Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nickhills
nickhills
Ultra Champion
Member since:
10-10-2011
06-23-2022
Community Statistics
| Posts | 1777 |
| Solutions | 266 |
| Karma Given | 147 |
| Karma Received | 433 |
| Member Since | 10-10-2011 |
Activity Feed
- Got Karma for Re: Decrease bundle size. Thursday
- Got Karma for Re: Deployment Server Upgrade. 3 weeks ago
- Got Karma for Re: Deployment Server Upgrade. 3 weeks ago
- Got Karma for Re: TCPDUMP Command. 3 weeks ago
- Got Karma for Re: How to find the path for persistent queues. 3 weeks ago
- Posted Re: Deployment Server Upgrade on Deployment Architecture. 06-23-2022 12:30 PM
- Got Karma for Re: Transaction command - Way to change from timestamp to a different field?. 06-23-2022 10:14 AM
- Got Karma for Re: splunk certification exam cost. 06-15-2022 10:24 AM
- Got Karma for Re: What is the process of decommissioning indexers?. 06-13-2022 12:35 PM
- Got Karma for Re: start request repeated too quickly for splunk.service. 06-02-2022 04:03 AM
- Got Karma for Re: How to add a new row to a lookup using a Splunk query?. 05-26-2022 03:24 PM
- Got Karma for Re: Could not load lookup=LOOKUP-browser ???. 05-25-2022 11:00 PM
- Got Karma for GOTCHA: Upgraded Memory with systemd? Read This!. 05-24-2022 12:47 AM
- Got Karma for Re: eval with wildcard. 05-13-2022 01:27 PM
- Got Karma for Re: Splunk Permission Error. 04-27-2022 04:40 AM
- Got Karma for Re: KV Store field type cidr. 04-21-2022 12:37 PM
- Got Karma for Re: Full queues and low IOWait???!. 03-31-2022 10:58 AM
- Got Karma for Re: Splunk addon builder checkpoint. 03-16-2022 10:13 AM
- Got Karma for Re: How to monitor a process(rhnsd) on all Linux servers via a pie chart?. 03-15-2022 10:35 AM
- Got Karma for Re: Information Disclosure Vulnerability - Splunk 7.2.4.2. 03-14-2022 03:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 8 | |||
| 0 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 1 |
06-23-2022
12:30 PM
1 Karma
If your metrics are coming from the nix or windows TA then changing the DS version would not have any effect as it is the TA providing that data not the Splunk version. With that said, so far, my limited testing of v9 I haven’t seen any differences in any of the internal metrics either, so you *should* be ok. if you need anything further you are better off starting a new topic so more people will see your question!
... View more
02-04-2022
09:48 AM
Thanks to the Splunk Docs team for updating the table I referenced above. Hopefully this makes it clearer for anyone approaching this in the future!
... View more
02-04-2022
06:54 AM
1 Karma
Solution Use the latest version of the Splunk release train. Upgrading to the latest version of the destination version will mitigate this issue. The Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.2.4/Installation/HowtoupgradeSplunk) Suggests that to upgrade to the latest version, for 7.3.x starting points you need to migrate to a 8.0.x or 8.1.x version. In reality this is slightly more nuanced as there are specific version incompatibilities that need to be considered. As a general rule, when performing updates, you should select the latest version of the release, even if this is an intermediate step to an eventual target version. 7.3.9 > 8.1.72 > 8.2.4 (latest versions at date of this post)
... View more
02-04-2022
06:45 AM
1 Karma
Workaround From 7.3.9 > 8.0.0 Stop the splunk service using the services snapin. Snapshot the VM/Backup the system From the $SPLUNK_HOME/bin folder delete the following files (take backups first) libxml2.dll libeay32.dll ssleay32.dll Run the Splunk 8.0.0 installer (leaving the Splunk service stopped) Validate that the install process completes and check and test the upgrade.
... View more
02-04-2022
06:42 AM
1 Karma
Upgrading from Splunk 7.3.9 to Versions before 8.0.8 or 8.1.1 will fail. During the install process the installer will error with the following messages relating to the files: libxml2.dll libeay32.dll ssleay32.dll After dismissing these messages, the installer rolls back and reverts to the previously installed version 7.3.9 This appears related to the dates on these files that the installer does not handle correctly and does not overwrite. At the end of the failed install (before rollback) these 3 files are missing from the $SPLUNK_HOME/bin folder I presume the installer removes (backs up) the original files and during the install process validates that the files to be installed are newer. In the case of these 3 files, the situation is not handled correctly and the installer fails to correctly remedy the situation.
... View more
12-22-2020
01:14 AM
1 Karma
I think the wording is a little confusing, but "tstatsHomePath" allows you to dictate where this data is stored if you wanted to separate it from the rest of your index data, but importantly you do not have to specify a "tstatsHomePath"! The wording in the spec file says that you should not configure this value for an index with remote storage, so this just means for a Smartstore index do not define "tstatsHomePath" - the cachemanager will handle this for you.
... View more
12-21-2020
07:28 AM
If the syslog receiver is using UDP you can't test it with telnet, instead try netcat. nc -z -v -u <your_IP> <your_port_number> Although, a good start is to use netstat on the recieving host and confirm the host is listening on the right interface/port/proto! netstat -ln|grep <your_port_number>
... View more
12-21-2020
05:17 AM
1 Karma
You will need to contact the Splunk Education team on one of the below addresses and see if they can help you. Americas: education_amer@splunk.com Europe: education_emea@splunk.com Asia/Japan/Australia: education_apac@splunk.com
... View more
12-21-2020
01:15 AM
I made a minor change to the answer above, but I can not reproduce the scenario you describe. https://regex101.com/r/FXD0Q4/2
... View more
12-20-2020
01:10 AM
Splunk will not perform CIDR matches against regular expressions. You will need to construct your regex to match the range of addresses you need (10\.)
(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)
(192\.168\.) But you should be able to do this in one stanza if you wish [internal_IPs]
REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+
DEST_KEY = queue
FORMAT = nullQueue
... View more
12-18-2020
09:44 AM
1 Karma
Where are you seeing this? Inside the web datamodel? In which case, the action field should look like this (see attached) If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s. case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)
... View more
- Tags:
- Where a
12-18-2020
09:11 AM
try changing it to if(action="File quarantined","blocked",action) That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was if (action = quarantine, re-write it as action="blocked", otherwise set action=action( i.e whatever it already was) )
... View more
12-18-2020
06:41 AM
@gozdeyildizz Thats great news! Don't forget to accept an answer and upvote posts that helped you!
... View more
12-16-2020
03:02 AM
2 Karma
There are additional features included in 8.x, but nothing major from a "user" perspective. There is nothing you would learn on fun2 7.x that is not applicable to 8.x
... View more
12-15-2020
01:24 PM
I am pleased you have it working, but for the record, chmod'ding to 777 is not a sensible fix for a production system. 🙂
... View more
12-15-2020
12:59 PM
In that case, unless you set up the splunk user by hand, it wont exist. At a guess you were therefore running Splunk as root. If root has permission issues then you probably have bigger problems! Can you access the contents of /opt/splunk?
... View more
12-15-2020
10:26 AM
How was splunk installed? rpm/deb or from the tar.gz? Who owns files in /opt/splunk?
... View more
12-15-2020
09:25 AM
1 Karma
Thats odd. Can you run "sudo id splunk" It should return something like uid=xxx(splunk) gid=xxx(splunk) group=xxx(splunk) or does it report "splunk" no such user
... View more
12-15-2020
08:20 AM
Splunk only allow you to download currently supported versions, since 6.6 has fallen out of support that's why it is not available for download. Raise a support ticket via the support portal, or if you have no access you should speak to your reseller/account manager.
... View more
12-15-2020
08:09 AM
3 Karma
Was Splunk configured to run as "root"? If you configured Splunk to run as "splunk" (recommended) you should not start it as root. If you do, it may mess about with the folder permissions, which means the next time you start it as "splunk" you get permission errors. If this is what happened, you should stop Splunk (if running) then (assuming linux) sudo chown -R splunk:splunk /opt/splunk Then start Splunk as "splunk" - probably easier to reboot the system and let the Splunk boot-start process handle it.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-23-2022
02:00 PM
|
