Activity Feed
- Karma Re: Upgrade Splunk All-in-one - Loss of logs on Universal Forwarder for gcusello. 11-17-2020 02:35 AM
- Posted Re: Upgrade Splunk All-in-one - Loss of logs on Universal Forwarder on Getting Data In. 11-17-2020 12:39 AM
- Posted Upgrade Splunk All-in-one - Loss of logs on Universal Forwarder on Getting Data In. 11-13-2020 08:53 AM
- Posted Error while upgrading Splunk Enterprise 7.2.4.2 to 8.0.5 on Installation. 08-05-2020 08:06 AM
- Karma Re: Microsoft IIS - Remove 0#.w| with transforms.conf and props.conf for richgalloway. 08-05-2020 01:12 AM
- Posted Microsoft IIS - Remove 0#.w| with transforms.conf and props.conf on Getting Data In. 06-30-2020 12:37 AM
Topics I've Started
11-17-2020 12:39 AM

Thank you for your reply @gcusello. Indeed, stopping the indexer is a good idea. Yes, I ran the Splunk Upgrade Readiness app and, according to the result, I do not have any blocking apps, only warnings. I will spend some time upgrading all my apps, but it is not blocking for the upgrade itself.
11-13-2020 08:53 AM

Hello everyone,

I am planning to upgrade my all-in-one Splunk, which is on version 7.2.4, to 8.1. According to the upgrade documentation, I am able to perform this upgrade. However, I have a little question.

Actually, I am using a deployment server and I am collecting logs from universal forwarders only. According to the documentation, I do not have to stop my indexer during the upgrade, so in this case I will not lose any logs during the upgrade. If we follow the documentation, the upgrade sounds very easy, but we never know what can happen during an upgrade.

My all-in-one Splunk is installed on a virtual machine and I will take a snapshot. I will roll back if any problem happens during the upgrade. During the upgrade my UFs will keep sending logs to my indexer, but if I roll back, every log that my UFs sent to my indexer will be lost. What can I do to prevent this loss of logs?

Thank you for your replies.

Labels: universal forwarder, Windows
08-05-2020 08:06 AM

Hello everyone,

I am trying to upgrade my all-in-one Splunk Enterprise, which is currently on version 7.2.4.2, to the latest version, 8.0.5. According to the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Installation/HowtoupgradeSplunk I can do it without any intermediate upgrade. I tried to upgrade according to this documentation: https://docs.splunk.com/Documentation/Splunk/8.0.5/installation/UpgradeonWindows

I checked with the "Splunk Platform Upgrade Readiness App"; I do not have any critical points, only warnings which I can handle right after updating.

Here is what I am doing in order to upgrade my Splunk Enterprise. I downloaded the latest version from https://splunk.com/downloads and then stopped the entire Splunk with the command:

    $SPLUNK_HOME$/bin/splunk stop

to be sure that nothing can create a conflict during the upgrade (according to the official documentation it is not mandatory, contrary to a Linux server). My Splunk is installed on an attached drive located at "S:\"; I modified my props.conf in order to change the environment variable $SPLUNK_HOME$. Through both methods (GUI and CLI) it returns these screens:

I read on other posts to run the CLI as admin and used this command:

    msiexec.exe /i splunk-8.0.5-a1a6394cc5ae-x64-release.msi /l*v S:\TEMP\Splunkinstall.log INSTALL_DIR="S:\Splunk"

I am trying to upgrade with the same local admin account that I used for my first installation. I guess the wizard detected that a Splunk is already installed, because I only get these 2 screens:

And here is the pop-up error which is displayed 3 times in a row:

Then it starts "Copying new files" to the C:\ hard drive (where my OS is installed). The log file generated through the installation is very verbose, but I did not find anything interesting in it when the "installation failed" pop-up happened.

Do I need to overwrite my "S:\Splunk" folder with "C:\Program Files\Splunk"? I guess that this installer is made in order to avoid this messy upgrade. What can I do in order to upgrade my Splunk installed on my "S:\" hard drive?
06-30-2020 12:37 AM

Hello everyone,

I am trying to remove this string "0#.w|" with a transforms.conf file. To be sure that my regex is working, I tried it with the rex command:

    | rex field=cs_username "(^[^|]+\|(?<cs_username>[^|]+)$)"

I just want to overwrite the field "cs_username" without this string. It works! Now I want to put this regex in a transforms.conf and in props.conf. I am not sure that I can do this, but here is what I am trying to do:

transforms.conf

    [username]
    SOURCE_KEY = cs_username
    REGEX = ^[^|]+\|(?<cs_username>[^|]+)$
    REPEAT_MATCH = true
    MV_ADD = true

props.conf

    TRANSFORMS-mynewusername = username

I reload on the indexer by using the command:

    | extract reload=true

But apparently it is not working, which is why I am asking: is it possible to use a field, as I did through the rex command in the GUI, in the transforms.conf file?

Thank you for your answers,

Labels: indexer, props.conf, transforms.conf
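As an added example (editor's configuration, not from the post), here is the same extraction written as a search-time extraction: `REPORT-` in props.conf applies a transform when a search runs, whereas `TRANSFORMS-` is applied at index time against `_raw`, before search-time fields such as `cs_username` exist. The sourcetype stanza name `iis` and the new field name `cs_username_clean` are assumptions; the commented `EVAL-` line is an alternative that needs no transforms.conf at all.

```ini
# props.conf  (stanza "iis" is an assumed sourcetype; use the one your IIS data has)
[iis]
# REPORT- = search-time field extraction. TRANSFORMS- would be index-time and
# would run against _raw, where no cs_username field exists yet.
REPORT-strip_username_prefix = strip_username_prefix

# Alternative without transforms.conf: a calculated field is evaluated after
# field extraction and may overwrite cs_username in place ("0#.w|alice" -> "alice").
# The pipe is written as a character class to avoid any escaping question.
# EVAL-cs_username = replace(cs_username, "^[^|]+[|]", "")


# transforms.conf
[strip_username_prefix]
# Apply the regex to an already-extracted field instead of to _raw
SOURCE_KEY = cs_username
# Capture everything after the first "|" into a NEW field name. A search-time
# extraction into a name that already holds a value is discarded by default;
# with MV_ADD = true it would instead become a multivalue field holding both
# the original "0#.w|alice" and "alice", which is not what we want here.
REGEX = ^[^|]+\|(?<cs_username_clean>[^|]+)$
```

After saving both files, run `| extract reload=true` (as in the post) and check the result with a search ending in `| table cs_username cs_username_clean`.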