Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nickhills
nickhills
Ultra Champion
Member since:
10-10-2011
02-11-2022
Community Statistics
| Posts | 1776 |
| Solutions | 266 |
| Karma Given | 147 |
| Karma Received | 420 |
| Member Since | 10-10-2011 |
Activity Feed
- Got Karma for Re: eval with wildcard. Friday
- Got Karma for Re: Splunk Permission Error. 3 weeks ago
- Got Karma for Re: KV Store field type cidr. 4 weeks ago
- Got Karma for Re: Full queues and low IOWait???!. 03-31-2022 10:58 AM
- Got Karma for Re: Splunk addon builder checkpoint. 03-16-2022 10:13 AM
- Got Karma for Re: How to monitor a process(rhnsd) on all Linux servers via a pie chart?. 03-15-2022 10:35 AM
- Got Karma for Re: Information Disclosure Vulnerability - Splunk 7.2.4.2. 03-14-2022 03:16 AM
- Got Karma for Re: is it possible to use json file with csv lookup file?. 03-09-2022 02:08 AM
- Got Karma for Re: SSL Certificate on AWS Application Load Balancer - still have SSL port 8089 Self Signed Cert Vulnerability. 02-15-2022 05:35 AM
- Got Karma for [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing.. 02-10-2022 09:47 PM
- Got Karma for Re: [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing.. 02-10-2022 09:47 PM
- Got Karma for Re: Deployment Server Upgrade. 02-10-2022 06:25 AM
- Got Karma for Re: Why are realtime searches disliked in the Splunk world?. 02-08-2022 06:24 PM
- Posted Re: [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing. on Installation. 02-04-2022 09:48 AM
- Got Karma for Re: [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing.. 02-04-2022 09:03 AM
- Posted Re: [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing. on Installation. 02-04-2022 06:54 AM
- Posted Re: [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing. on Installation. 02-04-2022 06:45 AM
- Posted [Windows] Upgrade 7.3.9 to Versions:<8.0.8 or:<8.1.1 Fails - libxml2.dll is missing. on Installation. 02-04-2022 06:42 AM
- Got Karma for Re: How to use eval with IF?. 02-03-2022 06:44 AM
- Got Karma for Re: How to setup a channel to send raw data to HTTP event collector?. 01-26-2022 10:19 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 7 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 1 |
02-04-2022
09:48 AM
Thanks to the Splunk Docs team for updating the table I referenced above. Hopefully this makes it clearer for anyone approaching this in the future!
... View more
02-04-2022
06:54 AM
1 Karma
Solution Use the latest version of the Splunk release train. Upgrading to the latest version of the destination version will mitigate this issue. The Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.2.4/Installation/HowtoupgradeSplunk) Suggests that to upgrade to the latest version, for 7.3.x starting points you need to migrate to a 8.0.x or 8.1.x version. In reality this is slightly more nuanced as there are specific version incompatibilities that need to be considered. As a general rule, when performing updates, you should select the latest version of the release, even if this is an intermediate step to an eventual target version. 7.3.9 > 8.1.72 > 8.2.4 (latest versions at date of this post)
... View more
02-04-2022
06:45 AM
1 Karma
Workaround From 7.3.9 > 8.0.0 Stop the splunk service using the services snapin. Snapshot the VM/Backup the system From the $SPLUNK_HOME/bin folder delete the following files (take backups first) libxml2.dll libeay32.dll ssleay32.dll Run the Splunk 8.0.0 installer (leaving the Splunk service stopped) Validate that the install process completes and check and test the upgrade.
... View more
02-04-2022
06:42 AM
1 Karma
Upgrading from Splunk 7.3.9 to Versions before 8.0.8 or 8.1.1 will fail. During the install process the installer will error with the following messages relating to the files: libxml2.dll libeay32.dll ssleay32.dll After dismissing these messages, the installer rolls back and reverts to the previously installed version 7.3.9 This appears related to the dates on these files that the installer does not handle correctly and does not overwrite. At the end of the failed install (before rollback) these 3 files are missing from the $SPLUNK_HOME/bin folder I presume the installer removes (backs up) the original files and during the install process validates that the files to be installed are newer. In the case of these 3 files, the situation is not handled correctly and the installer fails to correctly remedy the situation.
... View more
12-22-2020
01:14 AM
1 Karma
I think the wording is a little confusing, but "tstatsHomePath" allows you to dictate where this data is stored if you wanted to separate it from the rest of your index data, but importantly you do not have to specify a "tstatsHomePath"! The wording in the spec file says that you should not configure this value for an index with remote storage, so this just means for a Smartstore index do not define "tstatsHomePath" - the cachemanager will handle this for you.
... View more
12-21-2020
07:28 AM
If the syslog receiver is using UDP you can't test it with telnet, instead try netcat. nc -z -v -u <your_IP> <your_port_number> Although, a good start is to use netstat on the recieving host and confirm the host is listening on the right interface/port/proto! netstat -ln|grep <your_port_number>
... View more
12-21-2020
05:17 AM
1 Karma
You will need to contact the Splunk Education team on one of the below addresses and see if they can help you. Americas: education_amer@splunk.com Europe: education_emea@splunk.com Asia/Japan/Australia: education_apac@splunk.com
... View more
12-21-2020
01:15 AM
I made a minor change to the answer above, but I can not reproduce the scenario you describe. https://regex101.com/r/FXD0Q4/2
... View more
12-20-2020
01:10 AM
Splunk will not perform CIDR matches against regular expressions. You will need to construct your regex to match the range of addresses you need (10\.)
(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)
(192\.168\.) But you should be able to do this in one stanza if you wish [internal_IPs]
REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+
DEST_KEY = queue
FORMAT = nullQueue
... View more
12-18-2020
09:44 AM
1 Karma
Where are you seeing this? Inside the web datamodel? In which case, the action field should look like this (see attached) If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s. case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)
... View more
- Tags:
- Where a
12-18-2020
09:11 AM
try changing it to if(action="File quarantined","blocked",action) That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was if (action = quarantine, re-write it as action="blocked", otherwise set action=action( i.e whatever it already was) )
... View more
12-18-2020
06:41 AM
@gozdeyildizz Thats great news! Don't forget to accept an answer and upvote posts that helped you!
... View more
12-16-2020
03:02 AM
2 Karma
There are additional features included in 8.x, but nothing major from a "user" perspective. There is nothing you would learn on fun2 7.x that is not applicable to 8.x
... View more
12-15-2020
01:24 PM
I am pleased you have it working, but for the record, chmod'ding to 777 is not a sensible fix for a production system. 🙂
... View more
12-15-2020
12:59 PM
In that case, unless you set up the splunk user by hand, it wont exist. At a guess you were therefore running Splunk as root. If root has permission issues then you probably have bigger problems! Can you access the contents of /opt/splunk?
... View more
12-15-2020
10:26 AM
How was splunk installed? rpm/deb or from the tar.gz? Who owns files in /opt/splunk?
... View more
12-15-2020
09:25 AM
1 Karma
Thats odd. Can you run "sudo id splunk" It should return something like uid=xxx(splunk) gid=xxx(splunk) group=xxx(splunk) or does it report "splunk" no such user
... View more
12-15-2020
08:20 AM
Splunk only allow you to download currently supported versions, since 6.6 has fallen out of support that's why it is not available for download. Raise a support ticket via the support portal, or if you have no access you should speak to your reseller/account manager.
... View more
12-15-2020
08:09 AM
3 Karma
Was Splunk configured to run as "root"? If you configured Splunk to run as "splunk" (recommended) you should not start it as root. If you do, it may mess about with the folder permissions, which means the next time you start it as "splunk" you get permission errors. If this is what happened, you should stop Splunk (if running) then (assuming linux) sudo chown -R splunk:splunk /opt/splunk Then start Splunk as "splunk" - probably easier to reboot the system and let the Splunk boot-start process handle it.
... View more
12-15-2020
07:52 AM
1 Karma
Did you set ratio to match the search sample ratio? I am guessing you are not using sampling, so set the ratio=1
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-11-2022
12:43 PM
|
