Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nunoaragao
nunoaragao
Explorer
Member since:
03-29-2017
yesterday
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 03-29-2017 |
Activity Feed
- Posted Re: How to resolve crash events in windows application log for App: splunk-winevtlog.exe (eventcode = 1000)? on Splunk Enterprise. yesterday
- Posted Re: How to resolve crash events in windows application log for App: splunk-winevtlog.exe (eventcode = 1000)? on Splunk Enterprise. 2 weeks ago
- Got Karma for Re: Using Local=true in Automatic Lookups. 12-13-2022 01:38 PM
- Posted Re: Using Local=true in Automatic Lookups on Splunk Search. 12-13-2022 04:22 AM
- Posted Re: Log showing when Diags were generated? on Monitoring Splunk. 07-21-2022 01:50 AM
- Posted Re: When will Chrony be supported? on All Apps and Add-ons. 01-27-2022 06:57 AM
- Posted Re: When will Chrony be supported? on All Apps and Add-ons. 01-26-2022 08:23 AM
- Posted Warn and Error messages below search bar on Splunk Search. 01-18-2022 05:57 AM
- Posted Re: Cannot Disable Health Report Features in 8.2.2 on Splunk Enterprise. 11-19-2021 08:29 AM
- Posted Re: Cannot Disable Health Report Features in 8.2.2 on Splunk Enterprise. 11-11-2021 04:16 AM
- Posted Re: Cannot Disable Health Report Features in 8.2.2 on Splunk Enterprise. 11-10-2021 07:39 AM
- Posted Re: Cannot Disable Health Report Features in 8.2.2 on Splunk Enterprise. 10-27-2021 02:31 AM
- Posted Re: Dokumentation for "Health of Splunk Deployment" calculation on Monitoring Splunk. 10-21-2021 08:45 AM
- Posted Re: Upgrade Splunk 8.0.0 to 8.2 on Splunk Enterprise. 10-08-2021 03:58 AM
- Posted distsearch.conf on Search Head cluster on Getting Data In. 10-04-2021 06:38 AM
- Posted Re: Splunk-Perfmon crash errors in forwarder 7.2.9 on Getting Data In. 05-26-2021 02:00 AM
- Posted Re: REGEX in transform.conf using "^" to specify the begining does not work on Splunk Search. 05-12-2021 04:30 AM
- Karma Re: Send journald logs to Splunk for alastor. 11-20-2020 08:09 AM
- Karma How do I configure Distributed Search Groups for a clustered Indexer environment? for fernandoandre. 06-05-2020 12:49 AM
- Karma Re: A user can outputlookup and overwrite existing lookups regardless of permissions for fernandoandre. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
yesterday
So, the result of our troubleshoot, was that all of the hundreds of crash events we were seeing related to winevtlog or perfmon, were not crashes happening but re-attempts of sending past crashes to Microsoft, and failing, because these were on an air-gaped subset of the estate. The clue was, apart from ceasing the activity by clearing all the WER folder, that Report_Id just kept repeating ... sourcetype="WinEventLog:Application" AppCrash | regex Message=".*(?<splunk>splunk[-\w]+)" | timechart span=30m dc(Report_Id) This search showed a constant value of 12 across several days Then we found there is a GPO that tells servers to log AppCrash events, but not send them to Microsoft
... View more
2 weeks ago
Hi ! We're having similar issue as well, with splunk-winevtlog and splunk-perfmon being the culprits, but Signature P4 is not KERNELBASE but the splunk process itself. It only affects Server 2019. Bursts of AppCrash show up every 5 minutes or so. We've tried version 9.0.6 and 9.1.1 We opened a support case, turned on DEBUG logging and sent them diags, etc .. the works .. What we've found was that, clearing the WER folder of AppCrash files C:\ProgramData\Microsoft\Windows\WER ( Settings > Storage > Free Space > Windows Error Report - check delete Files ) .. would cease the issue on that single server .. at least until the issue gets triggered again. Did you get your issue fixed with release version 9.0.6 @PeterBoard ? Thanks
... View more
12-13-2022
04:22 AM
1 Karma
To @potnuru and others that might fall here .. there is a setting on transforms.conf called replicate to: Indicates whether to replicate CSV lookups to indexers
... View more
07-21-2022
01:50 AM
Agree @chadmedeiros there is no event log for the export of a diag. The issue was made worse when Splunk replaced their Support Portal, and the new portal doesn't show customers their own uploaded files. They claim the old one never did, so, until I can prove them they'll just log that as a suggestion. Does anyone keep a screenshot of the old portal with the uploaded files section right below the description? Thanks.
... View more
01-27-2022
06:57 AM
.. and to make chrony output similar to ntpdate, replaced the final section like this (switching the last lines of code to ntpdate condition) ( ... )
else
CMD2="chronyc"
assertHaveCommand $CMD2
chronyc -n sources | awk -F"[] []+" '/\^/ {printf "server %s, stratum %d, offset %s, delay %s\n",$2,$3,$8,$10}' Attempted to also use variable $AWK like most of the other scripts but kept having double quotes escaping errors .. gave up. Maybe not efficient but does the trick
... View more
01-26-2022
08:23 AM
Regarding TA nix >8.1 with support for Chrony, I'm deflated that any recent version does not attempt at having similar log events from systems with Chrony or systems with ntpdate. As most other scripts do with smart awk expressions. Also, on systems with ntpdate BUT that run Chrony for time sync (hint: RHEL7), the script bypasses Chrony configuration. But this I managed to fix it myself by including lines 2 and 3: if [ $FOUND_NTPDATE -eq 0 ] ; then
echo "Found ntpdate command" >> $TEE_DEST
if [ -f /etc/chrony.conf ] ; then # Special
CONFIG=/etc/chrony.conf
elif [ -f /etc/ntp.conf ] ; then # Linux; FreeBSD; AIX; Mac OS X maybe
CONFIG=/etc/ntp.conf
elif [ -f /etc/inet/ntp.conf ] ; then # Solaris
CONFIG=/etc/inet/ntp.conf
elif [ -f /private/etc/ntp.conf ] ; then # Mac OS X
CONFIG=/private/etc/ntp.conf
else
CONFIG=
fi
... View more
01-18-2022
05:57 AM
While most Warn and Errors show up on the Job dropdown (1) some are also displayed in an area right below the search bar (2). Looking at HTML this placeholder is named search-searchflashmessages What's the name for this area ( to discuss this with Support ) ? Is it possible to config which messages to show/not show in here ? Looking at documentation this area is not detailed: https://docs.splunk.com/Documentation/Splunk/8.2.4/Search/WhatsinSplunkSearch
... View more
Labels
- Labels:
-
search job inspector
11-19-2021
08:29 AM
Hi @samjenk_2 , These are the events used to toggle health colours in Splunk's Health Report. So we get to know what are the typical values, and in which servers. index=_introspection sourcetype=splunk_resource_usage component=IOWait
... View more
11-11-2021
04:16 AM
Just got an answer from Splunk Support, @kisstian / @samjenk_2 / everyone Splunk have now updated their documentation regarding disable health report features. It states in a box: If distributed health reporting is enabled for your deployment, disabling a feature on the local instance will not be reflected in the health report. It seems, the workaround to disable a feature in +8.2 has just became a feature. The old behavior in +8.1 in which you could disable a single feature regardless of distributed health report has been "improved" If anyone submits an Idea to bring the old behavior back, let me know. You get my vote.
... View more
11-10-2021
07:39 AM
Hi @samjenk_2 , my case(s) with Splunk Support were #2733102 and #2737559 .. SPL-213405 is Splunk's internal JIRA to track this issue. It may, or not, then show up on Splunk's release notes as known issue. It's still being investigated. If you deal with Support you can ask to link with it. My issue is that Docs say "You can disable any feature (...) for example, if you want to exclude a feature's status from the health report". So we expect to be able to disable a specific feature (i.e. Buckets) without requiring to disable distributed_health_reporter, which would also disable/hide a lot of other features if we're on a typical topology where we have search head clusters and clustered indexers. In other words, tell the Search Head to gray out a Indexer peer feature even if that peer is reporting health. It matches your scenario ?
... View more
10-27-2021
02:31 AM
I also found this issue on 8.2.2.1, and Splunk is tracking this on SPL-213405. My issue is that I disable IOWait and Buckets health check on the Search Heads, but as long as search peers report issues with these features, they'll still show up. Except if we disable distributed health report, but then we lose visibility on a lot of other health checks. And apparently, the documentation now reports that distributed health report is enabled by default.
... View more
10-21-2021
08:45 AM
I created two Splunk Support cases related to another item on Splunk Health, and it would be simpler if these had better support documentation. The item was actually Buckets, which is listed on health.conf as feature:buckets stanza with two indicators. One of them percent_small_buckets_created_last_24h What I found was, on app splunk_instrumentation there is a savedsearch called [instrumentation.deployment.index] that writes these Metrics to _internal based on querying rest /services/data/indexes endpoint. 10-21-2021 12:02:06.956 +0100 INFO PeriodicHealthReporter - feature="Buckets" color=red indicator="percent_small_buckets_created_last_24h" And then there is a second savedsearch with stanza [instrumentation.usage.healthMonitor.currentState] that joins a table returned from rest endpoints with these logs read from _internal. The search returns a JSON structure with the overall Health Report stats. Is this structure used to populate the Health Report on the Web Interface ? Unsure. As I said .. two tickets ..
... View more
10-08-2021
03:58 AM
Where does the License Manager fit this picture ? Is License Manager 8.0 compatible with 8.2 Indexing layer ? Or does it need to be upgraded at the same time as Indexers ?
... View more
10-04-2021
06:38 AM
Hi Splunkers, Long time ago we setup a SH cluster, and added search peers using CLI Some time later we changed the setup and began setting the search peers via an App pushed from the deployer. All $SPLUNK/etc/system/local distsearch.conf files were purged, and the app contains some peers on distsearch.conf and clustered indexers on server.conf Recently we found one cluster member stubbornly kept re-creating a distsearch.conf on system/local that overrided the cluster's configs ( pushed via the App ). Removing the file and doing a rolling restart, the file showed up again. Cleaning the KV Store and adding that member to the cluster restored the rogue distsearch.conf again. We also deleted *bundle files on $SPLUNK/var/run. Following the steps described as "Add a member that was both removed and disabled" here: https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Addaclustermember We found when calling "splunk add shcluster-member" on the Captain, the "new" member's system/local path was purged from some files and re-created .. with the rogue distsearch.conf we were trying to get rid. And this event showed up on _internal ERROR ApplicationUpdater - Error reloading : handler for distsearch (access_endpoints /search/distributed/bundle-replication-files, /search/distributed/peers) Any ideas ? The final solution was to nuke the VM and re-create from scratch.
... View more
Labels
- Labels:
-
other
05-26-2021
02:00 AM
I can see the exact same issue with forwarders +8, but only on Win Servers 2019. Has anyone found a fix ?
... View more
05-12-2021
04:30 AM
Maybe not working because SOURCE_KEY = MetaData:Host will return host:: at the begging of the string. Maybe change REGEX to either REGEX = ^host\:\:8\.\d{1,3}\.\d{1,3}\.\d{1,3}
REGEX = (?<!\d)8\.\d{1,3}\.\d{1,3}\.\d{1,3}
... View more
12-24-2019
01:26 AM
I've hit the same snag on some AMI on AWS. Could not figure out an elegant solution, so I've resorted to:
DUPLEX= cat /sys/class/net/$iface/duplex 2>/dev/null | sed 's/./\u&/'
...
SPEED= cat /sys/class/net/$iface/speed 2>/dev/null
Which redirects the errors to dev null. That was Splunk's implementation back on version 5 of the add-on.
... View more
10-30-2019
10:02 AM
cat: /sys/class/net/eth7/speed: will return Invalid argument if the NIC is disconnected. Same for duplex.
The way I fixed this, was to previously check if the state is "Up", like this
if [ -r /sys/class/net/$iface/duplex ]; then
if grep -Fq "up" /sys/class/net/$iface/operstate; then
DUPLEX=`cat /sys/class/net/$iface/duplex | sed 's/./\u&/'`
[ .... more original code here .... ]
fi
Other lines of code might also do the trick
... View more
04-05-2019
07:38 AM
After trying dozens on Java SimpleDateFormat around, once I got confirmation on this Post here that this timestamp.format would be recognized
timestamp.format = yyyy-MM-dd'T'HH:mm:ss.SSSZ
Managed to get UTC dates properly indexed with this snipped on TSQL:
FORMAT(Time,'yyyy-MM-ddTHH:mm:ss.fff')+REPLACE(RIGHT(CONVERT(datetimeoffset,Time,26),6),':','')
I'm on DB Connect 3.1.3, we still can't trust props.conf ( DBX-4019 and DBX-4021 .... )
... View more
11-08-2018
03:15 AM
| tstats earliest(_time) as etime where index=* by index _indextime
| eval delta=(etime-_indextime)/60
| eval _time=_indextime
| timechart span=10m min(delta) by index limit=0
... View more
