cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rmills1
Explorer
Member since: ‎12-06-2017
‎10-14-2020
Community Statistics
Posts 6
Solutions 2
Karma Given 0
Karma Received 2
Member Since ‎12-06-2017
Activity Feed
View All

Re: Splunk Add-on for JBoss: Why is Splunk combini...

by in All Apps and Add-ons
‎04-02-2018 12:01 PM
‎04-02-2018 12:01 PM
I based the attributes I used on the ones in the default props.conf. I wanted to modify it as little as possible. However, I might look into those attributes in addition. Here's the default props.conf from the add-on: [jboss:server:log] MAX_TIMESTAMP_LOOKAHEAD = 32 01:59:41,057 EXTRACT-server = ^\d{2}:\d{2}:\d{2},\d{3}\s+(?P\w+)\s+[(?P[-.\w$]+)]\s((?P.+?))\s(?P[\s\S]+)$ BREAK_ONLY_BEFORE = ^\d{2}:\d{2}:\d{2},\d{3} LOOKUP-severity_name = jboss_severity_lookup log_level OUTPUT severity FIELDALIAS-body = message AS body FIELDALIAS-subject = event_category AS subject EVAL-app = "JBoss" EDIT: The code block is apparently not working for me in comments section...ugg ... View more

How to run Splunk Add-on for JBoss on Splunk 7.0?

by in All Apps and Add-ons
‎04-02-2018 11:57 AM
‎04-02-2018 11:57 AM
The Splunk Add-on for JBoss currently only lists up to Splunk 6.5 as compatible. Has anyone run it with 6.6 or 7.0? I'd like to upgrade my Splunk instance to 7.0, but I don't want to break the Add-on for JBoss. ... View more

Re: Splunk Add-on for JBoss: Why is Splunk combini...

by in All Apps and Add-ons
‎04-02-2018 11:52 AM
‎04-02-2018 11:52 AM
I noticed I accidentally hit the quote button instead of the code button, so the prop.conf lines were incorrect. Fixed to show correctly. ... View more

Re: Splunk Add-on for JBoss: Why is Splunk combini...

by in All Apps and Add-ons
‎03-29-2018 01:23 PM
‎03-29-2018 01:23 PM
I ran into the same problem, so I figured I'd post my fix here. Skoelpin was right about the line breaking problem. The line breaking and field extraction in the default props.conf doesn't work correctly (at least with my version of jboss). It's expecting a time field without a date, but my jboss logs had both date and time at the beginning of each line. Here's the format in my logs: 2018-03-29 16:20:31,058 To fix it, put the following in $SPLUNK_HOME/etc/apps//local/props.conf: [jboss:server:log] EXTRACT-server = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\s+(?P<log_level>\w+)\s+\[(?P<event_category>[\-\.\w$]+)\]\s(?P<message>[\s\S]+)$ BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3} ... View more

Re: Splunk App for Windows Infrastructure: inputlo...

by in All Apps and Add-ons
‎12-13-2017 08:46 AM
2 Karma
‎12-13-2017 08:46 AM
2 Karma
So I figured out my issue. I realized the kvstores were the problem. Once I learned a bit about kvstores, I checked file permissions and other stuff. Finally, I just ran the command domain-selector-search|outputlookup DomainSelector and discovered it worked. My kvstore was populated. So at that point I knew there was a permission issue. After more digging, I found out that you could view scheduled searches with index=_internal sourcetype=scheduler | table _time user savedsearch_name status scheduled_time run_time result_count That showed me that the jobs running to update my kvstores was running as the admin user. Sure enough, I didn't give the admin user the winfra-admin role, so it didn't have permissions to get the data in the first place. Once I did that, I waited for the jobs to run again, and everything was successful. TL:DR - Make sure the admin user has the winfra-admin role. ... View more

Splunk App for Windows Infrastructure: inputlookup...

by in All Apps and Add-ons
‎12-06-2017 12:21 PM
‎12-06-2017 12:21 PM
I've just setup Splunk App for Windows Infrastructure v1.4.2 (on Splunk v6.5.6) with Active Directory shipping in logs. Most of it seems to be working fine, except for pages that have the Domain drop down box don't work. I just get the message, Search produced no results. Looking at the search for that drop down box, the first part of the command is | ad-domains . When I run that I get nothing back. When I look up ad-domains macro, it starts with inputlookup DomainSelector. When I run that, it returns no results. I checked, and DomainSelector.csv in the lookups folder does contain the correct data. And running |inputlookup DomainSelector.csv works as expected, returning the contents of the csv. If I do |inputlookup EventCodes it works fine. The main difference I can find is in transforms.conf [DomainSelector] external_type = kvstore collection = DomainSelector_collection fields_list = host, DomainNetBIOSName, DomainDNSName, ForestName, Site [EventCodes] filename=EventCodes.csv max_matches=1 DomainSelector is a collection, while EventCodes is just a .csv. This is going beyond my limited knowledge, so I'm hoping for some help. How do I get the inputlookup command to work for DomainSelector? Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-14-2020 01:41 PM
Karma from
View All