Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ShaneNewman
ShaneNewman
Motivator
Member since:
07-25-2012
06-05-2020
Community Statistics
| Posts | 310 |
| Solutions | 35 |
| Karma Given | 339 |
| Karma Received | 85 |
| Member Since | 07-25-2012 |
Activity Feed
- Got Karma for Re: How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders?. 04-01-2021 10:58 AM
- Got Karma for S3 bucket with CSV files not extracting fields at index time. 06-05-2020 12:50 AM
- Karma Re: How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders? for acharlieh. 06-05-2020 12:49 AM
- Karma Re: Help with hot buckets rolling prematurely for sowings. 06-05-2020 12:49 AM
- Karma Re: Capabilities needed for a service account to enable Maintenance Mode and issue offline command for leonphelps_s. 06-05-2020 12:49 AM
- Karma RHEL/CentOS 7 & systemD not honoring ulimits for jethompson_splu. 06-05-2020 12:49 AM
- Got Karma for How do I add a dynamic _meta field pushed from deployment server to monitored files on Heavy Fowarders?. 06-05-2020 12:49 AM
- Got Karma for Re: Index cluster with multiple partitions. 06-05-2020 12:49 AM
- Karma Splunk Add-On for Google Cloud Platform: Splunk Add-on REST Handler ERROR[1021]: Fail to decrypt the encrypted credential information - Failed to get credentials for efferth. 06-05-2020 12:48 AM
- Karma How does DMC determine the status of its search peers? for lycollicott. 06-05-2020 12:48 AM
- Karma Re: Splunk not matching files with wildcard in monitor path in inputs.conf for ddrillic. 06-05-2020 12:48 AM
- Karma Mac OS X Sierra - How to get all logs from the Unified Log database? for managed_securit. 06-05-2020 12:48 AM
- Karma Re: Mac OS X Sierra - How to get all logs from the Unified Log database? for yannK. 06-05-2020 12:48 AM
- Karma Re: Color map not working on New Relic Splunk App for gpareesi11. 06-05-2020 12:48 AM
- Got Karma for Re: How to add a new Active Directory group to an existing LDAP strategy?. 06-05-2020 12:48 AM
- Karma Re: DB Connect: Why am I getting "Error connecting to /servicesNS/admin/dbx/dbx/dbmon: The read operation timed out" setting up Oracle DB input? for pmdba. 06-05-2020 12:47 AM
- Karma Re: How to configure inputs.conf and outputs.conf on the Heavy Forwarder to route data received from universal forwarders to the indexers? for rmorlen. 06-05-2020 12:47 AM
- Karma Re: Setting up Deployment Server to manage multiple instances on a single server for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Setting up Deployment Server to manage multiple instances on a single server for jrodman. 06-05-2020 12:47 AM
- Karma Re: How to merge multi-line messages to one event in search query for lguinn2. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
08-21-2019
02:35 PM
1 Karma
We have a S3 bucket containing many csv files, each with different header fields that need to be extracted at index time. The current configs in place for this is:
[aws:s3:csv]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1
KV_MODE = auto
SHOULD_LINEMERGE = false
HEADER_FIELD_LINE_NUMBER = 1
TRUNCATE = 999999
INDEXED_EXTRACTIONS = csv
This is on the heavy forwarder server that has the AWS add-on installed (latest version) in addition to being on the indexers. I have downloaded a sample csv file from S3 and imported it into Splunk via the UI and it parses correctly, yet it does not when setting this up via the Splunk_TA_aws app (UI or file) to use S3.
It seems that the AWS add on is causing it to ignore the HEADER_FIELD_LINE_NUMBER = 1 and INDEXED_EXTRACTIONS = csv setting entirely. Is anyone else seeing this, does anyone have a solution? Search time extractions are not an option here due to the fields changing frequently.
... View more
08-15-2018
07:03 AM
Its been a few weeks and I still have not gotten any useful feedback. Can anyone please provide assistance?
... View more
07-16-2018
11:26 AM
Hey, sorry for the delayed response, I was out sick for a few days.
I do get results back for that search.
... View more
07-11-2018
04:12 PM
Figured this out a while back and forgot to update the post.
Rsyncing the pem key to the host that is running the DB connect app and importing it into the keystore in the splunk_app_dbconnect app got me the desired results.
keytool -importcert -file /tmp/mypemkey.pem -keystore /opt/splunk/etc/apps/splunk_app_db_connect/keystore
- Default password for the keystore is 'password'
... View more
07-11-2018
03:52 PM
I am running into an issue with the Splunk App for Jenkins built in dashboards, the panels for Test Trends/Logs and Artifacts (under Build Analysis) are not loading and just return a blank screen.
I have isolated the javascript that powers the 2 tabs and the searches being used within the JS is returning data when run via the UI.
Everything else seems to be working properly - Build Trends and Build information populate correctly.
I have attempted to use the console in chrome to enable the debug feature but it is not returning any errors or warnings that are pointing to the cause of the issue. Additionally, when looking in _internal I am not seeing any warning or error message that could point to a cause either.
Permissions are correct, ownership is correct... I am not a guru when it comes to debugging JS code so any pointers/assistantance would be greatly appreciated.
... View more
01-19-2018
11:02 AM
I am trying to enable a connection from the Splunk DB Connect app to a MariaDB (MySQL) database in AWS, which requires SSL and a particular pem file to connect. I cannot find any specific documentation or examples on Answers on how to accomplish this. Can someone point me in the right direction?
I am using the MySQL 5.1 JDBC driver, if that matters - which supports SSL.
... View more
Labels
- Labels:
-
other
01-16-2018
03:09 PM
You might create a new sourcetype definition for this dataset in the props.conf that lands on the indexers and set it up something like this:
[docker:json]
NO_BINARY_CHECK=1
TIME_PREFIX = \"time\"\:\s+\"
MAX_TIMESTAMP_LOOKAHEAD = 200 (or larger)
TIME_FORMAT = %a %b %d %H:%M:%S %Y (for example)
TRUNCATE = 999999
BREAK_ONLY_BEFORE = ^\{\s+\"log\"
MUST_BREAK_AFTER = <timestamp_format_regex>:\s+\}
You will certainly have to update the regexes and such but that should get you most of the way there.
... View more
01-16-2018
02:58 PM
1 Karma
That should be perfectly fine. Might get a bit confusing in the indexes.conf depending on how many indexes you have setup. I might do something like this in the indexes.conf to make it easier to read and follow:
# Volume definitions
[volume:primary]
path = /opt/splunk/var/lib/splunk
[volume:hot]
path = /mnt/disk1/splunkdb
[volume:flash]
path = /mnt/disk2/splunkdb
# Indexes List
[index1]
maxDataSize = auto
maxHotBuckets = 3
homePath.maxDataSizeMB = 10000
homePath = volume:hot/index1/db
coldPath = volume:primary/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb
repFactor = auto
rotatePeriodInSecs=600
[index2]
maxDataSize = auto_high_volume
maxHotBuckets = 10
homePath.maxDataSizeMB = 500000
homePath = volume:flash/index2/db
coldPath = volume:primary/index2/colddb
thawedPath = $SPLUNK_DB/index2/thaweddb
repFactor = auto
rotatePeriodInSecs=600
... View more
01-11-2018
12:54 PM
If my theory is correct, you can search the os index for source=/var/log/zimbra.log and you will see data, unless you changed the name of the index from os to something else.
... View more
01-11-2018
12:37 PM
If I had to guess, I would say that you probably have the Splunk TA for linux installed, which monitors /var/log... This is a crap monitor stanza and is most likely causing a conflict with your monitor stanza. Add a blacklist to that /var/log monitor stanza for zimbra logs.
... View more
11-07-2017
07:40 AM
I have been researching the docs here: https://docs.splunk.com/Documentation/Splunk/6.6.3/Security/Rolesandcapabilities
There isn't a good mapping of what I am trying to accomplish here in the docs. We are trying to automate some routine maintenance and also enable our hardware teams to replace disks as they fail without requiring scheduling with our team - outside of approvals and verifications. Can someone assist me in identifying the minimum capabilities needed for this service account I have created (LDAP) to be able to perform the following:
Enable Maintenance Mode
Disable Maintenance Mode
Rebalance Primaries
Rebalance _raw data
Splunk offline
I have not listed splunk stop/start because those commands do not require authentication from the CLI.
... View more
11-04-2017
09:57 AM
What I have configured, which I do not like as it is not dynamic, is added:
_meta = heavy_forwarder::rsyslog.fqdn
To the /etc/system/local/inputs.conf file on each of the rsyslog hosts under the default stanza. I had to do this due to wanting to use the host regex on the monitor path for hostname. Also had to add the fields.conf on the IDXC/SHC members to be able to search for them properly. Don’t get me wrong, this works fine... It is just not as dynamic and requires me to start using puppet (which is ok, it is just another place for configurations that IMO should/could be managed by the deployment server dynamically via inputs.conf in specific inputs apps) to dynamically generate the rsyslog fqdn for the _meta tag I want to create in the system/local/inputs.conf file (per host) as new hosts are spun up.
This just seems like an oversite (not being able to use system variables in config files) - especially for systems running as Heavy Forwarders on Syslog hosts.
... View more
10-19-2017
11:41 AM
1 Karma
Just for clairification - I get $HOSTNAME in the field when I want it to be dynamic, so I don't have to set this up on system/local/inputs.conf on each host and hardcode the hostname.
... View more
10-19-2017
10:00 AM
1 Karma
I am working with a heavy forwarder tier that is running syslog where network devices are sending data. For ease of tracking where each file is being monitored from, I would like to add some metadata to the monitored files, that includes the heavy forwarder they are being collected from (this tier is load balanced so the data could land on any number of hosts).
I have tried adding _meta = heavy_forwarder::$HOSTNAME and that does not appear to be doing the trick - It actually just puts $HOSTNAME as the value.
Example monitoring stanza:
[monitor:///var/log/remote/my_network_device]
index = network
sourcetype = mysourcetype
ignoreOlderThan = 1d
disabled = false
host_segment = 4
blacklist = \.(gz|tgz|xz|\d{1})$
_meta = heavy_forwarder::$HOSTNAME
I have also tried to add _meta = heavy_forwarder::$HOSTNAME to the [default] stanza and it has the same results. I know I can hardcode the hostname in system/local/inputs.com - I just am trying to think of a much less manual solution to handle dynamic scaling of the HF tier.
Any help would be greatly appreciated.
... View more
07-27-2017
02:13 PM
Version 6.4.4
... View more
07-27-2017
02:12 PM
Sanford,
Are you aware of any tuning that I can do on the CM/Indexers to reduce the amount of time it takes buckets to register, aside from the obvious reduce the amount of buckets?
... View more
07-27-2017
02:07 PM
The CM doesnt appear to be overloaded from a resource perspective. CPU is averaging 80% idle over the last week with at least 4GB/RAM free. Load is around 1.2.
Whats wrong with 750MB hot buckets? Getting 20GB per day/12 = 1.7GB per indexer. 3X750MB hot buckets is ~2GB... seemed pretty close to me.
... View more
07-27-2017
01:55 PM
Hey mmodestino,
Utilization on the indexes for the homePath are very low, less than 50% in some cases. I update the index configs every month based on the prior month's trends to get as close to 100% utilization as I can of the homePath. I have been using the DMC and sowings FireBrigade app to research this issue. Nothing overly helpful in finding the "why" this is happening, just things pointing out the fact that it is happening.
... View more
07-27-2017
01:49 PM
Sandy,
I figured you would chime in on this at some point. I have been using fire brigade to configure the settings on the indexes the past few months and it has been very helpful. I thought of that particular scenario though. We have had some network connectivity issues over the last few months and the CM was a bit overloaded, we have since resolved those issues and the problem has lessened but it is still happening.
I am going to update the log levels on these to debug to see if I can glean any additional insight:
category.BucketMover
category.BucketReplicator
category.DatabaseDirectoryManager
category.HotBucketRoller
category.HotDBManager
category.IndexerIf
category.IndexWriter
Are there any others you would suggest turning up? If I cannot find anything after doing this I will submit a case and involve the "Andrews".
... View more
07-27-2017
01:39 PM
I just verified for the hot buckets recently rolled that the events are pretty well grouped, some were a week or two old but for the most part they are only days old. I do see some messages about max number of hot buckets and it adding a new one. I cannot find any reasons to rolling the bucket other than that.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma from
Karma given to
