Activity Feed
- Got Karma for Re: Cloud Snowflake DB Connect Integration. 06-05-2020 12:50 AM
- Karma Re: Not able to get Correct Cert working on SH for MuS. 06-05-2020 12:49 AM
- Karma Re: How can I set a custom linemerge sourcetype event break regex to ensure that an entire event is ready to be captured for bestpa. 06-05-2020 12:48 AM
- Karma Re: Is it better to use 'offline' mode or 'maintenance mode' in a multisite indexer cluster when a peer node will be down for an extended amount of time for maintenance? for dxu_splunk. 06-05-2020 12:48 AM
- Karma Re: Cacti Mirage Add-On for Splunk: Why are no hosts being reported? for mattymo. 06-05-2020 12:48 AM
- Karma Re: How to use the timewrap command and set an alert for +/- 10% on compared values? for mattymo. 06-05-2020 12:48 AM
- Karma Re: timechart span over custom period of day for woodcock. 06-05-2020 12:47 AM
- Karma Re: How do you "fillnull" a sparkline field? for martin_mueller. 06-05-2020 12:46 AM
- Posted Re: Cloud Snowflake DB Connect Integration on All Apps and Add-ons. 10-30-2019 01:11 PM
- Posted Re: Not able to get Correct Cert working on SH on Deployment Architecture. 05-29-2018 08:11 PM
- Posted Re: Cisco Networks App/Add-on on All Apps and Add-ons. 05-29-2018 07:38 PM
- Posted Re: Splunk package CLI is not bundling my saved searches or event types. Why? on Splunk Dev. 08-22-2017 06:28 AM
Topics I've Started
No posts to display.
10-30-2019
01:11 PM
2 Karma
Hi there,
Please try the following steps:
Make sure you download the latest Snowflake JDBC Driver jar version and NOT javadoc.jar:
https://docs.snowflake.net/manuals/user-guide/jdbc-download.html#downloading-the-driver
OR https://search.maven.org/classic/#search%7Cga%7C1%7Csnowflake-jdbc
Drop the .jar file (driver) under $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers
Create or update db_connection_types.conf under $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local with the following:
[snowflake]
displayName = Snowflake
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
jdbcDriverClass = net.snowflake.client.jdbc.SnowflakeDriver
jdbcUrlFormat = jdbc:snowflake://<host>:<port>/?db=<database>
ui_default_catalog = $database$
port = 443
Restart Splunk
Now, the Snowflake Driver should be available via the UI
Create a new Identity with your Snowflake credentials
Create a new Database Connection for Snowflake with the following:
Snowflake Identity
Snowflake Connection Type
Select the Timezone set/used by your Snowflake Database/Environment
Check the "Edit JDBC URL" checkbox; the URL will have to be provided manually as per
https://docs.snowflake.net/manuals/user-guide/jdbc-configure.html or something similar to
jdbc:snowflake://<account_name>.snowflakecomputing.com/?<connection_params>
OR jdbc:snowflake://<account_name>.snowflakecomputing.com/?db=<database>&warehouse=<warehouse>&schema=<schema>
Replace all the <parameters> to reflect your environment.
Make sure that Read Only is unchecked, as this parameter is not available on Snowflake.
Fetch size can be left alone
Your Database Connection should look as follows: [screenshot]
The JDBC URL can be adapted as per your environment as long as it matches their JDBC Driver Connection String: https://docs.snowflake.net/manuals/user-guide/jdbc-configure.html#jdbc-driver-connection-string
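As an added example (not the poster's own code), the following parses the db_connection_types.conf stanza above and builds and sanity-checks the URL that goes into the "Edit JDBC URL" field, catching the two mistakes the steps warn about: a missing conf key and an unreplaced <parameter>. The conf copy and the account/database/warehouse/schema values are constructed sample data.

```python
"""Check a Snowflake connection type stanza and the hand-edited JDBC URL."""
import configparser
import re
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the stanza from the post; Splunk .conf files are INI-like.
CONF_TEXT = """
[snowflake]
displayName = Snowflake
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
jdbcDriverClass = net.snowflake.client.jdbc.SnowflakeDriver
jdbcUrlFormat = jdbc:snowflake://<host>:<port>/?db=<database>
ui_default_catalog = $database$
port = 443
"""

REQUIRED_KEYS = ("displayName", "serviceClass", "jdbcDriverClass", "jdbcUrlFormat", "port")
PLACEHOLDER = re.compile(r"<[^<>]+>")  # anything still written as <parameter>


def load_connection_type(text, stanza="snowflake"):
    """Parse one stanza and return (settings, list of missing required keys)."""
    cp = configparser.ConfigParser(interpolation=None)  # keep "$database$" literal
    cp.optionxform = str  # preserve key case: jdbcDriverClass, not jdbcdriverclass
    cp.read_string(text)
    section = dict(cp[stanza])
    missing = [k for k in REQUIRED_KEYS if k not in section]
    return section, missing


def build_jdbc_url(account, db, warehouse, schema):
    """Second URL form from the post, with every <parameter> substituted."""
    return (f"jdbc:snowflake://{account}.snowflakecomputing.com/"
            f"?db={db}&warehouse={warehouse}&schema={schema}")


def check_jdbc_url(url, expected_port="443"):
    """Return a list of problems; an empty list means the URL looks usable."""
    if PLACEHOLDER.search(url):
        return ["unreplaced <placeholder> left in URL"]
    problems = []
    if not url.startswith("jdbc:snowflake://"):
        problems.append("URL must start with jdbc:snowflake://")
    parts = urlsplit(url[len("jdbc:"):])  # urlsplit handles snowflake://host/...
    if not (parts.hostname or "").endswith(".snowflakecomputing.com"):
        problems.append("host is not an <account>.snowflakecomputing.com name")
    if parts.port is not None and str(parts.port) != expected_port:
        problems.append(f"port {parts.port} differs from conf port {expected_port}")
    if "db" not in parse_qs(parts.query):
        problems.append("missing ?db= parameter")
    return problems
```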
05-29-2018
08:11 PM
btool never lies and this usually means either:
the file is not accessible by the Splunk user
web.conf not in the right location - $SPLUNK_HOME/etc/apps//[default|local]/web.conf
configuration file precedence - http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles
perhaps check file md5 checksum - maybe corrupted file?
What path does it point to when using:
splunk cmd btool web list settings --debug
05-29-2018
07:38 PM
Hi splunknvi,
First: It would be good to know what your Splunk architecture is, especially how you are feeding the Syslog to Splunk.
Are you simply using a standalone instance that does both the Search Head and Indexer? From your post, I would assume it is.
(The reason behind that question is to figure out where your parsing phase is (Heavy Forwarder or Indexer), since the Technical Add-on (TA) will need to be installed on that specific instance as well.)
Since you are able to search sourcetype="cisco:ios" or source="udp:514", verify that the fields are being extracted accordingly.
Installation matrix:
Install TA on the Search Head and Heavy Forwarder or Indexers (depending on your data flow)
Install the App on the Search Head only
Second: Syslog event format and data flow - it is possible that the events being received are not in the format expected by the TA. Feel free to share a raw event (obfuscate any confidential information) and/or share your data flow with us (i.e. Syslog-ng server with UF --> IX).
Third: The next thing I would ask is: where is your data being indexed - which index? If you used a custom index (i.e. index=cisco_ios), make sure the index is part of the "Indexes searched by default" in your user role (Settings > Access Controls > Roles > your_current_role > Indexes searched by default). By default, Splunk searches the main index if an index is not specified in your SPL search.
Example - This SPL search will only search inside the default searched indexes (default: index=main):
eventtype=cisco_ios
Fourth: Edit the cisco_ios_index macro (default: index=ios) to include the index where the data resides, i.e. index=ios OR index=your_index
Anyhow, let us know what you figured out or if you require further assistance.
Regards,
Philippe
08-22-2017
06:28 AM
Hi @mumblingsages,
Could you check if your reports, eventtypes or any other knowledge objects are under your app folder: $SPLUNK_HOME/etc/apps/your_app_name/default or /local?
My first thought would be to verify that your knowledge objects are not Private; they need to be shared to the app. If they are private, they won't be part of the package, as private objects are under $SPLUNK_HOME/etc/users/...
However, please let me know if that is the case.
Thanks,
Philippe