Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About darrend
darrend
Path Finder
Member since:
04-15-2011
06-05-2020
Community Statistics
| Posts | 30 |
| Solutions | 2 |
| Karma Given | 0 |
| Karma Received | 24 |
| Member Since | 04-15-2011 |
Activity Feed
- Got Karma for Re: Search for oldest event in splunk by _indextime to test data retention.. 11-12-2020 05:13 PM
- Got Karma for Re: Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Re: Why am I getting a scheduled search "datetime strftime() error", and some panels fail to render in the scheduled PDF email?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
- Got Karma for Splunk DB Connect 2: Identities and Connections not synchronized between SHC members and encrypted passwords in db_connections.conf are not hashed using splunk.secret. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 8 | |||
| 6 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-10-2016
05:45 AM
1 Karma
I had the same issue on a customers site this morning.
This was just after an upgrade from 6.2.x to 6.3.x, it appears that if the _time field is present on some results then it cannot be null value(or possibly non-date value) on other results. This empty/null value was caused by the addtotals command for us.
This only appears to affect the pdf generation, the screen rendered fine.
... View more
03-10-2016
05:40 AM
Hi
Stylesheets are not supported on PDF's, i've had this frustration before too so i understand your pain. i know of no work around i'm afraid.
Thanks
Darren
... View more
11-11-2015
03:59 AM
Hi
I have found my problem with this, i am not sure if it is the same as yours.
I was unable to collect scan results for scans that were not created under the same user that i was connecting to Nessus from Splunk with, as soon as i created and ran a network scan under the user that i was connecting from Splunk with it worked fine.
Thanks
Darren
... View more
11-11-2015
03:45 AM
Did you manage to solve this?
I have the same error, but exactly the opposite way around, i have plugin information, but cannot get the scan data to execute without python errors similar to the ones you have included.
... View more
10-15-2015
01:14 AM
So i did some more debugging on this one, and eventhough the connection test failed in the setup screen, once i pushed the app to the indexers as well i was able to do an ldap search to generate my assets list, i did still get an error message moaning, but it did work.
It's good to see that this has been captured though and will be resolved in the upcoming 2.1.2 release of SA-ldapsearch.
Thanks
Darren
... View more
09-28-2015
06:51 AM
Further debugging reveals that the passwords.conf and the ldap.conf do not appear to be being replicated to the indexers in the config bundle that is pushed to the indexers, but at this stage i cannot work out why(the default and local versions of the files are not pushed to the indexers)
3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
External search command 'ldapsearch' returned error code 1. Script output = " ERROR Cannot find the configuration stanza for domain=xxxx in ldap.conf. "
[xxxx-i1] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""C:\Program Files\Splunk\var\run\searchpeers\xxxx-sh1-1443441409\apps\SA-ldapsearch\bin\packages\splunklib\client.py"", line 1653 : u'ldap'" "
[xxxx-i2] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""C:\Program Files\Splunk\var\run\searchpeers\xxxx-sh1-1443441409\apps\SA-ldapsearch\bin\packages\splunklib\client.py"", line 1653 : u'ldap'" "
... View more
09-28-2015
04:54 AM
anonymised ldap.conf:
[default]
alternatedomain = xxxx.xxx
basedn = DC=xxxx,DC=local
binddn = CN=splunk,OU=Service Account,OU=xxxx,OU=xxxxDC=xxxx,DC=xxx
port = 636
server = xxxx1.xxxx.local,xxxx2.xxxx.local
ssl = 1
... View more
09-28-2015
04:51 AM
8 Karma
Hi All
I had Splunk Support for Active Directory (SA-ldapsearch) configured and working in 6.2. I upgraded to 6.3 and it no longer functioned. I kept getting an error in the connection test saying "the default configuration stanza for ldap.conf is missing."
This was version 2.1. I have upgraded to the latest 2.1.1 and it still has not helped.
I have also completely removed SA-ldapsearch, restarted, reinstalled and re-keyed the configuration. We are still seeing the error above.
Has anyone else experienced this issue? How have you resolved it?
Thanks
Darren
... View more
09-11-2015
12:13 AM
5 Karma
Solution to Issue 1:
On the deployer we added the following configuration to the local\server.conf that was pushed from the deployer in the splunk_app_for_dbconnect app.
[shclustering]
conf_replication_include.identities = true
conf_replication_include.db_connections = true
These two configuration items control the synchronisation of custom config items and are not enabled by default, there is a reference in the apps default\server.conf to a conf_replication_include.* parameter, but this does not seem to work as intended so we explicitly defined the files.
We then redeployed the app from the deployer.
Once it had pushed the app we created a new identity and connection in the UI and that was successfully synchronised to the other member nodes, but it highlighted the second issue below.
Solution to Issue 2:
After some investigation it became apparent that the Splunk App For DB Connect V2 does not use the splunk.secret to encrypt the passwords in db_connections.conf
We found that DBXv2 actually uses a seed file inside the certs folder of the app called identity.dat
To solve the password issue we copied the identity.dat file from 1 of our SHC members to the same location on the app to be deployed from the deployer, we then redeployed the app.
Once the app had been redeployed successfully we checked the identity.dat on each node to ensure it was the same, this essentially makes the identity.dat behave the same as a shared splunk.secret
From here all we needed to do is edit the identities on any of the SHC member nodes and retyped the password, and select save.
Success you can now access the database from any member node and only have to manage the identities and connections on which ever member node you happen to be connected to.
... View more
09-10-2015
03:00 AM
Thanks for the feedback Jaleh 🙂
... View more
09-10-2015
12:18 AM
6 Karma
Hi Guys
Issue and Resolution
We recently encountered an interesting issue with Search Head Clustering when using it with Splunk DB Connect version 2.
We wanted to push the DBXv2 app from our deployer to our cluster members, but we wanted to manage the identities and connections using 1 of the SHC members and have them sync to the other members rather than either managing the connections from the deployer instance, or having to configure the settings on each member node.
In our scenario we are also sharing a common splunk.secret across our SHC members.
Issue 1 - The identities and connections were not synchronized between cluster members.
Firstly we deployed the app as per the instructions, and attempted to configure an identity and connection via an SHC member. This worked on the first node, but did not sync the content to the other members.
Solution:
On the deployer we added the following configuration to the local\server.conf that was pushed from the deployer in the splunk_app_for_dbconnect app.
[shclustering]
conf_replication_include.identities = true
conf_replication_include.db_connections = true
These two configuration items control the synchronisation of custom config items and are not enabled by default, there is a reference in the apps default\server.conf to a conf_replication_include.* parameter, but this does not seem to work as intended so we explicitly defined the files.
We then redeployed the app from the deployer.
Once it had pushed the app we created a new identity and connection in the UI and that was successfully synchronised to the other member nodes, but it highlighted the second issue below.
Issue 2 - the encrypted passwords in db_connections.conf are not hashed using splunk.secret as the seed
After the db_connections.conf was synced between nodes we noticed that the password hash was the same in each file as we would expect with a shared splunk.secret , however the authentication to the database server only seemed to function on the node that we originally configured the identity. This behaviour did not meet our requirements so we investigated further.
Solution:
After some investigation it became apparent that the Splunk App For DB Connect V2 does not use the splunk.secret to encrypt the passwords in db_connections.conf
We found that DBXv2 actually uses a seed file inside the certs folder of the app called identity.dat
To solve the password issue we copied the identity.dat file from 1 of our SHC members to the same location on the app to be deployed from the deployer, we then redeployed the app.
Once the app had been redeployed successfully we checked the identity.dat on each node to ensure it was the same, this essentially makes the identity.dat behave the same as a shared splunk.secret
From here all we needed to do is edit the identities on any of the SHC member nodes and retyped the password, and select save.
Success you can now access the database from any member node and only have to manage the identities and connections on which ever member node you happen to be connected to.
Thanks
Darren
... View more
05-05-2015
10:43 AM
Hi
Try this guide, it helped me when i was hunting for a bonnie++ equivalent for windows.
http://www.function1.com/2013/12/measuring-splunk-indexer-performance-with-iometer
Thanks
Darren
... View more
05-05-2015
10:43 AM
Hi
Try this guide, it helped me when i was hunting for a bonnie++ equivalent for windows.
http://www.function1.com/2013/12/measuring-splunk-indexer-performance-with-iometer
Thanks
Darren
... View more
03-31-2015
11:16 PM
1 Karma
Hi
I don't know if this helps, but we are doing exactly the same for a customer at the moment, but have ruled out the database connection using DBX, instead we are setting up something to receive the radius logs, IAS in this customers scenario. The Direct access server is then sending it's logs via radius logging. We are then writing the logs to disk using IAS and reading them in with a simple file monitor in the UF.
I hope this helps you.
Thanks
Darren
... View more
03-31-2015
11:15 PM
Hi
I don't know if this helps, but we are doing exactly the same for a customer at the moment, but have ruled out the database connection using DBX, instead we are setting up something to receive the radius logs, IAS in this customers scenario. The Direct access server is then sending it's logs via radius logging. We are then writing the logs to disk using IAS and reading them in with a simple file monitor in the UF.
I hope this helps you.
Thanks
Darren
... View more
08-12-2014
07:58 AM
Philip,
That's awsome, will check out 6.1.3 myself.
Thanks
Darren
... View more
08-11-2014
11:51 PM
Dave,
I have used it extensively in v6 with a distributed environment to great success, but in 6.1 using your suggested work arounds, i cannot. I have never had to push the TA-browscap app to my cluster as a deployed app previously, but in 6.1 i get:
[indexer1] Script for lookup table 'browscap_lookup' returned error code 1. Results may be incorrect.
I thought i would try and push the app to all of my indexers incase that resolved the issue, but still received the same error using both of your workarounds.
However if i leave the setup as it was working in 6.0 and before, and implement your work arounds, it functions when i have all the result set on the search head prior to performing the lookup, but not if i try to perform the lookup at the indexing layer(as my dashboards had been configured to do previously).
I am using it as a normal lookup and not an automatic lookup.
Thanks
Darren.
... View more
08-11-2014
07:04 AM
Dave,
These work arounds do not appear to work when you are using a distributed infrastructure. I have got them working on a search head, that is part of a search head pool as long as i mangle my search to bring the data to my search head prior to performing the lookup, this is of course highly inefficient.
I have tried both of your work arounds on a clustered index environment, both by pushing into the slave-apps folder from the cluster master's master-apps, and updating the python script to point to the full path of the browscap.csv and also to push the app to each indexer manually. Neither approaches worked.
How's your bug report going? Have you filed it with Splunk support?
Thanks
Darren.
... View more
06-23-2014
02:52 AM
3 Karma
This gave me what i needed:
| dbinspect [eventcount summarize="false" index=* | dedup index | fields index] | stats min(startEpoch) AS startEpoch,min(modTime) AS modTime by index,splunk_server | convert ctime(startEpoch) AS startEpoch | sort index,splunk_server,modTime | rename modTime AS "Oldest Bucket Closed For Writing",startEpoch AS "Earliest timestamp of Event in index"
... View more
04-08-2014
02:56 AM
Hi
i know this is an old question, but i have a solution that worked for me, it is a bit hacky, but if your conscience allows you to live with that, here it is.
rex mode=sed field=myfieldwithanasterisk "s/\*/ASTERISK/g"
This will change the * to the word ASTERISK in the field myfieldwithanasterisk allowing you to then manipulate the field in anyway you want.
Thanks
Darren
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
| User | Karma Count |
|---|---|
| 1 | |
| 2 | |
| 1 | |
| 2 | |
| 1 |
