Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Egyas
Egyas
Explorer
Member since:
12-27-2022
10-24-2024
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 2 |
| Member Since | 12-27-2022 |
Activity Feed
- Got Karma for Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package. 08-06-2024 12:26 PM
- Posted Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package on Installation. 07-25-2024 11:04 AM
- Karma Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package for burwell. 05-20-2024 12:35 PM
- Posted Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package on Installation. 04-29-2024 10:15 AM
- Got Karma for Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package. 04-24-2024 01:02 AM
- Posted Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package on Installation. 04-23-2024 09:23 AM
- Posted Re: Splunkforwarder 9.2.0.1 install fails with conflict with splunk package on Installation. 04-23-2024 06:41 AM
- Posted Splunkforwarder 9.2.0.1 install fails with conflict with splunk package on Installation. 04-22-2024 11:06 AM
- Karma Re: transforms.conf: Need to ignore specific events. for PickleRick. 03-05-2024 10:57 AM
- Posted Re: transforms.conf: Need to ignore specific events. on Getting Data In. 03-05-2024 10:56 AM
- Posted Re: transforms.conf: Need to ignore specific events. on Getting Data In. 03-05-2024 08:56 AM
- Karma Re: transforms.conf: Need to ignore specific events. for kiran_panchavat. 03-05-2024 08:56 AM
- Posted transforms.conf: Need to ignore specific events. on Getting Data In. 03-04-2024 12:38 PM
- Karma Re: How to check my Splunk License Limit? for kunalmao. 02-23-2023 10:16 AM
- Karma Re: When will Splunk Essentials for Cloud and Enterprise 9.0 be compatible with jQuery 3.5? for slicedtechsuppo. 01-09-2023 01:18 PM
- Posted Re: When will Splunk Essentials for Cloud and Enterprise 9.0 be compatible with jQuery 3.5? on Splunk Enterprise. 01-05-2023 02:46 PM
- Karma Re: Splunk Searches delayed for aberkow. 12-27-2022 12:14 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
07-25-2024
11:04 AM
1 Karma
Version 9.2.2 seems to have solved this issue. I know have Splunk Enterprise and Splunkforwarder running on the same server in three separate environments. 🙂
... View more
04-29-2024
10:15 AM
Still working on this one. II uninstalled SplunkForwarder form the Splunk Enterprise server, and that seems to have been a BAD move. Seems to have caused some config changes and permissions changes, and Splunk Enterprise segfaults when I try to start it now. Still trying to work out a fix.
... View more
04-23-2024
09:23 AM
1 Karma
Not yet. I'll be trying to work this out in the lab, If anyone else finds a solution other than the apparently painful process of removing the forwarder, please let me know! Thanks!
... View more
04-23-2024
06:41 AM
Huh. Guess I was just assuming that it needed both, and that's the way I've always done it. Now I'll have to play around in the lab and see what happens when I remove it. Thanks!
... View more
04-22-2024
11:06 AM
I have a current Splunk install in my production environment, all running RedHat Linux. I have a single server w/ Splunk Enterprise installed on it, as well as SplunkForwarder. I have 100+ other servers w/ SplunkForwarder installed on them all pushing logs to the Splunk Enterprise server. All servers had v9.1.2 of the forwarder installed, and the Enterprise server was also this version. I recently updated the Splunk Enterprise server, as well as the Splunk Forwarders on all servers, to version 9.2.0.1 successfully. With one exception. The forwarder installed on my Splunk Enterprise server (named "splunkenter1") fails. It displays the error listed below where it says that the splunkforwarder package is conflicting with the splunk install. I have another Splunk Enterprise install (using the same set-up) in another environment, and I did not run into this issue. That upgrade worked without issue. I've tried Google'ing the issue, but haven't found much. Anyone have any ideas on what could be causing this, or has anyone seen this before? [root@splunkenter1 ~]# dnf update splunkforwarder
Last metadata expiration check: 0:01:36 ago on Mon 22 Apr 2024 04:47:07 PM UTC.
Dependencies resolved.
========================================================================================================
Package Architecture Version Repository Size
========================================================================================================
Upgrading:
splunkforwarder x86_64 9.2.0.1-d8ae995bf219 splunk-repo 44 M
Transaction Summary
========================================================================================================
Upgrade 1 Package
Total download size: 44 M
Is this ok [y/N]: y
Downloading Packages:
splunkforwarder-9.2.0.1-d8ae995bf219.x86_64.rpm 41 MB/s | 44 MB 00:01
--------------------------------------------------------------------------------------------------------
Total 41 MB/s | 44 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
file /usr/lib/.build-id/03/f57acc2883000e6b54bf75c7e67d1a07446919 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/06/a82be30cc16ea5bea39f78f8056447e18beb15 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/1a/b0b8e873c6d668dcd3361470954d12004926cd from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/1e/8edb02a946c645cd20558aa8a6b420792f5541 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/35/e87a7fb154de7d5226e5a0a28c80ffd0c1be48 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/3a/3aac493bff5bb22e02b8726142dd67443dd03c from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/42/abc0f2a26bfb13b563104e87287312420c707e from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/44/6a270f1de8d26f47bf9ff9ae778e1fd3332403 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/64/b2324ff715d30c8a91dee6a980d63c291648d8 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/65/274a42201dd21f83996ba7c8bd0ba0dc3894c8 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/6d/dd008477651e7c8febce4699a739aaf188b0ae from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/88/cbe6deabd44a4766207eebf7c5e74f7ed53120 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/8a/6ee8699fb74fb883874a1123d91acf0b0d98a6 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/94/ea2865a21761f062a2db312845c535d5429bfc from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/95/d5fe61c313d8a5616f8a45f6c7d05151283ab6 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/96/b9463c40fc6541345a4b87634e8517281f8d4d from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/99/93008fdae763af21c831956de21501bb09e197 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/9b/2a882e45910da32603baf28a13b1630987184e from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/9f/b5fd366b32867d537caa84d4b2b521f5c21083 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/a0/1ae9032915dce67a58e8696c3c9fe195193d77 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/a1/616e140409dc54f0db2bf02ed7e114f07490af from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/b6/6dd3d33542916fff507849621dac5f763a98a2 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/b6/fd3c259a4c6e552d9b067f39e66c03cc134895 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/b7/e3d0b70694caa826df19d93b7341de0decdad3 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/bc/f1c9c6878bb887ef6869012b79c97546983b83 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/c8/d218675e02086588c28882c28b3533069d505c from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/d0/be01f291a5b978e02dcdd0069b82ce8a764dbf from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/d3/7dcf7bcf859ed048625d20139782517947e6e0 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/d7/30a0409850e89f806f3798ca99b378c335b7a5 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/dc/259ac038741ecbd76f6052a9fa403bc5ab5ab3 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/de/294f4dd1fa80d590074161566f06b39b9230fb from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/e0/0ee3712cdbd590286c2b8da49724fdaf6dee15 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/e6/7f07efdda1fcfe82b6ceb170412f22e03d2ab5 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/ec/dc3eeaba4750e657f5910fa2adb21365533f27 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/ee/6addfc324fb4bf57058df3adf7ea55dff4953f from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/f1/0b5a5bc3bcb996183924bd6029efba8290c71a from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/f2/c0dd88030fc9e343f6d9104a5015938cfe3503 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/f3/61ef732e036606eef3d78bb13f6d6165bcd927 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/f4/c1fc01304f2796efaabefd2a6350ba67cc9edc from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/f9/3cf5828d46fbdd6e82b2d18a4a5c650b84c185 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/fa/a370a95319b4a8ce1bd239652457843a09c15e from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
file /usr/lib/.build-id/fd/201b0799acb29720c90a6129be08800ce4b7e5 from install of splunkforwarder-9.2.0.1-d8ae995bf219.x86_64 conflicts with file from package splunk-9.2.0.1-d8ae995bf219.x86_64
... View more
Labels
- Labels:
-
Linux
-
splunkd
-
universal forwarder
-
upgrade
03-05-2024
10:56 AM
I just tested this and it works perfectly. I tweaked a few names and combined the file contents from @kiran_panchavat with the regex from @PickleRick and I'm good to go. Thanks guys! props.conf [source::auditd]
TRANSFORMS-set=setnull transforms.conf [setnull]
REGEX = acct=appuser.*exe=/usr/(sbin/crond|bin/crontab)
DEST_KEY = queue
FORMAT = nullQueue
... View more
03-05-2024
08:56 AM
@PickleRick & @kiran_panchavat , thank you guys so much for the assist. I really appreciate it. I'll give it a test and see if it works for me. Thanks agaion!
... View more
03-04-2024
12:38 PM
I have a simply Splunk set-up. about 120 or so Linux servers (that are all basically appliances) w/ universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the indexer, search head, etc. The problem I have is that the forwarders must feed the server's audit log into Splunk. That feed is actually working fine, but it's flooding the server, and causing me to go over my license limit. Specifically, the appliance app has an event in cron that runs very often, and it's flooding the audit log with file access, file mod, etc events, which is ballooning the amount of data I send to Splunk Enterprise. Data that IO simply do not need. What I want to do is filter out these specific events, but ONLY for this specific user. I believe this can be done using transforms.conf and props.conf on the indexer, but I'm having trouble getting the syntax and fields right. Can anyone assist with this? Here's the data I need to remove... sourcetype=auditd
acct=appuser
exe=/usr/sbin/crond
exe=/usr/bin/crontab So basically ANY events in the audit log for user "appuser" that reference either "/usr/bin/crontab" or "usr/bin/crontab" need to be dropped. Here are 2 examples of the events I want to drop. type=USER_END msg=audit(03/04/2024 15:58:02.701:5726) : pid=26919 uid=root auid=appuser ses=184 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct=appuser exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(03/04/2024 15:58:02.488:5723) : pid=26947 uid=appuser auid=appuser ses=184 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct=appuser exe=/usr/bin/crontab hostname=? addr=? terminal=cron res=success' Can this be done?
... View more
Labels
- Labels:
-
indexer
-
Linux
-
props.conf
-
transforms.conf
01-05-2023
02:46 PM
Same here. I just upgraded to v 9.0.3 and had this pop-up. Any updates?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-24-2024
06:30 PM
|
Karma given to
