Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gn694
gn694
Communicator
Member since:
01-25-2012
06-05-2020
Community Statistics
| Posts | 57 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 14 |
| Member Since | 01-25-2012 |
Activity Feed
- Got Karma for Field alias Status AS Error_Code is wiping out the contents of the Error_Code field on Event ID 4776. 06-05-2020 12:50 AM
- Got Karma for Re: How to configure time in Splunk DB Connect and the Add-on for Oracle Database?. 06-05-2020 12:49 AM
- Got Karma for Making all of an App's contents global using default.meta. 06-05-2020 12:49 AM
- Got Karma for Splunk Add-on for Oracle Database: What role/permissions are required from Oracle dba to use this add-on?. 06-05-2020 12:49 AM
- Got Karma for CSV and TSV File Inputs on Universal Forwarder - Do I need to configure both INDEXED_EXTRACTIONS and FIELD_DELIMITER?. 06-05-2020 12:48 AM
- Got Karma for Is there a way to prevent users from saving knowledge objects in the Searching and Reporting app?. 06-05-2020 12:48 AM
- Got Karma for Is there a way to prevent users from saving knowledge objects in the Searching and Reporting app?. 06-05-2020 12:48 AM
- Karma Re: Why search with postprocessing returns no results in dashboard, but the actual search does? for dmaislin_splunk. 06-05-2020 12:47 AM
- Got Karma for Why is log data still present in an Index well after the frozenTimePeriodInSecs retention period?. 06-05-2020 12:47 AM
- Got Karma for How to configure universal forwarder to forward events from a specific log file in a monitored directory to a separate index?. 06-05-2020 12:47 AM
- Got Karma for How to configure universal forwarder to forward events from a specific log file in a monitored directory to a separate index?. 06-05-2020 12:47 AM
- Karma Re: Splunk Universal Forwarder getting behind forwarding events for martin_mueller. 06-05-2020 12:46 AM
- Got Karma for Count By Date. 06-05-2020 12:46 AM
- Got Karma for Count By Date. 06-05-2020 12:46 AM
- Got Karma for Setting Write Permission on an Index - to be used as a Summary Index. 06-05-2020 12:46 AM
- Got Karma for Setting Write Permission on an Index - to be used as a Summary Index. 06-05-2020 12:46 AM
- Posted Problems with Field Extraction where Source has a Forward Slash in it on Splunk Search. 03-18-2020 10:47 AM
- Posted Re: Unable to initialize modular input "WinEventLog" after server restart on Getting Data In. 03-12-2020 02:20 PM
- Posted Re: SSL Forwarding: Why does a Splunk forwarder need its own certificate? on Getting Data In. 12-02-2019 03:28 PM
- Posted Re: Field alias Status AS Error_Code is wiping out the contents of the Error_Code field on Event ID 4776 on All Apps and Add-ons. 07-30-2019 02:20 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 |
03-18-2020
10:47 AM
I am trying to create a field extraction for events from the source:
WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational
I am able to save it, but when I go to set permissions on it (or edit/move it), I get the following in Splunk web:
Splunk could not perform action for resource data/props/extractions (404, u'Splunk cannot find "data/props/extractions/source::WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG". [HTTP 404] https://127.0.0.1:8089/servicesNS//search/data/props/extractions/source%253A%253AWinEventLog%253AMicrosoft-Windows-TerminalServices-Gateway%252FOperational%20%3A%20EXTRACT-TestRDG?safe_encoding=1; [{\'type\': \'ERROR\', \'text\': \'Could not find object id=source%3A%3AWinEventLog%3AMicrosoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG\', \'code\': None}]')
I am able to delete it though.
It looks like the forward slash in the source is the problem.
Has anyone encountered this before or know of a work around for it?
... View more
03-12-2020
02:20 PM
Did you ever get this problem resolved? I just encountered the same issue on Server 2016.
... View more
12-02-2019
03:28 PM
From watching the recording of your presentation I understand how using the default certificates can lead to authentication issues because of the root CA certificate being the same with every instance of Splunk.
If I do am not concerned with authentication, but want to ensure everything is encrypted, are the default certificates ok to use? Or would using our private CA (with one certificate shared used on all Universal Forwarders) provide some added benefit in terms of data encryption over the default certificates?
... View more
07-30-2019
02:20 PM
Update for anyone with this problem:
Go to the alias and uncheck the box labelled"Overwrite field values"
This will prevent Splunk from overwriting the existing Error_Code field.
... View more
06-21-2019
02:43 PM
1 Karma
We recently migrated to a Splunk Environment where the Add-on for Microsoft Windows is installed and now have problems with some of our existing (migrated) dashboards and searches.
Events of EventCode 4776 now all had an ErrorCode value of "-". Normally the ErrorCode in this type of event would be something like 0x0 for a successful authentication or C000006A for a wrong password.
I looked at the contents of the Add-on and found a calculated field for Error_Code:
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
So, if the ErrorCode is null it makes the value "-". BUT even though the ErrorCode in these events is NOT null, the calculated field is still kicking in.....
Further looking into the contents of the Add-on revealed the field alias:
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
So, since EventCode 4776 does not have a Status field (so it is null), the alias is making the Error_Code field value null, which then gets adjusted to "-" by the calculated field.
A different type of event - EventCode 4625 does have a Status field. There is no native field named ErrorCode for it. But with the Add-on there is a Status field and an ErrorCode field with the same value. Is that really needed?
Is there any reason why they decided to "clobber" the ErrorCode field? For EventCode 4776, the ErrorCode field is very useful for identifying successful vs unsuccessful authentications and determining the reason for the failed authentications. I can create a field extraction to get the value out but I really don't think I should have to in this case because it seems like this has to be some kind of a bug / undesired outcome.
I'm thinking of submitting a support request to Splunk but was curious as to other people's thoughts on this first.
... View more
08-01-2018
02:13 PM
I was intending to make everything global (this app's purpose is to curate global objects among different groups using Splunk - most will be field extractions but there may be a few other types of objects.)
In order to get the field extraction working I had already tried adding the following to default.meta:
[props]
export=system
(It is just an inline field extraction, so there is no transforms.conf in the app)
I am curious about your last statement "will be global (other than ones specifically set to a lower sharing level)" The field extraction I am testing is not configured as global itself, I am trying to make it global along with everything else in the app without explicitly setting each object as global.
If I am understanding things correctly, with this config in place, none of the field extractions effectively have a "lower sharing level" / should be not global (private or shared only within the app.)
... View more
08-01-2018
01:23 PM
I gave it a try just now but that did not get it working. I added it to the app's metadata.local and restarted Splunk. The extracted field still only shows up in the app it was created in.
... View more
I am trying to make a shared app where its knowledge objects available to everyone from all apps.
I edited shared_app/metadata/default.meta so it contains the following:
[]
access = read : [ * ], write : [ admin, power ]
export = system
From what I have read, this should allow ANY user to read/see ANY type of knowledge object saved there from ANY app.
When I went to test this with a field extraction in the shared app I ran a search from the Search app, but the extracted field does not show up.
So I went to the permissions for the field extraction and changed it from private to this app only thinking that maybe it just had to be moved out from my user directory into the app's directory. I still could not see it from the Search app. So I set it to global and then it showed up in the Search app. I am trying to avoid having to explicitly set each object as global (to reduce the time/effort when creating a new object but more importantly because non-admins will have write access to the app and this is how they will make objects global without being an admin.)
I thought export = system in default.meta would have been good enough to make it effectively global. But in my testing it is not the case. What am I doing wrong?
... View more
05-15-2018
01:39 PM
1 Karma
OK, thankx for the confirmation.
I have updated the query so it now creates a new field without the TZ specified (which is OK in my case, as everything (Oracle servers, Splunk servers) are in the same time zone.
For anyone else who might have this problem reading this....
I modified the query for the orcle:audit:unified template from
SELECT *
FROM (
SELECT CAST((eventtimestamp at TIME zone 'UTC') AS TIMESTAMP) EVENTTIMESTAMPUTC,u.*
FROM UNIFIEDAUDITTRAIL u)
WHERE EVENTTIMESTAMPUTC > ?
ORDER BY EVENTTIMESTAMP_UTC ASC
to
SELECT *
FROM (
SELECT CAST((eventtimestamp at TIME zone 'UTC') AS TIMESTAMP) EVENTTIMESTAMPUTC,CAST((eventtimestamp) AS TIMESTAMP) EVENTTIMESTAMP2,u.*
FROM UNIFIEDAUDITTRAIL u)
WHERE EVENTTIMESTAMPUTC > ?
ORDER BY EVENTTIMESTAMPUTC ASC
And set the Timestamp field to EVENTTIMESTAMP2.
... View more
05-15-2018
10:31 AM
I have Splunk DB Connect and the Add-on for Oracle Database installed and configured using the oracle:audit:unified template.
Initial configuration was done keeping the Timestamp column the default (EVENTTIMESTAMPUTC.)
This worked great.
Then in order to get the indexed timestamp to be local time I changed the Timestamp column to EVENT_TIMESTAMP. Doing this resulted in being prompted for the Datetime format (Java SimpleDateTimeFormat.)
I have tried entering in a few different formats, none of which work. No matter what I have tried, things are not working and I do not get any events indexed.
An example of this field's value is:
2018-05-14 11:24:33.349604 America/Chicago
The current Datetime formats that I am trying unsuccessfully are:
yyyy-MM-dd HH:mm:ss.SSSSSS Z
yyyy-MM-dd HH:mm:ss.SSSSSS z
yyyy-MM-dd HH:mm:ss.SSSSSS
yyyy-MM-dd HH:mm:ss.SSSSSS VV
I keep getting the following in splunkappdbconnectserver.log:
java.time.format.DateTimeParseException: Text '2018-05-14 11:24:33.3928 America/Chicago' could not be parsed at index 20
Does anyone have any tips to troubleshoot or see what I am doing wrong?
... View more
03-22-2018
11:54 AM
Update: I forgot to also delete the details for the dashboard in the metadata file on the Deployer. Once that was also removed I was able to delete the local copy.
... View more
03-22-2018
07:25 AM
I just tried this but it did not work for me:
1. Deleted dashbaord (xml file) on deployer
2. Applied the shcluster-bundle
3. Went to delete the dashboard on a Search Head but the delete option is still not available.
4. Verified on each SHCluster member in the app's default directory that the dashboard (xml file) is no longer present. It is now only in the local directory.
5. I restarted Splunk on one of the Search heads and still can not delete the (now local only) dashboard there.
... View more
10-11-2017
02:37 PM
1 Karma
When creating an Identity in Splunk DB Connect to be used with the Splunk Add-on for Oracle database, what role/permissions within Oracle are required for the Oracle user provided? I need to let my Oracle DBAs know how to configure the user I am asking for.
... View more
07-20-2017
10:57 AM
I added the transforms to the Universal Forwarder to send the unwanted stuff to the nullQueue and it is now working as I need it to. I didn't think that would work (even on structured data) but it seems that it does.
thank you!
... View more
07-19-2017
04:05 PM
I have some TSV files that I am forwarding with a Universal Forwarder.
I have props.conf configured on the UF with the following for the sourcetype:
FIELDDELIMITER = \t
HEADERFIELDLINENUMBER = 1
That has worked great. But now I have a need to drop some events so they do not get indexed.
On the Indexer I have configured the following for the sourcetype in props.conf:
[]
TRANSFORMS-null = dropbatchrequests
...and in transforms.conf:
[dropbatchrequests]
REGEX = batchRequest
DEST_KEY = queue
FORMAT = nullQueue
At first it was not working, I was still getting events that contain batchRequest. So I temporarily removed the structured data configuration on the Universal Forwarder (shown above) and the transform worked as desired - batchRequest events were no longer indexed.... But now the tsv format and field recognition was not there...
So I tried to configure everything in one place. On the Indexer I specified the structured data config in props.conf using FIELDDELIMITER and FIELDNAMES (since I can't use HEADERFIELDLINE_NUMBER on the Inedxer.) The result of that was the batchRequests events were not indexed, but the fields (from the header row) still were not extracted.
Am I doing something wrong? Or is there some reason why these configurations (TSV/structured data field recognition and dropping certain events to the nullQueue) on the same sourcetype will not work together? I can get each to work independently - but not together.
... View more
04-05-2017
12:10 PM
Thankx. This is certainly a confusing topic. Before last month I would have said that this type of thing had to be done on the indexer, and we have done it that way many times in the past. I just happened to come across the Forwarder configurations. I'm not sure when this functionality got added to the forwarder, but it does help offload some of the work from me / the Splunk infrastructure team and allows server/service admins the capability of adding these types of inputs on their own. Thank you @woodcock and @richgalloway for taking the time to answer and help me with this.
... View more
04-05-2017
10:21 AM
I think that may have been the case in previous Forwarder versions, but you can now configure this on the Forwarder. "If you have Splunk Enterprise, you can edit the settings on indexer machines or machines where you are running the Splunk universal forwarder." http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata
I already the CSV files being forwarded to Splunk, with props.conf configured on the Forwarder - I tested and verified that last month. It was just today when I went to add the TSV files that I asked myself why I was using both INDEXEDEXTRACTIONS and FIELDDELIMITER for the CSV files and whether or not I actually needed to.
... View more
04-05-2017
09:34 AM
1 Karma
I am going to be forwarding CSV and TSV files, and was wondering if I need to configure both INDEXEDEXTRACTIONS and FIELDDELIMITER in props.conf for the sourcetype on the Universal Forwarder.
It seems redundant to tell it
INDEXEDEXTRACTIONS= csv and FIELDDELIMITER= ,
and
INDEXEDEXTRACTIONS= tsv and FIELDDELIMITER= \t
If it is a csv it should be obvious the field delimiter is a comma.
And if it is a tsv it should be obvious the field delimiter is a tab.
Is there a reason to configure both? Or if only one is needed is there a reason to use one over the other?
... View more
01-17-2017
11:43 AM
I am in the process of working on a standard way to create new HEC tokens, and have them automatically configured on all Heavy Forwarders (I use a Deployment Server and, like you, my own custom app for Heavy Forwarder configs.)
So if I understand you correctly, you generate new tokens (disabled) on your deployment server using the web UI, and then you are copying the new stanza from inputs.conf in the splunk_httpinput app to your custom app and then enabling them there?
That is what I was thinking of doing, and was looking around to see if anyone else was doing this or had any other options when I came across this.
My only other option so far is to keep using the splunk_httpinput app, have it configured and deployed via the Deployment Server, but in this case the tokens would then also be enabled on the Deployment Server - which probably doesn't matter but Id rather not have it set up this way. I already have a Deployment Server in place, so can not set it up on one of the Heavy Forwarders as Splunk documentation recommends.
... View more
01-11-2017
01:58 PM
That worked for me too! Thank you!! I wish I had seen this 6 hours ago!!!
Any idea why this is required only for settings in alert_actions.conf? All of my other settings in the same app work fine.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma from
