Has memory requirements changed from Splunk version 7.3.3 in the case of Master Node? Now  when running 7.3.3: MemTotal: 3880788 kB MemFree: 995200 kB MemAvailable: 3000696 kB   ... View more

Hi,   If there is some who could help I upload splunkd.log with debug logs.. Feel free to check it out 🙂   https://www.dropbox.com/s/5w7hnfx65bk3f4k/splunkd.log.gz?dl=0 ... View more

Now I have tried to upgrade Splunk 4-5 times and everytime same thing...  I have tried "Splunk Platform Upgrade Readiness App" but as I do not have any special apps in Master node that doesn't help anything.. I have tried to start splunk using --debug flag (splunk start --debug") but those millions of lines don't tell me where the problem is. For me, this seems to some kind of bug in Splunk. The upgrade seems to be so simple that it's difficult to make a mistake there. I have no clue what to do next??    ... View more

Hi,   I have now tried to upgrade 3 times and always the same result. I can't access Web UI. Can I attach logs somewhere?   This kind of erros seen in log file:   10-05-2020 19:39:59.015 +0300 ERROR UiPythonFallback - Couldn't start appserver process on port 8065: Appserver at http://127.0.0.1:8065 never started up. Set `appServerProcessLogStderr` to "true" under [settings] in web.conf. Restart, try the operation again, and review splunkd.log for any messages that contain "UiAppServer - From appserver". 10-05-2020 19:39:59.015 +0300 ERROR UiPythonFallback - Couldn't start any appserver processes, UI will probably not function correctly! 10-05-2020 19:39:59.015 +0300 ERROR UiHttpListener - No app server is running, stop initializing http server 10-05-2020 19:40:56.949 +0300 WARN GetRemoteAuthToken - Unable to get auth token from peer: https://10.90.136.65:8089 due to: Connection refused   I I grep UiAppServer from splunkd.log:   grep UiAppServer splunkd.log 10-05-2020 19:39:59.015 +0300 ERROR UiPythonFallback - Couldn't start appserver process on port 8065: Appserver at http://127.0.0.1:8065 never started up. Set `appServerProcessLogStderr` to "true" under [settings] in web.conf. Restart, try the operation again, and review splunkd.log for any messages that contain "UiAppServer - From appserver". 10-05-2020 19:46:46.324 +0300 INFO UiAppServer - Starting stderr collecting thread 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: Traceback (most recent call last): 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py", line 10, in <module> 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: from cherrypy import expose 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/site-packages/cherrypy/__init__.py", line 76, in <module> 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: from . import _cprequest, _cpserver, _cptree, _cplogging, _cpconfig 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpserver.py", line 6, in <module> 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: from cherrypy.process.servers import ServerAdapter 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/site-packages/cherrypy/process/__init__.py", line 13, in <module> 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: from .wspbus import bus 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/site-packages/cherrypy/process/wspbus.py", line 66, in <module> 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: import ctypes 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/ctypes/__init__.py", line 551, in <module> 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: _reset_cache() 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: File "/opt/splunk/lib/python3.7/ctypes/__init__.py", line 273, in _reset_cache 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: CFUNCTYPE(c_int)(lambda: None) 10-05-2020 19:46:46.626 +0300 INFO UiAppServer - From appserver: MemoryError       ... View more

Hi, I noticed later on that mvexpand command shows "dublicate" events on search results on the table when searching using wildcards (*). Is is possible to prevent that or can we make query without mvexpand? ... View more

The result of that query is so confusing 🙂 I would like to have one event per row in table so that users can see the results... ... View more

successful comes from Calculated Fields: if(isnotnull(ErrorCode), 0, 1) - so it's 1 or 0 ... View more

Even with a bit simpler query I get the same results... index=<my_index> | rex "(?<json>\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition | search field="*" value="*" service_id="*" request_id="*" | table index event_timestamp request_id myservice_id Palvelut system_id successful error{}.code error{}.message _raw ... View more

"Do you need | eval kohteet = fieldValue ?" Maybe not, but I just saved that value for later use.. I got it working like that 🙂 ... View more

JSON is here: { "event_timestamp" : "2020-03-03 T 12:56:54 +0200", "file_timestamp" : "", "username" : "xxxx", "session_id" : "F23AA957F1A494C12F2B21B5A7533FF3", "request_id" : "74b9cf97-934c-41cb-b81e-1152f51e28b7", "register_id" : [ ], "system_id" : "ASDFG", "environment" : "LINUX", "service_id" : "12355", "parameters" : [ { "field" : "xxx", "value" : "xx-123", "search" : false, "securityProhibition" : false }, { "field" : "yyy", "value" : "yy-564", "search" : false, "securityProhibition" : false }, { "field" : "zzz", "value" : "1234433222", "search" : false, "securityProhibition" : false }, { "field" : "vvv", "value" : "www.google.com", "search" : false, "securityProhibition" : false }, { "field" : "qqq", "value" : "qwert", "search" : false, "securityProhibition" : false } ], "info" : null, "error" : [ { "code" : "202", "message" : "General Error" } ], "schema_version" : "1.0" }; ... View more

Example JSON can be found from my earlier post - url is above: <search> <query>$systems$ | rex "(?&lt;json&gt;\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) |eval kohteet=fieldValue | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition | search field="$dest$" value="$dest_value$" $status$ service_id="$service$" request_id="$reqid$" |eval myservice_id=service_id | lookup omatrafi_qa.csv service_id AS service_id OUTPUT service_id Palvelut | table event_timestamp request_id myservice_id Palvelut system_id kohteet successful error{}.code error{}.message _raw session_id | rename event_timestamp as "Tapahtuman aikaleima" request_id as "Kutsutunnus" myservice_id as "Palvelutunnus" Palvelut as "Palvelutunnuksen selite" system_id as "Järjestelmätunnus" kohteet as "Kohteet" successful as "Kutsu onnistunut" error{}.code as "Error_Koodi" error{}.message as "Error_Viesti" _raw as "Raaka_data" session_id as "sessio" </query> ... View more

As "mvexpand" Expands the values of a multivalue field into separate events.. When users fill the input search fields only matching event(s) is seen, but when searching with the asterisk we can see as many duplicate events as there is different fields. That's confusing... ... View more

I meant event as whole JSON message what is seen. ... View more

Or I added that myValue=fieldValue which solved my case :) Thanks I'' accept this answer!! index=myindex | rex "(?<json>\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) **|eval myValue=fieldValue** | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition ... View more

Thanks for this! ... View more

I'm near to get this working as I want 🙂 index=myindex | rex "(?<json>\{.+)" | spath input=json | fields - json | rename parameters{}.* as * | eval fieldValue=mvzip(field,value) | mvexpand fieldValue | eval fieldValue=split(fieldValue,",") | eval field=mvindex(fieldValue,0) | eval value=mvindex(fieldValue,1) | fields - fieldValue search securityProhibition | search field="*" value="*" | table event_timestamp request_id service_id system_id parameters{}.field parameters{}.value _raw The only thing here is that earlier "parameters{}.field and parameters{}.value" populated table with all values. Now that part is empty. How I "print" all field names and values to table from that certain event? Did you get the point 🙂 ... View more

Or maybe like this - populating new search after that: | search field="yyy" value="yy-564" ? Am I right? ... View more

Thanks for this also. Can you also show how to search events where field yyy has value "yy-564".. I'm a bit newbie here 🙂 ... View more

Thanks for this. Still wondering how to search from that table 🙂 ... View more

Hi, This question came from Our customer.. I need to find out what they are trying to solve with this setup 🙂 ... View more