About boromir

boromir · ‎04-19-2023

Hi all, I need some support regarding ingestion of .pcap files to SPLUNK. We have another application that already creates .pcap files in a directory, and they rotate in a good enough manner.... on all of the needed machines(and I already have UF there as I am ingesting log files from these machines). I do not want /or need to push splunk to create new pcaps for me. I just want to transfer the files to SPLUNK, and hopefully be able to then analyze them there. I have read what I found regarding Stream App, and I have to say it is a bit inconsistent and unclear. I have architecture with UFs->HFs->IDXs->SHs. We have installed Stream app on the SH, the TA_stream on the SH, Indexers and HFs, I have Stream installed on UF as well. However I still do not see option for PCAPs in Data Input menu of settings. It is probably lack of configuration on my side, but I fail to find the documentation how to configure the app on each of the nodes. SPLUNK is 9.0.2/on Linux If someone has already gone through that challenge, I'd appreciate a piece of advice.

boromir · ‎01-16-2023

Hi all, I am at an impasse, and I do need some ideas how to overcome that. So here is the challenge. 1)I have CSV data coming into SPLUNK via UF(50+ sources); 2)Data is slightly restructured (not even always) , and later sent as DB_Output via SPLUNK DBConnect. 3)Data is output either using upsert(for several of the DBs, that need it), or without upsert(for the rest) 4)The automated search(for the DBoutput) is performed periodically (about once/hour, for X-amount of hours back), and it covers our needs regarding newly added data into previously added data sources. HOWEVER, and here is the main challenge, 5)When a new source is added, the CSV source files are already full of old data( older than X amount of hours, some times months) , thus though the data is indexed, it does not get DB-outputted(great word). However I have to send the old data as well. 6) Automated search for "all time" all the time is not applicable( 50+ sources, with often 10+ source files each) , the amount of "select"s sent to the target DB is too much and causes too much time for splunk to search plus the target DB is overwhelmed and stops responding. At this moment, I have a workaround solution , that involves modifying the automated output to search "All time" for that particular source, for 1 iteration, and then I change it back to normal, but, the sources keep increasing their numbers, and this solution is more and more inconvenient. I have a feeling that there is a better solution(easy solution) but it eludes me. If anyone could share ideas, that would be helpful. Have a great day!

boromir · ‎04-12-2022

So... Here is the outcome. And for some it could be a solution. After testing I can confirm that if MariaDB driver is used for the DB Connection, the normal SELECT(in case of a SQL query) works just fine, inputs are also fine, but when used for lookup the format switches to using Quotation marks instead of single quotations. Thus the return is an empty set, which brings no value to the lookup. With MySQL driver this does not happen.(that is one solution if you could afford it) I however, needed the MariaDB driver, so the solution that we found is actually changing a configuration on the SQL side , adding ANSI_QUOTES in sql.mode. This resolved the issue. So...I hope it helps 🙂 Have fun! RD

boromir · ‎03-31-2022

OK, OK.... I have an update on the matter. After some troubleshooting and log collection on the SQL side....I see that in both cases(Old environment, where things are still working, and in the new one, where it stopped) the SELECT is formed and sent towards the SQL side, however the command format is different, thus in one of the cases, the result is an empty set, resulting in failed dbxlookup. I hope this makes sense... but let me try to illustrate : working select : SELECT `id`, `user_id` FROM (SELECT * FROM `my_db`.`tbl_mytbl`) dbxlookup WHERE `id` IN (1,2,3,4,5,6,7,8,9,10,11,12,13); Non-working select: SELECT "id", "user_id" FROM (SELECT * FROM `my_db`.`tbl_mytbl`) dbxlookup WHERE "id" IN ('1','2','3','4','5','6','7','8','9','10','11','12','13'); Now... the quotes and apostrophes are the immediate reason, because, if I manually execute the selects with one format it works, with the other...as said (Empty set). Where is the difference, though. One is using MySQL connector for the DBC and the non-working case uses MariaDB connector. For good or for bad.... I need to use MariaDB connector for other reasons, but also need to find how to resolve the SELECT format.... Any ideas? regards! RD

boromir · ‎03-29-2022

So here is the issue. We have a distr. environment with a DBConnect 3.5.1 running on a HF. DBinputs and DBoutputs are seeing heavy use and are working, I used dblookup as well for a while( about a month ago) and it worked just fine. Today though neither the old dbxlookups, nor any of my new ones work. They return empty columns(column that should have been filled is there but no values are present). Here is a test example : | makeresults count=10 | streamstats count as id | dbxlookup connection="myconnection" query="SELECT * FROM `my_db`.`tbl_id_to_name`" "id" AS "id" OUTPUT "name" AS "name" I have an old environment which i use for tests with older DBC, and the same queries work over there(and as said, they worked a few weeks ago). I have triple-quadruple checked if the tables used for lookups have data inside, and yes they do......I am baffled, no idea what is going on. any suggestions?

boromir · ‎02-21-2022

Hi all, I am facing strange behavior, for which I can't find anything in the docs. I have a source that generates CSV files(comma sep.). They are indexed in a dedicated index, and sourcetype. A look-alike example : id,service_id,product_id,shop_id,user_id,blah_blah,whatever,name,date,client_id 1,34456789,12234,23,4,f,45678,ivan,2022-01-13 07:04:49,1 2,34452789,12134,25,4,f,45678,ivan,2022-01-13 07:14:49,1 3,34451789,12134,27,4,f,45678,ivan,2022-01-13 07:14:49,1 4,34451789,12134,27,4,f,45678,ivan,2022-01-13 07:15:49,1 5,34451789,12133,23,4,f,45678,ivan,2022-01-13 07:15:49,1 6,34456789,12234,23,4,f,45678,ivan,2022-01-13 07:04:49,1 7,34452789,12134,25,4,f,45678,ivan,2022-01-13 07:14:49,1 8,34451789,12134,27,4,f,45678,ivan,2022-01-13 07:14:49,1 9,34451789,12134,27,4,f,45678,ivan,2022-01-13 07:15:49,1 Now, the challenge no1 is that the script that generates the csv, can edit on already existing lines. challenge no2 is that this does not result in one and the same behaviors all the time. If a simple value is changed ( from 1 to 2, or from ivan to ivag - important is same number of characters) , the change is no-were to be found in the indexed data. However, if the change includes a change in the number of characters(say ivan becomes johnathan) then, the whole file is re-indexed with the new value, causing lots of duplications. I am sure that this must be documented somewhere....but I can not find it, thus can not really understand it. Does anyone know what is going on( I managed to find something in the community about splunk checking the first 256 char. of a file to decide, but I have tested changing both before 256 threshold and after it).....? Kind regards! rd

boromir · ‎11-04-2021

I had a similar issue. It started as normal push for a new Index configuration, however it was not pushed towards all indexers. My next moves might not have been the best, but I tried a Rollback, failing with the same error. Master app directory on the CM was empty. Once it failed all other push configurations failed with one and the same message as the one in the thread. The solution was the one proposed in the message , and it worked. However it was reassuring to have the directories back-uped first.

boromir · ‎07-28-2021

Had the same issue with distributed architecture UF/HF/indexers/SH on different machines. Tested with props.conf on all of the machines in order to extract the fields from a CSV source with no header line. Didn't work until we tried the proposed here..... props.conf with CSV configuration on the UF alone. It worked like a charm.

boromir · ‎07-19-2021

Using the key value for the upsert as the first column in the output worked for me. Output to MySQL.

boromir · ‎01-15-2021

hi, this thing does work and provide the expected result, I have to say that i was hping to make it a bit simpler, but hey, if it works, it works. Thanks!

boromir · ‎01-14-2021

Hi, unfortunately no, I tried it.....to no avail. I have also tried with changing the mx_span using eval span=tonumber(mx_span), in case the maxspan does like only integer values, but it didn't work.

boromir · ‎01-14-2021

Hi I am searching for an option to dynamically assign value for MAXSPAN in a transaction. The value should come as a result of a LOOKUP. So far I have no success whatsoever. I have tried the proposed solution here: https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398004 however this does not work for me, in particular the proposed solution "fixes" the maxspan to the value in the eval expression. which is 7m in this case. | makeresults | eval maxspan="7m" | map search="search index=_* | transaction host maxspan=$maxspan$" in essence i would like to be able to notify myself for related events that happen for a certain period of time, however that time and the number of event per each type is dynamically assigned as per the lookup. here is an example of my search line: sourcetype=servername host=hostname |lookup flex_test f1 as f1 OUTPUT mx_span AS mx_span , ev_count AS ev_count |transaction f1 f2 maxspan={dynamic value should come here} |eval alert = if(eventcount>ev_count,"ev_ALERT","OK") |...... and here is an example of the lookup table (tried different formats) f1,mx_span,ev_count 34,1,5 35,60,10 36,2m,5 kind regards!

boromir · ‎11-12-2020

Just an update, We got a different perspective now. We managed to take a fresh look at it , and as usual the problem was easy to solve and infront of our eyes. Date formats.....it is just that we are used to D/M/Y, while the SPLUNKs defaults are M/D/Y ..... 🙂 kind regards!

boromir · ‎11-11-2020

Hi, thanks for the response. I spent a bit more time trying to narrow down the actual problem, and have some new findings. The year change actually happened only once, and it could have been because of a SPLUNK restart, or restart of some of the machines with the Forwarders(or any other event) however, i managed to find out that it is not the year change was that is the real problem . It seems that the search plays some game with us when searching for events. here is an explanation. An event is logged and existing(known date, know hour) alert is triggered - correctly alert_fire event is logged correctly in _audit if search for the actual event in logs (_main index)is performed using "All time" option, the event is present in the results if the search is performed using any "Relative" option the event is not present - despite the event being within the relative range if the search is performed using "Date range" or "Date and time range" with "before" sub-option, the event is there and it is fine. If i use the aforementioned options with "Since or Between" sub-options.....nothing That is for every type of event , and so far I do not see any connection to Sourcetype or Host..... baffling isn't it....

boromir · ‎11-11-2020

Hi, I have several data sources that have each their own timestamp(different times, one format) due to Geo differences, however according to source_type time settings, they should all be indexed according to the time of the enterprise. That works like a charm most of the times, however every now and then, SPLUNk decides to change the year of my events from 2020 to 2019, or some other time change. This does not happen to all indexes, For example , I read the _audit for fired alerts, which are then dashboareded correctly, however, the events themselves are nowhere to be found, unless I decide to change the search to 2019. So far I can not relate such situations to anything out of normal. Any ideas? kind regards!

boromir · ‎09-02-2020

I have a similar issue..... my Real-Time alerts are triggering always, no problem with that, mails are being received, so no issue there. However the scheduled alerts are not always triggering. I have days when the alerts are fine, and then i have days when though the search finds an event, the alert is never triggered. We do suspect that the difference between system time and the time stamp of the event might have something into that, but will let you know if we manage to prove it. regards!

boromir · ‎08-04-2020

Hi all, I have to say , I found the issue that was bugging me. As suggested, it was something simple , that was in front of me all the time. Here is what didn't work: sourcetype="log2" | lookup ranges.csv comment OUTPUT state | table comment state And here is what worked: sourcetype="log2" | lookup ranges comment OUTPUT state | table comment state I can't believe I didn't figure it out earlier, but hey, learning is a process 🙂 Thanks!

boromir · ‎08-03-2020

Hi, Thanks, I will try to explain it better. My client provides me a table(csv 1000x lines , 2 columns) with prefixes that I will be able to find in the logs from the monitored equipment. Based on those prefixes, I have to structure them, assign them new values, which we will use later. Based on what I have read, Lookup with wildcard in the lookup table is the solution to my challenge, and based on https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/... I should be able to get exactly what i need, however , it still doesn't work. I have tested your example, but it gets me exactly the same result. The wildcard does not match. Kind regards!

boromir · ‎07-31-2020

Hi, Thanks for responding:) Exacltly the same. I feel like I am missing something. I can't even make the example work. As mentioned, I am now fighting to make the example from the link to work, and have completely put my put my case on the backburner. So here is what i have , and doesn't work: userlookup.csv user,username user*,USERNAME transforms.conf [userlookup] batch_index_query = 0 case_sensitive_match = 1 filename = userlookup.csv match_type = WILDCARD(user) Props.conf [log2] LOOKUP-user = userlookup user OUTPUT username ...And for the full picture : I think that the solution is in front of my eyes, but I fail to see it.

boromir · ‎07-31-2020

Hi all, I have a challenge, that i have been struggling for the past few days, and can't find the correct solution. I have read https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513 and done pretty much exactly the same thing, but it doesn't work for me. So here are the details. I have a simple lookup csv file (2 columns ), first one with starting digits prefix, state 23401*, log1 23402*,log2 34602*,log5 ....etc I have used the GUI to create the lookup definitions, but i have also double-cheked transformes.conf and props.conf. It is exactly as in the example in the link. I can't make the wildcard work for me. Here is a simple search line just to illustrate source="log2.log" host="prod-splunk-indexer" sourcetype="testsource" | lookup prefixlookup.csv prefix OUTPUT state | table prefix state If i create lookup with exact matches, it works for the match everytime, however, my client requires only prefixchecks, and to me WILDCARD is the only solution. Any ideas? PS. I have actually created exact replica of the case(user,username, userlookup, etc) in the linked example, still doesn't work Have a great day!

Posts	20
Solutions	3
Karma Given	7
Karma Received	2
Member Since	‎07-31-2020

Online Status	Offline
Date Last Visited	3 weeks ago

Already existing .PCAP to SPLUNK

Is it possible to add older data than the search p...

Why does the dbxlookup not return results?

How to Re-index from CSV sourcetype

dynamically assigned maxspan in transactions

wrong year in _time

WILDCARD in LookUp .csv files

Already existing .PCAP to SPLUNK

Is it possible to add older data than the search p...

Re: Why does the dbxlookup not return results?

Re: Why does the dbxlookup not return results?

Why does the dbxlookup not return results?

How to Re-index from CSV sourcetype

Re: Cannot push new index cluster bundle after rol...

Re: Why is INDEXED_EXTRACTIONS=csv not working in ...

Re: Splunk DB Connect - Error after enabling "Upse...

Re: dynamically assigned maxspan in transactions

Re: dynamically assigned maxspan in transactions

dynamically assigned maxspan in transactions

Re: wrong year in _time

Re: wrong year in _time

wrong year in _time

Re: Why is my alert not triggering?

Re: WILDCARD in LookUp .csv files

Re: WILDCARD in LookUp .csv files

Re: WILDCARD in LookUp .csv files

WILDCARD in LookUp .csv files