Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About verbal_666
verbal_666
Contributor
Member since:
03-15-2017
4 weeks ago
Community Statistics
| Posts | 100 |
| Solutions | 5 |
| Karma Given | 16 |
| Karma Received | 7 |
| Member Since | 03-15-2017 |
Activity Feed
- Posted Why License Usage has empty fields? on Getting Data In. a month ago
- Karma Re: default.xml color option in Splunk 7.1 different then 7.0 for lqiao2. 11-24-2022 06:40 AM
- Karma Re: delete events from _internal index for gcusello. 11-22-2022 01:18 AM
- Posted DROP and GET events by pattern filters? on Getting Data In. 11-21-2022 02:52 AM
- Posted Re: Blacklist using props.conf and transforms.conf on Getting Data In. 11-21-2022 02:46 AM
- Karma Re: UPGRADE? for richgalloway. 11-20-2022 10:02 PM
- Posted Re: Why are we receiving this ingestion latency error after updating to 8.2.1? on Splunk Enterprise. 11-20-2022 09:59 PM
- Posted Re: Remove "Latest Resources" from Dashboards page on Dashboards & Visualizations. 11-18-2022 04:31 AM
- Posted Re: Blacklist using props.conf and transforms.conf on Getting Data In. 11-17-2022 06:20 AM
- Posted Is there a way to remove WARNING Banner? on Splunk Enterprise. 10-19-2022 04:27 AM
- Posted Re: UPGRADE? on Splunk Enterprise. 10-16-2022 10:58 PM
- Posted Re: UPGRADE? on Splunk Enterprise. 10-11-2022 06:54 AM
- Posted Is it unsafe to upgrade from 7.0.x to 8.2.x? on Splunk Enterprise. 10-11-2022 04:55 AM
- Posted Re: SPLUNK CLEAN ALL? on Splunk Enterprise Security. 10-11-2022 04:48 AM
- Posted Does Splunk "Clean All" make itself a backup of auth data for logging into the instance? on Splunk Enterprise Security. 10-08-2022 10:59 PM
- Karma Re: Drill down to absolute URL using click.value for johnmvang. 10-07-2022 04:22 AM
- Karma Re: How to click on table cell to go to a URL referenced in event field (not in row data)? for vnravikumar. 10-07-2022 04:03 AM
- Posted Re: NMON ADDON: permissions on Getting Data In. 09-06-2022 05:13 AM
- Posted Re: NMON ADDON: permissions on Getting Data In. 09-06-2022 04:41 AM
- Posted Re: NMON ADDON: permissions on Getting Data In. 09-06-2022 04:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a month ago
Hi guys. I was asking why my reports, using license_usage.log from LicenseMaster, for "LicenseUsage" sometimes do not log the "h" or "s" field (alias from host or from source). Doing so, i can have a full report for Indexers or Sourcetypes usage, but not for Host or Sources. INFO LicenseUsage - type=Usage s="" st="MY_ST" h="" o="" idx="MY_IDX" i="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" pool="auto_generated_pool_enterprise" b=51331 poolsz=214748364800 May it be the origin forwarder version? I have forwarders from 6.x.x to 8.x.x version running. Any clue? Thanks.
... View more
Labels
- Labels:
-
universal forwarder
11-21-2022
02:52 AM
Hi. I'm trying to apply a rule for dropping and, meanwhile, get only some events in Indexers.
Here we are,
props.conf
[mysourcetype]
TRANSFORMS-filter = drop
transforms.conf
[drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue
This is the standard way for dropping. And it works!
But, at the same time, i can't get a way to make both work with drop and get transformation,
props.conf
[mysourcetype]
TRANSFORMS-filter = drop,filter
transforms.conf
[drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue
[filter]
REGEX = get_event1|get_event2|get_eventX
DEST_KEY = queue
FORMAT = indexQueue
I would like to explain Splunk 8,
FIRST: drop all events containing pattern regex "drop_event1|drop_event2|drop_eventX"
SECOND: get only events containing pattern regex "get_event1|get_event2|get_eventX"
It does not work! Splunk, after correctly dropping, gets all (".*"), except as said "drop_event1|drop_event2|drop_eventX" 😪
Any suggestion?
... View more
- Tags:
- Splunk Enterprise
Labels
- Labels:
-
Linux
11-21-2022
02:46 AM
I resolved this issue with 2 (or more) transformations, dropping all unuseful events... props.conf [mysourcetype]
TRANSFORMS-filter = drop transforms.conf [drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue I think it's the best way. Maybe the only one 🤔 But, at the same time, there's is no way to make both work with drop and get transformation, props.conf [mysourcetype]
TRANSFORMS-filter = drop,filter transforms.conf [drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue
[filter]
REGEX = get_event1|get_event2|get_eventX
DEST_KEY = queue
FORMAT = indexQueue I would like to explain Splunk 8, FIRST: drop all events containing pattern regex "drop_event1|drop_event2|drop_eventX" SECOND: get only events containing pattern regex "get_event1|get_event2|get_eventX" Splunk, after dropping, get all (".*") except "drop_event1|drop_event2|drop_eventX" 😪 Any suggestion?
... View more
11-20-2022
09:59 PM
I got this same bahaviour on my updated Splunk 8.2.6. I encountered the problem was an inputs.conf with a stanza with [monitor://$SPLUNK_HOME/var/run] I really do not remember why i had this inputs, maybe in older 7.x.x i usedit for some "special" ingestion. Removing the inputs in 8.2.6, removed the error in ui and tracker.log was regular in splunkd.log by default. 👨🔧
... View more
11-18-2022
04:31 AM
Did you find a way to remove the banners?
... View more
11-17-2022
06:20 AM
Hi. This is a simple "positive/included" regex. OK! Is there a way, in reverse, to do a "negative/exclude" way to filter data? As an example, as for the log of the user, I DO NOT WANT " notice" PATTERN to be indexed, but all the rest, something like REGEX != notice Is there a simple way inside props/transforms?
... View more
10-19-2022
04:27 AM
Hi all. Is there an easy and fast way to disable, at all or by some filters, the WARNING BANNERS i get sometimes in SPL Search form panel?
The same Warnings are inside the Jobs detail, so i do not want to display them as "banner" inside the page.
How? 🤔
Thanks.
... View more
Labels
- Labels:
-
administration
10-16-2022
10:58 PM
Thanks a lot. To avoid problems, i'll then do a 7.0.x --> 8.1.x --> 8.2.x 👍 I prefer to avoid any kind of data corruption or so 😬
... View more
10-11-2022
06:54 AM
Thanks a lot. To avoid problems, i'll then do a 7.0.x --> 8.1.x --> 8.2.x 👍 I prefer to avoid any kind of data corruption or so 😬
... View more
10-11-2022
04:55 AM
I'm reading the official Documentation ( https://docs.splunk.com/Documentation/Splunk/8.2.0/Installation/HowtoupgradeSplunk ), which warn not to update Splunk from 7.0.x to 8.2.6 directly,
7.0.x
8.0.x or 8.1.x
8.2.x
Documentation suggests to make a middle update to 8.0.x/8.1.x, and then 8.2.x.
Why? Is it so unsafe to make 7.0.x to 8.2.x?
Asking since i'll soon need to replace my very old 7.0.x with 8.2.x.
Thanks 👍
... View more
Labels
- Labels:
-
upgrade
10-11-2022
04:48 AM
I can agree with the automatic backup. But, IMHO, it's a big trouble for a normal user to loose completely access to his instance, without an explicit WARNING (which asks to backup his passwd!!! And that after that his instance will be without admin control!!!). IMO 😕
... View more
10-08-2022
10:59 PM
In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command
splunk clean all
OK. But, doing so, we reset also the passwd file, so from now on we have no more access to Splunk instance, unless we did previously a backup restoring it after the "clean all" did its job. So, considering this aspect, this type of documentation seems very dangerous to me, without specifying this case.
An example: i need to remove completely an instance from a SH Cluster 1) i follow the "clean all" Documentation, and i come in the case of an unuseful intsance 2) i follow, by myself, a "clean kvstore --cluster" or "clean kvstore --all", and the instance was there still running and operative, without the cluster db data registered
So, do a "splunk clean all" should make by itself a backup of auth data for logging into the instance or reassign the original "changeme"?
... View more
Labels
- Labels:
-
administration
09-06-2022
05:13 AM
Still have read for all users for the App. I solved the issue with metadata editing. For some reason i got a []
owner = admin
access = read : [ admin ], write : [ admin ] And many other objects with same grants. I simply deleted all the single grants for single objects and gave full general access with, []
owner = admin
access = read : [ * ], write : [ admin ] Restarted all Splunk SearchHead daemons (clustered) and things now are OK!!! I can query with User.Role and get all fields extracted by NMON conf 😇
... View more
09-06-2022
04:41 AM
Another method is to schedule an admin alert and log the data inside a public access index or a metric index, and then get nmon data from there, where "user role" can query... but i then need to extract all nmon data in field, since the original ones are only admin 😣
... View more
09-06-2022
04:38 AM
Role still has "nmon" index access... i can query "nmon", but can't get all eventtypes and metrics... i think the first install of NMON ADDON gave all nmon objects only "admin" rights... 🙄 ... maybe i can see inside metadata path and correct all the "access =" parameter 😔
... View more
09-06-2022
04:16 AM
🤔 ... i'm using only 1 index for NMON, index=*nmon* | dedup index | table index
nmon 🤔 🤔 🤔
... View more
09-06-2022
01:42 AM
Hi there. As in subject, how to make NMON aggregated data available NOT ONLY TO ADMIN users? I can query alla data from NMON since i'm admin in System, but i would like to make some metrics available to public normal users Dashboards, all query from normal users returns no data... how to? I tried to give read grant to ALL in all nmon eventtypes, but with no success. Should i have to edit ALL NMON objects??? 😢 😢 😢 Thanks 👍
... View more
- Tags:
- nmon addon
Labels
- Labels:
-
Linux
06-20-2022
11:20 PM
ATTENTION!!! With this method you risk losing all the searches that have linefeed... Ex. [XXX]
...
search = index = _internal\
source = * splunkd\
"ERROR" Will be ALL truncated to [XXX]
...
search = index = _internal Also the description field has linefeed... description = Be warned. 👍 👍 👍
... View more
05-28-2022
10:05 PM
1 Karma
If someone is interested, this is a simple addon to index all the Instance/UFs value for maxKBps, and get it from Splunk directly, to manage paths and the value, and build Reports/Alarms/Dashboards. maxKBps/bin/maxKBps.sh printf "$(date +'%Y-%m-%d %T') [$(hostname)] ";[ -z "$SPLUNK_HOME" ] && printf "NO SPLUNK_HOME" || $SPLUNK_HOME/bin/splunk btool limits list --debug|grep "maxKBps" maxKBps/default/inputs.conf [script://./bin/maxKBps.sh] index=YOUR_INDEX sourcetype=maxKBps interval=0 * * * * After the run, you get the field maxKBps from all your Instances/UFs, index=* sourcetype=maxKBps earliest=-1h | rex ".*\]\s(?<path>.*)\smaxKBps" | table _time host path maxKBps | sort 0 + maxKBps host Enjoy 👍
... View more
05-28-2022
08:41 AM
Yet done. Almost ALL Forwarders get their limit (256 is the default, not 512, inside app Splunkforwarder/default/limits.conf), and got queues full. For this I decided without if to set the maximum value (=0), monitoring the situation. And it's here that i found, from my Monitoring Dashboards, often absurd peaks (greater than TB), which created sudden bottlenecks on the Indexers, which for several minutes no longer sent back the correct ACKs. This is because several users, to whom I have configured RESTORE path, throw in tons of data, and here THEIR SPECIFIC Forwarder is filed. The question was: 0 could be actually "dangerous" (a bit like intervening with TRUNCATE=0, if you are not careful), for the reasons explained above, put it for other Applications running and for bandwidth saturation. So i was wondering what an "average" value could be, based on your experiences. From mine, a 10240 is enough in 90% of cases, allowing the UF to send inputs and metrics, without blocking the latter. I'll try to find a compromise by monitoring 👍 Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
4 weeks ago
|
Karma given to
