Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About NK
NK
Explorer
Member since:
06-10-2010
12-19-2024
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 06-10-2010 |
Activity Feed
- Posted Re: Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.co on Splunk Enterprise. 12-19-2024 07:35 AM
- Karma Re: Need Linux equivalent query for network traffic stats for gcusello. 08-22-2024 09:56 AM
- Posted Re: Need Linux equivalent query for network traffic stats on All Apps and Add-ons. 08-21-2024 04:12 PM
- Posted Need Linux equivalent query for network traffic stats on All Apps and Add-ons. 08-20-2024 02:28 PM
- Tagged Need Linux equivalent query for network traffic stats on All Apps and Add-ons. 08-20-2024 02:28 PM
- Tagged Need Linux equivalent query for network traffic stats on All Apps and Add-ons. 08-20-2024 02:28 PM
- Tagged Re: Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.co on Splunk Enterprise. 08-15-2024 04:26 PM
- Posted Re: Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.co on Splunk Enterprise. 08-15-2024 04:23 PM
- Tagged Re: Why are we getting an error "SCRAM-SHA-1 authentication failed" on kvstore? on Getting Data In. 07-19-2023 09:11 AM
- Tagged Re: Why are we getting an error "SCRAM-SHA-1 authentication failed" on kvstore? on Getting Data In. 07-19-2023 09:11 AM
- Posted Re: Why are we getting an error "SCRAM-SHA-1 authentication failed" on kvstore? on Getting Data In. 07-19-2023 09:08 AM
- Karma Re: Renewing server.pem certificate for vishaltaneja070. 07-19-2023 08:57 AM
- Karma Why are we getting an error "SCRAM-SHA-1 authentication failed" on kvstore? for tokio13. 07-19-2023 08:50 AM
- Posted Re: Troubleshooting: Invalid Key Stanza alert_actions.conf on Splunk Enterprise. 06-22-2023 05:26 PM
- Tagged Re: Troubleshooting: Invalid Key Stanza alert_actions.conf on Splunk Enterprise. 06-22-2023 05:26 PM
- Tagged Re: Troubleshooting: Invalid Key Stanza alert_actions.conf on Splunk Enterprise. 06-22-2023 05:26 PM
- Posted How does one restart just the KV Store process on a Windows system? on Monitoring Splunk. 06-12-2023 07:43 AM
- Tagged How does one restart just the KV Store process on a Windows system? on Monitoring Splunk. 06-12-2023 07:43 AM
- Tagged How does one restart just the KV Store process on a Windows system? on Monitoring Splunk. 06-12-2023 07:43 AM
- Tagged How does one restart just the KV Store process on a Windows system? on Monitoring Splunk. 06-12-2023 07:43 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-19-2024
07:35 AM
Happens in Splunk Enterprise v9.4.0 for Windows too.
... View more
08-21-2024
04:12 PM
I enabled netstsat in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf I see Send_Q and Recv_Q (from "netstat -a"?) , but those look like the corresponding queue sizes in bytes. I think the Windows/wmi equivalent reports traffic (bytes/sec) through the network adapter.
... View more
08-20-2024
02:28 PM
Using Splunk Add-on for Microsoft Windows, Splunk Add-on for Unix and Linux on Splunk Enterprise v9.3.0
What are the Linux (RHEL 8 ) equivalents for these Splunk Windows queries?
e.g. Network Traffic:
Windows:
index=wmi host=MyWindowsHost sourcetype="Perfmon:Network Interface" counter=Bytes* | timechart span=15m max(Value) as "Bytes/sec" by counter
Linux: ?
e.g. CPU:
Windows:
index=wmi host=MyWindowsHost sourcetype="Perfmon:CPU Load" | timechart span=15m max(Value) as "CPU Load" by counter
Linux:
index=os host=MyLinuxHost source=cpu CPU="all" | timechart span=15m max(pctSystem),max(pctUser) by CPU
... View more
Labels
- Labels:
-
configuration
-
development
08-15-2024
04:23 PM
8/2024: I get this message with Linux Splunk v9.3.0 It started appearing after I relocated $SPLUNK_DB and freed up the space under $SPLUNK_HOME/var/lib/splunk/ Update: The message stopped after splunkd re-created all the 2-byte index .dat files under the old location $SPLUNK_HOME/var/lib/splunk/ Maybe I should have used a symbolic link to relocate the index DB instead of defining a new DB location in splunk-launch.conf
... View more
07-19-2023
09:08 AM
I'm seeing the same message logged in mongod.log with Splunk v8.2.10 running on Windows Server. It is logged as Info ("I ACCESS") instead of Error ("E ACCESS"), so maybe it can be ignored? Not sure which location "storedKey" it is referring to: The expired Splunk local certificate was renewed a few months ago (server.pem), but there was still an old copy residing in Windows' certlm.msc repository. Updating the latter doesn't appear to fix the issue. Environment Variable SSL_CERT_FILE pointing to server.pem doesn't help either.
... View more
06-22-2023
05:26 PM
Splunk Windows 8.2.10 (upgraded from 8.2.6) - Who/What would put that in alert_actions.conf? [email] show_password = True Should I: a. delete the alert_actions.conf file (nothing else is in the file) ? b. Change it to False? c. delete the file contents, but leave the empty file there?
... View more
06-12-2023
07:43 AM
Using Splunk Enterprise for Windows, v8.2.10
When the KV Store process terminates abnormally, the "Health Status of Splunkd" window still indicates green for everything. 😕
How does one restart just the KV Store process on a Windows system?
KV Store process terminated abnormally
... View more
Labels
- Labels:
-
KV Store
06-09-2023
03:43 PM
@inventsekar wrote: the path was configured mistakenly i think. Where is that path configured in a Windows Splunk Enterprise installation? Update: Looks like @rbreton answered it here in 2017! I need another Windows environment variable: OPENSSL_CONF = %SPLUNK_HOME%\openssl.cnf
... View more
06-09-2023
07:46 AM
Discovered when I was doing the following: C:\Splunk>%SPLUNK_HOME%\bin\openssl x509 -enddate -noout -in %SPLUNK_HOME%\etc\auth\server.pem
WARNING: can't open config file: C:\\gitlab_runner\\builds\\build_home\\splunk/ssl/openssl.cnf
notAfter=May 17 23:44:06 2026 GMT
... View more
06-09-2023
07:41 AM
WARNING: can't open config file: C:\\gitlab_runner\\builds\\build_home\\splunk/ssl/openssl.cnf
So why is the default location of openssl.cnf not %SPLUNK_HOME% ?
C:\Splunk>%SPLUNK_HOME%\bin\openssl version -d
OPENSSLDIR: "C:\\gitlab_runner\\builds\\build_home\\splunk/ssl"
Do I need to create the above "gitlab_runner" directory structure to suppress the warnings?
(Using Splunk Enterprise Windows v8.2.10)
... View more
Labels
- Labels:
-
SSL
02-20-2023
09:28 AM
@PickleRick , it's a small system (mostly for dev work): everything on 1 Wintel Splunk Server; not distributed/clustered. A couple of remote machines that use a UF.
... View more
02-20-2023
09:22 AM
For the record, remote UF inputs.conf: [monitor://C:\pathname\xyz.log]
sourcetype = XYZ
index = xyz
disabled = 0 and Splunk Server props.conf: [source::...\\xyz.log]
sourcetype = XYZ doesn't do it; the data from remote UF gets the right sourcetype, but still gets indexed into main not xyz. (The local xyz.log data coming from the Splunk Server directory gets the right sourcetype and goes into index xyz) Something on the Splunk Server is over-riding the explicit index specification on the remote UF? Going to try the other recommendation for props.conf and transforms.conf
... View more
02-19-2023
08:22 AM
@gcusello , that looks like a setup for local files. (I have that set up via Splunk's "Data inputs" --> "Files & directories") It does not seem to work for remote files coming in via the Splunk Universal Forwarder. They may have different drive letters and pathnames, but the same filename (xyz.log).
... View more
02-17-2023
05:23 PM
I want any logfile (local, or remote via a UniversalForwarder) with the filename "xyz.log" to have a sourcetype of XYZ, and get indexed in my xyz index (not the main index). What do I need to put in props.conf? Do I also need to configure transforms.conf?
I'm using Splunk Enterprise v8 on Windows.
current props.conf:
[source::...\\xyz.log] sourcetype = XYZ
... View more
Labels
- Labels:
-
index
-
sourcetype
