cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
FlorianScho
Path Finder
Member since: ‎08-30-2021
‎03-19-2025
Community Statistics
Posts 17
Solutions 1
Karma Given 4
Karma Received 0
Member Since ‎08-30-2021
Activity Feed
View All

Re: app or add-on for IBM Aspera HSTS?

by in All Apps and Add-ons
‎12-03-2024 04:49 AM
‎12-03-2024 04:49 AM
Hi mitag,  its been a while since you posted this. Were you able to work on such an app / add-on? I would be interested in it.  ... View more

Re: Routing of events located at Indexers / Search...

by in Getting Data In
‎09-11-2024 06:06 AM
‎09-11-2024 06:06 AM
Understood! I appreciate your answers.  I will keep this post unresolved for now and test it. ... View more

Re: Routing of events located at Indexers / Search...

by in Getting Data In
‎09-11-2024 05:55 AM
‎09-11-2024 05:55 AM
Hi, yes, I know the setup might look a bit overengineered, but it best fits our needs as we need to “logically” separate the ES data from other Splunk use cases. Anyway, I wasn't aware that I can run a Universal Forwarder together with another Splunk Enterprise Component. Is this supported or is it at least officially documented somewhere?   ... View more

Routing of events located at Indexers / Search Hea...

by in Getting Data In
‎09-11-2024 04:28 AM
‎09-11-2024 04:28 AM
 Hi Community! i have a (kind of ) special problem with my data routing. Topology: We have 2 different Clusters, one for ES and one for Splunk Enterprise. Each clusters consist of minimum 1 Search head 4 Indexer peers (Multisite Cluster). All hosted on RedHat Virtual Machines. Usecase: On all Linux systems (including Splunk itself) are some sources defined for ES and some sources for normal Splunk Enterprise indexes. E.g.: /var/log/secure - ES (Index: linux_security) /var/log/audit/audit.log - ES (Index: linux_security) /var/log/dnf.log - Splunk Enterprise (Index: linux_server) /var/log/bali/rebootreq.log - Splunk Enterprise (Index: linux_server) Problem: The Routing of those logs from the collecting tier (Universal Forwarder, Heavy Forwarder) is fine, because those components have both clusters as output groups defined including props / transforms config.  On Search heads there are only the search peers defined as output group (ES Search head --> ES Indexer Cluster, Splunk Enterprise Search head --> Splunk Enterprise Cluster). This is due to several summary searches and inputs from the Search head, im not able to adjust the routing like we do on the Heavy Forwarder because of the frequent changes made my powerusers. That is working fine so far except for the sources that require to be sent to the opposite cluster. Same for the logs directly on the Indexer Tier, the defined logs requires to get sent to the other cluster. So simplified: The log /var/log/secure on Splunk Enterprise Cluster Search head / Indexer needs to be sent to ES Cluster Indexer. The log /var/log/dnf.log on the ES Cluster Search head / Indexer needs to be sent to the Splunk Enterprise Indexer. What i have done already: Configured both Indexer Clusters to sent data to each other based on the specific index in outputs.conf. With this the events are now available in the correct cluster, but are also available as duplicates in their source cluster. I try to get rid of the source events! Splunk Enterprise Indexer outputs.conf: [indexAndForward] index = true [tcpout] ... forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent) forwardedindex.3.blacklist = .* forwardedindex.4.whitelist = linux_secure forwardedindex.5.blacklist = _.* forwardedindex.filter.disable = false useACK = false useClientSSLCompression = true useSSL = true [tcpout:es_cluster] server = LINUXSPLIXPRD50.roseninspection.net:9993, LINUXSPLIXPRD51.roseninspection.net:9993, LINUXSPLIXPRD52.roseninspection.net:9993,LINUXSPLIXPRD53.roseninspection.net:9993 ES Indexer outputs.conf: [indexAndForward] index = true [tcpout] ... forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent) forwardedindex.3.blacklist = .* forwardedindex.4.whitelist = linux_server forwardedindex.5.blacklist = _.* forwardedindex.filter.disable = false useACK = false useClientSSLCompression = true useSSL = true [tcpout:rosen_cluster] server = LINUXSPLIXPRD01.roseninspection.net:9993, LINUXSPLIXPRD02.roseninspection.net:9993, LINUXSPLIXPRD03.roseninspection.net:9993,LINUXSPLIXPRD04.roseninspection.net:9993 Additionally i tried to setup props.conf / transforms.conf like we do on HF to catch at least events from Search head and send them to the correct _TCP_ROUTING queue but without any success. I guess because they got parsed already on the Search head. Splunk Enterprise props.conf: [linux_secure] ... SHOULD_LINEMERGE = False TIME_FORMAT = %b %d %H:%M:%S TRANSFORMS = TRANSFORMS-routingLinuxSecure = default_es_cluster Splunk Enterprise transforms.conf: [default_es_cluster] ... DEST_KEY = _TCP_ROUTING FORMAT = es_cluster REGEX = . SOURCE_KEY = _raw ES props.conf: [rhel_dnf_log] ... SHOULD_LINEMERGE = True TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%Q TRANSFORMS-routingLinuxDNF = default_rosen_cluster ES transforms.conf: [default_rosen_cluster] ... DEST_KEY = _TCP_ROUTING FORMAT = rosen_cluster REGEX = . SOURCE_KEY = _raw Example: Source: /var/log/dnf.log _time _raw host source index splunk_server count 2024-09-10 12:07:21 2024-09-10T12:07:21+0000 DDEBUG timer: config: 3 ms linuxsplixprd51.roseninspection.net (Indexer ES) /var/log/dnf.log last_chance linux_server linuxsplixprd01.roseninspection.net linuxsplixprd51.roseninspection.net 2 2024-09-11 12:24:31 2024-09-11T10:24:31+0000 DDEBUG timer: config: 4 ms linuxsplixprd01.roseninspection.net (Indexer Splunk Enterprise) /var/log/dnf.log linux_server linuxsplixprd01.roseninspection.net 1 2024-09-10 13:15:04 2024-09-10T11:15:04+0000 DDEBUG timer: config: 3 ms linuxsplshprd50.roseninspection.net (Search head ES) /var/log/dnf.log last_chance linux_server linuxsplixprd01.roseninspection.net linuxsplixprd50.roseninspection.net 2 2024-09-10 13:22:53 2024-09-10T11:22:53+0000 DDEBUG Base command: makecache linuxsplshprd01.roseninspection.net  (Search head Splunk Enterprise) /var/log/dnf.log linux_server linuxsplixprd01.roseninspection.net 1 2024-09-11 11:55:51 2024-09-11T09:55:51+0000 DEBUG cachedir: /var/cache/dnf kuluxsplhfprd01.roseninspection.net (Heavy Forwarder) /var/log/dnf.log linux_server linuxsplixprd01.roseninspection.net 1 Any idea how i can achieve to get rid of those duplicate events at the source cluster (last_chance)? ... View more

Re: Bitlocker Windows Events Inputs.conf

by in Getting Data In
‎06-17-2024 12:33 PM
‎06-17-2024 12:33 PM
Hi,  I know this post is quite old but anyway, here is my stanza which is working fine: [WinEventLog://Microsoft-Windows-BitLocker/BitLocker Management] index = windows disabled = 0 renderXml = 1 evt_resolve_ad_obj= 1 start_from = oldest current_only = 0 checkpointInterval = 5 sourcetype=XmlWinEventLog   Did you check the Splunkd.log on you UF on start? Maybe the user running Splunk Forwarder Service is not able to access the logs. Or there are just no logs available? On my site it is not written very frequently.  The Splunk_TA_windows is also required on the UF.  ... View more

Re: XML Field extraction from Syslog messages

by in Splunk Search
‎06-07-2024 05:30 AM
‎06-07-2024 05:30 AM
Hi rsreese,  i know this post is some years old already but maybe it can help someone in the future. The McAfee ePO or now called Trellix Orchestrator can only sent data to tcp ports via SSL.  So switch the input from [tcp://514] to [tcp-ssl:514]. Be sure to fulfill the configuration requirements for tcp-ssl inputs.  ... View more

Re: TLS validation fails in connection from search...

by in Security
‎12-12-2023 12:07 AM
‎12-12-2023 12:07 AM
We have the same issue.  Any news on this how to fix? ... View more

Re: cliVerifyServerName failing because Splunk sta...

by in Splunk Enterprise
‎10-23-2023 06:17 AM
‎10-23-2023 06:17 AM
You got that fixed? ... View more

Persistent Queue logging

by in Monitoring Splunk
‎09-20-2023 02:07 AM
‎09-20-2023 02:07 AM
Hi,  we implemented persistent queues to catch high latencies between the locations.  E.g. Connection is down for some minutes / hours and the firewall is not buffering logs itself so it gets lost if queues are filled up..  Is there a way to monitor the persistent queues? Fill ration or other metrics?    I dont want to build custom scripts collecting bash information.   ... View more

Re: Issue with Dashboard - browser needs to be ref...

by in Dashboards & Visualizations
‎09-04-2023 12:26 AM
‎09-04-2023 12:26 AM
Hi @kozanic_FF, did you solve the problem? ... View more

Re: SSL error with tcp-ssl input

by in Getting Data In
‎01-11-2023 12:31 AM
‎01-11-2023 12:31 AM
Hi,  having the exact same issue. Were you able to fix it? ... View more

Re: Reduce license usage for performance data from...

by in Getting Data In
‎11-15-2022 11:29 PM
‎11-15-2022 11:29 PM
A transforms INGEST_EVAL did the magic. INGEST_EVAL = queue=if(match(_raw, "vm-") AND (random()%100)!=0, "nullQueue", "indexQueue") ... View more

Re: How to ignore and stop indexing of timestamps ...

by in Getting Data In
‎07-12-2022 05:59 AM
‎07-12-2022 05:59 AM
Hi @krish3 , This i a very old post but maybe worth a try - did you fix the csv input? Im currently facing the same to force the timestamp of the current time and not using the timestamp written into the csv...  Regards ... View more

Re: Force splunk to get timestamp of file created

by in Getting Data In
‎07-12-2022 04:40 AM
‎07-12-2022 04:40 AM
Hi @kannu, did this fix your problem? Currently im facing the same, set DATETIME_CONFIG = Current - this inserts the file now in my configured schedule but only the headers of the CSV file..  Any suggestions? ... View more

Re: Why my csv file indexed only the header ?

by in Getting Data In
‎07-12-2022 04:36 AM
‎07-12-2022 04:36 AM
Hi @mah, did you fixed the problem? Im currently facing the same. ... View more

Reduce license usage for performance data from Add...

by in Getting Data In
‎02-01-2022 05:12 AM
‎02-01-2022 05:12 AM
Hi,  i already did some research but seems our case is a bit special: We colllect inventory and performance data from our vCenters with the Add-On for VMware (Splunk_TA_vmware) in version 4.0.2. The heavy forwarder running this TA is also the DCN.  I am not able to restrict data collection of performance data with the given options.  The interval can be set to higher or lower value but the data gathered from the worker is still the same. It collects all since the last input.  Due to the fact, that we dont need performance data every 20 seconds - i would prefer an 1 hour average event . Or if not possible 1 Events per 30 minutes with the latest values.  Is there a way to achieve this? Doesn't matter if it is by design or splunk workaround.  Example raw data: vm-44 500c714d-861b-2f53-1f7f-16d8e72c4e28 aggregated 20 0.04 0.04 2.79 2.73 389 410  ... View more

Re: Status code=responder, SSO disabled

by in Security
‎08-30-2021 04:16 AM
‎08-30-2021 04:16 AM
Hi, we also get this error in a new instance. Old configurations on other systems are working fine and ADFS seems to be configured correctly (like the working one).  EDIT: pl2345 answer resolved it! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-19-2025 05:09 PM
Karma given to