Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Branden
Branden
Builder
Member since:
07-19-2010
11-16-2022
Community Statistics
| Posts | 250 |
| Solutions | 3 |
| Karma Given | 85 |
| Karma Received | 81 |
| Member Since | 07-19-2010 |
Activity Feed
- Posted UF Upgrade to 9.0.1 - disable kvstore? on Installation. 10-28-2022 10:20 AM
- Posted Export unlimited results from CLI search - not working on Splunk Search. 01-26-2022 11:54 AM
- Tagged Export unlimited results from CLI search - not working on Splunk Search. 01-26-2022 11:54 AM
- Got Karma for Re: splunk thinks text file is binary. 06-30-2020 11:34 PM
- Karma Re: Creating pie chart with nested data for ololdach. 06-05-2020 12:50 AM
- Karma Re: Creating pie chart with nested data for gcusello. 06-05-2020 12:50 AM
- Karma Re: Check for event that has not changed for X days for ololdach. 06-05-2020 12:50 AM
- Karma Re: rsyslog server with UF not sending events to Splunk for solarboyz1. 06-05-2020 12:50 AM
- Karma Re: rsyslog server with UF not sending events to Splunk for solarboyz1. 06-05-2020 12:50 AM
- Karma Re: Migration - will Splunk re-index a directory? for woodcock. 06-05-2020 12:50 AM
- Karma Re: Migrate to new server, splitting hot/warm and cold in the process for woodcock. 06-05-2020 12:50 AM
- Karma Re: Migrate to new server, splitting hot/warm and cold in the process for chrisyounger. 06-05-2020 12:50 AM
- Got Karma for DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java.. 06-05-2020 12:50 AM
- Got Karma for DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java.. 06-05-2020 12:50 AM
- Got Karma for DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java.. 06-05-2020 12:50 AM
- Got Karma for DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java.. 06-05-2020 12:50 AM
- Got Karma for DBConnect: OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java.. 06-05-2020 12:50 AM
- Got Karma for Splunk migration - missing data. 06-05-2020 12:50 AM
- Karma Re: How do you group two queries from different sourcetypes and events? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Can you simply delete the 6.4.3 forwarder and installing the 7.2.1 forwarder? for CarsonZa. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 5 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
10-28-2022
10:20 AM
Hello. We are trying to upgrade our Splunk UFs from 8.1.9 to 9.0.1. We use a configuration management tool (Puppet) to upgrade our UFs. This has worked fine until the leap to 9.0.1. We are experiencing a timeout during a kvstore migration. This appears to be a known issue, and I employed the solution found here. The solution (or workaround) appears simple: Edit server.conf and add this: [kvstore]
disabled = true And that works. However, I'm concerned about the consequences of this fix. I'm not familiar with the kvstore or how it works, etc. Is there any harm in using this workaround? Thank you in advance.
... View more
Labels
- Labels:
-
universal forwarder
-
upgrade
01-26-2022
11:54 AM
Hi. I am running a Splunk query from the CLI and would like to export the results as rawdata to a file. When I specify a value in maxout, it honors that number and exports the correct number of events. However, I want all of the events - unlimited. So I set maxout to 0, per the documentation. When I do this, it exports nothing. The search just sits there forever, exporting nothing. Even if it's a quick and simple search. Here is my query: splunk search "index=ldap earliest=01/24/2022:00:00:01 latest=01/25/2022:23:59:00" -output rawdata -maxout 0 > /mnt/splunk-backups/test/ldap-raw-test.log I want all events to be outputted as rawdata to the specified file. Am I missing something? We are running Splunk Enterprise 8.1.4. Thanks in advance!
... View more
Labels
- Labels:
-
other
12-03-2019
08:20 AM
They are not. Simple environment. One indexer, bunch of forwarders. I'll update the original post with that info.
... View more
12-03-2019
07:22 AM
Hello. We are planning an upgrade from Splunk 7.2.1 to Splunk 8.0.x. For best practices, we'd like to back up our indexes prior to the upgrade, but we're having an issue: our backup solutions can never keep up with the amount of incoming data, and we can't (won't) turn Splunk off for a long enough time to freeze incoming traffic for a full backup. It's many terabytes of data...
Some indexes are more important than others, so I was kicking around backing up just the 'critical' indexes. If we upgrade and the indexes become corrupted, we could still restore the important indexes.
Is that sound logic? Can indexes be restored piece-meal like that?
Our environment is simple: one Indexer/Search head with a bunch of UFs.
Also, if anyone has any recommendations for backing up Splunk indexes, please let me know. I've read Splunk's docs as well as posts on here on how to do it but, as I mentioned, the backups just can't keep up with the incoming stream.
Thanks!
... View more
11-19-2019
08:32 AM
I can actually calculate the epoch time six months in the future from the date of the password set:
| eval pwDate=strptime(pwdLastSet,"%Y-%m-%dT%H:%M:%S.%3N") | eval sixMonthsAhead=relative_time(pwDate, "+520d@d") | table cn, pwdLastSet, sixMonthsAhead
But I can't seem to get an alert to trigger once that date arrives...
... View more
11-19-2019
07:56 AM
Hi. We a Dashboard that informs us of the date a service account password was changed/reset. Passwords need to be reset no later than every 700 days, but we'd like Splunk to alert us 6 months prior to that deadline.
Our date field looks like this:
2019-11-15T15:27:42.416732Z
From that date, we need to alert when that account password is 520 days old (700 days minus 6 months/180 days). So in the above example, we need to receive an alert on April 18, 2021, to remind us to schedule a password reset for that account.
We are getting the account name date of the last password set from Active Directory, in case that matters.
In other words, is there a way to do "Calendar arithmetic" in Splunk? I have no idea where to even begin with this.
Thank you!
... View more
11-15-2019
09:08 AM
You were absolutely right. I misunderstood what you were saying.
I worked with one of our admins and we have the query working. You're right - it's quite an easy solution. Thank you very much!
... View more
11-13-2019
11:13 AM
Thank you for your response. We have an AD environment and a separate LDAP environment (running on Linux). Your solution would work for our LDAP logs, but for AD all I have to go by are the Windows Event Logs.
... View more
11-13-2019
10:48 AM
Hello.
I'm struggling with a query. We want to search Windows Event logs for accounts whose passwords have not been changed (by admins) for more than 700 days. I have created a query that informs me of when a password was changed:
index=main host=*DC* EventCode=4724 | eval Modifier = mvindex(Account_Name, 0) | eval User_Name = mvindex(Account_Name, 1) | rename Group_Name AS Modified_Group | table _time Modifier User_Name
But I do not know how to get Splunk to check for a password that has NOT been changed for over X days. Is this even possible?
Thank you in advance for your help.
... View more
10-29-2019
06:45 AM
I think this ended up being a red herring. Even though the error was appearing, I clicked through and things still worked as expected. Strange... So it looks like the error was a false positive.
... View more
10-24-2019
04:07 PM
Thank you for your response.
I thought of that, so I tried the actual path (/usr/java/jdk1.8.0_231-amd64/jre) but it still didn't work.
... View more
10-24-2019
03:53 PM
5 Karma
Hi. I'm trying to configure DBConnect on my Splunk instance (Splunk 7.2.4 on RHEL). I can't make any progress because of this error:
OSError: [Errno 2] No such file or directory validate java command: /usr/java/latest/bin/java.
That is the correct location of java. It's Oracle java version 1.8.0_231.
JAVA_HOME is set:
echo $JAVA_HOME
/usr/java/latest
The splunk user ('splunk') has full rights to access this installation of java.
-rwxr-xr-x. 1 root root 8534 Oct 5 06:15 /usr/java/latest/bin/java
As you can see, it has wide-open read/execute permissions, and I've manually verified that the splunk user can use java.
I then ran this command:
/opt/splunk//bin/splunk cmd python -c "import os; print(os.environ)"
And see that JAVA_HOME is set:
{'USER': 'splunk', 'LOGNAME': 'splunk', 'JAVA_HOME': '/usr/java/latest', .......
What am I missing here? I've seen similar posts with this question, but no good solutions.
Thank you in advance.
... View more
10-04-2019
01:55 PM
Wow... that is quite amazing. Not quite the solution I was expecting, but it works! 🙂
And I learned some stuff. Thank you. 🙂
... View more
10-04-2019
11:37 AM
Actually, Trellis DID help me, thank you! Still having some difficulty (see edits above), but definitely progress.
... View more
10-04-2019
11:25 AM
Thank you for your reply. I experimented with Trellis, but all it gave me was a bunch of blank pie charts containing no data.
... View more
10-04-2019
10:12 AM
Hello. We have tabular data formatted like this:
"CollectionName" "CollectionSize" "PercentageUsed"
"FOO" "36" "50"
"BAR" "14" "36"
(The first row is the column headers, translated into field names.)
We are trying to create a dashboard containing pie charts like this:
For each CollectionName, create a pie chart labeled with "CollectionName" that contains the value of field "CollectionSize."
Within that pie chart, we want a wedge for the "PercentageUsed" field. So if "PercentageUsed" field is "50" (%) of CollectionSize, it would split the pie chart in half. If it's "20" (%) of CollectionSize then the pie chart would have a wedge that is 20% of the chart's size. We'll eventually want to be able to click on that wedge to drill down, but we'll tackle that later.
We'd like the dashboard to show a pie chart for each CollectionName. I think I'm close. I can get it to create a single pie chart for one CollectionName.
index=foo sourcetype="foo-usage" CollectionName=FOO | stats count by CollectionSize,PercentageUsed | transpose
That will show a single pie chart for the CollectionName "FOO." How do we get a pie chart for each CollectionName on the dashboard?
Thanks!
Update: I am able to get pie charts for each CollectionName with the PercentageUsed on top:
index=vdiclinics sourcetype="vdi-usage" | stats count by PercentageUsed,CollectionName
and using Trellis (finally got that to work). That's okay, but I'd like PercentageUsed to be a wedge, not a label. Here's what I have right now for one Collection:
How can I accomplish this? Thank you!
... View more
04-30-2019
12:44 PM
This resolution worked for me. I noticed that splunk_private_db.old was owned by root, so I simply chown'd it. Fixed the problem!
... View more
03-28-2019
09:28 AM
You are amazing, my friend. That solved this issue. Thanks!
... View more
03-27-2019
03:39 PM
Thank you for your response. I thought of that and, yes, I have verified that the splunk user can access the files. The dirs are 755 and the files are 644. I also changed to the splunk user and manually verified.
... View more
03-27-2019
02:25 PM
Hi. At Splunk's recommendation, I have a centralized syslog server (using rsyslog) that writes to /logs/hostname/year/month/day/file.log
This works fine.
However, I cannot get the Universal Forwarder to send the events to the Splunk Indexer. I added my stanza to /opt/splunkforwarder/etc/system/local/inputs.conf. When that didn't work, I created an app and put the stanza into /opt/splunkforwarder/etc/apps/syslog/local/inputs.conf
Didn't work.
Here is my stanza:
[monitor:///logs/*]
disabled = false
host_segment = 2
index = main
sourcetype = syslog
That looks straightforward to me.
I checked the Splunk logs on the Indexer and there's no sign that it's ever receiving these events.
In the UF logs I see that it has added a watch to /logs:
INFO TailingProcessor - Parsing configuration stanza: monitor:///logs/*.
INFO TailingProcessor - Adding watch on path: /logs.
I have verified that the port is open between the UF and the Indexer.
Indexer is running 7.2.4 and UF is running 7.1.2.
Am I missing something?
Thank you in advance!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-16-2022
11:21 AM
|
Karma given to
