Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About rkantamaneni
rkantamaneni
Explorer
Member since:
07-19-2022
03-28-2025
Community Statistics
| Posts | 10 |
| Solutions | 2 |
| Karma Given | 10 |
| Karma Received | 2 |
| Member Since | 07-19-2022 |
Activity Feed
- Karma Re: After using outputcsv in a Splunk search, where is this CSV file located? for Raghav2384. 03-28-2025 12:44 PM
- Posted Re: How do I resolve this Splunk_TA_snow upgrade issue? (Solution) on All Apps and Add-ons. 01-03-2025 04:22 PM
- Posted Re: How do I resolve this Splunk_TA_snow upgrade issue? (Solution) on All Apps and Add-ons. 01-03-2025 01:49 PM
- Karma V. 7.3.3: css-loader.js getting MIME type of text/HTML instead of application/javascript when loading dashboard page. for joemcmahon. 05-24-2024 01:48 PM
- Got Karma for Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4?. 04-03-2024 04:57 PM
- Karma Re: Which Splunk version each of our Splunk servers are on ? for scelikok. 10-05-2023 11:19 AM
- Karma Re: Search Summary Page Automatically Runs Real-Time Searches? for richgalloway. 07-12-2023 11:36 AM
- Posted Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4? on Splunk Enterprise. 06-13-2023 02:25 AM
- Posted Re: AWS Guardduty - Splunk Integration on All Apps and Add-ons. 06-13-2023 02:11 AM
- Karma Re: AWS Guardduty - Splunk Integration for splunkmagu. 06-13-2023 01:57 AM
- Posted Re: AWS GuardDuty Events are not Parsed Consistently (some events are wrapped inside a nested JSON field "detail&qu on All Apps and Add-ons. 06-13-2023 01:51 AM
- Posted AWS GuardDuty Events are not Parsed Consistently (some events are wrapped inside a nested JSON field "detail") on All Apps and Add-ons. 06-13-2023 01:44 AM
- Posted Re: AWS Guardduty - Splunk Integration on All Apps and Add-ons. 06-13-2023 01:25 AM
- Posted Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4? on Splunk Enterprise. 05-26-2023 06:17 AM
- Karma Re: index.conf- Can anyone explain me tsidxWritingLevel variables from 1 to 4? for schose. 05-26-2023 06:10 AM
- Karma Re: Can you help me use a webhook to send alerts to HP Operation Manager? for pranay_adla. 08-24-2022 10:18 AM
- Karma splunk webhook with credentials/authentication for palemmahesh. 08-24-2022 10:15 AM
- Karma Resolve AWS Error:ClientError: An error occurred (UnsupportedArgument) when calling the GetBucketAccelerateConfiguration for javaboy. 08-05-2022 01:17 PM
- Got Karma for Re: Splunk Health Alerts after upgrade to 8.2. 07-27-2022 08:08 AM
- Posted Why is IOWait status yellow post splunk upgrade? on Splunk Enterprise. 07-21-2022 05:00 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
01-03-2025
01:49 PM
Hi @greentemplar, How did you determine the conflict (or figure out which ones were conflicting)? Any idea what the root cause is/was? Thanks!
... View more
06-13-2023
02:25 AM
1 Karma
@schose, apologies, I'm just seeing your reply. To test for high cardinality, I'm thinking the following would work: Packing an Index: Put a bunch of source/sourcetypes all into one index. Multiplying sources: If file based, use the filename, or transform the source by appending values. Multiplying sourcetypes/Packing a Source: Set the sourcetype by appending values (frequency appropriate) like day and hour. I'd imagine the above can be done with access to a large syslog server or some programmatic manipulation.
... View more
06-13-2023
02:11 AM
@splunkmaguYeah, I believe increasing the LOOKAHEAD is probably better since the extraction is already in use, and wouldn't impact the events less than 4k. For data already ingested, the Coalesce function can be used to resolve events to a common view during search time if needed. An example with a few fields: index=<aws_index> sourcetype=aws:cloudwatch:guardduty | eval TITLE =coalesce('detail.title',title), ACCOUNT_ID = coalesce('detail.accountId',accountId), FINDING_TYPE = coalesce(findingType,'detail.type') | table _time, TITLE, ACCOUNT_ID, FINDING_TYPE NOTE: The single quotes for json fields matter in the coalesce function.
... View more
06-13-2023
01:51 AM
The problem is with the props/transforms. There's an extraction in the Splunk Add-On for AWS' default transforms.conf: [extract_detail_from_cloudwatch_events] DEST_KEY = _raw REGEX = ^{[^{]+"detail":(.*)}$ FORMAT = $1 PROBLEM: What's happening is that all the events are formatted the same in the raw source from AWS, however the transform which is rewriting _raw is not being applied 100% to extract the nested "detail" JSON field and replace _raw (i.e. remove the outer wrapper). This is because some of the GuardDuty events can be large in size (up to 20k characters), and the parsing is using the default LOOKAHEAD of 4k (4096). You can see this by using the btool command: ./splunk btool transforms list --debug extract_detail_from_cloudwatch_events SOLUTION: If you create a transforms.conf in a local folder for the add-on, you can add the following stanza: [extract_detail_from_cloudwatch_events] LOOKAHEAD = 20480 This will tell Splunk to read an event up to the LOOKAHEAD length (20k in this case) to apply the transformation, which it needs to do or the end of the "detail" JSON field won't be read in full for large events and the extraction won't happen. You can verify the longest guardduty event in your events by searching for your guardduty data and appending the search: | eval raw_length = len(_raw) | stats max(raw_length) Or if you're curious to see the event distribution, use a visualization to see the distribution in size of events: index=<YOUR_aws_index> sourcetype=<YOUR_guardduty sourcetype> version=* OR schemaVersion=* | eval raw_length_kb=ceil(len(_raw)/1024) | stats count by raw_length_kb | sort raw_length_kb I'd classify this as a bug, where the Splunk Add-On should have the LOOKAHEAD value defined with an appropriate value. The largest event I've seen in a recent 90 day search is around 20k (used a value of 20480). Thanks to @ashajambagi for figuring out this issue together.
... View more
06-13-2023
01:44 AM
When using the Splunk Add-On for AWS, we're observing that events for sourcetype aws:cloudwatch:guardduty are not all parsed the same. There are events that have _raw begin with {"version":"0",... and others that begin with {"schemaVersion":"2.0",... . For the ones that begin with version, they seem to have the other same event data as the schemaVersion events, however the data is nested in a JSON field "detail". How to fix this?
... View more
Labels
06-13-2023
01:25 AM
@splunkmaguIn case you haven't resolved this yet, the problem is with the props/transforms. There's an extraction in the Add-On's default transforms.conf: [extract_detail_from_cloudwatch_events] DEST_KEY = _raw REGEX = ^{[^{]+"detail":(.*)}$ FORMAT = $1 PROBLEM: what's happening is that all the events are formatted the same from AWS, however the transform is not being applied 100% to extract the nested details JSON field and replace _raw (i.e. remove the outer wrapper). This is because some of the GuardDuty events can be large in size (up to 20k characters), and the parsing is using the default LOOKAHEAD of 4k (4096). You can see this by using the btool command: ./splunk btool transforms list --debug extract_detail_from_cloudwatch_events SOLUTION: If you create a transforms.conf in a local folder for the add-on, you can add the following stanza: [extract_detail_from_cloudwatch_events] LOOKAHEAD = 20480 This will tell Splunk to read an event up to the LOOKAHEAD length (20k in this case) to apply the transformation, which it needs to do or the end of the "detail" JSON field won't be read in full for large events and the extraction won't happen. You can verify the longest guardduty event in your events by searching for your guardduty data and appending the search: | eval raw_length = len(_raw) | stats max(raw_length) Or if you're curious to see the event distribution, use a visualization to see the distribution in size of events: index=<YOUR_aws_index> sourcetype=<YOUR_guardduty sourcetype> version=* OR schemaVersion=* | eval raw_length_kb=ceil(len(_raw)/1024) | stats count by raw_length_kb | sort raw_length_kb I'd classify this as a bug, where the Splunk Add-On should have the LOOKAHEAD value defined with an appropriate value. The largest event I've seen in a recent 90 day search is around 20k (used a value of 20480).
... View more
05-26-2023
06:17 AM
@schoseThis is a really nice blog on the topic, well done! Any plans to update with Splunk 9.x as a test? From a data perspective, comparing bucket complexity (number of source/sourcetypes) might be interesting too (there was a bug a while back with a corner case where high cardinality data perverted the compression optimizations in level 3, this has long been addressed, especially since it's the default in 9.x). Thanks, will be sharing your blog to explain tsidxWritingLevel to folks.
... View more
07-21-2022
05:00 AM
In case you haven't figured this out yet, you can check the following Splunk Answer for more details: https://community.splunk.com/t5/Splunk-Enterprise/Why-is-the-health-status-of-IOWait-red/m-p/565904 In addition, if you believe this to be beyond tuning in your environment, then for attempting to disable, you can review the following Splunk Answer: https://community.splunk.com/t5/Splunk-Enterprise/Cannot-Disable-Health-Report-Features-in-8-2-2/m-p... (we've created a Support ticket and will be awaiting updates on the open SPL).
... View more
07-19-2022
02:40 AM
1 Karma
For more details on this issue, go to the following Splunk Answer: https://community.splunk.com/t5/Splunk-Enterprise/Cannot-Disable-Health-Report-Features-in-8-2-2/m-p/564366 From @nunoaragao: Splunk have now updated their documentation regarding disable health report features. It states in a box: "If distributed health reporting is enabled for your deployment, disabling a feature on the local instance will not be reflected in the health report." It seems, the workaround to disable a feature in +8.2 has just became a feature. The old behavior in +8.1 in which you could disable a single feature regardless of distributed health report has been "improved"/ My case(s) with Splunk Support were #2733102 and #2737559 .. SPL-213405 is Splunk's internal JIRA to track this issue. It may, or not, then show up on Splunk's release notes as known issue. It's still being investigated. If you deal with Support you can ask to link with it. My issue is that Docs say "You can disable any feature (...) for example, if you want to exclude a feature's status from the health report". So we expect to be able to disable a specific feature (i.e. Buckets) without requiring to disable distributed_health_reporter, which would also disable/hide a lot of other features if we're on a typical topology where we have search head clusters and clustered indexers. In other words, tell the Search Head to gray out a Indexer peer feature even if that peer is reporting health.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-28-2025
06:40 PM
|
Karma given to
