cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
pbnl
Path Finder
Member since: ‎02-10-2022
‎08-26-2022
Community Statistics
Posts 25
Solutions 2
Karma Given 2
Karma Received 2
Member Since ‎02-10-2022
Activity Feed
Topics I've Started
View All

Re: wrong search results

by in Splunk Search
‎08-25-2022 11:49 PM
‎08-25-2022 11:49 PM
sorry, i forgot to update. after you proposed username=="$tUser$" i tried username="$tUser$" and that did the trick 😉 thank you... ... View more

Re: wrong search results

by in Splunk Search
‎08-24-2022 01:34 AM
‎08-24-2022 01:34 AM
i'm not really sure what you mean. i copied now two events resulting this search index=tvlog "support sul" it shows 324 events containing user "Support SuL" and "Support SuL 2" index=tvlog username="support sul" shows 161 results with only user "Support SuL" index=tvlog username="support sul 2" shows 163 results  with only user "Support SuL 2" 2022-08-08 11:25:57,2022-08-08 11:33:52,"0:07:55",cabb2212-93b4-42e9-b890-2be47b841d82,u173443428,"Support SuL",230088210,PC1102,g170315939,PC1102 date_hour = 11date_mday = 8date_minute = 25date_month = augustdate_second = 57date_wday = mondaydate_year = 2022date_zone = localeventtype = nix-all-logshost = srv141index = tvloglinecount = 1source = /opt/splunkforwarder/etc/apps/PBNL_getTVlog/log/TVlog.csvsourcetype = csvsplunk_server = srv091splunk_server_group = dmc_group_indexer splunk_server_group = dmc_indexerclustergroup_SplunkClusterPBNLtimeendpos = 27timestartpos = 0 2022-08-05 06:58:45,2022-08-05 14:00:26,"7:01:41",d3e88821-f7b7-45bd-a18d-91d2dc147458,u174066842,"Support SuL 2",265385451,PC1153,g162593205,PC1153 date_hour = 6date_mday = 5date_minute = 58date_month = augustdate_second = 45date_wday = fridaydate_year = 2022date_zone = localeventtype = nix-all-logshost = srv141index = tvloglinecount = 1source = /opt/splunkforwarder/etc/apps/PBNL_getTVlog/log/TVlog.csvsourcetype = csvsplunk_server = srv091splunk_server_group = dmc_group_indexer splunk_server_group = dmc_indexerclustergroup_SplunkClusterPBNLtimeendpos = 27timestartpos = 0  these searches are all correct, but in the dashboard i need to deal with the token $tUser$. ... View more

Re: wrong search results

by in Splunk Search
‎08-24-2022 12:22 AM
‎08-24-2022 12:22 AM
tried that too without success ... View more

Re: wrong search results

by in Splunk Search
‎08-23-2022 05:39 AM
‎08-23-2022 05:39 AM
thank's for the answer, but none of your proposals returns a result 😞 ... View more

Why am I getting the wrong search results?

by in Splunk Search
‎08-23-2022 05:07 AM
‎08-23-2022 05:07 AM
i have this dropdown which produces correct results:       <input type="dropdown" token="tUser" searchWhenChanged="true"> <label>User Name</label> <choice value="*">All</choice> <default>*</default> <fieldForLabel>numUsername</fieldForLabel> <fieldForValue>username</fieldForValue> <search> <query>index=tvlog | stats count AS "Quantity" by username | strcat username " (" Quantity ")" numUsername </query> <earliest>$tokEarliestTime$</earliest> <latest>$tokLatestTime$</latest> </search> </input>       there's, among other's, one user named "Support Sul" and an additional user named "Support SuL 2". both show up in the dropdown with the correct number of connections (Quantity). BUT when i select  "Support SuL" from the dropdown, the resulting table contains both users. even worse: when i select "Support SuL 2", i get all "Support SuL 2" users and some "Support SuL" users. this is the table:         <table> <search> <query>index=tvlog $tUser$ | table start_date, end_date, duration, username, devicename | sort start_date desc | rename start_date as "Start Date" | rename end_date as "End Date" | rename username as "User Name" | rename devicename as "Device Name" </query> <earliest>$tokEarliestTime$</earliest> <latest>$tokLatestTime$</latest> </search> <option name="count">20</option> <option name="drilldown">none</option> </table>          the source file is a simple utf-8 encoded csv. what's wrong here? ... View more
Labels

Is it possible to get a list scheduled scripts on ...

by in Getting Data In
‎08-17-2022 01:18 AM
‎08-17-2022 01:18 AM
hi, is it possible to get a list of all scheduled scripts on a linux UF? similar to splunk list exec, but showing the next time, the script should run? ... View more
Labels

Re: Why does scripted input not get executed?

by in All Apps and Add-ons
‎08-12-2022 01:57 AM
‎08-12-2022 01:57 AM
so nobody else any idea why? to bring in some more details: the splunk landscape is build out of 4 servers. 1st is Cluster Master, KV Store, License Master, Search Head 2nd and 3rd are Indexer 4th is Deployment Server the index tvlogs is defined on the cluster master with a whole bunch of other indexes etc/master-apps/_cluster/local/indexes.conf [tvlogs] repFactor = auto maxHotSpanSecs = 86400 homePath = $SPLUNK_DB/tvlogs/db frozenTimePeriodInSecs = 15552000 thawedPath = $SPLUNK_DB/tvlogs/thaweddb coldPath = $SPLUNK_DB/tvlogs/colddb and it's deployed to the indexer cluster splunk@indexer1:[/opt/splunk]: ll var/lib/splunk/tvlogs/* var/lib/splunk/tvlogs/colddb: total 8 drwx------ 2 splunk splunk 4096 Jul 22 14:20 ./ drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../ var/lib/splunk/tvlogs/datamodel_summary: total 8 drwx------ 2 splunk splunk 4096 Jul 22 14:20 ./ drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../ var/lib/splunk/tvlogs/db: total 16 drwx------ 2 splunk splunk 4096 Aug 10 09:17 ./ drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../ -rw------- 1 splunk splunk 169 Aug 10 09:17 .bucketManifest -rw------- 1 splunk splunk 10 Jul 22 14:22 CreationTime the other files are located on the UF where the script should run splunk@srv141:~/etc/apps/PBNL_getTVlogs$ ll * bin: total 20 drwxr-xr-x 2 splunk splunk 4096 Aug 11 14:50 ./ drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../ -rwxrw-r-- 1 splunk splunk 573 Aug 11 14:50 getTVlogs.sh* -rwxrw-r-- 1 splunk splunk 687 Aug 11 13:34 json2csv* default: total 16 drwxr-xr-x 3 splunk splunk 4096 Aug 11 13:34 ./ drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../ -rw-r--r-- 1 splunk splunk 181 Aug 11 13:34 app.conf drwxr-xr-x 3 splunk splunk 4096 Aug 11 13:34 data/ local: total 20 drwxr-xr-x 2 splunk splunk 4096 Aug 11 13:34 ./ drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../ -rw-r--r-- 1 splunk splunk 55 Aug 11 13:34 app.conf -rw-rw-r-- 1 splunk splunk 258 Aug 11 13:34 inputs.conf -rw-rw-r-- 1 splunk splunk 388 Aug 11 13:34 props.conf logs: total 16 drwxr-xr-x 2 splunk splunk 4096 Aug 11 14:49 ./ drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../ metadata: total 16 drwxr-xr-x 2 splunk splunk 4096 Aug 11 13:34 ./ drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../ -rw-r--r-- 1 splunk splunk 403 Aug 11 13:34 default.meta -rw-r--r-- 1 splunk splunk 187 Aug 11 13:34 local.meta do i need to change something here? ... View more

Re: scripted input does not get executed

by in All Apps and Add-ons
‎08-11-2022 06:01 AM
‎08-11-2022 06:01 AM
no. the only thing i see in the UF's log is, that the app is installed. all files and folders are created. the monitor is created too: splunk@srv141:~$ splunk list monitor Monitored Directories: $SPLUNK_HOME/var/log/splunk some other directories Monitored Files: $SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv some other files ... View more

Why does scripted input not get executed?

by in All Apps and Add-ons
‎08-11-2022 05:35 AM
‎08-11-2022 05:35 AM
hello all, i have an app developed on my linux splunk sandbox and it is working fine. after copying it to the deployment server and deploy it to a UF running on linux, it's not running at all. the inputs.conf is:   [script://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/bin/getTVlogs.sh] disabled = false interval = 0 14 * * * index = tvlogs sourcetype = TVlogs [monitor://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv] disabled = false index = tvlogs sourcetype = TVlogs   so what's wrong here? any help is welcome 🙂 ... View more
Labels

Re: Experiencing role/index/restriction problem

by in Knowledge Management
‎05-03-2022 04:04 AM
‎05-03-2022 04:04 AM
hi, this was my fear after i read the comment of richgalloway. that's completely stupid, but it's like it is. i'm fiddling already around with reindexing the files to a new index, but for some reason splunk will not do so 😉 there seems to be no way to make splunk forget about an already indexed file and reindex the same file to a new index. besides changing the first line of the file. this is not what i want to do. maybe i'm going this way thanks for bringing light in the dark 😉 ... View more

Re: Experiencing role/index/restriction problem

by in Knowledge Management
‎05-02-2022 12:05 AM
‎05-02-2022 12:05 AM
nobody any idea here?  ... View more

Re: role/index/restriction problem

by in Knowledge Management
‎04-28-2022 07:14 AM
‎04-28-2022 07:14 AM
the restriction i added when creating the role is: sourcetype::log4jscan when i click on 'Preview search filter results' i get: index=main | search sourcetype::log4jscan this give me the results i want. but running a search from an other role e.g. index=msexchange OR index=srv066-vm OR index=srv067-vm OR index=ve2k8clu doesn't return any results ... View more

Experiencing role/index/restriction problem

by in Knowledge Management
‎04-28-2022 04:30 AM
‎04-28-2022 04:30 AM
hi all, i have an app with several dashboards, each displaying data from different indexes. the users have roles assigned, which allow them to view different dashboards. the roles allow access to different indexes. some month ago, i've added a monitor that sends the data to the 'main' index using a datasource. now i'm asked to add a dashboard for this data and allow some users to use it. i've added a role, inherited the company base user role and capabilities, the index 'main' and a restriction to the datasource. my testuser that only has this role can use the dashboard. BUT: as soon i add this role to other users, they can use this new dashboard, but not the otherones anymore. they simply say 'No results found.' any ideas? thanks... ... View more
Labels

Re: upgrade readiness app disable notificatios

by in All Apps and Add-ons
‎04-25-2022 12:02 AM
‎04-25-2022 12:02 AM
thank you ... View more

Upgrade readiness app: How to disable notification...

by in All Apps and Add-ons
‎04-24-2022 11:24 PM
‎04-24-2022 11:24 PM
hi all, after i've disabled notifications in splunk upgrade readiness app, it's now sending a notification to splunk@mySplunkServer.  there is no user splunk in our splunk enterprise 8.2.5 defined. splunkd is running as user splunk on ubuntu 20.04. any ideas? thank you... ... View more
Labels

Re: Why is cmd script not running?

by in Getting Data In
‎04-13-2022 11:22 PM
1 Karma
‎04-13-2022 11:22 PM
1 Karma
after finding out that i have to change execprocessor logging mode to DEBUG, it shows, that the problem was with the path. after struggling around with that, i ended up with this: inputs.conf [script://$SPLUNK_HOME/etc/apps/PBNL_log4jscanWIN/bin/log4jscan.cmd] disabled = False interval = 15 0 1 * * [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\log4jscan.log] disabled = false sourcetype = log4jscan log4jscan.cmd "%SPLUNK_HOME%\etc\apps\PBNL_log4jscanWIN\static\log4j2-scan.exe" --all-drives --scan-log4j1 --scan-logback --csv-log-path "%SPLUNK_HOME%\var\log\log4jscan.log" as you can see, it's a windows/linux mix of notation styles, where the monitor clause does'nt resolve variables. from other posts i assuemed, the "base path" for an app is in my case %SPLUNK_HOME%\etc\apps\PBNL_log4jscanWIN\. but that seems to be not the case. anyway, learned some new stuff... ... View more

Why is cmd script not running?

by in Getting Data In
‎04-13-2022 02:07 AM
‎04-13-2022 02:07 AM
hi all, i try to run a cmd script on a UF.  it's located in %SPLUNK_HOME%\etc\apps\log4jscan\bin\log4jscan.cmd and the content is ..\static\log4j2-scan.exe --all-drives --scan-log4j1 --scan-logback --csv-log-path "%SPLUNK_HOME%\var\log\log4jscan"  the inputs.conf is in %SPLUNK_HOME%\etc\apps\log4jscan\default and looks like this: (interval will be changed to run once per month) [script://..\bin\log4jscan.cmd] disabled = False interval = 600 i added> debug.txt 2>&1 to the script, but no file is created. any ideas? thanks... ... View more

Re: Why did Windows UF stopped running scripted in...

by in Deployment Architecture
‎04-08-2022 04:32 AM
‎04-08-2022 04:32 AM
hello, i'm actually on the same task and have an issue too. maybe we could help each other. my issue is, my batch file cannot delete %SPLUNK_HOME%\etc\system\local\deploymentclient.conf. splunkd.log on the client says: 04-08-2022 11:15:59.383 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\PBNL_DSconfig\bin\deleteDSconfig.bat"" The system cannot find the path specified. do you use %SPLUNK_HOME% in your delete script or the full path? and a question to your app: you have a new deploymentclient.conf in your app? i know, sounds stupid, but you never know 😉 p.s. on my linux clients the script worked. of course with / instead of \ and the name of the sript is .sh not .bat ... View more

Re: forwarder shutdown after start

by in Installation
‎03-31-2022 05:33 AM
‎03-31-2022 05:33 AM
ok. i will do. and indeed, you can help me with another issue. but in a new thread 😉 ... View more

Re: forwarder shutdown after start

by in Installation
‎03-30-2022 05:46 AM
‎03-30-2022 05:46 AM
hi @gcusello , thanks for the fast answer, but that wasn't the problem. i used this app adapted to my needs to upgrade my forwarders. for some reason, on the not running forwarder, the script was always started, everytime splunkd was started. it stopped splunkd and exited. removed the app, and it's running again. strange, but hey, it's a computer 😉 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-26-2022 03:10 AM
Karma from
View All
Karma given to
View All