Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About shashank9
shashank9
Explorer
Member since:
02-04-2020
03-06-2025
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 02-04-2020 |
Activity Feed
- Karma Re: Parameters must be in the form '-parameter value' error when trying to sign certificate. for jc01480. 02-27-2025 03:23 PM
- Posted Re: Trying to filter and route logs/events using a Splunk Heavy Forwarder on Getting Data In. 02-21-2025 04:37 PM
- Karma Re: Trying to filter and route logs/events using a Splunk Heavy Forwarder for kiran_panchavat. 02-21-2025 04:37 PM
- Posted Re: Trying to filter and route logs/events using a Splunk Heavy Forwarder on Getting Data In. 02-18-2025 11:03 PM
- Posted Trying to filter and route logs/events using a Splunk Heavy Forwarder on Getting Data In. 02-18-2025 08:47 PM
- Posted Re: How to compare the field values from last 48 hours with field values from today on Splunk Search. 08-29-2024 12:20 PM
- Posted How to compare the field values from last 48 hours with field values from today on Splunk Search. 08-27-2024 09:51 AM
Topics I've Started
02-21-2025
04:37 PM
Hi @kiran_panchavat actually I accidentally terminated my ec2 instances in AWS and had to re launch them and re-install Splunk from scratch on all those instances and once I set them up and configured the event routing to different Splunk receivers from my Heavy Forwarder I was able to see a specifc group of logs/events are sent to one of my Splunk receivers which is expected. I still could not see the data in my other Splunk receiver but I guess I just need to double check my configuration since it is working fine with one of the servers. Also, thank you for your time in guiding me through those steps to troubleshoot the issue.
... View more
02-18-2025
11:03 PM
@kiran_panchavat Thank you for those steps and suggestions: I tried those steps and below are the details: Can you check this on the heavy forwarder? netstat -tulnp | grep 9997 OR ss -tulnp | grep 9997 Ran the above command in on my HF: 1. First it said: grep: invalid option -- 't' Usage: grep [OPTION]... PATTERN [FILE]... Try 'grep --help' for more information. 2. Then when I tried to only grep for 9997 (netstat -tulnp | grep 9997) I did not see any output. Check the metrics.log if any queues are getting blocked. tail -f /opt/splunk/var/log/splunk/metrics.log | grep -i "blocked=true" Verify that outputs.conf the HF is correctly configured. Ensure there are no typos in the IP addresses or port numbers. I verified that both my indexers IPs mentioned in the HF's outputs.conf file are correct. Can you please confirm if the below stanza name tcpout is correct or if there is any typo with it? [tcpout:errorGroup] server = indexr_1_ip_addr:9997 [tcpout:successGroup] server = indexer_2_ip_addr:9997 File permission issues could be a possible reason why Splunk HF is not reading test.log. If the Heavy Forwarder (HF) process does not have the required permissions to read the file, it won't be able to forward logs to the indexers. On the HF the file /opt/splunk/var/log/splunk/test.log I changed the user and group ec2-user: -rw-r--r-- 1 ec2-user ec2-user 1133 Feb 19 00:53 test.log I restarted the HF and checked my indexers for logs/events from the HF under main index. But, no luck ☹️
... View more
02-18-2025
08:47 PM
Hi Everyone, I've installed and configured a Splunk Heavy Forwarder on an EC2 instance in AWS and configured two Splunk Indexers on EC2 instances in AWS. I created a test.log file on my HF with sample log events to forward them to my Splunk indexers. I'm trying to forward the logs/events with keyword "success" to indexer_1 and forward logs/events with keyword "error" to indexer_2. But, for some reason the logs/events from the HF are not visible in both Indexers. Just for the context, I have installed and configured a UF on another EC2 Instance in AWS and sending data to Indexer_1 and I can see the data successfully forwarded with no issues. Below are the .conf files and setup on my HF and two indexers. HF: inputs.conf: [monitor:///opt/splunk/var/log/splunk/test.log] disabled = false sourcetype = test outputs.conf: [tcpout:errorGroup] server = indexr_1_ip_addr:9997 [tcpout:successGroup] server = indexer_2_ip_addr:9997 props.conf: [test] TRANSFORMS-routing=errorRouting,successRouting transforms.conf: [errorRouting] REGEX=error DEST_KEY=_TCP_ROUTING FORMAT=errorGroup [successRouting] REGEX=success DEST_KEY=_TCP_ROUTING FORMAT=successGroup Indexer_1 & Indexer_2: Configured the port 9997 on both indexers. Note: I tried below steps to troubleshoot or identify the issue, but no luck so far: 1. Checked if the forwarder has any inactive forwards or receivers through CLI: Active forwards: indexr_1_ip_addr:9997 indexr_2_ip_addr:9997 Configured but inactive forwards: None 2. Check the splunkd.log on the forwarder to see if there are any errors related to data forwarding: No errors 3. Checked the Security Group rules (Inbound and Outbound) in AWS console: Port 9997 is enabled for both Inbound and Outbound traffic. 4. All EC2 Instances running Splunk are on the same Security Group in AWS. 5. Tried to Ping both Indexers from HF. But, no response. Can someone please help me with this issue as I'm stuck and unable to figure out what is the root cause of the issue. Also, I'm using the same security group for both HF and UF with same Inbound and Outbound rules, but I can only see the logs sent from UF and not seeing the logs/events from my HF. I'm not sure what I am missing here to resolve or fix the issue to see the logs/events from HF in my Indexers. Thank you!
... View more
Labels
08-29-2024
12:20 PM
@ITWhisperer @richgalloway Thank you for those suggestions. Actually, the requirement has just changed and we want to see if the policy_name status changed from X(A) to X. So, I tried the following query to get the results from Today and Last 48 hours to compare and see how many of them changed from X(A) to X. index=xyz sourcetype=abc earliest=-48h@h latest=@d-1m
| search (policy_name="*-X" OR policy_name="*-X(A)")
| rex field=policy_name "(?<namePattern>([^-]+\-){5})(?<State>[^-]+)"
| rename namePattern as oldPattern
| stats count by _time, policy_name, oldPattern, State
| append
[search index=xyz sourcetype=abc earliest=@d latest=now
| search (policy_name="*-X" OR policy_name="*-X(A)")
| rex field=policy_name "(?<namePattern>([^-]+\-){5})(?<State>[^-]+)"
| rename namePattern as newPattern
| stats count by _time, policy_name, newPattern, State ]
| table _time, policy_name, newPatternm oldPattern, State Now the results from this query are in the below format. I'm trying to compare the State field values based on newPattern and oldPattern of the policy_name field values to see which of them are changed from X(A) to X and get the list of changed policies ending in state X. But, as they are on different rows, I'm unable to compare them or I'm not sure how to compare them. Ex: _time policy_name newPattern oldPattern State 2024-08-27 13:00:06.827 policy_1_X(A) policy_1_ X(A) 2024-08-27 13:00:06.827 policy_2_X(A) policy_2_ X(A) 2024-08-28 06:31:24.775 policy_1_X policy_1_ X 2024-08-28 06:31:24.775 policy_2_X policy_2_ X 2024-08-29 10:57:25.000 policy_3_X(A) policy_3_ X(A) 2024-08-29 10:57:25.000 policy_4_X(A) policy_4_ X(A) 2024-08-29 11:57:25.000 policy_3_X policy_3_ X 2024-08-29 11:57:25.000 policy_4_X policy_4_ X changed_policies policy_1_X policy_2_X policy_3_X policy_4_X
... View more
08-27-2024
09:51 AM
Hi Splunkers, I'm trying to compare the policy names from Today with policy names from past 48 hours to see if there is any change in policy names. I tried using append as well as join to compare the results from last 48 hours with Today's timeframe. But, I'm unable to get the expected output or result. Ex: In the below table I'm trying to see if there are any changes in policy names from last 48 hours. So, policy_3_sf's name is changed to policy_3_sk. Similarly, policy_4_sg and policy_5_gh names are changed to policy_4_sp and policy_5_gk respectively and are the new names I would like to list through my query as per the requirement. Last_48_Hours_Policy_Names Today_Policy_Names New_Policy_Names policy_1_xx policy_1_xx policy_2_xs policy_2_xs policy_3_sf policy_3_sk policy_3_sk policy_4_sg policy_4_sp policy_4_sp policy_5_gh policy_5_gk policy_5_gk Could you please let me know if my approach is correct or if something is missing in my queries? Thanks,
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-06-2025
12:48 AM
|
