Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About PavelP
PavelP
Motivator
Member since:
12-03-2013
3 weeks ago
Community Statistics
| Posts | 389 |
| Solutions | 59 |
| Karma Given | 77 |
| Karma Received | 45 |
| Member Since | 12-03-2013 |
Activity Feed
- Karma Re: AWS TA - S3 Generic input. Insane Memory Usage! for nickhillscpl. 3 weeks ago
- Got Karma for Re: AWS TA - S3 Generic input. Insane Memory Usage!. 3 weeks ago
- Karma Re: List of users who searched data of an index for to4kawa. a month ago
- Karma Re: Splunk says bundle directory contains a large lookup file in .delta file but the .delta file does not contain a large lookup for harsmarvania57. a month ago
- Karma Re: Splunk web fails to start after upgrade to 8.0.1 - UnicodeDecodeError: 'ascii' codec can't decode for srauhala_splunk. a month ago
- Karma Re: Raspberry Pi Universal Forwarder Bug Report for splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz: for darrenfuller. a month ago
- Karma Re: can someone help improve the efficiency of this query for richgalloway. a month ago
- Karma Re: Frequent service outages for sylim_splunk. a month ago
- Karma Re: Investigating high IO on indexers for jarush. a month ago
- Karma Re: Is there SPL's worst practice? for gcusello. a month ago
- Karma Re: Parsing of events with fixed pattern for richgalloway. a month ago
- Karma Re: sizing cluster for richgalloway. a month ago
- Karma Re: How do I use tstats to extract data from a child data set? for andrewtrobec. a month ago
- Karma Re: Discrepancies between metadata and tstats latest time results for esix_splunk. a month ago
- Karma Re: Best Practice for Creating New Sourcetype - Splunk Cloud for richgalloway. a month ago
- Karma Re: Python 3 modular input on a universal forwarder version 8 for jthunnissen. a month ago
- Karma Re: How to set query memory usage for specific app? for richgalloway. a month ago
- Karma PROMOTION: Splunk Ideas - Help shape Splunk's future roadmap for nickhillscpl. a month ago
- Karma Re: Getting mutiple issues when enabling ssl on Splunk web with 3rd party certs with requiredClientCert = true for vtalanki. a month ago
- Karma Re: Fields vs table vs nothing? for richgalloway. a month ago
06-04-2020
04:29 AM
Hello @suzyd,
sar files are binary and cannot be read by Splunk as such. You need to use sar or sadf command to convert them into text.
You can convert sar raw files on the source system or push them on the universal or heavy forwarder via rsync/scp/etc. and process there.
I've tried various methods but ended with real time push using scripting input: https://splunkbase.splunk.com/app/1803/#/details
You can modify this app for your need as required.
... View more
06-02-2020
10:40 PM
Hello @joshnetwolf
what are the last lines in the output of ./splunk start?
what does the env variable $INSTANCE_ID contains?
After any environment variables are expanded, the server name
(if not an IPv6 address) can only contain letters, numbers, underscores,
dots, and dashes. The server name must start with a letter, number, or an
underscore.
... View more
05-31-2020
10:09 AM
@vrajshekar the second link is not available: The message you are trying to access is not available.
... View more
05-29-2020
09:08 AM
difficult to say without seeing your data, but seems to be not a splunk issue.
Have you tried ask on McAfee community forum:
ePO: https://community.mcafee.com/t5/ePolicy-Orchestrator/bd-p/epolicy-orchestrator
SIEM: https://community.mcafee.com/t5/Security-Information-and-Event/bd-p/siem
If you post there, please leave a link here, so everybody can benefit.
... View more
05-29-2020
06:41 AM
Hello @vrajshekar
is it possible you have 1512 different events in the DB? They cannot be duplicate because they have different AutoID values.
... View more
05-28-2020
06:24 PM
Hello @mvor
can you create a network capture with tcpdump/snoop on the Solaris itself? Don't filter by port, just filter out ssh
... View more
05-28-2020
02:54 PM
@socrates4rufio
is splunk running on windows or linux?
what happens if you click ignore/continue cert warning in Chrome? The same 500 Internal error?
can you post a full browser warning you get?
check also splunkdaccess.log and splunkdui_access.log for 500 error and post the matching lines here
try to find any lines in splunkd.log matching the time when you navigating to Settings > Data Input
if not logged as admin - try to relogin as admin and test again. Do you get the same 500 error?
... View more
05-28-2020
10:42 AM
Hello @socrates4rufio
do you see any errors in $SPLUNK_HOME/var/log/splunk/splunkd.log ?
... View more
05-28-2020
02:00 AM
@jadengoho
tags are not exclusive for data models and used generally to assign names to specific field and value combinations, so if you search for tag=windows or tag::windows you get windows-related (coming from) events.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Abouttagsandaliases
... View more
05-27-2020
08:20 AM
@bijenderkhosya I think this will work if the cert verification is disabled. I think you cannot enable cert verification selectively.
The setup described in the pdf doesn't use mutual authenticated TLS, only DS' certificate is verified, the UF's certificate is not verified.
... View more
Hello @bijenderkhosya
as @gcusello mentioned, SSL is already enabled, but default certificates are used, which means the connection is not "secure" and can be MitM-ed.
Please follow these steps: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPractices.pdf
... View more
05-27-2020
06:52 AM
Hello @conwaw,
it's a pity that there are no such section "security considerations" in a planing manual https://docs.splunk.com/Documentation/DBX/3.3.0/DeployDBX/Architectureandperformanceconsiderations, but there is an indication between the lines that DBConnect should be installed on a heavy forwarder,
... View more
05-27-2020
06:01 AM
Hello @jlongworth
you can find this information in the operating system's logs:
Windows - eventvwr.msc - installation
Linux - find the installation date and time in /var/log/yum*log or /var/log/dpgk*log and correlate it with output of last command
you can find it using splunk UI if these logs are indexed by splunk
... View more
05-27-2020
04:16 AM
I've just tested - splunk cron doesn't accept any special cron characters, except listed on the doc page (*,-/)
... View more
05-27-2020
01:19 AM
Hello @gpradeepkumarreddy,
not a response that you asking, but a suggestion anyway:
is switching to KVstore instead of
static lookup an option?
Please consider KV-Store vs CSV lookup:
https://dev.splunk.com/enterprise/docs/developapps/kvstore/#The-KV-Store-vs-CSV-files
https://dev.splunk.com/enterprise/docs/developapps/kvstore/migrateyourappfromusingcsv/
another options is to use gziped CSV files.
... View more
05-27-2020
12:42 AM
Hello @jadengoho
the tag "windows" doesn't belong to the default Splunk CIM and can be set by Splunk Add-on for Microsoft Windows, here is an excerpt from default/tags.conf:
###### Global Windows Eventtype ######
[eventtype=fs_notification]
endpoint = enabled
change = enabled
[eventtype=wineventlog_windows]
os = enabled
windows = enabled
[eventtype=wineventlog_application]
os = enabled
windows = enabled
[eventtype=wineventlog_system]
os = enabled
windows = enabled
[eventtype=wineventlog_security]
os = enabled
windows = enabled
[eventtype=perfmon_windows]
os = enabled
windows = enabled
[eventtype=perfmon_processorinformation]
process = enabled
report = enabled
performance = enabled
cpu = enabled
[eventtype=hostmon_windows]
os = enabled
windows = enabled
[eventtype=hostmon_os]
os = enabled
windows = enabled
memory = enabled
performance = enabled
oshost = enabled
you can run btool command to find out which add-on sets this tag:
splunk btool tags list --debug
... View more
05-27-2020
12:05 AM
Hello @pbalbasdtt,
try directly on the UF:
./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
do you see anything in the output related to the monitored files?
Additionally check $SPLUNK_HOME/var/log/splunk/splunkd.log for any WARN and ERROR.
If the internals logs are being send from the UF to the index layer and the REST API is accessable, then you can check both from the SH.
... View more
05-26-2020
02:54 AM
@marone, I think you asking about log file rotation and autodeletion, right? This is configured under log.cfg:
appender.rootAppender=ConsoleAppender
appender.rootAppender.layout=PatternLayout
appender.rootAppender.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
# if these log files are getting too big for your liking, turn down the maxFileSize.
# it's best to not make them too small, however, because these logs can be very
# useful in troubleshooting.
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=5
appender.A1.layout=PatternLayout
as you can see, for most log files that is max 5 log files x 25MB. More for license log.
Is this the info that you looked for?
... View more
05-26-2020
02:02 AM
Hello @marone,
which log files do you have in $SPLUNK_HOME/etc ? Most of logs are under $SPLUNK_HOME/var/log
... View more
05-26-2020
12:00 AM
@aagashe,
there are various scripts to install splunk on linux, also for an unattended install:
https://answers.splunk.com/search.html?f=&redirect=search%2Fsearch&sort=relevance&q=install+script+linux&type=question
Additionally check this: https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/StartSplunkforthefirsttime#Start_Splunk_Enterprise_without_prompting.2C_or_by_answering_.22yes.22_to_any_prompts
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma from
Karma given to
| User | Karma Count |
|---|---|
| 10 | |
| 1 | |
| 1 | |
| 1 | |
| 9 |
