Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ruiaires
ruiaires
Path Finder
Member since:
04-28-2010
08-24-2021
Community Statistics
| Posts | 41 |
| Solutions | 2 |
| Karma Given | 16 |
| Karma Received | 16 |
| Member Since | 04-28-2010 |
Activity Feed
- Karma Re: Why is the Splunk Web service not running after an upgrade to 6.2? for hexx. 06-05-2020 12:47 AM
- Karma Re: Resetting Remote Windows Event collection "starting point" for Richfez. 06-05-2020 12:47 AM
- Got Karma for Problems filtering results using lookup field. 06-05-2020 12:47 AM
- Karma Re: report acceleration besides existing job server for hexx. 06-05-2020 12:46 AM
- Karma Copying "Searches and reports" to the new search Head? Some of them are missing! for MarMoh. 06-05-2020 12:46 AM
- Karma Re: Using searchPostProcess with input tokens for bbingham. 06-05-2020 12:46 AM
- Karma how does splunk handle multiple indexes.conf files with volume definitions? for msarro. 06-05-2020 12:46 AM
- Karma How do Accelerated Searches work with retention policies? for Ricapar. 06-05-2020 12:46 AM
- Karma Re: Search Head - migrating apps, views and users from indexer for asetiawan. 06-05-2020 12:46 AM
- Karma Re: Database query into summary index counts as licensing usage ? for jcoates_splunk. 06-05-2020 12:46 AM
- Got Karma for Using searchPostProcess with input tokens. 06-05-2020 12:46 AM
- Got Karma for Problems with SSO on Windows - can't search. 06-05-2020 12:46 AM
- Got Karma for Re: User migration to Search Head. 06-05-2020 12:46 AM
- Got Karma for How to manage DataModel acceleration storage (tstatsHomePath) ?. 06-05-2020 12:46 AM
- Got Karma for Database query into summary index counts as licensing usage ?. 06-05-2020 12:46 AM
- Karma Re: Received event for unconfigured/disabled index... : When was this event received? for Lowell. 06-05-2020 12:45 AM
- Karma Re: Setting up SSO on Windows for JensT. 06-05-2020 12:45 AM
- Karma Unable to search for extracted substring if didn't start+end with word boundary in the string it was extracted from for IgorB. 06-05-2020 12:45 AM
- Karma Re: Unable to search for extracted substring if didn't start+end with word boundary in the string it was extracted from for twinspop. 06-05-2020 12:45 AM
- Karma Re: LDAP on AD not returning all groups - even with filtering for gkanapathy. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
06-21-2016
05:07 AM
Thanks,
console access is not an issue, so the scripted input suggestion does not help here 😉
So the challenge would be to convert the provided PowerSell script to a standard batch file:
http://download.splunk.com/products/certificates/renewcerts-2016-05-05.zip
... View more
06-21-2016
03:18 AM
Hi,
Following the root certificate expiration explained at:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html?elqTrackId=4f5861c90f7f4a75b297cee5d33506ec&elq=e309d0c8f1384115a2e523a45004dd5b&elqaid=7582&elqat=1&elqCampaignId=
Is there a way to update root certificates on a Splunk 4.2 Forwarder running on a "legacy" Windows 2000 server without PowerShell support?
Thanks
... View more
11-19-2014
09:07 AM
Sometimes, when troubleshooting inputs on large installations (deployment apps, several layers of forwarders, etc), it would be nice to know when a specific event was actually indexed on splunk... It would be also useful when adding historic data (old data on file) and get a notion that it was not indexed "as it was generated" or when the original source process (that writes on a log file) does this by "bursts" instead of "near-real-time"
It would be very simple just to store something like a "_indexedtime" field on every event.
Is there any debug setting to turn this on ?
... View more
09-12-2014
09:51 AM
Actually this issue was also clarified in this question: http://answers.splunk.com/answers/26571/unable-to-search-for-extracted-substring-if-didnt-startend-with-word-boundary-in-the-string-it-was-extracted-from
... View more
09-12-2014
09:34 AM
Well, I figured the problem and it was actually related to an field extraction that was used as the input field to the problematic lookup.
That field is extracted from a very long string in the raw data where only the first 800 chars are used, like this:
OriginalField:\s(?P .{800})
After extraction, this field is used for the lookup (and it works) but the actual field does not work for direct filtering results
index=A OriginalField=OriginalValue
That's because Splunk considers the "longer string" as the full value of the field and only returns results using
index=A OriginalField=OriginalValue*
SO, when using the field from the Automatic Lookup, using Job Inspection I saw that Splunk "under the covers" is actually doing this:
index=A LookupFiled=value ===> index=A OriginalField=OriginalValue AND LookupField=value
And that's why it produces no results 😞
The solution was to add a * to the end of lookup value in the Lookup Table and create a Calculated Field with the * to use as the lookup input 😉
Hope this can help somone 😉
... View more
09-12-2014
08:41 AM
1 Karma
I have an automatic lookup that works ok but when I try to filter results by selecting a field that comes from the lookup table, it only works using a piped search command, like this
index=A lookupfield=value (does not work)
index=A | search lookupfield=value (works!)
I have other similar lookups (other index, other CSV file, but similar configurations) that work with both searches...the advantage of the "direct" filtering is the use of the drilldown on the fields of the side bar.
Anyway, I feel something is wrong if both lookups have different behaviours.
What can be wrong with this ?
... View more
05-22-2014
04:11 AM
Thanks, that info was not present in the documentation for v6.0 but $click.name2$ worked 😉
Still not sure how to use the series attribute in the link tag but, for now the issue is solved!
... View more
05-22-2014
02:57 AM
I'm trying to configure a SimpleXML Chart Drilldown but I'm having problems using the
<link series="">
element.
The chart is a simple "timechart sum() by category" and the ideia is to open another form dashboard and pass the category that was clicked as an argument.
According to the documentation you can use the series attribute to get a value from the chart but when I provide the "series" attribute the tag just opens the standard drilldown (timeline search)... If i remove the attribute, it jumps to the correct dashboard but then I can only use the $click.value$ token.
I'm using this syntax:
<drilldown target="_blank">
<link>
<![CDATA[
/app/myapp/newform
]]>
</link>
</drilldown>
Questions
I can't find any sample on the documentation or here on answers on how to use with chart series, am I doing something wrong ?
I'm using Splunk 6.0, could it be a known issue ?
Does the $click$ token has other property instead of .value ?
... View more
05-20-2014
09:46 AM
1 Karma
Using DB_Connect with dbquery command, if the search results are stored in a summary index, will this count towards the license usage ?
From the documentation, it seems that If summary commands are used (sitop, sirare, sistats, sichart, sitimechart and collect) and the sourcetype is not renamed (stash) it does not count for licensing.
... View more
05-16-2014
10:42 AM
Hi,
I have Splunk for PaloAltoNetworks App installed on a Splunk system with one Indexer and one Search Head.
The indexer is where the PaloAlto App is configured to receive and index the events.
The search head is where the App should be used by the users.
To use DataModel acceleration, this should be configured in the Search Head.
Right now, we have the acceleration turned on in the SearchHead but it's in the indexer (on the tstatsHomePath) that the cache is being written.
Dashboards on both servers work but I think they are not using the accelerated data.
How can I check where the accelerated data from the Data Model is being written ?
... View more
05-16-2014
07:28 AM
1 Karma
Is there a way to manage the storage limits on the tstatsHomePath for an index that is using Data Model acceleration ?
I've installed the latest version of the Splunk for PaloAlto Networks that uses Splunk 6 DataModels instead of the TSCollect technique (which btw had the same problem) and right now I have 100GB in the datamodel_summary folder (and growing fast).
... View more
02-21-2014
07:55 AM
1 Karma
Ok, I just found the problem.
The copy of the user folders from the Indexer to the Search head resulted in invalid folder ownership and permissions on the Search Head. So, not even the admin could see the objects.
Actually, users were not even able to save new searches but that had not been reported until now.
The issue was happening in MOST of the folders, but not all, that's why some objects were being listed.
Then, somehow the Window Server was not allowing Ownership changing (folders had "unknown user") so we had to re-copy everything again but this time it worked 😉
... View more
02-21-2014
06:34 AM
We have migrated from a single Indexer system to a Search Head + Indexer.
All apps and users were copied to the Search Head.
Authentication is LDAP.
Users on the search head do not see their own private objects (searches, extractions, etc.) although that information is present in the user's folder .conf files.
Global and App level objects are shared and accessible.
From the documentation, I can't find any process to "refresh" or "rebuild" the knowledge of Splunk of there private objects (which I believe don't even need stanzas in the user's local.meta file). Nevertheless, everything was transfered from the original indexer.
In the old indexer, where all the objects still remain, it's possible (even with the admin) to see all the user's private objects.
... View more
12-02-2013
06:48 AM
this did not work for me... does Splunk need to be restarted ?
... View more
04-12-2013
08:30 AM
I'm going from a single server installation to a Search Head + Indexer setup.
I've managed to install and setup the Search Head but now I would like to migrate everything (except the indexes) to the search head, that is:
Users, Roles and Authentication config
Apps, Searches, Reports and Views
Macros, Extracted Fields and Lookups
Basically, the only thing that stays in the original server is the actual indexes (and indexes.conf of course) since the plan is to have users use JUST the Search Head.
All the documentation talks about is the knowledge bundle but, at this moment, all the "knowledge" is in the indexer...
It seems that I should copy (almost) the entire(?) $SPLUNK_HOME/etc to the search head but I can't find anything on the documentation about this.
... View more
02-26-2013
03:42 AM
I have the same problem! How do you detected the corrupted index ?
... View more
01-31-2013
10:36 AM
I also have this problem. Funny that it happens in Chrome and IE8 with some users/machines. But on IE8 it works with other machines/clients
... View more
09-10-2012
01:49 PM
Our problems seem to be performance related since we are using a network storage for the index.
After a little help from Splunk Support we found a few messages indicating the queues were blocked probably because of network performance issues. The message is "Stopping all listening ports. Queues blocked for more than 300 seconds".
We are still testing everything to make sure that's the correct diagnose. If we find something I will post here !
... View more
08-03-2012
02:21 AM
Thanks.
We run a scheduled search to monitor if data is not being received from the forwarders and caputres the most recent time entry (when the data stopped)
I was able to see that, at that time, all the forwarders were reporting Connection Failed (on TcpOutputProc)
It seems to be a problem at the receiving index... The indexer is still running but TCP data is just not allowed to pass (although UDP and local monitoring works)
Maybe it's some kind of firewall issue, any ideia on how to diagnose this further ?
... View more
07-31-2012
03:41 AM
We have a Splunk server that is receiving data from more than 10 forwarders. It also receives data directly via UDP and monitors files on network shares.
We have scheduled searches to monitor and alert if a host stops sending data.
Ocasionally, Splunk reports all the forwarders have stopped sending data. Diagnosing we find that:
- Splunk is running ok and all UPD and local monitor files are working and receiving data
- All forwarders are up and running but Splunk is not indexing any data from them
- Restarting Splunk does not solve the issue
- Restaring the server solves the problem
We can't find any server logs that indicate a network problem.
Any ideias on how to diagnose this ?
We're running 4.3.3 on Windows Server 2008 64bit.
... View more
