 $SPLUNK_HOME/bin/splunk rebuild BUCKET 2>/dev/null echo "$(tput setaf 7)Restore complete. Splunk needs to be restarted." echo fi echo "$(tput setaf 7)$(tput sgr0)" ... View more

I down-voted this because it really didn't have much to do with my question. While it might a good idea, it doesn't consider a lot of issues that would come up. Off the top of my head, here's a couple of stopper issues for me. I'd have to copy terabytes of data from 7 indexers to a spare, multi-terabyte server that I really don't have. ... View more