Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About davidoff96
davidoff96
Path Finder
Member since:
09-09-2021
2 weeks ago
Community Statistics
| Posts | 23 |
| Solutions | 4 |
| Karma Given | 8 |
| Karma Received | 7 |
| Member Since | 09-09-2021 |
Activity Feed
- Got Karma for Re: How to set the _time in SC4S events to the current time/time event was recieved??. 2 weeks ago
- Posted Re: How to set the _time in SC4S events to the current time/time event was recieved?? on Getting Data In. 2 weeks ago
- Posted How to set the _time in SC4S events to the current time/time event was recieved? on Getting Data In. 2 weeks ago
- Tagged How to set the _time in SC4S events to the current time/time event was recieved? on Getting Data In. 2 weeks ago
- Tagged How to set the _time in SC4S events to the current time/time event was recieved? on Getting Data In. 2 weeks ago
- Tagged How to set the _time in SC4S events to the current time/time event was recieved? on Getting Data In. 2 weeks ago
- Tagged How to set the _time in SC4S events to the current time/time event was recieved? on Getting Data In. 2 weeks ago
- Posted Re: sc4s app_parsers don't seem to work on Getting Data In. a month ago
- Posted sc4s app_parsers don't seem to work on Getting Data In. 09-08-2025 01:45 PM
- Tagged sc4s app_parsers don't seem to work on Getting Data In. 09-08-2025 01:45 PM
- Tagged sc4s app_parsers don't seem to work on Getting Data In. 09-08-2025 01:45 PM
- Tagged sc4s app_parsers don't seem to work on Getting Data In. 09-08-2025 01:45 PM
- Posted Monitoring SQLite DB through DB connect giving "null of stanza <stanza_name> does not exist" on All Apps and Add-ons. 12-19-2024 06:42 AM
- Karma Restoring Splunk User Search History for malbert_1. 11-15-2024 07:34 AM
- Karma Re: Restoring Splunk User Search History for malbert_1. 11-15-2024 07:34 AM
- Posted Re: Failing KVstore after upgrade on Installation. 07-08-2024 09:46 AM
- Posted Re: SentinelOne Application Risk channel stopped ingesting events on All Apps and Add-ons. 07-08-2024 09:43 AM
- Got Karma for Re: Add-on Builder "New Input" not updating. 06-18-2024 01:44 PM
- Got Karma for Re: Add-on Builder "New Input" not updating. 04-24-2024 04:46 AM
- Got Karma for Re: Add-on Builder "New Input" not updating. 01-18-2024 07:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
1 Karma
Answering my own question, mostly in case I need to do this again in the future: You can make sc4s set the _time to R_UNIXTIME (aka, the time syslog-ng actually recieved the event) by adding the following to the compliance_meta_by_source.csv file: f_name,.netsource.sc4s_use_recv_time,"yes" Explanation: I noticed that you could do this because I cloned the repo, desperate for any sort of help I could get. In the project, you can find this funny little line tucked away: Which apparently, though not documented anywhere I'm aware of, controls whether an event has the _time set to the time syslog-ng "guesses", or the time the event came in. I tested it on a noisy source, and you can see here that R_UNIXTIME and _time are the same: In this example, test_time_stamp was hard coded to be R_UNIXTIME, and test_time_stamp_actual was evaled to be the event _time. So the issue was with Dell Avamar specifically, so I did the following in compliance_meta_by_source.conf: And the following in compliance_meta_by_source.csv: Wanted to post this because I have had almost 0 luck with the documentation for sc4s in the past. Here's to any future sc4s spelunkers
... View more
2 weeks ago
Some data would be mistagged as a different time zone, or would come in very late and would miss our alarms, since the _time was set in the past. Management also prefers our _time be essentially index time. How would I set that? The following does NOT work in compliance_meta_by_source.csv: f_name,.splunk._time,${R_UNIXTIME} f_name,.splunk.time,${R_UNIXTIME} f_name,.fields.time,${R_UNIXTIME} f_name,.fields._time,${R_UNIXTIME}
... View more
Labels
- Labels:
-
syslog
a month ago
Hoookay, I managed to get it to work. I changed several things and then it worked, so lord knows which of these actually fixed it. First, my app parser: block parser app-syslog-cisco_merakinix() {
channel {
rewrite {
r_set_splunk_dest_default(
index('mymeraki')
sourcetype('meraki:syslog')
vendor("cisco")
product('meraki')
template('t_hdr_msg')
);
};
};
};
application app-syslog-cisco_meraki_nix_app[sc4s-syslog] {
filter {
match("*src=*dst=*mac=*request:*" value("MSG") type(glob))
};
parser {
app-syslog-cisco_merakinix();
};
}; The things I changed that made it work: I placed it inside the syslog folder within app_parsers instead of in the same directory as that folder (so, the full path of the file was /data/sc4s/local/config/app_parsers/syslog/app-syslog-cisco_meraki_from_nix.conf) I changed the square bracket contents to "sc4s-syslog". I still have no idea what the square brackets mean, but my running theory is that string tells sc4s what data sources should be run through this (previously I had sc4s raw. this was a syslog ingest) I made sure the template() was set in the rewrite function. I think that may be a required field. Finally, an issue with the original post was I was looking for the message in "MSG", and the app, which was (null), was not included in the MSG. That was the "program" field in syslog-ng. Also, I tried using RAWMSG, but that is NOT supported in sc4s. There is a way you can configure that to work, but their own docs say you shouldn't do it unless you are testing.
... View more
09-08-2025
01:45 PM
Hello, We're currently having an issue of SC4S tagging Cisco firepower data as nix:syslog, but I was having this issue even when I was doing some testing on a dev instance. Example log (only the starting section) (null) %NGIPS-7-430003: EventPriority: Low, DeviceUUID:.... And I basically want to match only on that starting "(null) %NGIPS-" My conf file (app_parsers/app-syslog-cisco_firepowernull.conf): block parser app-syslog-firepowernull() {
channel {
rewrite {
r_set_splunk_dest_default(
index("main")
sourcetype('cisco:firepower:syslog')
vendor("cisco")
product("firepower")
);
};
};
};
application app-syslog-firepowernull[sc4s-syslog] {
filter {
message("*(null) %NGIPS*" type(glob));
};
parser { app-syslog-firepowernull(); };
}; I made no other changes. I am aware I can also change this with the compliance csv, but I'd rather do it this way, especially if we will have new log sources in the future. After making these changes and reloading (and I know that syslog-ng can see it, because I had a typo originally and it crashed lol), the logs are still tagged with vendor as "nix" and product as "syslog". The sourcetype is also still nix:syslog. Am I missing something? I found the documentation confusing when regarding this. Also, what does the [] mean in the application name? I have tried several different values, and it seemed to make no difference.
... View more
- Tags:
- app_parser
- SC4S
- syslog
12-19-2024
06:42 AM
I have been trying to monitor a SQLite database, and have been having nothing but problems. I managed to find some stanzas that apparently worked for other people, notably this one: https://community.splunk.com/t5/All-Apps-and-Add-ons/Monitor-SQLite-database-file-with-Splunk-DB-Connect/m-p/294331
I am actually able to see the driver in the installed drivers tab, and I can see my stanza within possible connections when trying to test a query:
I used exactly what was in that previous question and that didn't work, and I tried several other changes, and currently have this:
db_connection_types.conf:
[sqlite]
displayName = SQLite
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
jdbcDriverClass = org.sqlite.JDBC
jdbcUrlFormat = jdbc:sqlite:<database>
ui_default_catalog = main
database = main
port = 443
db_connections.conf:
[incidents]
connection_type = sqlite
database = /opt/tece/pb_data/data.db
host = localhost
identity = owner
jdbcUrlFormat = jdbc:sqlite:<database>
jdbcUseSSL = 0
I am getting this error now:
I also see this in the logs:
2024-12-19 14:38:59.018 +0000 Trace-Id= [dw-36 - GET /api/inputs] INFO c.s.d.s.dbinput.task.DbInputCheckpointFileManager - action=init_checkpoint_file_manager working_directory=/opt/splunk/var/lib/splunk/modinputs/server/splunk_app_db_connect
2024-12-19 14:39:15.807 +0000 Trace-Id=6dac40b0-1bcc-4410-bc28-53d743136056 [dw-40 - GET /api/connections/incidents/status] WARN com.splunk.dbx.message.MessageEnum - action=initialize_resource_bundle_files error=Can't find bundle for base name Messages, locale en_US
I have tried 2 seperate SQLite drivers, the most up to date one, and the one specifically for the version of the database of SQLite that I am using.
Anyone have any ideas?
... View more
Labels
- Labels:
-
administration
-
troubleshooting
07-08-2024
09:46 AM
Which server.pem file did you delete? You should also run a btool to see what cert is being used: $SPLUNK_HOME/bin/splunk btool server list --debug | grep -i "ssl"
... View more
07-08-2024
09:43 AM
Just a heads up, this add-on has been archived and a new version of it exists: https://splunkbase.splunk.com/app/5435 That may be the issue. What is confusing is there aren't even any errors/warnings or anything in the logs. What search where you using, and does anything stand out, like a 404/401 error or anything
... View more
03-21-2023
06:12 AM
I tried to do this, as did another person I spoke to privately on here, and we have determined it is not possible: https://community.splunk.com/t5/Dashboards-Visualizations/400-Error-while-rendering-splunk-into-an-iframe/m-p/568621 Essentially the cookies are "3rd party cookies" as they are not from your site. I believe there is actually a setting in your browser you can change to allow these. This worked for me a while ago. I am not sure if it works currently as I do not have Splunk in an iframe anymore. When I told my manager this, they immediately dropped the ask and stopped the idea of the iframe.
... View more
01-19-2023
01:29 PM
One other thing to note is you may need to change your "MAX_TIMESTAMP_LOOKAHEAD" in the props.conf since the default is 128. Wouldnt explain why it works in default vs local, but something to consider.
... View more
01-19-2023
01:27 PM
If I understand this correctly, this is for this add-on: https://splunkbase.splunk.com/app/3757 Which sourcetype are you seeing _time issues with? Each sourcetype has a different method of getting _time (some use "createdDateTime", others use CURRENT).
... View more
10-26-2022
06:23 AM
1 Karma
Extremely late to the party, but I was also having this same issue. Figured I'd answer here in case anyone else was wondering. I was thinking of trying to get the input name and appending it to the checkpoint. This, of course, cannot be found in the documentation of the AOB from what I've seen. Here's what I've ended up doing. If you call "helper.get_input_stanza()", it will give you a dictionary of a single dictionary. The key for that dictionary is your inputs name. So you could just do a "list(helper.get_input_stanza().keys())[0]". That dictionary looks like this: HOWEVER! This does not look the same in the AOB. You should still be able to use that .keys()[0] in the code, but the output will look different. So I guess be forewarned if you want to try to access name/disabled in your code. Hopefully this helps, and I will be using this in my custom add-ons now as well too. I now use this function: def get_input_name(helper):
return list(helper.get_input_stanza().keys())[0] Another thing to note that is if you change your input's name, it will lose that checkpoint value. So there may be duplication there.
... View more
10-06-2022
02:35 PM
Alright - the issue was that the sourcetype for the metrics events had to have "INDEXED_EXTRACTIONS=json" in the props.conf. Once I had changed that, I was able to see those values in the metrics index.
... View more
10-06-2022
07:21 AM
This is through the add-on builder. When I send the metric through to a normal index, it looks like this: And my code for generating it looks like this: data = { 'metric_name:tests_performed:testing': 4 } event = helper.new_event(source=helper.get_input_type(), index='test-metrics', sourcetype=helper.get_sourcetype(), data=json.dumps(data)) ew.write_event(event) Where index test-metrics is an index I have set up with the metrics type
... View more
10-05-2022
01:17 PM
Hello,
I have to manipulate some data from an api, and send those events to splunk. One set of the api has to go to a normal index, but a subset of the data has to go to a metrics index, which is defined as an input in the add-on configuration.
However, when I try to send events to the metrics, I don't get anything showing up there. I have tried the following:
Prepending "metric_name:" to the field name for the metric
Making a new add-on to only send data to metrics (very simple create an event and send it)
In that same add-on, create the event, and send it to the index defined in the config, and defined my metrics index in that config
None of these worked. Is there a special way to send these to metrics indexes?
... View more
Labels
- Labels:
-
development
06-02-2022
11:24 AM
5 Karma
As an update, I found the solution. What you need to do is increment the version number in the add-on properties. So if you make it 1.0.0, and then later on you add a new input, you need to update it to 1.0.x or whatever. Once that is done, the app will show the new input. I only found this by changing it on a whim, since I couldn't find anything about this in the docs.
... View more
05-27-2022
08:55 AM
Hello. I am making an app in the add-on builder with multiple inputs. So naturally, once I am done and have saved the add-on, I end up with something like this:
However, when I make any updates to the app (adding a new input/ deleting an existing input) this drop down refuses to update. Is there another file I need to make a change to within the app? I looked in the UI/Nav folders but nothing stood out to me.
... View more
Labels
- Labels:
-
configuration
-
development
09-30-2021
02:15 PM
I am also currently having this issue. Has anyone found some sort of work around?
... View more
09-30-2021
01:45 PM
Okay, so I now realize it isn't only an issue with splunk. If signing into the iFrame from splunk on chrome, it fails, and it also displays that "No Cookie Support Detected". However, if I do it from firefox, the issue no longer shows up. I believe this is due to how the browsers render these iframes? Is there anyway to resolve this in chrome?
... View more
09-28-2021
06:44 AM
Hey efav, so my company doesn't want a dashboard being embeded, they want the entire application. By that I mean they want to be able to access search and reporting from the iframe, the settings for a user, etc. So that wouldn't work since it's only for 1 dashboard. I made a topic previously trying to ask if I could change the style of some "_Layout"-esque file, but the consensus seemed to be no.
... View more
09-27-2021
11:11 AM
Hello. I am trying to show our splunk instance inside another one of our application's webpages, so it can have our styling applied to splunk. (basically putting our company sidebar on the left, then with the rest of the page rendering our splunk application). Initially had the problem that it wouldn't load because of the same-origin header, so I was able to resolve that. However, now when I try to login through that iframe, I get a 400 error. The only information returned by that error is "{"status":2}". It also says server error under the login. Any ideas what this error might be, and why it may be happening?
... View more
Labels
- Labels:
-
CSS
09-13-2021
07:34 AM
Thats a great idea Jhan. I needed it to be site/application wide though. Is there an xml file I can edit to change the layout on every page? Sort of like a _Layout.cshtml in asp.net?
... View more
09-10-2021
11:14 AM
Hey Ismo, Thanks for the reply. I believe my company is actually currently doing that, so the navbar at the top looks correct. Its just that we want a sidebar on the left. Or is there some js file I can edit that will run on page load, where I can modify the html? I could add it through that if needed (though I'd rather not write the html in the javascript)
... View more
09-09-2021
12:29 PM
Hello, My company has a sidebar that is consistent throughout all our other internal applications, and we were trying to get that same sidebar on our Splunk instance as well. We wanted to add a custom sidebar, with links to other pages from there (sort of looks like the bootstrap 5 sidebar https://getbootstrap.com/docs/5.0/examples/sidebars/), within all the apps (home/search/etc). Is there anyway this can be done? When I looked elsewhere for tips on styling the UI, most of them were for styling the dashboards themselves. Is there also a way to include a custom javascript file within that UI as well? I am new to splunk, so maybe I am not looking in the right areas.
... View more
Labels
- Labels:
-
CSS
-
javascript
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
