Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About nvonkorff
nvonkorff
Path Finder
Member since:
04-27-2011
Wednesday
Community Statistics
| Posts | 26 |
| Solutions | 4 |
| Karma Given | 22 |
| Karma Received | 12 |
| Member Since | 04-27-2011 |
Activity Feed
- Karma Re: Is there a way to enable event sampling in a search? for jankowsr. Tuesday
- Karma Re: how to set max column length for jonuwz. 05-29-2024 11:03 PM
- Got Karma for Splunk Add-on Builder: Global Account settings. 02-15-2024 02:32 PM
- Karma Re: How to transpose a table to make the values in Column 1 the header labels? for javiergn. 07-30-2023 06:45 PM
- Karma Re: search is waiting for input error for renjith_nair. 08-15-2022 10:06 PM
- Got Karma for Splunk Add-on Builder: Global Account settings. 07-28-2022 09:02 AM
- Posted Re: data model - app mapping on Splunk Enterprise Security. 02-08-2022 07:24 PM
- Got Karma for Splunk Add-on Builder: Global Account settings. 11-11-2021 11:36 PM
- Posted Splunk Add-on Builder: Global Account settings on Getting Data In. 10-11-2021 11:21 PM
- Karma How to create multiple account with Apikey and secret key in Splunk add on builder for lksridhar. 10-11-2021 11:04 PM
- Posted Re: Is there a maximum size limitation for panels? on Dashboards & Visualizations. 08-20-2020 12:35 AM
- Posted Re: Is there a maximum size limitation for panels? on Dashboards & Visualizations. 08-16-2020 07:04 PM
- Karma Re: Is there a maximum size limitation for panels? for cdtrialsplunk. 08-16-2020 06:59 PM
- Karma Re: Dedup within a MV field for emiller42. 07-08-2020 10:44 PM
- Karma Re: When using "tstats count", how to display zero results if there are no counts to display? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: Automating the installation of the Splunk Add-on for Amazon Web Services, how do we encrypt the password in passwords.conf? for Jeremiah. 06-05-2020 12:48 AM
- Karma Re: Automating the installation of the Splunk Add-on for Amazon Web Services, how do we encrypt the password in passwords.conf? for Jeremiah. 06-05-2020 12:48 AM
- Karma Re: Automating the installation of the Splunk Add-on for Amazon Web Services, how do we encrypt the password in passwords.conf? for michaeloleary. 06-05-2020 12:48 AM
- Karma Re: Splunk Add-on for Microsoft SQL Server: The lookup table 'sqlserver_host_dbserver_lookup' does not exist. for kmanson. 06-05-2020 12:48 AM
- Got Karma for Re: Automating the installation of the Splunk Add-on for Amazon Web Services, how do we encrypt the password in passwords.conf?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 0 | |||
| 0 | |||
| 7 | |||
| 0 | |||
| 0 | |||
| 0 |
02-08-2022
07:24 PM
Hi @tmkunte I recently wrote an app (Data model wrangler) that helps with identifying indexes and sourcetypes that are mapped to data models and calculates two scores to determine an overall health-check of mapping: Mapping quality - Percent of recommended fields in the data model that are found in each index/sourcetype Data quality - Percent coverage of each field within the data, e.g. 25% of events have the 'src' field present It also provides a field-level view of mapped data to determine which fields are present/missing and which fields have a low data quality. This may help to give a better understanding of what is mapped to each data model. It is also useful when trying to map custom sourcetypes to data models.
... View more
10-11-2021
11:21 PM
3 Karma
Hi, Is it possible when using Global Account to customise the fields? i.e. add other fields than only Username and Password. Ideally, I would like to be able to specify an Account Name, API Key and Authorization header in the Account tab, so that when configuring each input, I can choose the Account Name from a drop-down and have it pull the API Key and Authorization Header fields. I can specify these as "Additional Parameters" for the add-on, but then I have no way of selecting these on a per-input basis when configuring each input.
... View more
Labels
- Labels:
-
modular input
-
other
08-20-2020
12:35 AM
Hi @niketn Thanks for the response. It did work, in that it made the panel larger, but didn't actually fix the issue I'm facing. I'm trying to use this add-on: https://splunkbase.splunk.com/app/4460/ and trying to get it to display correctly with around 170+ entries. After about 120 rows or so (and at the maximum panel height), the the legend text next to each row starts getting mushed together and the text and rows don't align correctly. When I added the CSS override you suggested, the panel height increased, but the visualisation height remained the same. Is there any CSS override that is specific to a visualisation that I could modify, or would that need to be done in the visualisation CSS? Thanks. Any advice would be very much appreciated.
... View more
08-16-2020
07:04 PM
I am also looking for an answer to this question. I believe it is 1000px, based on resizing a panel to the maximum allowable height, which sets the XML to: <option name="height">1000</option> I have tried extending the height beyond that limit by changing the option value above, e.g. 2000px, but it seems to have no effect beyond 1000px. Does anyone know if there is any way to override that 1000px limit for panel height? It would be very handy for certain visualisations and for different screen orientations (portrait) to be able to go beyond that limit.
... View more
05-13-2020
04:51 PM
@ColinJacksonPS Sorry about the late response on this one. Do you have the GSuite for Splunk Add-on installed on the HF as well? There is a dependency on that add-on for the authorization process.
@CSULeigh Yes, it definitely will. Hopefully by the end of the month.
... View more
07-30-2019
05:42 PM
To get around this issue, you can also specify the path of the module you wish to load, and load it using the 'imp' module:
import imp
modfile, pathname, description = imp.find_module('httplib2', ['/opt/splunk/etc/apps/TA-gmail-audit/bin/'])
httplib2 = imp.load_module('httplib2', modfile, pathname, description)
This is explained in the troubleshooting section of the Gmail Audit add-on
... View more
07-21-2019
06:28 PM
@nieyf Did you get a chance to try the add-on yet? Did this meet your needs? If so, please accept the answer. Cheers.
... View more
07-01-2019
03:32 PM
Hi @nieyf
I recently had a similar requirement at a customer. I couldn't find anything to do what I wanted, so I wrote some scripts to do this.
The scripts are now available through the Gmail Audit add-on on Splunkbase:
https://splunkbase.splunk.com/app/4560/
... View more
06-20-2019
10:19 PM
It's not ideal, bit I decided to simply rename the Python script in my app that was conflicting with the other Python script of the same name in the other app.
i.e. instead of having ga_authorize.py in both apps, I have gmail_authorize.py in my app, so that it doesn't conflict with ga_authorize.py in the GSuite for Splunk app.
It doesn't fix or explain the underlying problem, but works around it enough for my needs.
... View more
05-26-2019
08:53 PM
In the process of creating a new app, I found I was getting cross-app module imports if another app has Python modules with the same name.
For example:
app1/bin/test_script.py
app1/bin/test_module.py
app2/bin/test_script.py
app2/bin/test_module.py
If test_script.py does an "import test_module", and I execute "app2/bin/test_script.py", it actually imports/executes "app1/bin/test_module.py"
I am writing a new app to import mail headers from audited Gmail accounts, and I used some of the same modules for the credential auth process from the Gsuite for Splunk app.
I found when I tried to auth credentials in the Gsuite for Splunk app, it imported and executed the "ga_authorize.py" from my app directory, not the GSuiteForSplunk/bin directory.
I added some logging into my copy of the "ga_authorize.py" script to print the sys.path, PYTHONPATH and the path of the script being executed to prove this:
2019-05-27 13:36:07,277 log_level=INFO pid=57869 tid=MainThread file="ga_authorize.py" function="handle_GET" line_number="51" version="GSuiteForSplunk.v1.2.3.b220" operation=build_url
2019-05-27 13:36:07,277 log_level=INFO pid=57869 tid=MainThread file="ga_authorize.py" function="<module>" line_number="32" version="GSuiteForSplunk.v1.2.3.b220" sys.path=['/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle', '/opt/splunk/bin', '/opt/splunk/lib/python2.7/site-packages', '/opt/splunk/lib/python27.zip', '/opt/splunk/lib/python2.7', '/opt/splunk/lib/python2.7/plat-linux2', '/opt/splunk/lib/python2.7/lib-tk', '/opt/splunk/lib/python2.7/lib-old', '/opt/splunk/lib/python2.7/lib-dynload', '/opt/splunk/bin', '/opt/splunk/etc/apps/FitbitAddonforSplunk/bin', '/opt/splunk/etc/apps/GSuiteForSplunk/bin', '/opt/splunk/etc/apps/Splunk_SA_CIM/bin', '/opt/splunk/etc/apps/Splunk_Security_Essentials/bin', '/opt/splunk/etc/apps/Splunk_TA_aws/bin', '/opt/splunk/etc/apps/Splunk_TA_nix/bin', '/opt/splunk/etc/apps/TA-GMail-audit/bin', '/opt/splunk/etc/apps/TA-GMail-audit_PROD/bin', '/opt/splunk/etc/apps/TA-cyberchef/bin', '/opt/splunk/etc/apps/TA-fitbit/bin', '/opt/splunk/etc/apps/TA-gmail-audit/bin', '/opt/splunk/etc/apps/alert_logevent/bin', '/opt/splunk/etc/apps/alert_webhook/bin', '/opt/splunk/etc/apps/base64/bin', '/opt/splunk/etc/apps/cis-controls-app-for-splunk/bin', '/opt/splunk/etc/apps/introspection_generator_addon/bin', '/opt/splunk/etc/apps/kapsch_roadside/bin', '/opt/splunk/etc/apps/lookup_editor/bin', '/opt/splunk/etc/apps/rest-storage-passwords-manager/bin', '/opt/splunk/etc/apps/search/bin', '/opt/splunk/etc/apps/splunk_app_addon-builder/bin', '/opt/splunk/etc/apps/splunk_archiver/bin', '/opt/splunk/etc/apps/splunk_instrumentation/bin', '/opt/splunk/etc/apps/splunk_monitoring_console/bin', '/opt/splunk/etc/system/bin', '/opt/splunk/etc/apps/TA-gmail-audit/bin/lib']
2019-05-27 13:36:07,277 log_level=INFO pid=57869 tid=MainThread file="ga_authorize.py" function="<module>" line_number="31" version="GSuiteForSplunk.v1.2.3.b220" PYTHONPATH=/opt/splunk/lib/python2.7/site-packages
2019-05-27 13:36:07,274 INFO SCRIPTPATH=/opt/splunk/etc/apps/TA-gmail-audit/bin/ga_authorize.py
You can see that the 'app/bin' directory of all apps is included in the sys.path and the name of the script being executed is 'TA-gmail-audit/bin/ga_authorize.py' not 'GSuiteforSplunk/bin/ga_authorize.py'
Is this expected behaviour? Is there any way to force Splunk/Python to only import/execute modules under the current app directory, and not pick up the same named modules in other app directories?
Keen to hear if anyone else has run into this issue, and if so, what was done to fix/workaround the issue.
Thanks.
... View more
07-30-2017
08:32 PM
Thanks for this. It pointed me in the right direction. While not the exact cause of our issue, it is similar.
We had a user who couldn't load a dashboard from scheduled search results on a search head cluster. It seemed to only happen on one node of the cluster. Turned out it was alway the captain node. We had the captain configured to only run ad-hoc searches:
https://docs.splunk.com/Documentation/Splunk/6.6.2/DistSearch/Adhocclustermember#Configure_the_captain_to_run_ad_hoc_searches_only
This explains why there were no results from the scheduled search to load the dashboard on that one instance.
... View more
06-22-2017
06:22 PM
Hi kmason,
Same issue here.
Removing all other dimensions on ec2 CloudWatch input is the only way to get any metrics through. Using any other combination of dimensions results in: "No metric/dimension has been found for datainput="
This is true of RDS and WorkSpaces CloudWatch inputs as well, i.e. only keeping the Id dimension in the only way to get metrics in.
Interestingly, ELB CloudWatch input contains two dimensions by default and this works fine.
Anyone else having the same issue?
Splunk Enterprise
Splunk Version: 6.6.0
Splunk Build: 1c4f3bbe1aea
Splunk Add-on for AWS
App Version: 4.2.3
App Build: 48
... View more
01-22-2017
02:42 PM
FYI - you may want to add -i to the grep, as the version I am using does not return anything with the above command, as the output from the curl is mixed case:
<s:key name="kvStoreStatus">ready</s:key>
This works:
curl -k -s https://localhost:8089/services/server/info | grep -i kvstore
... View more
04-14-2016
10:39 PM
1 Karma
I've been bashing my head against this for a few days now and I think I have found the answer. Thanks to Jeremiah's previous response, pointing me to hunt for the right REST endpoint.
AWS Credentials:
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/storage/passwords -d name=Cr4zy4cc355k3y -d password=Cr4zyS3cr3tK3y -d realm=SplunkAWS -d title=SplunkAWS:Cr4zy4cc355k3y:
Proxy config (if required):
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/storage/passwords -d name=default -d password=:@proxy.server.address.com:3128 -d realm=_aws_proxy -d title=_aws_proxy:default:
... View more
12-03-2015
03:09 PM
Thanks hossyee. I actually opened a case with Splunk support and they got back to me with this answer. I should have come back and updated my question, but you beat me to it! 🙂
... View more
10-20-2015
10:50 PM
SSO with Splunk and PingFederate works well in terms of authenticating, but I can only get it working if "defaultRoleIfMissing" is configured in authentication.conf.
If I remove that setting, Splunk does not allow the login and displays: "No valid Splunk role is found in the local mapping or in the assertion."
I have confirmed that the Splunk role to SAML group mapping is definitely configured correctly, trying through both the config files and the web UI, but neither seems to work.
I turned on debugging and got the below XML from the idP response. What is strange is that the 'realName' and 'mail' attributes are being pulled correctly from the response, but not the 'role' section.
<saml:AttributeStatement>
<saml:Attribute Name="realName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SplunkUser</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AllUsers</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Employee</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin2</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nick@example.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Has anyone else experienced this issue? Any pointers?
... View more
05-24-2015
03:44 PM
Hi Devin,
Running Splunk 6.2.0.
Here is the entire block of the search in question:
[Sybase Deadlocks - Alert]
action.email = 1
action.email.format = text
action.email.inline = 1
action.email.sendresults = 1
action.email.to = joe@example.com
alert.digest_mode = True
alert.severity = 4
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = search
search = index=sybase sourcetype="sybasease_errorlog" deadlock | transaction source startswith="Deadlock Id * detected" endswith="End of deadlock information" | fields + _time host _raw
vsid = *:4zdfqaho
... View more
05-03-2015
09:51 PM
OK. I think I figured it out. Find your saved "Alert" search in savedsearches.conf
Modify this line:
from:
action.email.format = raw
to:
action.email.format = text
I don't think that there is any way to do this from the user interface. The only options are "Table, Raw or CSV" and none of these seem to retain the original line breaks. My search includes the following at the end:
| fields + _time host _raw
I now have properly formatted (including original line breaks) alerts being sent by email. Yay!!!
... View more
05-28-2014
05:33 PM
7 Karma
Hi all,
I have tried modifying the scheduled alert email actions to use raw and table format for the emailed alert, but both seem to strip out all line breaks from the original _raw field, meaning it is far more difficult to read long, multiline events with deliberate line breaking for legibility.
Is there any way to force the emailed alerts to keep the original line breaking? Or any way to make the 'table' command keep the original line breaks?
Cheers,
Nick v K
... View more
05-21-2014
05:15 PM
This works great, however is there a way to do this split by a variable? What I mean is I have a set of events each with a common time, but for multiple servers. I want to get the latest set of events by server.
Something like:
... | streamstats dc(_time) as distinct_times by server | head (distinct_times == 1)
I have played around with various permutations of the above, but cannot get it to do what I want.
... View more
11-21-2012
05:15 PM
I had not tried again since I posted this message (probably on Splunk 4.3 at the time), but I have now tried again on Splunk 5, and no problem whatsoever. This works fine now.
... View more
08-20-2012
04:43 PM
Yep, just exclude the specific log directories from the rsync. Makes total sense. Thanks.
... View more
08-19-2012
09:02 PM
Background: Active and Standby server with key directories replicated periodically (every 5 mins) via rsync, including shell scripts and logs. The active server syncs changes to standby server. All scheduled scripts check for the existence of a 'live server flag file' e.g. /opt/LIVESERVER.txt, on the local filesystem and will not execute if the file does not exist. This way, crontab can be enabled on both systems but scripts will only execute on the live side, where the LIVERSERVER flag file exists.
I have a Splunk Universal Forwarder installed on each node. Any scripted inputs can simply have the flag file logic added to them, however I am struggling to work out a way that I can conditionally monitor a log file, i.e. only monitor if some file exists on the local filesystem.
At the moment, we manually stop the Splunk Forwarder on the standby side and only ever run the forwarder on the active node. Ideally, I want both forwarders running all the time, so that I can monitor other files/services on both sides, but I don't want to have the rsynced log files read at the live side, the re-read at the standby side. I only ever want the forwarder to monitor log files on the active node.
I know that a "monitor_if_exists" option doesn't exist, but something like below would be exactly what I am after:
[monitor:///apps/log/test.log]
index = test
sourcetype = TestLog
monitor_if_exists = /opt/LIVESERVER.txt
Anyone know of any way to achieve this?
... View more
03-18-2012
10:14 PM
Hi,
I am trying to get an Advanced XML Dashboard with Google Maps setup, and I have got almost everything working, except that I cannot figure out a way to have two Google Maps on the same row in the dashboard.
Each map seems to occupy an entire row. I specify "panel_row1_col1" on the first one, the "panel_row1_col2" on the next one, but they always appear on separate rows.
I also tried putting a normal Splunk chart next to a Google Map, but that does not work either.
Please let me know if there is any way around this. I cannot find one.
Thanks and regards,
Nick v K
... View more
02-16-2012
02:45 PM
One of the Splunk users today said to me "Wouldn't it be great if you could get a widget for your desktop that displayed Splunk information?"
I can certainly see that this would be handy, where users can subscribe to particular gauges and charts that they want to be able to readily see without even logging onto Splunk.
Is this possible, and has anyone already done anything like this with Splunk?
Cheers,
Nick v K
... View more
- Tags:
- desktop
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Wednesday
|
Karma from
