Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About _pravin
_pravin
Communicator
Member since:
12-01-2021
2 weeks ago
Community Statistics
| Posts | 90 |
| Solutions | 2 |
| Karma Given | 39 |
| Karma Received | 4 |
| Member Since | 12-01-2021 |
Activity Feed
- Karma Re: Unable to push configuration bundle for gcusello. 01-16-2025 09:29 AM
- Posted Re: Unable to push configuration bundle on Installation. 01-16-2025 08:47 AM
- Posted Unable to push configuration bundle on Installation. 01-16-2025 08:00 AM
- Got Karma for Re: Indexer Web UI is not available after migrating Cluster master hardware. 12-20-2024 09:26 AM
- Posted Re: Indexer Web UI is not available after migrating Cluster master hardware on Getting Data In. 12-20-2024 08:34 AM
- Posted Re: Indexer Web UI is not available after migrating Cluster master hardware on Getting Data In. 12-20-2024 04:03 AM
- Karma Re: Swap indexers from indexer cluster with new peers for isoutamo. 12-18-2024 07:20 AM
- Karma Re: Indexer Web UI is not available after migrating Cluster master hardware for isoutamo. 12-18-2024 06:22 AM
- Posted Indexer Web UI is not available after migrating Cluster master hardware on Getting Data In. 12-16-2024 06:27 AM
- Posted Re: How to Identify which HF is sending logs/metrics on Getting Data In. 11-13-2024 02:26 AM
- Posted Re: How to Identify which HF is sending logs/metrics on Getting Data In. 11-13-2024 02:24 AM
- Posted How to Identify which HF is sending logs/metrics on Getting Data In. 11-12-2024 05:51 AM
- Posted Re: indexer not working after changing cluster configuration on Splunk Enterprise. 11-04-2024 06:50 AM
- Posted indexer not working after changing cluster configuration on Splunk Enterprise. 11-04-2024 03:48 AM
- Posted Re: DB connect page not loading on Splunk Enterprise. 10-30-2024 09:12 AM
- Posted Re: DB connect page not loading on Splunk Enterprise. 10-30-2024 06:54 AM
- Posted Re: DB connect page not loading on Splunk Enterprise. 09-30-2024 05:00 AM
- Posted Re: DB connect page not loading on Splunk Enterprise. 09-30-2024 04:14 AM
- Posted Re: DB connect page not loading on Splunk Enterprise. 09-30-2024 03:06 AM
- Karma Re: A custom JavaScript error caused an issue loading your dashboard. See the developer console for more details. for bowesmana. 08-22-2024 06:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-16-2025
08:47 AM
Hi @gcusello , We have enough space in the servers, it's not an issue with the disk. Thanks, Pravin
... View more
01-16-2025
08:00 AM
Hi, I am trying to push the configuration bundle from the CM to the indexers. I keep getting the error message "Last Validate and Check Restart: Unsuccessful" The validation is done for one of the indexers, and it's 'checking for restart' for the other two indexers. When I checked the last change date for all the indexers, only one of them has been updated and the other 2 are not. But it's opposite to what is shown in the UI of the CM. Regards, Pravin
... View more
12-20-2024
08:34 AM
1 Karma
I didn't copy all the files and directories mentioned by you and also didn't put the old CM in maintenance mode but did change the URL and FDQN for all the instances. Probably the problem arose from the fact that the production instance has a lot of moving data and not going into maintenance mode caused the problems. Even, the test site had moving data but did not have a lot of data like production. What was surprising is that there were no logs that showcase any exact reason of error. However, I used the techniques mentioned by you and was able to migrate CM to new hardware. Thanks to you @isoutamo
... View more
12-20-2024
04:03 AM
Hi @isoutamo , I followed a similar strategy and I'll list it below: Set up new CM, and turn on indexer clustering. Turn off the instance and copy 'etc/master-apps' and 'etc/manager-apps' Setup server.conf in the new instance with relevant changes ( pass4symkey in string format) Start the new CM Change the URL of the indexer cluster one by one. Finally, change the URL in the search head after the indexers are migrated. This had worked in the test environment but when it was time for the production setup, the indexers failed to connect and would keep stopping after changing to new CM. Regards, Pravin
... View more
12-16-2024
06:27 AM
Hi, Our Linux machine has reached the End of Support, so we are moving the Cluster Master from one machine to another. I set up the cluster master in the new hardware and it was working well, but when I changed the master node URL in the indexer it was not working. The indexer doesn't turn on by itself and even when I turn it on manually, the indexer stays running for some time but during that time the web UI of the indexer does not work. In some time the indexer stops automatically. The same happened for another indexer as well. When I revert to the old cluster master, all the issues are sorted automatically. Splunk indexer always keeps running, web UI is available. No issues are noticed. Any idea why the indexer keeps shutting down? I am Splunk version 9.0.4 Regards, Pravin
... View more
Labels
- Labels:
-
indexer
11-13-2024
02:26 AM
I use Splunk Enterprise 9.0.4 and I tried adding _meta field which didn't work. I also tried adding INGEST_EVAL to transforms and tried sending the data, still no luck identifying the source.
... View more
11-13-2024
02:24 AM
Hi @hieuba6868 , I am sending open telemetry data to heavy forwarder and the HF forwards the data to indexers. When I look at the field 'splunk_server' I can see only the name of indexers. If I look at the data I can see the name of the otel source. In my current scenario I want to know which is the HF sending the data. Regards, Pravin
... View more
11-12-2024
05:51 AM
Hi, I have incoming data from 2 Heavy Forwarders. Both of forward HEC data and the internal logs, how do I identify which HF is sending a particular HEC data? Regards, Pravin
... View more
Labels
- Labels:
-
heavy forwarder
11-04-2024
06:50 AM
Hi @PickleRick , Thanks for the response. I agree that usually web service would be disabled but we keep the UI so that we can see the changes. I managed to clean the indexer completely of all the configurations. Then recreate from backup and it worked. Thanks, Pravin
... View more
11-04-2024
03:48 AM
Hi, I am trying to change the indexer configuration from one cluster master to another but in the process of this change the indexer never starts. The web service log looks like below bash$ tail -f var/log/splunk/web_service.log
2024-11-01 16:26:18,141 INFO [6724f3196d7f1cd30e7350] _cplogging:216 - [01/Nov/2024:16:26:18] ENGINE Bus EXITED
2024-11-01 16:26:18,141 INFO [6724f3196d7f1cd30e7350] root:168 - ENGINE: Bus EXITED
2024-11-01 16:38:48,635 INFO [6724f608607f04aeca7810] __init__:174 - Using default logging config file: /data/apps/SPLUNK_INDEXER_1/splunk/etc/log.cfg
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.appserver.lib level=WARN
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.pdfgen level=INFO
2024-11-01 16:38:48,636 INFO [6724f608607f04aeca7810] __init__:212 - Setting logger=splunk.archiver_restoration level=INFO Now I have even removed the clustering configuration from the server.conf but still the same issue with the Splunk instance. Any one else face the same issue? Regards, Pravin
... View more
Labels
- Labels:
-
administration
-
configuration
-
upgrade
10-30-2024
09:12 AM
I have not had the issue where I can't see data @Strangertinz Pravin
... View more
10-30-2024
06:54 AM
Hi @Strangertinz , I tried the same steps done by you, going back and forth versions and had the same issues as mentioned. I think it's a bug in the splunk db connect app. Thanks, Pravin
... View more
09-30-2024
05:00 AM
I am using Splunk 9.2.2 Sorry that I forgot to mention the version of Splunk in the earlier version.
... View more
09-30-2024
04:14 AM
Thanks @isoutamo , that's pretty much what I am looking. I don't know if that a version issue/bug but only difference I can find between the working install and non working install is the linux kernel that I am use. kernel version DB connect version - Not Working DB connect version - working 3.10.0 3.17.0 / 3.18.0 3.16.0 5.14.0 - 3.17.0 / 3.18.0 /3.16.0 Sometimes, I also have the issue where the app gets launched but doesn't the configuration page remains empty or doesn't move forward past a point. Is this a common issue with Splunk DB Connect as well ? Regards, Pravin
... View more
09-30-2024
03:06 AM
I still have the same issue. I tried with version 3.17.0 / 3.18.0 had the same issue. I am using Splunk 9.2.2 and DB connect 3.16.0 worked fine, is this a version issue ?
... View more
08-21-2024
03:29 AM
Hi @bowesmana , I mean to ask what part of the js file defines the JS error in the UI. I have other files as well that have different functionalities but they do not have the util/console part but still throw the same error. How do I identify those parts in the JS file? Regards, Pravin
... View more
08-20-2024
04:30 AM
Hi @bowesmana , Thanks for the response. I don't know JS, so I am checking with the communty if someone else had the same issues and might have some generic solution that might help me fix the xml. I'll tried your solution and it worked. Could you please explain what it really does so that I would get idea ? Thanks, Pravin
... View more
08-19-2024
09:09 AM
Hi, I get this error in our Splunk dashboards once I migrated splunk to version 9.2.2 I was able to bypass the error in the dashboards by updating internal_library_settings and unrestricting the library requirements. But this increases the risk/vulnerability of the environment. require(['jquery', 'underscore', 'splunkjs/mvc', 'util/console'], function($, _, mvc, console) {
function setToken(name, value) {
console.log('Setting Token %o=%o', name, value);
var defaultTokenModel = mvc.Components.get('default');
if (defaultTokenModel) {
defaultTokenModel.set(name, value);
}
var submittedTokenModel = mvc.Components.get('submitted');
if (submittedTokenModel) {
submittedTokenModel.set(name, value);
}
}
$('.dashboard-body').on('click', '[data-set-token],[data-unset-token],[data-token-json]', function(e) {
e.preventDefault();
var target = $(e.currentTarget);
var setTokenName = target.data('set-token');
if (setTokenName) {
setToken(setTokenName, target.data('value'));
}
var unsetTokenName = target.data('unset-token');
if (unsetTokenName) {
setToken(unsetTokenName, undefined);
}
var tokenJson = target.data('token-json');
if (tokenJson) {
try {
if (_.isObject(tokenJson)) {
_(tokenJson).each(function(value, key) {
if (value == null) {
// Unset the token
setToken(key, undefined);
} else {
setToken(key, value);
}
});
}
} catch (e) {
console.warn('Cannot parse token JSON: ', e);
}
}
});
}); The above code is the one that I have for one of the dashboards. Not sure how to check the jQuery version of the code, but if there is some help to fix the above code that meets the requirements of Jquery 3.5, I'll implement the same for other code as well. Thanks, Pravin
... View more
- Tags:
- splunk
Labels
- Labels:
-
Classic dashboard
-
javascript
06-21-2024
04:53 AM
Hi I have a use case that involves copying historical data from a 3-indexer cluster (6 months old) to another machine. I have considered two potential solutions: Stop one of the indexers and copy the index from the source to the destination. The only drawback could be that the data might be incomplete, but this is not a concern as the data is for testing purposes. Given the volume of data, this process could take a significant amount of time. Create a new index using the collect command with the required set of data, then copy the index to the other machine. I believe this would be the best way to implement this use case. However, the downside is that the data volume is quite large and might take a considerable amount of time to execute the SPL in the search head, potentially affecting the performance of the SH. I am unsure if the collect command can handle such a large search and create an index. Is there a limitation on the size of the data when using the collect command? Please advise on how to best handle this scenario. Regards, Pravin
... View more
06-10-2024
04:29 AM
Hi, I am getting "You do not have permissions to access objects of user=admin" error message when using Analytics Store". I am logged in as administrator but still I am getting error. Thanks, Pravin
... View more
Labels
03-12-2024
02:52 AM
Hi @jorma , There are a few things you need to check for certificates. Check if the certificate is pointing to the right file in web.conf If you have a different name for the Splunk web URL, make sure that you have all of them the SAN part of the certificate file. I had encountered both of the above issues and once I made the change, our Splunk instance was working perfectly. Thanks, Pravin
... View more
01-23-2024
03:49 AM
Hi @gcusello , I agree with you. But I still don't know how accurate this can be as its uses a look up and what would be the case when the person logs in from an another country not mentioned in the lookup. Since, we use SAML I was hoping to get the information from the internal team to check if they have some sort of logs to capture such details. If they have, I might have an accurate technique to track details. If not then, lookup is the solution. Thanks, Pravin
... View more
01-23-2024
03:29 AM
Hi @gcusello , Thanks for answering my question. We use VPN within out organisation so the original IP is masked and also we have implemented SAML authentication recently, so it's tough to get the exact IP of the user. I have asked internally if there is some way of logging the user location. Thanks, Pravin
... View more
01-19-2024
04:42 AM
Hi All, I am trying to get login data about the the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well audit logs about the number of users logged in to the instance. Is it posssible to get the location of the person where he is logged in from ? index="_internal" source=*access.log user!="-" /saml/acs
| timechart span=1d count by user index=_audit login action="login attempt"
| table _time user action info reason
| timechart span=1d count by user We have SAML authentication setup and not normal authentication and since we have office all over the world, so getting the location might help identify where the users are logging in as well. Thanks in advance. Pravin
... View more
- Tags:
- Splunk Enterprise
Labels
- Labels:
-
metadata
12-14-2023
07:35 AM
Hi @gcusello , I got notifed that this is a bug in Splunk. Known issues - Splunk Documentation UNDEFINED keyword shouldn't be used to replace empty cells. Thanks, Pravin
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
