Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About BryanBerry
BryanBerry
Path Finder
Member since:
01-16-2012
06-05-2020
Community Statistics
| Posts | 21 |
| Solutions | 2 |
| Karma Given | 33 |
| Karma Received | 12 |
| Member Since | 01-16-2012 |
Activity Feed
- Got Karma for Universal Forwarder can't connect to Deployment Server. 03-11-2021 08:57 AM
- Got Karma for Re: Universal Forwarder can't connect to Deployment Server. 03-11-2021 08:57 AM
- Karma Re: Peer Update Process with Clustering for piebob. 06-05-2020 12:46 AM
- Karma Re: Alert when a host exceeds a certain number of messages per minute for rturk. 06-05-2020 12:46 AM
- Karma Alert when a host exceeds a certain number of messages per minute for rgisrael. 06-05-2020 12:46 AM
- Karma Re: Universal forwarder monitor clean files for bosburn_splunk. 06-05-2020 12:46 AM
- Karma Re: Chart set range value for dwaddle. 06-05-2020 12:46 AM
- Karma Re: How to display index time in table? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Forwarder reconnect time after quarantined connection for bmacias84. 06-05-2020 12:46 AM
- Karma Re: Change hostname transform for Ayn. 06-05-2020 12:46 AM
- Karma encoded data over tcp for shangshin. 06-05-2020 12:46 AM
- Karma Re: Using regex in source stanzas (props.conf) for emiller42. 06-05-2020 12:46 AM
- Karma Re: Recommended permissions on /var/log for Splunk_TA_nix for dwaddle. 06-05-2020 12:46 AM
- Karma maildir indexing? for jtrucks. 06-05-2020 12:46 AM
- Karma Re: Syslog over TCP-TLS not linebreaking correctly for Ayn. 06-05-2020 12:46 AM
- Karma Re: Simplifying serverclass.conf? for hexx. 06-05-2020 12:46 AM
- Karma Re: Dotted Line Chart for bbingham. 06-05-2020 12:46 AM
- Karma Re: Splunk light weight forwarder failover capability for bosburn_splunk. 06-05-2020 12:46 AM
- Karma Re: Deployment Server: deploying in baby steps for Brandon_ganem1. 06-05-2020 12:46 AM
- Karma Re: Reduce time spent in regexreplacement queue? for hexx. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 3 | |||
| 4 | |||
| 0 | |||
| 1 |
10-01-2013
02:13 PM
Sorry, I wasn't clear. I mean to mask Splunk's access logs on the filesystem itself.
... View more
10-01-2013
10:47 AM
I'm wondering if it's possible to mask/scrub the Splunk access logs. If so, how?
It's for a security requirement. We have a search page that does a one-way hash of an input value and searches for the hash, but we don't want any written record of the input value. This value would appear in the Splunk access logs for a given request.
Edit:
I would like to do this for the Splunk access logs on the filesystem.
... View more
08-29-2013
10:14 AM
How can I find what $foo$ values are available?
I know the Sideview RuntimeDebugger shows keys from upstream and modified keys, but how can I see the full tree of keys?
This is to support something I'm trying to do using Redirector, but I feel like this question holds a good amount of value in and of itself. Once I have the answer, I can likely figure out my Redirector woes. If not, I'll just ask a separate question 🙂
... View more
08-16-2013
02:05 PM
Table instead of fields is what did it. Thanks!
... View more
08-12-2013
04:23 PM
1 Karma
Firstly, see my pastebin
Base search:
sourcetype=applog source!=*jboss-*GA/* | transaction transactionid keepevicted=t | fields _time, ResponseType, RequestType, PlatformName, ErrorMessage, exception, exception_message
PostProcess1:
search ResponseType="ERROR_SERVER" | table _time, RequestType, exception, exception_message, ErrorMessage
PostProcess2:
search ResponseType="ERROR_UNKNOWN" | table _time, ErrorMessage, PlatformName, exception
Neither Table module shows results for its respective PostProcess.
I know some questions are going to come up regarding why I'm doing it this way. I understand my method of accomplishing this may not be the best, so please offer suggestions for improvement.
Why am I just grabbing transaction'ed events for my base search? The data I need to display won't appear in the event that has ResponseType=ERROR_SERVER or ResponseType=ERROR_UNKNOWN. It will appear in another event with the same transactionid. If you can think of a better way to put the data together, please tell me.
Why am I using keepevicted=t? No clue. I don't get results when I don't have that in there. Educate me?
Why am I adding fields at the end of my base search? Per the PostProcess documentation in the Sideview app, Splunk will discard fields from the base search that it has deemed unimportant. By explicitly telling Splunk that I want those fields, I think that should bypass that problem. Maybe I'm wrong?
So yeah, no idea why I'm not getting results. Running the base search in combination with the PostProcess does yield results. Help?
... View more
07-02-2013
02:09 PM
You, sir, are kind of awesome. Using this with the UF actually shaves two weeks off my project by avoiding the heavy forwarder. Thank you!
... View more
07-02-2013
10:53 AM
Fixed the transform, thanks to http://splunk-base.splunk.com/answers/24769/host-override.
The ^ in my regex was mucking things up. The MetaData:Source source begins with text "source::". Removing the ^ to permit the "source::" at the start of the value fixed it.
Still haven't gotten it to work on my UF though. Am I correct in understanding that this does not work on the UF?
... View more
07-02-2013
10:45 AM
We have a host where logs are aggregated already. I want to Splunk these logs. The source host for the logs is in the file path. I attempted the below props/transforms as a PoC, but no luck. Can anyone catch what I'm doing wrong?
transforms.conf:
[foobar]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = ^/opt/splunk/v(ar)
FORMAT = host::bogus$1
props.conf:
[boguslog]
TRANSFORMS-foo=foobar
inputs.conf:
[monitor:///opt/splunk/var/log/splunk/splunkd.log]
sourcetype = boguslog
Also, would this sort of transformation work on a UF or only a HF? I was originally doing this to test for myself, but I can't get it to work on my HF in the first place.
... View more
04-04-2013
09:59 AM
Thanks piebob!
... View more
04-03-2013
04:06 PM
Checked out http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Outputsconf to confirm your findings. I don't see backoffOnFailure defined as a parameter - I only see it referenced by the secsInFailureInterval parameter.
I did just test manually; however, it appears it took 5 minutes and 10 seconds before attempting another connection.
If you change your 30sec to 300 sec / 5 minutes, I'll accept 😄
I also checked the outputs.conf in etc/system/default and say no reference to backoffOnFailure. Odd.
... View more
04-03-2013
03:28 PM
3 Karma
If a given forwarder has quarantined a connection to due too many failed connection attempts, will the forwarder reattempt a connection after a span of time? If so, what is the reattempt interval for a quarantined connection?
By quarantine, I mean the below:
03-16-2012 14:20:24.904 +1000 INFO TcpOutputProc - Connection to 10.1.2.3:9997 closed. Connection closed by server.
03-16-2012 14:20:24.904 +1000 WARN TcpOutputProc - Applying quarantine to idx=10.1.2.3:9997 numberOfFailures=3
(Example logs pulled from another question, but I know this is what they look like)
... View more
02-05-2013
02:13 PM
Huh, that is very odd. Was that in etc/system/local/transforms.conf or default? Did you find how that got in there? I'm curious about the cause as well.
... View more
02-04-2013
05:11 PM
Have any stray props.conf/transforms.conf on the indexer? Is this all of your forwarders or only some of them?
Try "splunk btool transforms list --debug > out.txt" on your indexer and grep for MetaData:Host in out.txt. It possible that there's a transform setting the host value to splunk
... View more
10-11-2012
05:41 PM
3 Karma
Changed the log.cfg on the Deployment Server to log debug messages and restarted Splunk... Hosts began reporting. Seems like Splunk just needed a restart 😕
... View more
10-11-2012
04:19 PM
Noticed the issue with [target-broker:devDeployServer]. Corrected it.
... View more
10-11-2012
04:00 PM
4 Karma
Spent a day on this and have been seeking help in Splunk IRC. Bout to lose it.
Deployment Server states no clients have contacted server. splunkd.log on the Universal Forwarder contains the following:
10-11-2012 15:47:43.879 -0700 WARN DeploymentClient - Phonehome thread is now started.
10-11-2012 15:47:43.879 -0700 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
Conf on forwarder is located at $SPLUNK_HOME/etc/apps/deployment/default.
deploymentclient.conf contains the following:
[deployment-client]
disabled = false
[target-broker:deploymentServer]
targetUri = 10.45.222.191:8089
App.conf in that same directory contains the following:
[install]
state = enabled
On the Deployment Server, $SPLUNK_HOME/etc/system/local/serverclass.conf looks like this:
[global]
[serverClass:all_dev_forwarder]
filterType = whitelist
#filterType = blacklist
repositoryLocation = /opt/splunk/etc/deployment-apps
restartSplunkd = true
whitelist.0 = 10.45.222.*
#blacklist.0 = 10.45.222.190
I've run ./splunk reload deploy-server on the Deployment Server and ./splunk restart on the Universal Forwarder multiple times.
I've confirmed that the Universal Forwarder can hit the Deployment Server on 8089.
I'm stumped and have spent a whole day with something I've done a dozen times before. Anyone have any ideas?
... View more
09-26-2012
01:57 PM
Jumped the gun on the selected answer...
The timeformat for syslog matches: %b %d %H:%M:%S
Any other ideas?
... View more
09-26-2012
12:02 PM
Hey guys,
I've setup our Linux hosts to send syslog using rsyslog over TCP encrypted with TLS. Data's being consumed, but the linebreaks aren't working. I have assigned syslog as the sourcetype for the input. I'd really like to avoid altering the syslog sourcetype, but it's fine if I have to. Any idea what might be causing this behavior and how to fix it?
My inputs looks like this:
[tcp-ssl:8514]
sourcetype=syslog
Current event:
84 <86>Sep 26 11:45:40 *censored* sshd[8218]: Invalid user bryan.berry from *censored* <86>Sep 26 11:45:40 *censored* sshd[8219]: input_userauth_request: invalid user bryan.berry86 <84>Sep 26 11:45:44 *censored* sshd[8218]: pam_unix(sshd:auth): check pass; user unknown143 <85>Sep 26 11:45:44 *censored* sshd[8218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=*censored* <82>Sep 26 11:45:44 *censored* sshd[8218]: pam_succeed_if(sshd:auth): error retrieving information about user bryan.berry120 <86>Sep 26 11:45:47 *censored* sshd[8218]: Failed password for invalid user bryan.berry from *censored* port 57820 ssh275 <86>Sep 26 11:45:50 *censored* sshd[8219]: Connection closed by *censored*
Should be:
Sep 26 11:45:40 *censored* sshd[8218]: Invalid user bryan.berry from *censored*
Sep 26 11:45:40 *censored* sshd[8219]: input_userauth_request: invalid user bryan.berry
Sep 26 11:45:44 *censored* sshd[8218]: pam_unix(sshd:auth): check pass; user unknown
Sep 26 11:45:44 *censored* sshd[8218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=*censored*
Sep 26 11:45:44 *censored* sshd[8218]: pam_succeed_if(sshd:auth): error retrieving information about user bryan.berry
Sep 26 11:45:47 *censored* sshd[8218]: Failed password for invalid user bryan.berry from *censored* port 57820 ssh
Sep 26 11:45:50 *censored* sshd[8219]: Connection closed by *censored*
Thanks!
... View more
05-31-2012
02:19 PM
@cphair The first transaction was just messing around. I found it made no difference - I should have removed it before posting.
I have not tried that with the eval. That may be a viable option. Any suggestions on how to accomplish the formatting, i.e. have them delimited from one another clearly and show a title for each piece?
Thanks for taking a look
... View more
05-21-2012
02:49 PM
1 Karma
This is really tricky to explain, so please bear with me. I'm open to different display approaches, so if you disagree with how I want to show this data, please feel free to propose a better design.
I'm working on a TIBCO app to show events for a service run, the job it runs as, and the child jobs running under it. I'm having difficulty is displaying the child jobs in relation to the parent job that represents the whole execution of the service. I have a search like this:
index=test-tibco parent_job_id=80353 | transaction service_name, parent_job_id, child_job_id | eval event_time=_time | convert ctime(event_time) | transaction service_name, parent_job_id | eval newtime=_time | convert ctime(newtime) | table newtime, service_name, parent_job_id, job_status, event_time, child_job_id, MessageText
parent_job_id is only for my testing purposes - I'm more concerned about the formatting.
The results look like this:
newtime
service_name
parent_job_id
event_time
child_job_id
MessageText
04/12/2012 13:27:56.907
DetermineFeatureEligibility
80353
04/12/2012 13:27:56.907
1
Sending Request to BB Service
04/12/2012 13:27:56.909
2
Received response from BB Service
3
4
I want them to look like this:
newtime
service_name
parent_job_id
event_time
child_job_id
MessageText
04/12/2012 13:27:56.907
DetermineFeatureEligibility
80353
04/12/2012 13:27:56.907
1
Sending Request to BB Service
04/12/2012 13:27:56.907
2
<No Message>
04/12/2012 13:27:56.909
3
Received response from BB Service
04/12/2012 13:27:56.909
4
<No Message>
EDIT for additional info: Essentially, my goal is to have a table within my end table to show the child job' info and bubble up into the parent job.
Is this possible? If so, how? (I know the data seems junky, but some of these really are 1-millisecond requests of container jobs and whatnot.)
I'm also curious if anyone has figured out a low-effort manner to achieve the design described in http://splunk-base.splunk.com/answers/40142/how-can-i-compute-durations-of-nested-method-calls.
... View more
