About TheEggi98

TheEggi98 · ‎08-29-2024

Alright Thank you i will use sourcetype and index overriding and then make the data of the newly added available for our qs cluster to build dashboards

TheEggi98 · ‎08-29-2024

Hi @gcusello thanks for the fast response. if im not wrong i theoretically could bypass the precedence by doing this (at least btool dont complain) but i will not do that [monitor://<path to logfile>.log] ... [monitor://<path to same logfile>.lo*] ... When overriding sourcetype and index on the indexer, am i able to route data of the second sourcetype to our qs cluster to build dashboards?

TheEggi98 · ‎08-28-2024

Hi there, i have a file monitoring stanza on a universal forwarder where i filter using transforms.conf to only get logentries i need, because the server writes logentries of multiple business processes into the same logfile. Now i need entries of another process with different ACL in a different index from that logfile but in our QS cluster while the first datainput still ingests into our PROD cluster So i have my inputs.conf [monitor://<path_to_logfile>] disabled = 0 index = <dataspecific index 1> sourcetype = <dataspecific sourcetype 1> a props.conf [<dataspecific sourcetype 1>] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TRUNCATE = 1500 TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = [%y/%m/%d %H:%M:%S] TRANSFORMS-set = setnull, setparsing and a transforms.conf [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (<specific regex>) DEST_KEY = queue FORMAT = indexQueue As standalone Stanza i would need the new input like this, with its own setparsing transforms [monitor://<path_to_logfile>] disabled = 0 index = <dataspecific index 2> sourcetype = <dataspecific sourcetype 2> _TCP_ROUTING = qs_cluster to be honest i could just create a second stanza thats a little different and still reads the same file, but i dont want two tailreader on the same file. What possibilities do i have? Thanks in advance

TheEggi98 · ‎06-24-2024

Hi there, for better visibility i built a dashboard for indexer restarts, this dashboard is based on the _internal index and the /var/log/messages from the indexers themself. I would like to add the Info how the restart was triggered. so i can see whether the restart came from the manager (WebUI: Configuration Bundle Actions) or was done via the cli. Does Splunk log this? If yes where do i find that info? Thanks in advance!

TheEggi98 · ‎04-26-2024

As Workaround i now used CSS to hide the "View on Mobile" button. .view-mobile { display: none !important; }

TheEggi98 · ‎04-25-2024

Thank you, found the authentication.conf with LDAP Configuration on our indexers

TheEggi98 · ‎04-25-2024

Hi, i have a question on Authenticating to IDX Cluster Peer via REST. We have the following Environment: 3 IDX in Cluster 3 SH in Cluster 1 CM (License Manager, IDX Cluster Manager, Deployer & Deploymentserver) Our normal Authentication for Web is currently with LDAP. With my LDAP-User i can directly perform a GET request to an Indexer, but with a local User created over WebUI (tried local user in SHC and on CM) i cant perform any request to an indexer. The WebUI is disabled on the Indexers and they dont have the LDAP Configuration as the Searchheads does. How does it come, that the Indexer know my LDAP User but not the locally created? And how can i let the indexers to get to know a locally on SH or CM created user?

TheEggi98 · ‎04-02-2024

Hi fellow Splunkers, i recently came across an authentication Token created by splunk-system-user and i had no clue where this token came from and my splunkadmin colleagues didnt created the token either. Is it a feature/normal that Splunk will generate a Token every single time you click on "view on mobile" from the menu of a xml dashboard? Can we turn it off? We dont want users to be able to freely create an infinite amount of authentication tokens, because it would make overview of tokens way harder and we dont have configured the secure gateway.

TheEggi98 · ‎12-22-2023

We have that false positives lately too and we found out with helkp of the following search that our peers ran into authTokenConnectionTimeout which defaults to 5 seconds authTokenConnectionTimeout is located in distsearch.conf index=_internal (GetRemoteAuthToken OR DistributedPeer OR DistributedPeerManager) source!="/opt/splunk/var/log/splunk/remote_searches.log" | rex field=_raw "Peer:(?<peer>\S+)" | rex field=_raw "peer: (?<peer>\S+)" | rex field=_raw "uri=(?<peer>\S+)" | eval peer = replace(peer, "https://", "") | rex field=_raw "\d+-\d+-\d+\s+\d+:\d+:\d+.\d+\s+\S+\s+(?<loglevel>\S+)\s+(?<process>\S+)" | rex field=_raw "\] - (?<logMsg>.+)" | reverse | eval time=strftime(_time, "%d.%m.%Y %H:%M:%S.%Q") | bin span=1d _time | stats list(*) as * by peer _time | table peer time loglevel process logMsg

TheEggi98 · ‎11-22-2023

Hello @Stives , How does your Inputstanza looks like? If no crcSalt is specified in the stanza, Splunk will look into the first (i think 256) Bytes of a file and determines based on that if it already know the File. If the first Bytes in the CSV files will always be the same you could change your inputstanza and add crcSalt = <SOURCE> docs to monitoring stanza for a deeper look into crcSalt: https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf#MONITOR: But be cautious, this will tell splunk to watch for the full path to determine if this file is already been indexed, so there is a possibility that you index the same file twice. Especially for Directories with rolling logfiles. Other possibility could be that the dates are out of the retention time scope. (If the files got indexed once but due to retention time got removed again when its bucket is not hot anymore)

TheEggi98 · ‎08-11-2023

Did the blacklist/whitelist got replaced by denylist/allowlist in Splunk 9? In some Blogs i read that Splunk 9 replaced blacklist with denylist? Or is blacklist still usable? In the Changelogs of Splunk 9 i didnt found any evidence for the change, but the Splexicon and some Blogs say something different. https://docs.splunk.com/Splexicon:Denylist https://www.splunk.com/en_us/blog/leadership/biased-language-has-no-place-in-tech-a-follow-up.html?locale=en_us Thanks for explanation 🙂

TheEggi98 · ‎08-08-2023

I just found an imo ugly Workaround for that. Basically its not directly postprocessing search. Its using the SID of the basesearch and loads it using | loadjob with the "postprocessing" query, that creates an own SID for the further search, that can be used to export the results. But i have no clue how its differs to postprocessing searches in terms of performance/resource usage <form theme="dark" version="1.1"> <label>test</label> <search id="baseSearch"> <query> index="test" | table A B C D E F _time </query> <earliest>-7d@d</earliest> <latest>now</latest> <done> <set token="job_to_exportTocsv">$job.sid$</set> </done> </search> <row> <panel> <html depends="$job_exportTocsv$"> <a target="_blank" class="btn" href="/api/search/jobs/$jobexportTocsv$/results?isDownload=true&maxLines=0&count=0&filename=csv_export&outputMode=csv" role="button">CSV Export</a> </html> <table> <search> <query> | loadjob $job_to_exportTocsv$ | stats count by A | addinfo </query> <done> <set token="job_exportTocsv">$job.sid$</set> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>

TheEggi98 · ‎03-15-2023

Oh, I didnt knew that. Where is that info? In the Docs Define tokens for conditional operations with form inputs i cant find that info.

TheEggi98 · ‎03-15-2023

@annisha26 You can easily do that with the following: <input type="multiselect" token="panelTok" searchWhenChanged="true"> <label>select Panels to show</label> <choice value="1">Entry1</choice> <choice value="2">Entry2</choice> <choice value="3">Entry3</choice> <choice value="4">Entry4</choice> <change> <eval token="DisplayPanel1">if(isnull(mvfind($panelTok$, "1")),null(),true())</eval> <eval token="DisplayPanel2">if(isnull(mvfind($panelTok$, "2")),null(),true())</eval> <eval token="DisplayPanel3">if(isnull(mvfind($panelTok$, "3")),null(),true())</eval> <eval token="DisplayPanel4">if(isnull(mvfind($panelTok$, "4")),null(),true())</eval> </change> </input>

TheEggi98 · ‎03-14-2023

Hello Splunk Community, to get into ReactJS and the Splunk UI-Toolkit i created a small App with a Component, thats fetching the Splunk-Roles and the LDAP-groups from splunks REST-API for easy mapping of matching groups and roles. Fetching of the roles work, but the groups dont. Codeside i fetch against '/splunkd/services/admin/LDAP-groups?output_mode=json' That respond with 303 see other and refers to '<locale>/splunkd/services/admin/LDAP-groups?output_mode=json' where i get the 404 Page not Found response. Searching for the requestId shows following: proxy:132 - Resource not found: services/admin/LDAP-groups error:321 - Masking the original 404 message: 'Resource not found: services/admin/LDAP-groups' with 'Page not found!' for security reasons My User has the change_authentication capability, so theoretically it should work. Am i doing something wrong? Or is that endpoint denied by default if its not splunk itself?

TheEggi98 · ‎02-27-2023

Im using DBConnect 3.11.0 and cant add or change the description of Inputs via the GUI. It appears since ive upgraded from version 3.8 I can click inside the Textarea and the cursor is shown as normal, but no Keystroke is taken and i cant even delete text out of it. As workaround i`ll use config explorer with debug/refresh but i dont want to use it everytime when creating the description for a new input or changing the description of an existing input. Is this a known issue? Does anyone alse have this behavior too?

TheEggi98 · ‎02-09-2023

I have a similar Problem. I call a Dashboard with <URL To Dashboard>?form.dropdown1=val1&form.dropdown2=val2&form.show_panel_tok=panel1 In the called Dashboard i have ... <init> <eval>token="show_panel1_tok">if($form.show_panel_tok$=="panel1",true(),null())</eval> <eval>token="show_panel2_tok">if($form.show_panel_tok$=="panel2",true(),null())</eval> </init> ... <panel depends="$show_panel1_tok$"> ... <panel depends="$show_panel2_tok$"> ... the dropdown inputs dropdown1 and dropdown2 are showing the given value, but the evaluated tokens from init do sometimes work but mostly dont. Could it be a timing problem of splunk? If yes does anyone know a workaround?

TheEggi98 · ‎01-18-2023

Not the most recent Topic, but it got shown first, so i'll post my approach here. Recently i had similar difficulties and ended up with a solution with way less lines and without much <set> ans <unset> Dropdown: <input type="dropdown" token="dropdownTok" searchWhenChanged="true"> <label>dropdown</label> <choice value="all">All</choice> <choice value="1">Entry1</choice> <choice value="2">Entry2</choice> <choice value="3">Entry3</choice> <choice value="4">Entry4</choice> <change> <eval token="DisplayPanel1">if($value$="1",true(),if($value$="all",true(),null()))</eval> <eval token="DisplayPanel2">if($value$="2",true(),if($value$="all",true(),null()))</eval> <eval token="DisplayPanel3">if($value$="3",true(),if($value$="all",true(),null()))</eval> <eval token="DisplayPanel4">if($value$="4",true(),if($value$="all",true(),null()))</eval> </change> <default>all</default> </input> That couple of lines inside <change> allows to set/unset the Tokens without <condition> I simply can u8se depends="$DisplayPanel2$" and that Row/Panel only shows up when all or Entry2 is selected

TheEggi98 · ‎09-21-2022

Hi Splunkers, i work with Splunk Enterprise and wonder if i can modify content in share folder. I would like to change the fonts of the web-GUI to our corporate fonts and found the fonts used by splunk in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/fonts and the CSS for that in ../exposed/build/css/bootstrap-enterprise.css (searched for proxima in the css) Will it have any Impact on splunk Version updates or Splunksupport if i change the Fonts to corporate Fonts? Thanks in Advance for your answers

TheEggi98 · ‎07-04-2022

For testing stuff i sometimes do the following search for incremental counts: | makeresults count=10 ```for generating 10 tablerows``` | streamstats count ```for count upwards with the rows, starting with 1``` For "saving" the last count you could write that into an Index or into a Lookup or count the data that already got counted incrementally. and add that to a new incremental count.

TheEggi98 · ‎01-31-2022

After several testing i found the solution working for me. Within Config Explorer for a footer Linebreak you have to put a \ followed by an Editor-Linebreak

TheEggi98 · ‎01-18-2022

Hello Splunkers, for our email alerts i want a custom footer, but it seems no linebreak works. i already tried \ like it is in the standard footer, \r\n and just pressing enter and shift + enter. If it matters, i use the config explorer for that in Splunk Enterprise 8.2.0. thanks for help 🙂

TheEggi98 · ‎01-05-2022

The Problem is fixed now. It wasnt directly Splunk. The Logs were written line by line, and that caused Splunk to rip the events apart. Now the logs get written in a file not monitored by UF and after writing the file gets renamed so the UF monitors it.

TheEggi98 · ‎01-04-2022

Hello Splunkers, i need help. I have multiline logs looking like: 01/04/22 03:00:00 MONITOR_RAP: blah blah: blah ; blah ; blah ; blah ; blah ; 01/04/22 07:00:00 MONITOR_RAP: blah blah: blah ; blah ; blah ; blah ; blah ; i ingest them with the following sourcetype stanza: [mysourcetype] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE_DATE = true TRUNCATE = 1000 TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 17 TIME_FORMAT = %m/%d/%y %H:%M:%S The Universal Forwarder monitors the Directory where the logs landing. The first ingestion succeded without problems but when new logs written in the logfile of today, the parsing made multiple events out of the new logentries. The monitor Stanza: [monitor://<path>/*.log] disabled = 0 sourcetype = mysourcetype index = myindex So the first couple events were parsed like it should but when new logs arrived splunk made multiple events like (the codeblocks represent one multiline event, each codeblock represents a wrong parsed event in splunk): 01/04/22 03:00:00 blah: blah ; blah ; blah ; blah; blah ; What is wrong? Is it maybe a bug? I dont get it.

TheEggi98 · ‎10-11-2021

@kamlesh_vaghela No, i dont get any errors from the JS. I think the Error you get, depends on the used Browser or the settings in splunks internal webserver. Wich Browser are you using? I use OperaGX

Posts	39
Solutions	3
Karma Given	13
Karma Received	4
Member Since	‎09-02-2021

Online Status	Offline
Date Last Visited	‎09-23-2024 05:40 AM

Multiple Inputs on the same File

Logging of Restart Trigger

REST Authentication to IDX Cluster Peer

"View on Mobile" button automatically creates Auth...

Splunk 9 blacklist or denylist?

UI-Toolkit React-App unable to fetch REST-Endpoint...

DBConnect cant add description via GUI

Changes in $SPLUNK_HOME/share?

Linebreak in footer.text in email Stanza

Parsing multiline does not working as expected

Re: Multiple Inputs on the same File

Re: Multiple Inputs on the same File

Multiple Inputs on the same File

Logging of Restart Trigger

Re: "View on Mobile" button automatically creates ...

Re: REST Authentication to IDX Cluster Peer

REST Authentication to IDX Cluster Peer

"View on Mobile" button automatically creates Auth...

Re: Why am I getting a false DMC Alert that search...

Re: Monitoring of files

Splunk 9 blacklist or denylist?

Re: How can I effectively retrieve the SIDs for ea...

Re: How to make panel depend on token value?

Re: How to make panel depend on token value?

UI-Toolkit React-App unable to fetch REST-Endpoint...

DBConnect cant add description via GUI

Re: Using url form parameters in section of dashb...

Re: How to make panel depend on token value?

Changes in $SPLUNK_HOME/share?

Re: Assign values in increment order to each value...

Re: Linebreak in footer.text in email Stanza

Linebreak in footer.text in email Stanza

Re: Parsing multiline does not working as expected

Parsing multiline does not working as expected

Re: Usage of JS in Dashboards