Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About raziasaduddin
raziasaduddin
Path Finder
Member since:
08-16-2012
06-05-2020
Community Statistics
| Posts | 40 |
| Solutions | 0 |
| Karma Given | 16 |
| Karma Received | 17 |
| Member Since | 08-16-2012 |
Activity Feed
- Karma Re: FireEye XML to Universal Forwarder for monzy. 06-05-2020 12:46 AM
- Karma Re: Distributed Search Knowledge Bundle Regex for Splunker. 06-05-2020 12:46 AM
- Karma Re: How to limit mgmt port access to localhost only on Universal Forwarder or Heavy Forwarder for redoracle. 06-05-2020 12:46 AM
- Karma Role of the following Queues for lpolo. 06-05-2020 12:46 AM
- Karma Re: Role of the following Queues for romantercero. 06-05-2020 12:46 AM
- Karma Re: Search on an eval variable - find filenames with yesterday's date for martin_mueller. 06-05-2020 12:46 AM
- Karma Specifying class while reloading deploy-server not working in Splunk 6 for caseypike. 06-05-2020 12:46 AM
- Karma Re: "Unable to distribute to peer" -- adjustable timeout? for drrushi_splunk. 06-05-2020 12:46 AM
- Karma Re: Dashboard of Jobs for LukeMurphey. 06-05-2020 12:46 AM
- Karma Re: Join Statment for jonuwz. 06-05-2020 12:46 AM
- Karma Using props/transforms to assign sourcetype and extract fields? for gowen. 06-05-2020 12:46 AM
- Karma Re: Can't set permissions for the navigation menu for ecambra_splunk. 06-05-2020 12:46 AM
- Karma Re: PROPS issue - Doing an EXTRACT from a REPORT field for Ayn. 06-05-2020 12:46 AM
- Karma Re: Serverclass.conf - Using the same app name under different classes and repositoryLocations now appears broken in v6.0 for Lucas_K. 06-05-2020 12:46 AM
- Karma LDAP Size Limit for maciep. 06-05-2020 12:46 AM
- Karma Re: LDAP Size Limit for my_splunk. 06-05-2020 12:46 AM
- Got Karma for A user can outputlookup and overwrite existing lookups regardless of permissions. 06-05-2020 12:46 AM
- Got Karma for SA LDAP Search password in base 64. 06-05-2020 12:46 AM
- Got Karma for SA LDAP Search password in base 64. 06-05-2020 12:46 AM
- Got Karma for SA LDAP Search password in base 64. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 7 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-19-2015
07:30 AM
You can set the LDAP related logging to debug and see what it does to confirm it is capped at 1500.
... View more
08-19-2015
07:29 AM
Been there and i think there still is no fix.
They need to LDAP support for setting for the page size when doing such queries so you can enumerate through the whole list. The upper bound for a single query currently is 1500 users per LDAP group because of that.
... View more
04-17-2014
12:07 PM
I have the same issue in Splunk 6.0.3 on Windows. Once all the global default.xml navs were set to app-only. everything worked. I will submit a bug to Splunk
... View more
04-01-2014
09:11 AM
Splunk support basically told me to increase the limit on our AD servers, which is not an option for a large enterprise. Besides, that just introduces extra load on the AD servers for all the other queries.
We are still having the same problem. I tried manually editing the authentication.conf to add the group mapping for the 8000 user group, but users are still unable to login. Debugging the LDAP logging did not help.
That pageSize option needs to be reintroduced back into Splunk. Most other apps have that to accommodate for this.
... View more
03-10-2014
01:15 PM
You can increase the TTL in limits.conf and savedsearches.conf
... View more
03-10-2014
10:14 AM
Once you confirm the file is being read and tagged, try to search for all-time or all-time-real-time when indexing the next file. Perhaps there is also a timestamping issue.
... View more
03-10-2014
10:12 AM
1) Does that sep_bit9 index exist on the indexer?
2) Was the file read?
index=_internal WatchedFile filepath
index=_internal TailingProcessor [filepath]
3) Turn on debug logging for TailingProcessor and WatchedFile
... View more
03-10-2014
10:03 AM
[queue=tcpin_queue]
maxSize = 100MB
... View more
11-21-2013
12:39 PM
Also, If I enter a password in as base 64, it does not work, but if I do it in plaintext, it does. Thanks for the assistance!
... View more
11-21-2013
10:27 AM
3 Karma
I downloaded the SA LDAP Search and noticed that the password for the account that I use to search my domains is stored in base64. Are there any plans to make it more secure like the authentication.conf LDAP strategies? We were able to get the designers of the Cisco IPS app to pass the authentication through the app instead of storing passowrds in conf files.
[spl.com]
server = host1;host2;host3
port = 636
ssl = true
basedn = DC=spl,DC=com
binddn = cn=Splunk Searcher,OU=Managed Service Accounts,DC=spl,DC=com
password = {64}fohhiuehgihgri
alternatedomain = SPL
... View more
11-21-2013
08:45 AM
I still see these other queues in the splunkd logs and do not know the correct camel case for them so I can't set the queue size higher:
I am most interested in udpin.
[queue=AEQ]
[queue=aggQueue]
[queue=auditQueue]
[queue=exec]
[queue=fschangemanager_queue]
[queue=indexQueue]
[queue=nullQueue]
[queue=parsingQueue]
[queue=stashParsing]
[queue=tcpin_queue]
[queue=typingQueue]
[queue=udpIn]
[queue=wel_queue]
[queue=WEVT]
[queue=winParsing]
... View more
11-21-2013
08:17 AM
1 Karma
I keep getting this message every few minutes for the a specific app that I haven't changed in months.
"WARN BundleArchiver - Filtered nothing out of Splunk\etc\apps\myapp\metadata\local.meta, but size still changed: original_size=122, filtered_size=117, cosmetic_bytes=0"
How can I get rid of this error?
... View more
10-22-2013
09:54 AM
Where else would we see these authToken related messages in the log? The indexers are still intermittently down and I cannot figure out why.
I tried:
[distributedSearch]
authTokenConnectionTimeout = 20
authTokenReceiveTimeout = 30
authTokenSendTimeout = 30
I still see this error after a monute or so:
Unable to distribute to peer named BLAH at uri https://BLAH:8089 because replication was unsuccessful. replicationStatus Failed
... View more
09-13-2013
10:34 AM
Did you ever solve this?
... View more
08-27-2013
05:33 AM
1 Karma
From Damien:
A single backslash should work :
Make sure that the command name and command arguments are in separate fields.
Command name : c:\tools\mycommand.exe
Command arguments : c:\logs\stuff\ -d 3 -n 11 -o c:\output\output.txt
Also look in splunkd.log for any errors.
... View more
08-26-2013
01:49 PM
1 Karma
Does it require "\" to be escaped if I also have to put paths in CLI parameters? I can't save my command:
c:\tools\command.exe c:\logs\stuff\ -d 3 -n 11 -o "c:\output\output.txt"
How would I write this / add this to the Command Modular Input?
... View more
07-16-2013
09:37 AM
Some of my large searches show a status of "Running(100%)" for 3 hours. My latest, for example, has 97 million events and takes 3GB on disk. Why is it in the running(100%) status for so long? Can I speed this up?
Example Search:
index=test sourcetype=test (host=A OR host=B OR host=C OR host=D OR host=E OR host=F OR host=G ) | fields _raw | table _raw | outputcsv test.csv
... View more
07-01-2013
10:49 AM
The macro worked well!
... View more
06-28-2013
01:02 PM
I got it to work so far:
| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday
I will create a macro soon.
To be clear, you are saying that the eval does this yesterday calculation for every event, whereas, the macro, will expand once per search?
... View more
06-28-2013
01:01 PM
it worked with WHERE:
| eval yesterday=strftime(relative_time(time(), "-d"), "%Y%m%d")
| where filedate=yesterday
... View more
06-28-2013
12:53 PM
This did not work. The today variable did not get expanded.
... View more
06-28-2013
10:48 AM
Actually, in this case, it is not. It is in the event data and I rex it out.
index=_internal WatchedFile z:\logs ("Reached EOF" OR "off=0")
| rex "(? z:.+?)\s"
... View more
06-28-2013
08:20 AM
1 Karma
I used eval to create a field with the yesterday's date:
| eval today=strftime(now(),"%Y%m%d")
I want to search on events where the filename field contains that today variable / yesterday's date. The last 8 characters of a filename will contain the file date (ex: file20130628.csv).
... View more
06-28-2013
08:12 AM
Yes I did.
... View more
