Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About misterduke
misterduke
Explorer
Member since:
07-07-2020
10-17-2020
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 07-07-2020 |
Activity Feed
- Posted Re: db connect event time mismatch on Getting Data In. 08-11-2020 01:56 AM
- Got Karma for Re: db connect event time mismatch. 08-07-2020 12:09 AM
- Posted Re: db connect event time mismatch on Getting Data In. 07-15-2020 06:04 AM
- Posted Re: Datamodel issues on Knowledge Management. 07-08-2020 08:11 AM
- Posted Re: db connect event time mismatch on Getting Data In. 07-08-2020 08:02 AM
- Posted Re: Downloading Free Enterprise Splunk to complete training on Installation. 07-08-2020 07:49 AM
- Posted Re: Universal Forwarder doesn't forward specific log on Getting Data In. 07-08-2020 07:43 AM
- Posted Re: Restart a UF via CLI / other remote means on Getting Data In. 07-08-2020 05:35 AM
- Posted Re: Universal Forwarder doesn't forward specific log on Getting Data In. 07-08-2020 03:44 AM
- Posted Re: Universal Forwarder doesn't forward specific log on Getting Data In. 07-07-2020 08:22 AM
- Posted Universal Forwarder doesn't forward specific log on Getting Data In. 07-07-2020 02:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
08-11-2020
01:56 AM
Hello, so basically the time of your event timestamp is "behind" the timestamp your indexer sets for the indexed event. therefore the events aren't using the given timestamp in the event. in the props.conf you need to define the sourcetype and set the following parameters to match the event timestamp: TIME_PREFIX MAX_TIMESTAMP_LOOKAHEAD TIME FORMAT as seen in : https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Configuretimestamprecognition With those you tell splunk to use the timestamp that is in the event itself rather than it's own time and therefore you eliminate the possibility of latency between _time and _indextime . hope that'll do
... View more
07-15-2020
06:04 AM
1 Karma
So usually with dbconnect you can set the used timestamp at "indexing time" or a specific field. do you have any other timestamp field which shows the creation of the dataset? if so, you can use this field as your timestamp and the "last update" as your rising column granted it changes everytime when something is changed in your dataset. if you already used another field OR the indexing time option in dbconnect and get a delay of exactly 1 hour in your timestamp then it's probably a timezone issue: - Splunk is per default indexing data in UTC. you can customize the timezone for dbconnect in dbconnections.conf (Edit connection > Settings ) - The Server in which Splunk resides has its own timezone configuration. when you use "indexing time" option you might need to tweak this configuration
... View more
07-08-2020
08:11 AM
Hello, here is a similar topic. did you try those steps? in a nutshell you should check the datamodel and the macro and look what's in it. if the datamodel uses a macro and this particular macro tries to search an index that doesn't exist, you get an error. if the SPL within the datamodel/macro lacks something, you get an error. you can expand macros btw with STRG (or command)+Shift+E hope that helps
... View more
07-08-2020
08:02 AM
Hello, some questions about your issue: - do you query the data from your database via batch or rising column? - is there a timestamp included in your data string ? (field with timestamp) - did you check the Timezone in your dbconnect database connection ? - does your splunk server have the correct time/timezone to begin with? maybe some of those questions give you a possible hint in the right direction. otherwise, I'm happy to help ofc
... View more
07-08-2020
07:49 AM
Hello, so I assume you mean on a windows machine hence the Program folder, correct? actually, when you download Splunk Enterprise from the official download source here , it's saved into "downloads" and there you need to start the *.exe file. If for whatever reason the download was interrupted and therefore the file is "broken", just delete it and download it from the source I've provided. if you need any further guidance, let me know
... View more
07-08-2020
07:43 AM
Ok, I solved the Problem. In order to restart Splunk via scripted Input I need to use this in my script: /opt/splunkforwarder/bin/splunk restart > /dev/null 2>&1 without /dev/null 2>&1 it results in stopping splunk but not starting again. Therefore not forwarding my logs
... View more
07-08-2020
05:35 AM
I know this topic may be old but I wanted to add, that this solved my scripted input problem too. I had a script in which I change some things and then want to restart splunk - only with the statement /opt/splunkforwarder/bin/splunk restart > /dev/null 2>&1 it works perfectly. otherwise, when I leave 2>&1 out it results in splunk stopping but simultaneously killing the skript process too. so splunk can't come up anymore. so, thanks for that valuable information
... View more
07-08-2020
03:44 AM
Now I've drilled down the problem: - in my scripted input, the bash script has to , after all changes, restart splunk - the restart doesn't work because it also kills the process the script needs to function. so it stops splunk, therefore kills the processes and that's it Question: how can I restart splunk after my script did all the changes?
... View more
07-07-2020
08:22 AM
okay I've split the inputs.conf. one with the monitor stanza in default and one with the scripted input in local. the script does mv the inputs.conf in local into backupinput after all other loops are good. the thing I've noticed is: my script runs fine and changes the passwd just as I want and writes the echo in my log file. still, my splunk doesn't get any new input. BUT when I manually vim into the log file and write down "test test" for instance - immediately it appears in my splunk.
... View more
07-07-2020
02:16 AM
Hello! It's my first time writing here so forgive me if my question may lack information. What I want to do: I want to execute a batch file via scripted input and write the output of this script into a specific log. then I want to send this log to be indexed in another server. all of this should later on be deployed within an app to a universal forwarder which executes the script, writes the log and sends it to a specific server into a specific index. What I've done so far: I've created an app which as a script in /bin that is basically changing the passwd of the universal forwarder and creating a log in which it echos certain statements. the script itself looks like this: #!bin/sh
FILE=/opt/splunkforwarder/etc/passwd
if test -f "$FILE"; then
echo $(date) " $FILE existiert." >> /opt/splunkforwarder/etc/apps/myapp/logging/changepw.log
#mv /opt/splunkforwarder/etc/apps/myapp/local/inputs.conf /opt/splunkforwarder/etc/apps/myapp/local/inputs.conf.bak
mv /opt/splunkforwarder/etc/passwd /opt/splunkforwarder/etc/passwd.bak
echo $(date) " $FILE wurde umbenannt und wird neu erstellt.Inputs.conf wurde deaktiviert" >> /opt/splunkforwarder/etc/apps/myapp/logging/changepw.log
/opt/splunkforwarder/bin/splunk restart
else
echo $(date) " $FILE existiert nicht." >> /opt/splunkforwarder/etc/apps/myapp/logging/changepw.log
fi so as of now it should do the following: - check if there is a passwd - if yes, rename it to passwd.bak , renaming my inputs.conf to inputs.conf.bak (so it uses the inputs.conf in default which has a deactivated scripted input) and then restart splunk. after each previous step it writes a message into changepw.log the inputs.conf looks like this: [script://./bin/change.sh]
disabled = 0
interval= -1
[monitor:///opt/splunkforwarder/etc/apps/myapp/logging/*]
disabled = 0
index = main my outputs.conf looks like this: [tcpout]
defaultGroup = splunk_indexer
[tcpout-server://<ip>]
[tcpout:splunk_indexer]
disabled = false
server = <ip>:9997 what the problem is: when I start the script it does at it was told. changing the passwd and renaming it to passwd.bak and writing all echos into a changepw.log then restarting splunk. for whatever reason it doesn't seem to send anything to my server. I've already checked whether my forwarder is active. it is I can ping the server from the UF I've created a test.log in the same folder in which my changepw.log resides and filled it with some text. after a few moments it appeared on my server, indexed. splunk is starting with user splunk and has all the necessary rights to execute, read and write anything within /splunkforwarder did I leave somthing out? I feel like I'm standing right in front of a wall. hope someone can help! edit: I've noticed that, when I deactivate the script in my inputs.conf and comment out the mv inputs.conf inputs.conf.bak part and start the change.sh, then it works just fine and my server shows the log. why can that be? I assume that, when I mv the inputs.conf the script ends even tho it already started. can that be? if so, the final question would be how does the script need to look like in order to do the following: - check if there is a passwd, if so change it to passwd.bak , write everything in a log and restart splunk. after restarting splunk should not start the script again.
... View more
Labels
- Labels:
-
scripted input
-
universal forwarder
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-17-2020
01:38 PM
|
