Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About andreasz
andreasz
Path Finder
Member since:
04-29-2013
06-05-2020
Community Statistics
| Posts | 23 |
| Solutions | 0 |
| Karma Given | 14 |
| Karma Received | 6 |
| Member Since | 04-29-2013 |
Activity Feed
- Karma Re: How do I limit the fields returned by Splunk's REST handlers? for LukeMurphey. 06-05-2020 12:50 AM
- Karma No matching visualization found (DB Connect) for julio19. 06-05-2020 12:50 AM
- Karma AssumeRole for CloudWatch Logs input for joeydenbroeder. 06-05-2020 12:50 AM
- Karma Re: What is the distinction between "events" versus "results"? for LukeMurphey. 06-05-2020 12:49 AM
- Karma Should Metrics Indexes support overwriting events instead of duplicating events for rjthibod. 06-05-2020 12:49 AM
- Karma What are some of the Best Practices Recommendation for Data Model Acceleration vs Metrics? for pramaswamy. 06-05-2020 12:49 AM
- Karma Re: Where should the kvstore be deployed in a distributed Splunk environment for jwelch_splunk. 06-05-2020 12:49 AM
- Karma Provide hyperlink in Email alert body for anantdeshpande. 06-05-2020 12:48 AM
- Karma Re: Dashboard Assistant: Is there a plan to support Splunk version 6.5.x in future releases of this app? for Simon. 06-05-2020 12:48 AM
- Got Karma for Re: How to enable IAM roles for Cloudtrail app and Splunk Add-on for Amazon Web Services?. 06-05-2020 12:48 AM
- Karma Splunk DB Connect 2: What is the proper syntax for dbxquery? for kbecker. 06-05-2020 12:47 AM
- Got Karma for Re: After upgrading to Splunk 6.3.0, why am I getting the following Mongod errors?. 06-05-2020 12:47 AM
- Got Karma for Re: After upgrading to Splunk 6.3.0, why am I getting the following Mongod errors?. 06-05-2020 12:47 AM
- Karma Splunk App for Windows Infrastructure - LDAPSearch performance for dstaulcu. 06-05-2020 12:46 AM
- Karma Re: How do I apply a new linemerge rule to historical data? for lguinn2. 06-05-2020 12:46 AM
- Karma New App Site - Sorting by Newest Doesnt Work for cramasta. 06-05-2020 12:46 AM
- Got Karma for Re: Last indexed event is in the future. 06-05-2020 12:46 AM
- Got Karma for Re: Last indexed event is in the future. 06-05-2020 12:46 AM
- Got Karma for Re: WinEventMon::processLogChannel unable to checkpoint. 06-05-2020 12:46 AM
- Karma Export Views To Only One Specific App for David. 06-05-2020 12:45 AM
04-03-2020
12:56 AM
interval = 60
... View more
03-29-2020
03:12 AM
Hello,
I get the following error:
2020-03-20 23:04:24,291 ERROR Execution failed
...
..., line 373, in run
if last_entry_date_retrieved is not None and last_entry_date_retrieved > last_entry_date:
TypeError: '>' not supported between instances of 'time.struct_time' and 'NoneType'
In syndication.py line 343 lastentrydate can be set to None. I suppose this is happening here and later in the code the comparison fails.
Thanks in Advance
... View more
02-21-2020
08:13 AM
1 Karma
I have version 8.0.2 installed and get the same error on my Search Head:
Unable to initialize modular input "splunktaawssqs" defined in the app "SplunkTAaws": Introspecting scheme=splunktaawssqs: script running failed (exited with code 1)
For some reasons I don't get this error on my Heavy Forwarder (8.0.2 as well)
... View more
02-21-2020
06:53 AM
My Heavy Forwarders and Indexers are at version 8.0.2 and I still get the error. Why should we set the negotiateProtocolLevel to 0, if both servers (HF & Indexer) are already at the newest version?
... View more
03-25-2019
04:17 AM
On SUSE Linux Splunk 7.2.5 crashes too:
[build 088f49762779] 2019-03-25 11:19:56
Received fatal signal 6 (Aborted).
Cause:
Signal sent by PID 4302 running under UID 0.
Crashing thread: Main Thread
Registers:
RIP: [0x00007FA7BA97BF67] gsignal + 55 (libc.so.6 + 0x34F67)
RDI: [0x00000000000010CE]
RSI: [0x00000000000010CE]
RBP: [0x00007FA7BACE76D8]
RSP: [0x00007FFF638DDE18]
RAX: [0x0000000000000000]
RBX: [0x00007FA7BA11ACE0]
RCX: [0x00007FA7BA97BF67]
RDX: [0x0000000000000006]
R8: [0x000000000000000A]
R9: [0x00007FA7BBE387C0]
R10: [0x0000000000000008]
R11: [0x0000000000000202]
R12: [0x00007FA7BA4C56A0]
R13: [0x00007FA7BA11AC90]
R14: [0x0000562779FDC920]
R15: [0x0000000000000000]
EFL: [0x0000000000000202]
TRAPNO: [0x0000000000000000]
ERR: [0x0000000000000000]
CSGSFS: [0x0000000000000033]
OLDMASK: [0x0000000000000000]
OS: Linux
Arch: x86-64
Backtrace (PIC build):
[0x00007FA7BA97BF67] gsignal + 55 (libc.so.6 + 0x34F67)
[0x00007FA7BA97D33A] abort + 314 (libc.so.6 + 0x3633A)
[0x00005627796467AD] ZN9gnucxx27verboseterminatehandlerEv + 349 (search-launcher + 0x25107AD)
[0x00005627795CC1D6] _ZN10cxxabiv111_terminateEPFvvE + 6 (search-launcher + 0x24961D6)
[0x00005627795CC221] ? (search-launcher + 0x2496221)
[0x00005627795CC5E8] ? (search-launcher + 0x24965E8)
[0x0000562777BA78B9] ? (search-launcher + 0xA718B9)
[0x0000562778816BD8] _Z17ProcessRunnerInitRK8Pathname + 808 (search-launcher + 0x16E0BD8)
[0x0000562778E933AA] ? (search-launcher + 0x1D5D3AA)
[0x0000562778817253] _ZN32ProcessRunnerChildCommandHandler19handlecommandforkEPK18protoforkcommandPKv + 803 (search-launcher + 0x16E1253)
[0x00005627788175D4] _ZN32ProcessRunnerChildCommandHandler11consumeDataERK3Str + 356 (search-launcher + 0x16E15D4)
[0x000056277879494B] _ZN21SocketCommandConsumer13whenreadableE18PollableDescriptor + 219 (search-launcher + 0x165E94B)
[0x0000562778795D25] ZN12PolledSocket3Pfd11wheneventsE18PollableDescriptor + 85 (search-launcher + 0x165FD25)
[0x0000562778796246] ZN8PolledFd8doeventEv + 134 (search-launcher + 0x1660246)
[0x000056277879721B] ZN9EventLoop3runEv + 651 (search-launcher + 0x166121B)
[0x00005627788166AC] _ZN20ExternalProcessGroup20processrunnerchildERK8PathnameR14PolledReadPipe + 1084 (search-launcher + 0x16E06AC)
[0x0000562778816BC5] _Z17ProcessRunnerInitRK8Pathname + 789 (search-launcher + 0x16E0BC5)
[0x00005627782FBBD8] _ZN16SplunkMainThreadC1ERK8Pathnameb + 1064 (search-launcher + 0x11C5BD8)
[0x0000562777BBE7D1] main + 17937 (search-launcher + 0xA887D1)
[0x00007FA7BA967725] _libcstartmain + 245 (libc.so.6 + 0x20725)
[0x0000562777C909A2] ? (search-launcher + 0xB5A9A2)
Linux / zbm-sl-muc-0099 / 4.4.155-94.50-default / #1 SMP Tue Sep 11 13:04:00 UTC 2018 (bc8c7c0) / x8664
/etc/SuSE-release: SUSE Linux Enterprise Server 12 (x8664)
glibc version: 2.22
glibc release: stable
Last errno: 11
Threads running: 1
Runtime: 176.912315s
argv: [splunkd --under-systemd --systemd-delegate=yes -p 8089 internallaunchundersystemd]
Process renamed: [splunkd pid=1567] splunkd --under-systemd --systemd-delegate=yes -p 8089 internallaunchundersystemd [process-runner]
Process renamed: [splunkd pid=1567] [search-launcher]
Regex JIT enabled
using CLOCKMONOTONIC
Preforked process=0/20: processruntimemsec=12, completedsearches=0, userchanges=0, cacherotations=0
First 512 bytes of PolledFd object @0x7fff638dec90:
00000000 e0 8c fd 79 27 56 00 00 00 00 00 00 da dd 42 65 |...y'V........Be|
00000010 00 8f 08 7a 27 56 00 00 00 00 00 00 00 00 00 00 |...z'V..........|
00000020 80 ef 8d 63 ff 7f 00 00 00 00 00 00 00 00 00 00 |...c............|
00000030 00 00 00 00 00 00 f0 3f 08 00 00 00 03 00 00 00 |.......?........|
00000040 40 b5 0b ba a7 7f 00 00 1b 20 00 00 ff 7f 00 00 |@........ ......|
00000050 00 00 00 00 00 00 00 00 7f 03 8d 63 ff 7f 00 00 |...........c....|
00000060 80 ec 8d 63 ff 7f 00 00 08 ed 8d 63 ff 7f 00 00 |...c.......c....|
00000070 00 00 00 00 00 00 00 00 00 f2 8d 63 ff 7f 00 00 |...........c....|
00000080 01 00 00 00 00 00 00 00 70 ee 8d 63 ff 7f 00 00 |........p..c....|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 01 00 00 00 00 00 00 00 00 a0 12 ba a7 7f 00 00 |................|
000000f0 65 00 00 00 00 00 00 00 30 0b 00 00 00 00 00 00 |e.......0.......|
00000100 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 00 00 00 00 00 00 00 00 70 8d 12 ba a7 7f 00 00 |........p.......|
00000120 d0 87 12 ba a7 7f 00 00 30 9a 12 ba a7 7f 00 00 |........0.......|
00000130 12 00 00 00 00 00 00 00 08 7e 02 bc a7 7f 00 00 |.........~......|
00000140 00 00 00 00 ff 7f 00 00 e0 8c 12 ba a7 7f 00 00 |................|
00000150 60 88 12 ba a7 7f 00 00 a0 99 12 ba a7 7f 00 00 |`...............|
00000160 12 00 00 00 00 00 00 00 00 ec 8d 63 ff 7f 00 00 |...........c....|
00000170 70 ee 8d 63 ff 7f 00 00 b0 07 16 ba a7 7f 00 00 |p..c............|
00000180 26 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 |&.......&.......|
00000190 00 00 00 00 00 00 00 00 10 5d 0a ba a7 7f 00 00 |.........]......|
000001a0 2a 00 00 00 00 00 00 00 2a 00 00 00 00 00 00 00 |..............|
000001b0 00 00 00 00 00 00 00 00 1f 06 00 00 54 07 00 00 |............T...|
000001c0 d0 e5 4e ba a7 7f 00 00 d0 e5 4e ba a7 7f 00 00 |..N.......N.....|
000001d0 e0 e5 4e ba a7 7f 00 00 00 00 00 00 00 00 00 00 |..N.............|
000001e0 fe 22 b8 39 c1 c8 57 3f c6 00 00 00 00 00 00 00 |.".9..W?........|
000001f0 af 71 59 03 00 00 00 00 01 70 72 6f 63 2f 73 65 |.qY......proc/se|
00000200
x86 CPUID registers:
0: 0000000D 756E6547 6C65746E 49656E69
1: 000406F0 0E010800 FFFA3203 0FABFBFF
2: 76036301 00F0B5FF 00000000 00C30000
3: 00000000 00000000 00000000 00000000
4: 00000000 00000000 00000000 00000000
5: 00000000 00000000 00000000 00000000
6: 00000004 00000000 00000000 00000000
7: 00000000 00000000 00000000 00000000
8: 00000000 00000000 00000000 00000000
9: 00000000 00000000 00000000 00000000
A: 07300401 0000007F 00000000 00000000
B: 00000000 00000000 00000070 0000000E
C: 00000000 00000000 00000000 00000000
😧 00000000 00000000 00000000 00000000
80000000: 80000008 00000000 00000000 00000000
80000001: 00000000 00000000 00000121 2C100800
80000002: 65746E49 2952286C 6F655820 2952286E
80000003: 55504320 2D354520 30393632 20347620
80000004: 2E322040 48473036 0000007A 00000000
80000005: 00000000 00000000 00000000 00000000
80000006: 00000000 00000000 01006040 00000000
80000007: 00000000 00000000 00000000 00000100
80000008: 0000302B 00000000 00000000 00000000
terminating...
... View more
01-05-2018
09:02 AM
To accomplish this, I would have to "hack" the splunk-perfmon.exe 😉
... View more
01-05-2018
09:00 AM
Good point. I'm currently using the multikv mode and the data volume is really small
... View more
01-05-2018
06:29 AM
@ddrillic: thanks for the answer, but I already know this document. I'm talking about the new Splunk 7 feature: metrics index.
... View more
01-05-2018
05:47 AM
I would like to collect my windows perfmon data into a metrics index. Is this feature planned for the near future?
The reason: I've had very good experience with the new metrics index. Great performance and very powerfull mstats command (no extra data model plus acceleration jobs)
Thanks for your help in advance,
Andreas
... View more
06-10-2017
06:31 AM
All you need is the Machine Learning Toolkit and to use the Panda Correlation Matrix Algorithm:
http://docs.splunk.com/Documentation/MLApp/2.2.0/API/CorrelationMatrix
Simply copy&paste the code and than:
index=_internal sourcetype=splunkd group=* | timechart usenull=f useother=f count by group | fields -
_time | fit CorrelationMatrix * | table index,*
Here is the description of the available methods:
https://pandas.pydata.org/pandas-docs/stable/generated/pandas.DataFrame.corr.html
... View more
01-05-2017
02:14 AM
It works. Thank you very much!
... View more
01-03-2017
08:28 AM
After Upgrade to Version 6.5. the information message button disappeared.
Is there a plan to support Splunk version 6.5 in future releases?
... View more
10-21-2015
01:28 AM
@dgladkikh
I discovered the problem directly after the upgrade and went back to version 6.2 (thanks to Vmware snapshot)
I didn't create a diag and could only sent the log files (splunkd.log, mongod.log, etc)
The problem appears only on our production system, so I have to wait for a maintenance window (probably Wednesday next week) to upgrade again and create a diag (Splunk support is waiting for that)
... View more
I have exactly the same problem and an open ticket at Splunk Support.
I tried to upgrade from version 6.2.5 and 6.3 (OS: Windows Server 2008R2)
After the upgrade I get the following errors in mongod.log
2015-09-23T19:30:11.390Z W CONTROL No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
2015-09-23T19:30:11.452Z I CONTROL Hotfix KB2731284 or later update is installed, no need to zero-out data files
2015-09-23T19:30:11.764Z I CONTROL dbexit: The provided SSL certificate is expired or not yet valid. rc: 2
What I found is a similar known issue with Mongodb Version 3.0.4
https://jira.mongodb.org/browse/SERVER-19538
It was fixed in Version 3.0.6.
I don't get this error on my Deployment Server (same operating system: Windows Server 2008R2)
kind regards
... View more
04-02-2015
08:20 AM
Hi nyp_kwyc,
Did you find a solution?
I have exactly the same problem. Experimented a lot (CDATA,urldecode,ltrim,replace...), but failed to find a solution. It's a very frustrating experience.
best regards
Andreas
... View more
"...seems that filtering in not supported on Universal Forwarder"
It's only supported for Windows EventLogs as described in the input.conf documentation:
Filtering in input.conf on the indexer wouldn't make any sense. You could only filter the Windows EventLogs on the indexer. It works for UF.
# Windows Event Log Monitor
blacklist = << list >>
Tells Splunk which event IDs and/or event ID ranges that incoming events must NOT have
in order to be indexed.
Optional. This parameter can be left empty.
A comma separated list of event ID and event ID ranges to exclude (example: 4,5,7,100-200).
If no value is present, then there is no effect.
If you specify both the "whitelist" and "blacklist" attributes, the input ignores the
"blacklist" attribute.
whitelist = << list >>
Tells Splunk which event IDs and/or event ID ranges that incoming events must have
in order to be indexed.
Optional. This parameter can be left empty.
A comma-separated list of event ID and event ID ranges to include (example: 4,5,7,100-200).
If no value is present, defaults to include all event IDs.
If you specify both the "whitelist" and "blacklist" attributes, the input ignores the
"blacklist" attribute.
... View more
04-01-2014
06:20 AM
"...I have found that changing inputs.conf on a Universal Forwarder is not an option on Splunk 6.0.2."
Is this a known bug?
According to the documentation it's still valid
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
And here is a blog from Adrian Hall
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
"I included two techniques – firstly, filtering by event code so that you didn’t include the events you didn’t want; and secondly, filtering the explanatory text on the end of each event."
"Let’s say you don’t want firewall events. From the previous blog post, event ID 5156 and 5157 detail the firewall connection accept and deny messages. Let’s say those are not relevant to us. Previously, we had to add a props.conf stanza to initiate a filtering action that was done in transforms.conf – it was complicated. In Splunk 6, everything is done in inputs.conf."
... View more
04-01-2014
04:32 AM
Hello,
same here.
I'm using the blacklist option instead.
Regards
Andreas
... View more
10-15-2013
03:14 AM
Apparently the source and sourcetype names changed in UF 6.0.
Old name: WinEventLog:Application
New name: WinEventLog:application
The same applies to System and Security Logs.
According to props.conf.spec: "By default, [source:: ] and [ ] stanzas match in a case-sensitive manner"
All the props.conf stanzas (Event filtering) don't match any more.
Here my input.conf definition on the forwarder:
default:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evtresolvead_obj = 1
checkpointInterval = 5
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
UF Version: splunkforwarder-6.0-182611-x86-release.msi
Regards,
Andreas
UPDATE
My Workaround
On Indexer:
transform.conf
[renamesourcetypeWinEventLog:application]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:application
FORMAT = sourcetype::WinEventLog:Application
[renamesourcetypeWinEventLog:security]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:security
FORMAT = sourcetype::WinEventLog:Security
[renamesourcetypeWinEventLog:system]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::WinEventLog:system
FORMAT = sourcetype::WinEventLog:System
[renamesourceWinEventLog:application]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:application
FORMAT = source::WinEventLog:Application
[renamesourceWinEventLog:security]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:security
FORMAT = source::WinEventLog:Security
[renamesourceWinEventLog:system]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Source
REGEX = source::WinEventLog:system
FORMAT = source::WinEventLog:System
props.conf:
[WinEventLog:security]
TRANSFORMS-renamesource = renamesource_WinEventLog:security
TRANSFORMS-renamesourcetype = renamesourcetype_WinEventLog:security
[WinEventLog:application]
TRANSFORMS-renamesource = renamesource_WinEventLog:application
TRANSFORMS-renamesourcetype = renamesourcetype_WinEventLog:application
[WinEventLog:system]
TRANSFORMS-renamesource = renamesource_WinEventLog:system
TRANSFORMS-renamesourcetype = renamesourcetype_WinEventLog:system
Update 30.10.2013:
the problem occurs on Windows Server 2003 SP2 x86.
I could not recreate it on Windows Server 2008R2
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
Karma given to
