Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About devinmclean
devinmclean
Path Finder
Member since:
08-04-2014
09-23-2024
Community Statistics
| Posts | 16 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 08-04-2014 |
Activity Feed
- Got Karma for How do I ingest the details tab in Windows Forwarded Events?. 06-05-2020 12:48 AM
- Karma Re: How do you reload a file? for glennpierce. 06-05-2020 12:47 AM
- Posted Re: How do I ingest the details tab in Windows Forwarded Events? on Getting Data In. 09-29-2017 05:52 PM
- Posted Re: License Server Out of Wack After Storage Issues on Installation. 09-29-2017 05:50 PM
- Posted How to resolve overreporting of license usage after temporary storage issue? on Installation. 09-29-2017 12:03 PM
- Tagged How to resolve overreporting of license usage after temporary storage issue? on Installation. 09-29-2017 12:03 PM
- Tagged How to resolve overreporting of license usage after temporary storage issue? on Installation. 09-29-2017 12:03 PM
- Tagged How to resolve overreporting of license usage after temporary storage issue? on Installation. 09-29-2017 12:03 PM
- Tagged How to resolve overreporting of license usage after temporary storage issue? on Installation. 09-29-2017 12:03 PM
- Posted Re: How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:56 AM
- Posted How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:43 AM
- Tagged How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:43 AM
- Tagged How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:43 AM
- Tagged How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:43 AM
- Tagged How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:43 AM
- Tagged How can you restrict a role or user from creating field extractions? on Splunk Search. 03-09-2017 09:43 AM
- Posted How do I ingest the details tab in Windows Forwarded Events? on Getting Data In. 02-28-2017 08:46 AM
- Tagged How do I ingest the details tab in Windows Forwarded Events? on Getting Data In. 02-28-2017 08:46 AM
- Tagged How do I ingest the details tab in Windows Forwarded Events? on Getting Data In. 02-28-2017 08:46 AM
- Tagged How do I ingest the details tab in Windows Forwarded Events? on Getting Data In. 02-28-2017 08:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
09-29-2017
05:52 PM
It turns out the issue was that our forwarders were version 6.1. We needed to upgrade to at least 6.2 to take full advantage of the render XML feature on the universal forwarder.
... View more
09-29-2017
05:50 PM
Hey @rafamss,
The license is not actually being exceeded. The license server is displaying incorrect information due to it shutting down and not indexing data (caused by the HD on the server being full). I'm wondering if anyone else has seen this kind of behavior and how to fix it.
... View more
09-29-2017
12:03 PM
Our license server ran into a space issue where we ran under 1,000 MB of space available. Therefore, it stopped indexing. This went unnoticed for a few days, and it fixed itself for a day or two, and then went back under 1,000 MB again. This causes the license measurements to go completely off the charts. For example, our indexers are only consuming about 500 GB all together right now, but the license server things we're at 4.5TB. Is there a way to correct the license server's values?
... View more
Labels
- Labels:
-
license
03-09-2017
09:56 AM
I couldn't find one in the docs, which is what I'm afraid of. It's surprising that there isn't a defined capability for this, because field extractions have CPU overhead.
... View more
03-09-2017
09:43 AM
How do you restrict a role from creating field extractions? There's event actions drop down for search results where they can define even types and field extractions. We have all of our data well defined and parsed already, and do not want this feature enabled for normal users.
... View more
02-28-2017
08:46 AM
1 Karma
I have a server that received forwarded event logs from clients within my Enterprise. The event logs are simple to retrieve via the below standard inputs.conf stanza:
[WinEventLog://ForwardedEvents]
index = redacted
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0
When the event logs come into Splunk, they only show EventCode, EventType, ComputerName, User, Sid, SidType, TaskCategory, OpCode, RecordNumber, Keywords, and Message (which is blank). The meat of the log that I need to see is in the details tab (if you're viewing it from Event Viewer in Windows). There's a friendly view and an XML view. Either one of the two detailed views I'd be fine with ingesting. However, Splunk is not ingesting these details. When looking in the XML view, there are two tags within : and . It appears Splunk is only capturing the data and not the that has the meat and potatoes of the log that I need. How do I get this data? I've been doing some searching and found a possible solution using scripted inputs with Wevtutil, but no documentation on how to use that within inputs.conf. I was hoping for an easier solution.
Any help would be greatly appreciated.
... View more
10-28-2016
10:15 AM
I am having the same issue, and I do not quite understand what jmallorquin is suggesting. Does anyone else have the same issue or another solution?
... View more
08-10-2015
10:13 AM
Turned on debug logging for TcpOutputFd and am now see these errors:
08-10-2015 13:12:55.904 -0400 ERROR TcpOutputFd - Read error. Connection reset by peer
08-10-2015 13:12:55.904 -0400 DEBUG TcpOutputFd - after_eof detected
... View more
08-06-2015
06:20 AM
This is the most confusing part. I am having no problems with my original Indexers receiving data from forwarders. The only difference between the indexers are that the original ones were installed last year on version 6.1, then upgraded to 6.2.1, and then finally to 6.2.3 recently. The new ones were installed initially with 6.2.3. Maybe there's a key difference since one set had an upgrade path to 6.2 an the others were installed with 6.2.
... View more
08-04-2015
07:46 PM
I am using [splunktcp-ssl://9997]
... View more
08-04-2015
07:18 PM
thanks for the research. I don't think this is the reason, because this forwarder is sending successfully to three other indexers, which would indicate that the default values are set and are working as intended. i've recently purchased four new indexers and am trying to configure them for receiving data, which is when i've run into this issue.
... View more
08-04-2015
06:45 PM
I didn't supply a useClientSSLCompression option in either configuration file, so I'm hoping that they're using the default options. Should I try and set this field? Do you know of any other reason why this error could be happening?
... View more
08-04-2015
05:53 PM
I read that the compressed flag has no effect on SSL-enabled data transfer between forwarders and indexers. Either way: yes, I have checked for enabling compressed = true on indexer and forwarder.
... View more
08-04-2015
02:34 PM
I'm getting the following error when trying to receive data from a universal forwarder on my indexer:
(log from indexer's splunkd.log, replaced IP with 192.168.1.10's):
08-04-2015 17:20:13.046 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.168.1.10:37735. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
(log from UF's splunkd.log):
08-04-2015 17:18:09.453 -0400 DEBUG TcpOutputProc - Connector::runCookedStateMachine in state=eInit for 192.168.1.10:9997
08-04-2015 17:18:09.453 -0400 DEBUG TcpOutputProc - tcpConnect to 192.168.1.10:9997
08-04-2015 17:18:09.453 -0400 DEBUG TcpOutputProc - ConnectionSuccessful. _rawConnectionState=eRawTcpConnectInProgress
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - ConnectionSuccessful. _cookedVersionNegState=eV3TcpConnectInProgress
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - Connector::runCookedStateMachine in state=eV3ConnectInit for 192.168.1.10:9997
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - v3Connect to 192.168.1.10:9997
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - AsyncV3Connector::getData for eSendSignature
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - write Successful for eSendSignatureInProgress
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - AsyncV3Connector::getData for eSendCapability
08-04-2015 17:18:09.454 -0400 DEBUG TcpOutputProc - Connector::connectionFailed
08-04-2015 17:18:09.455 -0400 DEBUG TcpOutputProc - Connector::cookedConnectionFailed
08-04-2015 17:18:09.455 -0400 DEBUG TcpOutputProc - Connector::runCookedStateMachine in state=eFailed for 192.168.1.10:9997
... View more
08-04-2015
02:28 PM
We had an internal issue with auto mounter. For some odd reason, Splunk touches /home/build/ when you issue any command to it (e.g., ./splunk --help or ./splunk restart). This directory didn't exist, and instead of throwing an error, the process hung for upwards of 10-15 minutes. I corrected our issue by just creating an empty directory at /home/build/. Now Splunk restarts on a dime!
... View more
07-24-2015
08:13 AM
I've got a newly installed Indexer on RHEL 6.6. It isn't indexing any data. When I restart the Splunk instance with "./splunk restart", it takes approximately 10-15 minutes to start up. It shuts down quickly, but once it begins the starting process, it displays this much data and then after 10 minutes it finishes:
Splunk> See your world. Maybe wish you hadn't.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-23-2024
12:46 PM
|
