Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About GaetanVP
GaetanVP
Communicator
Member since:
01-29-2021
Friday
Community Statistics
| Posts | 63 |
| Solutions | 1 |
| Karma Given | 213 |
| Karma Received | 7 |
| Member Since | 01-29-2021 |
Activity Feed
- Karma Re: Schedule cron job for base report for isoutamo. Friday
- Posted Re: Schedule cron job for base report on Alerting. Friday
- Karma Re: Why am I not seeing Forwarders? for gcusello. Friday
- Posted Why am I receiving unwanted HB (Heartbeat ?) logs from my Heavy Forwarder? on Getting Data In. Friday
- Karma Re: Splunk Forwarder logs to Splunk Indexer for sowings. Thursday
- Karma Re: Splunk Forwarder logs to Splunk Indexer for yannK. Thursday
- Karma Re: Why am I receiving "splunk-cooked-mode-v3" data from a universal forwarder in the format "\x00\x00\x00..."? for MuS. Thursday
- Karma Re: What does the heartbeatFrequency setting do in outputs.conf? for wrangler2x. Thursday
- Karma Re: Services typically running on a heavy forwarder? for isoutamo. a week ago
- Karma Re: Splunk search to build a table for PASS and FAIL percentage for ITWhisperer. a week ago
- Karma Re: Splunk search for PASS and FAIL for ITWhisperer. a week ago
- Karma Re: web console error for gcusello. a week ago
- Karma Re: Need to modify the search query to get the count of fields separately for gcusello. a week ago
- Karma Re: How to make a shortcut to a page in an app from my own app? for gcusello. a week ago
- Karma Re: Stop Data ingestion to Splunk permenantly. for gcusello. a week ago
- Karma Re: How to keep particular parts of a raw event using regex and drop the rest before indexing? for richgalloway. a week ago
- Karma Splunk Add-on for Microsoft - SSL Issue when upgrading to enterprise v9? for brdr. 2 weeks ago
- Posted Indexers outage - What can I do to troubleshoot? on Getting Data In. 3 weeks ago
- Karma Azure AD sign-ins report MFA to Splunk for laauespinosa. 3 weeks ago
- Karma Re: What is the cause of these socket errors reported in splunkd.log since upgrading to 6.0? for hexx. 03-20-2023 07:59 AM
Friday
Hello ! As @ITWhisperer suggested, you can use his complementary cron expression, but I think you will need to duplicate your first report. Should do the work, good luck !
... View more
Friday
Hello Splunkers,
Here is my use-case : I am cloning some events that arrive to my Heavy Forwarder and then forward those cloned event to another Splunk (standalone - free trial) machine.
I am able to receive the logs on my targeted machine with the following configuration :
On my HF (sender / forwarder)
transforms.conf
[srctype-clone] CLONE_SOURCETYPE = mynewsrctype REGEX = .* DEST_KEY = _TCP_ROUTING FORMAT = tcp_output_conf
outputs.conf
[tcpout:tcp_output_conf] server = <ip>:<port> sendCookedData = false
On my Splunk standalone machine (receiver)
inputs.conf
[tcp://15601] disabled = false index = whatever_index sourcetype = mynewsrctype
Based on that I have some questions...
- First, I am receiving the logs but also some unwanted logs containing only "HB", does it correspond to Heart Beat ? Why do I received that ? - Should I use splunktcp instead of tcp on my receiver ? - Should I use enableS2SHeartbeat = true on my receiver ? - Should I use sendCookedData = true on my sender ?
Thanks a lot for your help !
Regards, GaetanVP
... View more
Labels
3 weeks ago
Hello Splunkers, I am facing a problem with my indexers that are not able to index anymore. Neither the data forwarder to those indexers, neither the internal Splunk logs... I even tried to index data (simple txt file) directly from the indexer GUI, I do not get any error but my selected indexe will not be filled/updated.
Any clue what I can do to troubleshoot ? There is nothing in splunkd.log file, what other logs should I check?
Regards, GaetanVP
... View more
Labels
- Labels:
-
indexer
01-27-2023
05:25 AM
Hello Splunkers,
Here is my use-case : I am monitoring apache logs on 3 different VMs, one VM for each env : dev, uat, prod
I do not see the point to create a specific index for each env (no security / restrictions needed). But I still want to be able to distinguish the logs by environment.
What would be the best practice to do that ? Create a tag / event type ? for each host from where the logs are coming ?
Regards, GaetanVP
... View more
Labels
- Labels:
-
indexer
01-27-2023
05:02 AM
Please do not excuse ! It's working like a charm now 👍 Thanks, GaetanVP
... View more
01-27-2023
02:50 AM
Hello @PickleRick, Haha you're right... My LB is now the SPOF ! I have never thought about that... 🤔 I will definitely take a look at Splunk Connect for Syslog, I have never tried it for now Thanks again for your help, GaetanVP
... View more
01-27-2023
02:46 AM
Hello @PickleRick, That's a nice trick indeed but I would not be able to use my DS anymore to deploy inputs.conf on both HF - since forwarder1 and forwarder2 are "hardcoded". If preferer to keep a generic inputs.conf (being deployed by DS) in my specific app location and have a custom file in /etc/system/local for each HF. Or maybe I am missing something ! But your proposition is great and can fit a lot of other situations thanks 👍
... View more
01-27-2023
02:37 AM
Hello @gcusello, I tried your solution but it is not working... In the fields.conf the [foo] stanza should be [hf] here right ? Do we agree that afterwards, I should see the hf fields/value when I do a search right ? Thanks a lot, GaetanVP
... View more
01-26-2023
06:03 AM
Ok thanks @gcusello, I will try to use the answer you gave above Bye, GaetanVP
... View more
01-26-2023
06:03 AM
Hi again @PickleRick, thanks again for all those information (you even made me laugh with the last sentence) ! So basically for the above Palolo use case, how would you have done it ?
... View more
01-26-2023
04:51 AM
Hello @gcusello, yes understood. But in my use cases I am talking about logs coming directly from udp or tcp, not from UF. For instance in the Palo Alto documentation, it is literally said to configure this udp or tcp input (via GUI or CLI) to forward data from Panorama instance to Splunk Indexer or HF : https://splunk.paloaltonetworks.com/firewalls-panorama.html#gui So here, if I do not want to have a Single Point Of Failure, I need to have a load balancer between the Panorama machine and my 2 HF listening for incoming network logs. I also cannot tell my Panorama to send the logs to the two HF otherwise I would end up with duplicated events. Thanks for your time, GaetanVP
... View more
01-26-2023
02:53 AM
Thanks @PickleRick, All clear for your first parameter, good to know ! For the second parameter, I am not sure to understand. I have many use cases where a network appliance (where UF cannot be installed) can send udp or tcp logs on a specific port. So instead of targeting a unique HF I target a F5 virtual IP and then load balance to my two Splunk HF - it keeps protocol and port. What is wrong with that approach ? As far as I know Splunk does not provide a HA feature for HF listening to incoming network data. Also I see a lot of Splunk Add-On that needs to be installed on a HF to just pull data from Network Appliances but with that pulling mechanism, you always end up with your HF being a Single Point of Failure... I made this post in the past where we discussed about pulling limitation : https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-HF-for-one-Event-Hub-Splunk-Add-on-for-Microsoft-Cloud/m-p/622370 Thanks a lot for always sharing your knowledge!
... View more
01-26-2023
01:31 AM
Hello @gcusello, Ok it means I cannot have a generic inputs.conf to be deployed on both HF right ? Because HF1 is basically an hardcoded value, there is not Splunk variable to say "for this fields look at the hostname of the machine itself" right ? If I want to add the metadata to all my logs I can create the inputs.conf files in /ect/systen/local path of the HFs ? The [default] stanza will apply to all logs ? I've never worked with fields.conf... I will take a look at it thanks
... View more
01-26-2023
12:54 AM
Hello Splunkers,
I am currently using a F5 load balancer in front of two HFs that are used as intermediate forwarders and also doing the parsing jobs for incoming data.
I would like to create (index time) a new field for all logs passing through my HF that can indicate which HF has done the job.
In other words, I want to keep a trace of which HFs was choose for each logs.
I suppose I need to use a props.conf file but I do not where to place it and I do not know how to dynamically set a field = hostname of my machine.
I am using a DS to deploy apps on my HFs by the way and I would like to avoid any custom / manual config on each HF.
Thanks a lot,
GaetanVP
... View more
Labels
01-25-2023
02:36 AM
Thanks for all those info ! One last question, when you mentioned " Syslog server (Rsylog or SyslogNG) to listen to TCP/UDP ports and writes to a file, HF monitors this file and ingests data" Does the HF and the Syslog server would be on the same machine ?
... View more
01-25-2023
01:08 AM
Hello @scelikok, thanks but I am not sure to understand How does the src port impact the data flow ? I configured f5 to forward data to a specific port on the HF, and I configured the HF to listen on that port. Why would F5 retry to connect to HF with a different source port ? Thanks
... View more
01-25-2023
12:26 AM
Hello Splunkers, I the following error on my Splunk HF which is listening to incoming data from F5 network appliance. 01-25-2023 08:06:56.794 +0000 ERROR TcpInputProc [2612981 FwdDataReceiverThread] - Error encountered for connection from src=<internal_ip_f5>:59697. Read Timeout Timed out after 600 seconds. I am wondering what the number after the F5 IP is... I specified a unique port for the forwarding of data between f5 and the HF so I do not understand why I have number like 59697 (and many others). More generally I do not know how to troubleshoot this... Thanks for your help, GaetanVP
... View more
Labels
01-24-2023
05:03 AM
Hello @PickleRick, thanks for your answer This give details about settings precedence but I understand there is no possibility to combine stanza Regards, GaetanVP
... View more
01-23-2023
01:45 AM
Hello @jamie00171, This can be very useful in my use case, not exactly what I had in mind but it seems to be a real Splunk limitation ! Thanks for your answer, GateanVP
... View more
01-23-2023
01:44 AM
Hello @isoutamo, Okok, indeed I would like to avoid clone sourcetype but I will keep that in mind if needed. Thanks a lot, GaetanVP
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Friday
|
Karma from
