Hello guys, I wonder if there is any solution to prevent a simple DoS on a tcp input? We have a couple of TCP inputs defined on our forwarder. A buggy application was creating a new connection per second and leaved them open, after a while the forwarder was out of order. We've lost a lot of log messages. Most probably the forwarder's OS was still accepting connections but the application itself couldn't process the data because it was running out of file handles. We found in splunkd.log a lot of "too many open files". I discovered that one client has over 3700 opened connections to a one specific tcp input. So, simply increasing the max number of open files (ulimit) wouldn't help at all, because in this case it would only take a longer time until out of service occur without really preventing it. I'm looking for a possibility to prevent that in the future. How can I avoid forwarder going out of service and losing log information? I'm looking for an option which allows me to restrict the number of connections coming from one host or something like this. Any ideas? Regards, Peter ... View more

If i put something new (!) into the static folder of an app, the first access to it will fail, but if I try it again it will work, even if I remove the file from static folder. Then, the content is sometimes cut off by 8192 (file size was 9049). No HTTP proxies used, just simple a wget command line tool using the URL like that: https://splunk:8000/en-GB/static/app//item.txt ... View more

The dbquery commands seem to be working, but the status query of the java bridge doesn't work. We found out, that there is a REST call: /en-GB/custom/dbx/dbx/status?nocache=............ which fails with HTTP 401 error. We've tried out the call manually by typing it directly into the browser, we've got: 401 Unauthorized ... No permission -- see authorization schemes ... You are logged ino splunk:8000 as userA which is conected .... We found some ansers here and we've tried to follow all steps with reinstall of DBX from the scratch (after removing the dbx app) but we didn't have any success. We went through the splunk installation and removed also all other files and directories which looked like they were a part of the app (persistantstorage and others) and did it again. Nothing. The problem appears just right after a clean installation after confirming that the installation is successful, then one will be forwarded to the status page and the page keeps reloading again and again. I think the root cause seems to be the permission issue, but we cannot identify what that means. Do you have any further ideas? Thanks in advance! Peter ... View more

Hello, After a new installation of universal forwarder 6.1.2 on a new RHEL6 machine we have just copied the appropriate app directory to the new forwarder (a procedure which was working every time in the past) but now, we've got a problem because the input which was configured in the app (udp://514), was not created. Inside of splunkd.log I found: Error binding to socket in UDPInputProcessor: Permission Denied Splunk is running as splunk:splunk. What went wrong? Do you have any hints? Regards, Peter ... View more

Hello guys, I have a lookup script, which do not runs in splunk search (doing on the search head). I will only get a: [indexer] Script for lookup table 'lookupScript' returned error code 1. Results may be incorrect. Well, I would expect to see any error messages somewhere inside of the logs (/opt/splunk/var/log/splunk/). But I couldn't find anything. Do you have any Idea where I can look for it? Regards, Peter ... View more