Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About atat23
atat23
Path Finder
Member since:
11-12-2013
06-05-2020
Community Statistics
| Posts | 19 |
| Solutions | 1 |
| Karma Given | 16 |
| Karma Received | 2 |
| Member Since | 11-12-2013 |
Activity Feed
- Karma Re: Any tips to quickly learn an existing Splunk setup? for martin_mueller. 06-05-2020 12:48 AM
- Got Karma for Re: Mail refuses to send to anything other than localhost. 06-05-2020 12:48 AM
- Karma Re: PDF Reports: How to make cells "top-aligned" instead of bottom in Splunk 6.1.3? for grundsch. 06-05-2020 12:47 AM
- Karma OPSEC LEA SIC ERROR 301 for Chubbybunny. 06-05-2020 12:47 AM
- Karma Re: Table visualisation of events with extra metadata fields for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Should a deployment server delete an application? for bwooden. 06-05-2020 12:47 AM
- Karma DB Connect 2 & Splunk Add-on for McAfee: Connection is successful, but why is data not being updated in the index? for svenolensky. 06-05-2020 12:47 AM
- Karma Re: DB Connect 2 & Splunk Add-on for McAfee: Connection is successful, but why is data not being updated in the index? for svenolensky. 06-05-2020 12:47 AM
- Karma Why does Splunk Light 6.3.1 always try to send scheduled report emails to localhost, regardless of Mail Server Settings? for secomba. 06-05-2020 12:47 AM
- Karma Re: Line breaking two different time prefixes for rphillips_splk. 06-05-2020 12:47 AM
- Karma Re: Line breaking two different time prefixes for somesoni2. 06-05-2020 12:47 AM
- Karma Re: rc=-1 err=-96 Connection error with Check Point OSPEC LEA app 2.0.2 for Chubbybunny. 06-05-2020 12:46 AM
- Karma Re: Including SSL Certificates in a Splunk App for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: Listing forwarders for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Problem in setting up forwarder and reciever ( Received unexpected 369295360 byte message) for gethyn85. 06-05-2020 12:46 AM
- Karma Re: Seemingly false license alert for bpaul_splunk. 06-05-2020 12:46 AM
- Got Karma for Seemingly false license alert. 06-05-2020 12:46 AM
- Karma Re: Autostart Splunk on boot for the_wolverine. 06-05-2020 12:45 AM
- Posted Re: Mail refuses to send to anything other than localhost on Reporting. 10-04-2016 01:46 AM
- Posted Re: Mail refuses to send to anything other than localhost on Reporting. 10-03-2016 05:27 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
I was trying to run this search from a custom app, the report I had setup within the app created a savedsearches.conf and this conf file was automatically populated with default mail settings, so it had the mail server as localhost and the default mail footer, these default values were overriding the custom settings I had setup in server settings > email settings.
... View more
09-29-2016
03:32 AM
I am trying to setup an existing instance of Splunk (6.2) to send a scheduled report. In the splunk_python log I am getting:
2016-09-29 11:10:02,417 +0100 ERROR sendemail:356 - [Errno 111] Connection refused while sending mail to: bilbo@theshire.com
2016-09-29 11:10:02,416 +0100 ERROR sendemail:114 - Sending email. subject="Old Toby", results_link="https://splunk:8000/app/hobbits/@go?sid=scheduler__samwise__hobbits__RMD56e9ec5d3df4dd8f4_at_1475143800_7259", recipients="[u'bilbo@theshire.com']", server="localhost"
Issue is the above server value, it should not be localhost, I have changed the email settings to be a local mail server IP and I also tried changing the localhost in sendemail.py script to the IP of the mail server but, according to the log, no matter what I try the automated report is being sent to "localhost".
I've confirmed mail can actually be sent using:
... | sendemail server=10.10.10.10 to=bilbo@theshire.com
And I have successfully received mail without any problems.
... View more
09-28-2016
09:45 AM
I downvoted this post because not helpful, offer suggestions rather than saying you can't replicate it
... View more
10-12-2015
04:47 AM
@somsoni2: have tried the below and it looks like it's basically just changed the groupings on the events, the events are being broken more often but I still see the odd event like this, where the linebreaking is just being ignored:
12/10/2015 12:33:18,779 INFO fileupload - sessionDestroyedListener running for USER04
12/10/2015 12:33:18,785 INFO fileupload - null has got session timeout page
@rphillips: The setup is basically a two node cluster on Splunk 6.2.5, _cluster/local/props.conf is updated in master-apps, I then use the GUI to distribute the bundle to the cluster peers, make sure the slave-apps has been updated on the indexer and check to see if the linebreaking is applied.
Have also tried the regex you provided and the linebreaking show no change to somesoni's.
... View more
10-09-2015
09:21 AM
Think I may have tried everything in props at this stage, Splunk does not seem to be paying much attention to anything I change though as the linebreaking was working to a degree and is now questionable.
The main issue is the log file is a bit of a mess, it contains various forms of xml and also normal looking events.
This is my default that is needed to detect the difference between the day and month (otherwise 07/10 is picked up as 10/07):
[messy_log]
TIME_FORMAT=%d/%m/%Y %H:%M:%S,%3N
TIME_PREFIX=(^\s)|(^.{8}\s)
MAX_TIMESTAMP_LOOKAHEAD=35
NO_BINARY_CHECK=true
# 07/10/2015 15:21:07,413 INFO
# BLAAH771 18/08/2015 14:59:40,052
The default BREAK_ONLY_BEFORE_DATE = True is being applied (confirmed via btools)
I have also tried things with the various Break before/don't break before/break after settings:
BREAK_ONLY_BEFORE = \s\d\d\/\d\d\/\d\d\d\d\s\d\d\:\d\d\:\d\d\,\d\d\d\s
Still not cooperating.
In a Splunk search, there are some single lines being broken into single line events, but others that look like this:
09/10/2015 16:49:15,502 INFO host.log - <Request>snipped</Request>
<Response>snipped</Response></channel_log_entry>
09/10/2015 16:49:16,343 INFO host.log - <Request>snipped</Request>
<Response>snipped</Response></channel_log_entry>
09/10/2015 16:49:16,388 INFO host.log - <Request>snipped</Request>
<Response>snipped</Response></channel_log_entry>
BLAAH678 09/10/2015 16:49:16,508 INFO host.log - blahblahblahyakkitysmakkity
BLEEH876 09/10/2015 17:08:10,445 INFO host.log - user has logged off
Above is a single event seen in Splunk, 5 separate events being caught as one. The xml request and responses are on different lines which may be complicating things further and possibly the space between the start of the event and the timestamp in some events.
To make it more interesting, if I try and put the data through the data preview/sourcetype builder in "Data Inputs" with the same settings as the above props, everything is picked up perfectly.
... View more
09-02-2015
05:01 AM
Just ran into the same issue using the provided TA inputs template for EPOv5, removing TOP from inputs fixed it, thanks.
... View more
06-05-2015
10:49 AM
Trying to setup the app and can see the following in the log:
[CRITICAL] [rpcstart.py] RPC server has been terminated abnormally with error [Error: dl failure on line 883].
inputs.conf
[rpcstart://default]
javahome = /opt/splunk/jdk1.8.0_45/jre
port = 9083
useSSL = 0
proc_pid = 27305
Exception = 0
Based on existing answers I assumed it may be related to the javahome setting but If I change the javahome value I get errors saying the directory does not exist, if I have the above value I get the terminated abnormally error.
It doesn't really tell me a lot though, anyone able to offer any guidance or ideas on how I can get to the bottom of this.
I've uninstalled and reinstalled the app a number of times at this stage 😕
... View more
03-24-2015
06:27 AM
Old topic but the need for this has come up for me recently, did you ever carry this procedure out? would be very interested in the result.
To me it seems like it may not be an issue based on:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Whathappenswhenamasternodegoesdown
If CM02 is removed and the configurations of the two separate clusters are merged (in my case the clusters are already have the same configuration for inputs/indexes etc), the Peers are then pointed to the CM01 and they will report their replication statuses back to their new CM.
Again, in my case the SF and RF factor should already be met so there shouldn't be any remediation needed.
There is also:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Handlemasternodefailure
So as long as nothing in the server.conf and master-apps config that is overlooked I'm thinking that a merge won't be an issue.
... View more
06-30-2014
09:17 AM
Still wouldn't work till I upgraded till the latest version of Splunk.
Can confirm that "checkbox" works now as well, so it does need 6.1
... View more
06-30-2014
07:14 AM
Had to use input type="radio" as the template for uri checkbox input couldn't be found, but I guess it will work with a few different type of input elements depending on how it's tweaked.
Then with just a and b I get that the search isn't fully resolved but it works when the radio box is checked for all four columns.....
Will continue to play with it but I think this is a pretty neat way of doing it compared to what I was trying to do. Thanks Martin!
... View more
06-30-2014
05:04 AM
I'm currently trying to get a dashboard to show a simple overview table of 4 or 5 keys fields. Then instead of using a drill down to view the event in a search I simply want the user to be able to click the table to view a larger list of all the related fields.
From Splunk 6 dashboard examples it looks like I can do this using the event visualisation which lets you define what fields should be listed in the metadata view.
The issue I have with this seems to be that you can only pass fields that are already displayed in your table in the metadata, not sure how I get extra fields in here that aren't already in the table.
So the example given is:
<event>
<title>Logins in the last week</title>
<searchString>index=_internal action=login user=*</searchString>
<earliestTime>-7d@d</earliestTime>
<earliestTime>now</earliestTime>
<fields>user, action</fields>
<option name="type">table</option>
</event>
Any fields I specify appear in both the table and the metadata, is there anyway to make all fields appear in the metadata and also specify exactly which ones appear in the table?
... View more
01-07-2014
05:28 AM
1 Karma
Seems my license master was down over the holiday period, not really a big deal as it's mostly for testing atm. However when I started it back up I immediately got a license alert telling me we had indexed 180GB in the last day. My license is currently 100GB.
If I use the following search: index=_internal source=*metrics.log group=per_index_thruput series!=_* | eval totalGB = (kb/1024)/1024 | timechart span=1d sum(totalGB)
it returns:
_time sum(totalGB)
1 31/12/2013 00:00:00.000 12.2209665475012
2 01/01/2014 00:00:00.000 25.0286318313375
3 02/01/2014 00:00:00.000 31.1994889654078
4 03/01/2014 00:00:00.000 33.0460035013612
5 04/01/2014 00:00:00.000 25.8918191486529
6 05/01/2014 00:00:00.000 21.8476761363130
7 06/01/2014 00:00:00.000 33.3480448879797
8 07/01/2014 00:00:00.000 14.9539859788464
looking at a few of the Splunk apps like SOS it also shows my usage at 180GB under license usage, although looking at what has actually been indexed using status > indexer activity > indexer activity overview or indexing and forwarding view in SOS it shows me similar results to the above search.
So it seems to be some kind of mismatch between the ways the licensing is being seen by splunk, Anyone have any suggestion on what may be going on here or how I would go about getting to the bottom of this?
... View more
12-03-2013
10:33 AM
so length seems to be an issue (hur hur), I'm trying to extract 35 fields, so the line in props is pretty long.
When I test it using only the first five fields, it works and extracts these fields as it should.
Is there a limit to the number of fields to be extracted in props....? am I reaching a character limit meaning the whole line is ignored?
... View more
12-03-2013
08:19 AM
I was restarting after every change. Using rex the fields seem to extract fine, not in props though, so:
rex "ASM:.(?<field1>[^,]*).,.(?<field2>[^,]*).
props
EXTRACT-fieldval = ASM:.(?<field1>[^,]*).,.(?<field2>[^,]*).
so maybe the problem lies with the fact my fields do have literal quotes around them, and I'm trying to match everything between the quotes.
Above I match the quotation marks with . instead of matching the literal quotation marks. I also tried the two suggested regexes, work with rex, not props.
permissions seem to be fine on the files as well.
... View more
12-02-2013
11:09 AM
I tired this, both with the field surrounded by quotes and without as that's the way they are in the log, although using this method it doesn't seem to be extracting any fields.
edit: should also mention, i also tried to name the stanza as [source_log] in props, which is my sourcetype I want this applied to.
... View more
12-02-2013
08:34 AM
Hi all,
I'm using props and transforms to extract fields, all the fields are extracted properly, except the first one.
This is mainly because my transforms is currently:
[extract_fields]
DELIMS = ","
FIELDS = "field1", "field2", "field3", etc
The first line of the event itself is as follows:
Dec 2 15:47:55 foo.bar.ie IRL:"field1","field2","field3"
So it extracts Dec 2 15:47:55 foo.bar.ie IRL:"field1" as the first field.
How would I go about ignoring that first part, so the field extraction starts after IRL:?
I was looking for some kind of field extraction parameter similar to TIME_PREFIX but for field extractions, but there doesn't seem to be one or I'm just not understanding the docs correctly.
... View more
11-22-2013
04:57 AM
thanks for the reply. although as stated at the start of my question I was trying to ask if it was possible in versions below version 6, re-reading it, maybe it wasn't clear.
To simplify, the internal requirement was to be able to search a pair of v6 clustered indexers from a v5 search head.
From trawling the docs I was already pretty sure the answer was no, but you never know what this community can come up with 🙂
... View more
11-12-2013
09:43 AM
So in versions below 6, you can't add non-clustered search peers to a clustered SH, what about the other way around...?
I can't see a mention of it in the docs, but are there any problems with adding clustered indexers as search peers to a non clustered Splunk instance (stand alone search head/indexer in this case).
I was looking at this previous case were it seems to be possible as the question asker suggest he's done it:
http://answers.splunk.com/answers/101782
I also set up a test scenario with a a clustered test index that I could search from my non clustered instance to my clustered peers, it seemed fine if I searched by index, but had a problem when I tried to search by host (I made sure each of the cluster peers had different data in their test index). So I'm thinking there may be problems with what I'm trying to do that I'm obviously missing.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
