Activity Feed
- Got Karma for Re: Duplicates events in search. a week ago
- Got Karma for Re: /local/inputs.conf Not Being Read. 03-05-2025 01:02 PM
- Got Karma for Re: Do we need to take Splunk exams every time I want to renew our current Splunk certs?. 02-14-2025 11:03 PM
- Got Karma for Re: Windows Security events: XML vs. non-XML format. 01-10-2025 07:24 AM
- Got Karma for Re: How to search for logon/logoff activity of domain admins. 12-18-2024 11:48 AM
- Got Karma for Re: AWS Database logs to Splunk. 12-09-2024 01:58 PM
- Got Karma for GOTCHA: Upgraded Memory with systemd? Read This!. 11-10-2024 11:56 PM
- Got Karma for Re: TCPDUMP Command. 11-05-2024 02:38 AM
- Got Karma for Re: Forwarding data from Heavy forwarder to syslog server. 10-11-2024 07:02 AM
- Got Karma for Re: What is the best practice for moving frozen data into a bigger disk without losing any data?. 09-12-2024 02:35 AM
- Got Karma for Re: GOTCHA: Upgraded Memory with systemd? Read This!. 09-04-2024 12:33 AM
- Got Karma for Re: Why am I receiving too many Splunk logs on audit.log?. 08-18-2024 11:59 PM
- Got Karma for GOTCHA: Upgraded Memory with systemd? Read This!. 07-29-2024 11:31 PM
- Got Karma for Re: Why is Splunk not starting after upgrade to 8?. 07-09-2024 11:17 AM
- Got Karma for Re: How can i monitor linux commands in splunk. 06-18-2024 06:57 AM
- Got Karma for Re: Splunk Get Earliest Data by Index and Sourcetype. 06-05-2024 08:16 AM
- Got Karma for Re: What is the best practice for moving frozen data into a bigger disk without losing any data?. 05-28-2024 07:54 AM
- Got Karma for Re: How to Re-enable firewalld service on Splunk servers?. 04-24-2024 08:02 AM
- Got Karma for Re: What are the ports that I need to open?. 04-16-2024 09:31 AM
04-05-2023
03:35 AM
The important part (and missing from your post) is how much of that allocated space is actually "in use"? If you are using all 8TB of hot and 160TB of cold, then there is no way around it - you need more disk. However, if your true usage of space falls below this, then you can set your limits to match the space that is available. For example, if you're only using 4TB of your 8TB actual hot device you can safely amend the maxVolumeDataSizeMB to 1TB on each host. You should also understand that setting the maxVol.. to a value smaller than what you have in current use will only cause that data to roll to cold - not be removed. The limits only tell Splunk what to do at those limits, so as long as you have a small amount of cold space you can add your new indexers leaving the cold maxVol... set to 40TB each (320 total). Let the cluster replicate and balance, then when that process is complete you can reduce it to 20TB each. But, ideally, your retention should be dictated by dates rather than volume. I tend to think of the maxVol.. setting as a safety net in case you are getting close to the physical limits of the hardware, but what really drives my storage is how long I need to keep that data for.
04-05-2023
03:15 AM
How are you installing the package - are you using the UI, or copying the package directly? Also, are you certain you are using the Windows-specific version? https://apps.splunk.com/app/2883/
04-05-2023
03:12 AM
1 Karma
Can you provide a bit more detail on what you are trying to do - are you trying to trigger a webhook as an alert action?
04-04-2023
07:33 AM
1 Karma
@splunkreal wrote: So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?
That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to. The big advantage with SC4S is the "rule soup" which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration.
06-23-2022
12:30 PM
1 Karma
If your metrics are coming from the nix or windows TA then changing the DS version would not have any effect, as it is the TA providing that data, not the Splunk version. With that said, so far, in my limited testing of v9 I haven't seen any differences in any of the internal metrics either, so you *should* be ok. If you need anything further you are better off starting a new topic so more people will see your question!
02-04-2022
09:48 AM
Thanks to the Splunk Docs team for updating the table I referenced above. Hopefully this makes it clearer for anyone approaching this in the future!
02-04-2022
06:54 AM
1 Karma
Solution: Use the latest version of the Splunk release train. Upgrading to the latest version of the destination version will mitigate this issue. The Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.2.4/Installation/HowtoupgradeSplunk) suggests that to upgrade to the latest version, for 7.3.x starting points you need to migrate to an 8.0.x or 8.1.x version. In reality this is slightly more nuanced, as there are specific version incompatibilities that need to be considered. As a general rule, when performing updates, you should select the latest version of the release, even if this is an intermediate step to an eventual target version. 7.3.9 > 8.1.72 > 8.2.4 (latest versions at date of this post)
02-04-2022
06:45 AM
1 Karma
Workaround: From 7.3.9 > 8.0.0
1. Stop the splunk service using the services snap-in.
2. Snapshot the VM / back up the system.
3. From the $SPLUNK_HOME/bin folder delete the following files (take backups first): libxml2.dll, libeay32.dll, ssleay32.dll
4. Run the Splunk 8.0.0 installer (leaving the Splunk service stopped).
5. Validate that the install process completes, then check and test the upgrade.
02-04-2022
06:42 AM
1 Karma
Upgrading from Splunk 7.3.9 to versions before 8.0.8 or 8.1.1 will fail. During the install process the installer will error with the following messages relating to the files: libxml2.dll, libeay32.dll, ssleay32.dll. After dismissing these messages, the installer rolls back and reverts to the previously installed version 7.3.9. This appears related to the dates on these files, which the installer does not handle correctly and does not overwrite. At the end of the failed install (before rollback) these 3 files are missing from the $SPLUNK_HOME/bin folder. I presume the installer removes (backs up) the original files and during the install process validates that the files to be installed are newer. In the case of these 3 files, the situation is not handled correctly and the installer fails to correctly remedy the situation.
12-22-2020
01:14 AM
1 Karma
I think the wording is a little confusing, but "tstatsHomePath" allows you to dictate where this data is stored if you wanted to separate it from the rest of your index data, but importantly you do not have to specify a "tstatsHomePath"! The wording in the spec file says that you should not configure this value for an index with remote storage, so this just means for a Smartstore index do not define "tstatsHomePath" - the cachemanager will handle this for you.
12-21-2020
07:28 AM
If the syslog receiver is using UDP you can't test it with telnet; instead try netcat:
nc -z -v -u <your_IP> <your_port_number>
Although a good start is to use netstat on the receiving host and confirm the host is listening on the right interface/port/proto!
netstat -ln | grep <your_port_number>
12-21-2020
01:15 AM
I made a minor change to the answer above, but I can not reproduce the scenario you describe. https://regex101.com/r/FXD0Q4/2
12-20-2020
01:10 AM
Splunk will not perform CIDR matches against regular expressions. You will need to construct your regex to match the range of addresses you need:
(10\.)
(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)
(192\.168\.)
But you should be able to do this in one stanza if you wish:
[internal_IPs]
REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+
DEST_KEY = queue
FORMAT = nullQueue
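To check that the hand-built prefix regex in the stanza above really lines up with the RFC 1918 CIDR ranges (since, as the post says, Splunk will not do CIDR matching inside a transforms REGEX), here is an added Python example that is not part of the original post. It compiles the post's REGEX as written, compares it against a proper CIDR containment test from the ipaddress module over every a.b.x.x /16 prefix, and routes a few constructed firewall-style events. The event layout (src=... dst=... action=...) and the sample addresses are assumptions for the demonstration, not data from the thread.

```python
import ipaddress
import re

# The REGEX from the transforms.conf stanza in the post above, compiled as-is.
INTERNAL_IPS_REGEX = re.compile(
    r"dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+"
)

# The RFC 1918 ranges the regex is meant to approximate, as real CIDR networks.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def regex_route(event: str) -> str:
    """Queue the stanza would send this raw event to: 'nullQueue' on match, else 'indexQueue'."""
    return "nullQueue" if INTERNAL_IPS_REGEX.search(event) else "indexQueue"


def cidr_is_private(ip: str) -> bool:
    """Ground truth: a real CIDR containment test with the ipaddress module."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def coverage_mismatches() -> list:
    """Walk every a.b.x.x /16 prefix and report where regex and CIDR disagree.

    Returns the sample addresses where the text-prefix regex drops (or keeps)
    an event that the CIDR test says it should not. An empty list means the
    regex matches RFC 1918 exactly at /16 granularity.
    """
    mismatches = []
    for a in range(256):
        for b in range(256):
            ip = f"{a}.{b}.1.1"
            # Constructed firewall-style event; the 'dst' field name comes from the post.
            event = f"src=203.0.113.5 dst={ip} action=allow"
            dropped = regex_route(event) == "nullQueue"
            if dropped != cidr_is_private(ip):
                mismatches.append(ip)
    return mismatches


# Constructed sample events (not real data) to show the routing decision per line.
SAMPLE_EVENTS = [
    "src=203.0.113.5 dst=10.20.30.40 action=allow",   # private -> dropped
    "src=203.0.113.5 dst=172.16.0.9 action=allow",    # private -> dropped
    "src=203.0.113.5 dst=172.32.0.9 action=allow",    # just outside 172.16/12 -> kept
    "src=203.0.113.5 dst=192.168.5.5 action=deny",    # private -> dropped
    "src=203.0.113.5 dst=100.64.0.1 action=allow",    # CGNAT space, not RFC 1918 -> kept
    "src=10.1.1.1 dst=8.8.8.8 action=allow",          # only src is private -> kept
]


def route_samples() -> dict:
    """Map each sample event to the queue the stanza would route it to."""
    return {ev: regex_route(ev) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for ev, queue in route_samples().items():
        print(f"{queue:10s} {ev}")
    print("prefix mismatches:", coverage_mismatches())
```

Two things the sweep makes visible: the regex is anchored on the literal dst= key, so a private address anywhere else in the event (the src field, a NAT annotation) has no effect on routing, and the trailing .+ means the prefix must be followed by at least one more character, which a complete dotted-quad always satisfies. If the log source ever renders the destination under a different key or with IPv6, the stanza silently stops matching, so keep the coverage check in a unit test alongside the transforms.conf change.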
12-18-2020
09:44 AM
1 Karma
Where are you seeing this? Inside the web datamodel? In which case, the action field should look like this (see attached). If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement; you can't just layer up additional "if()"s.
case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)
12-18-2020
09:11 AM
Try changing it to if(action="File quarantined","blocked",action). That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was: if (action = quarantine, re-write it as action="blocked", otherwise set action=action (i.e. whatever it already was)).
12-18-2020
06:41 AM
@gozdeyildizz That's great news! Don't forget to accept an answer and upvote posts that helped you!
12-15-2020
01:24 PM
I am pleased you have it working, but for the record, chmod'ding to 777 is not a sensible fix for a production system. 🙂
12-15-2020
12:59 PM
In that case, unless you set up the splunk user by hand, it won't exist. At a guess you were therefore running Splunk as root. If root has permission issues then you probably have bigger problems! Can you access the contents of /opt/splunk?
12-15-2020
10:26 AM
How was Splunk installed? rpm/deb or from the tar.gz? Who owns the files in /opt/splunk?
12-15-2020
09:25 AM
1 Karma
That's odd. Can you run "sudo id splunk"? It should return something like uid=xxx(splunk) gid=xxx(splunk) group=xxx(splunk), or does it report "splunk": no such user?
12-15-2020
08:20 AM
Splunk only allows you to download currently supported versions; since 6.6 has fallen out of support, that's why it is not available for download. Raise a support ticket via the support portal, or if you have no access you should speak to your reseller/account manager.
12-15-2020
08:09 AM
3 Karma
Was Splunk configured to run as "root"? If you configured Splunk to run as "splunk" (recommended) you should not start it as root. If you do, it may mess about with the folder permissions, which means the next time you start it as "splunk" you get permission errors. If this is what happened, you should stop Splunk (if running) then (assuming Linux):
sudo chown -R splunk:splunk /opt/splunk
Then start Splunk as "splunk" - probably easier to reboot the system and let the Splunk boot-start process handle it.
12-15-2020
07:52 AM
1 Karma
Did you set ratio to match the search sample ratio? I am guessing you are not using sampling, so set the ratio=1
12-15-2020
07:24 AM
1 Karma
I think (@priyastalin correct me if wrong) it looks like this is just so you can filter on the groupId? I'm not sure if seeing the contents of the macro would help to understand if it's doing a simple filter or if there is something more complex going on to get the set of results. If this is something you run frequently, I think a lookup might be a far simpler (and faster) approach.
12-15-2020
07:17 AM
1 Karma
First, a correction. In my final query I should have removed "earliest=-24h latest=now". Please run the query again without those time constraints. (I have updated the original post.) Second, did you set a value for X? If you don't use sampling then ratio should be "ratio=1"; if you used a 1:100,000 sampling ratio, then "ratio=100000". Next, as I mentioned, Splunk measures volume licence against sourcetypes. It does not break licence usage down on a per-field basis, hence the reason for the estimated calculation I have provided above. If you want daily consumption, you can make a simple change to produce these values for each day:
index=wineventlog sourcetype=winlog EventCode=4688
| eval bytes=len(_raw)
| timechart avg(bytes) as avg_bytes count span=1d
| eval ratio=10000
| eval consumptionBytes=((avg_bytes*count)*ratio)
| eval consumptionKB=((avg_bytes*count)*ratio)/1024
| eval consumptionMB=((avg_bytes*count)*ratio)/1024/1024
| eval consumptionGB=((avg_bytes*count)*ratio)/1024/1024/1024