09-25-2013
02:48 PM
After some more research and reading through the restmap.conf file I found the following
```
# Tags by tag name do not support ACL read or write. The UI looks bad when some
# entities support sharing and permissions while others do not.
[eai:ntags]
showInDirSvc = false
```
I am taking this to mean that you cannot modify the ACLs for tags via REST.
To this I say BOOOOOOO!
If anyone from Splunk is reading this please mark this as something to be fixed/changed/corrected in the next minor release. Effectively the state of things now is that while you can create and remove tags there's no way to make them visible to anyone other than the user creating the tags. What I want is a programmatic way to bulk create and manage tags. I have a dynamic environment in which hosts come and go. I'd like to make sure that as new hosts come into being I can give them relevant tags based on our organization.
09-25-2013
02:12 PM
So now that I've been trying different ways to solve this and no matter what I try I still get "Unknown endpoint" I'm starting to wonder if there is an /acl endpoint for tags.
So, is it possible to change the permissions (ACLs) for a tag through the REST API?
09-25-2013
10:25 AM
Another data point for this. I can reproduce this behavior (unknown endpoint) in python as well as powershell.
09-25-2013
08:46 AM
The URI would be something like this:
```
https://{searchhead}:8089/services/search/tags/{tag_name}/acl
```
09-25-2013
08:19 AM
1 Karma
Howdy all,
I'm working in PowerShell and accessing the REST API and I'm running into a problem. My goal is to create a bunch of tags which is all fine and good until I try and change the ACLs on the tag and I get the error "Unknown endpoint."
Here's the code I'm using right now:
```powershell
# $vm, $folder and $headers are assumed to be set earlier in the script (not shown in the post)
$taginfo = "add=moname::" + $vm.Name
$aclinfo = "perms.read=*&sharing=global"
$endpoint = "/services/search/tags"
$baseuri = "https://{searchhead}:8089"
$uri = $baseuri + $endpoint + "/" + $folder.Name

# Create the tag, then read it back
Invoke-RestMethod -Verbose -Uri $uri -Method Post -Headers $headers -Body $taginfo
Invoke-RestMethod -Verbose -Uri $uri -Method Get -Headers $headers

# Append /acl to the tag URI; requests to this URI return "Unknown endpoint"
$uri += "/acl"
#Invoke-RestMethod -Verbose -Uri $uri -Method Post -Headers $headers -Body $aclinfo
Invoke-RestMethod -Verbose -Uri $uri -Method Get -Headers $headers
```
The portion that creates the tag works just fine. And I can get information about the tag that has been created back. As soon as I try and connect to the acl endpoint I get the "Unknown endpoint" error.
I'm guessing that there is something really obvious that I'm missing, what is it?
Please and Thank You
Colin J.
07-17-2013
10:35 AM
The problem that still remains is what is the default installation directory? The VMware Tools can be installed in any of the following ways:
- Installed from a script.
- Installed as a package.
- Built from source (with the open source tools).
All of these leave things installed in different places.
07-17-2013
10:23 AM
Howdy all,
Now that I have Splunk for VMware up and running I've noticed that vCenter reports that the version of VMware Tools that is running on the forwarder appliance is not current. The guide (VMware Tools Installation Guide For Operating System Specific Packages) that VMware provides says to first remove any old copies of the VMware Tools before upgrading. Now I know the basics of using yum and rpm to install and remove packages. What I don't know is how or in what form the VMware tools are installed on the forwarder appliance. So, my questions are as follows:
- What version of VMware Tools is installed on the Forwarder Appliance?
- What is the right way to remove an older version of the VMware Tools from the Forwarder Appliance?
- What is the right way to install a new(er) version of the VMware Tools on the Forwarder Appliance?
07-03-2013
08:17 AM
1 Karma
CPU ready time was just about the hardest thing for me to get my head around when I started working with vSphere and I'm still not always sure that I get it completely. The hardest part in understanding ready time is remembering that it is a summation of the ready times for all the vCPUs the VM has. However, when VMware talks about when you should worry they talk about ready times on a per vCPU basis. This means that you have to factor in how many vCPUs a machine has.
VMware says that 1000ms/vCPU should be the warning point and 2000ms/vCPU should be the critical point. Since CPU ready times are collected over a 20 second period (20000ms) these work out to 5% and 10% respectively. The search below is what I use to look at CPU ready times. For any given VM it will look up the VM in the inventory that Splunk generates so that it can divide the SumRdy_ms by the number of CPUs (numCpu). From that I can then get the max values and the average values for my normalized Sum Ready Time.
```
index=vmware source="VirtualMachinePerf" SumRdy_ms="*" perftype="cpu" moname="vmname"
| lookup TimeHierarchyVMSummary moname
| eval SumRdyPerCpu_ms=(SumRdy_ms / numCpu)
| timechart max(SumRdy_ms) AS "Sum Ready Time"
    max(SumRdyPerCpu_ms) AS "Max Normalized Ready Time"
    avg(SumRdyPerCpu_ms) AS "Average Normalized Ready Time"
```
07-03-2013
07:32 AM
So now my question is, was this package left off of the FA intentionally? If so why? Can it be included in future releases of the FA?
07-03-2013
07:32 AM
1 Karma
Well, here's what I did to solve this at least in the short run.
- Found the necessary package with yum: `yum whatprovides *bin/sar`
- Installed the necessary package with yum: `sudo yum install sysstat-7.0.2-12.el5.x86_64`
07-03-2013
07:12 AM
Howdy all,
I've got the Forwarder Appliance for Splunk for VMware up and running and I was hoping to monitor its behavior via Splunk. Since it is basically a Linux (CentOS) VM I have enabled the *nix app on it which seems to be working, for the most part. However there seem to be some data that are missing. It looks like neither sar nor iostat is available on the FA. What this means is that I cannot collect CPU stats (among other things) from the FA. My reason for wanting this data is so that I can see how loaded the FA is and so that I can make a case for increasing its resources (CPU and RAM) if it is overloaded.
So, what's the right way to get all of the *nix app inputs to work properly on the FA?
07-02-2013
02:16 PM
Nerd, heal thyself.
So what was going wrong here was the same thing that my mechanic says goes wrong with my car, it was the nut that holds the steering wheel.
What I hadn't taken into account is the caching that a browser does with a web page. So although I was changing the XML for the page I was not updating that when I viewed the page. Once I realized what I was doing it all worked fine.
So, always make sure that you aren't caching the page you are trying to look at if you are making changes.
Here endeth the lesson.
07-02-2013
02:11 PM
Howdy all,
As I work my way through the installation and configuration documentation for Splunk for VMware I've run into a problem. I'm trying to follow the instructions for obfuscating the passwords but I'm running into some problems.
The instructions talk about an engine.conf file which doesn't seem to exist in version 2.0. I have an engine.template file and then all of the files that are generated by enginebuilder.py based on that template file.
Do I need to create individual credential files for each configuration file I have and then concatenate them together? Is there some way I can use the engine.template file? I've tried this and credentials.pl doesn't seem to like it.
Thoughts and suggestions are welcome
06-28-2013
02:01 PM
$hostname$ is getting passed from a drop down selection earlier in the form. If I remove the lookup and eval lines from the search it works just fine.
```xml
<input type="dropdown" token="hostname" searchWhenChanged="true">
  <label>Host:</label>
  <populatingSearch fieldForValue="moname" fieldForLabel="moname">
    | inputlookup TimeHierarchyVMSummary
    | search type=VirtualMachine Cluster=CloudCluster
    | dedup moname
    | sort + moname
  </populatingSearch>
</input>
```
06-28-2013
01:30 PM
Howdy all,
I'm working with the Splunk for VMware app and I'm having trouble with a lookup. The following search works just fine as a plain search:
```
index=vmware source="VirtualMachinePerf" SumRdy_ms="*" perftype="cpu" moname="m-mssqlprd017"
| lookup TimeHierarchyVMSummary moname AS moname
| eval SumRdyPerCpu_ms=(SumRdy_ms / numCpu)
| timechart max(SumRdy_ms) AS "Sum Ready Time" max(SumRdyPerCpu_ms) AS "Actual Time Spent"
```
However when I try and use it in a searchTemplate for a form:
```
index=vmware source="VirtualMachinePerf" SumRdy_ms="*" perftype="cpu" moname=$hostname$
| lookup TimeHierarchyVMSummary moname
| eval SumRdyPerCpu_ms=(SumRdy_ms / numCpu)
| timechart max(SumRdy_ms) AS "Sum Ready Time" max(SumRdyPerCpu_ms) AS "Actual Time Spent"
```
I get the following error:
```
PARSER: Applying intentions failed Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
```
Other than the use of a variable in the search when using it in the form everything is the same. If I remove the lookup then it all works just fine but I need the lookup so I can get the 'numCpu' value. Do I need to format the lookup differently when it is used in a searchTemplate?
06-26-2013
07:04 AM
And in this case the correct answer is: Check your firewalls.
Seems that we had another firewall between our FA and the ESXi hosts. Once that was taken care of everything worked as expected.
06-21-2013
02:16 PM
Howdy all,
I'm working on setting up the Splunk for VMware FA and I'm running into a problem. I've created an appropriate service account in Active Directory and I can connect to vCenter and the ESXi hosts using that service account and the vSphere client. However when I run enginebuilder.py I get the following for all of my ESXi hosts:
```
[splunkadmin@vsisplunkfa local]$ enginebuilder.py -c -l 2
Checking credentials on esx/i hosts...
checking permissions of ssv-splunk on ssvcloudn1.dsc.umich.edu...
ERROR: ssv-splunk has insufficient permissions on ssvcloudn1.dsc.umich.edu:
ran command:# logincreator.pl --target ssvcloudn1.dsc.umich.edu --ad 'XXXXX' --adpwd 'XXXXX'
output:
ERROR: cannot authenticate against ssvcloudn1.dsc.umich.edu with ssv-splunk and supplied password
```
I'm not sure what this means. I've checked and rechecked the role that I created and it has all (and only) of the permissions specified in the Creating service accounts documentation. Do these errors indicate that the Forwarder Appliance can't communicate at all with the ESXi hosts?
Any and all suggestions on how I might proceed are more than welcome.
06-20-2013
10:28 AM
The trouble here is with VMware and not Splunk. VMware stores the ready time as a summation across all vCPUs in each VM.
06-10-2013
10:29 AM
1 Karma
Has anyone else seen this behavior? I'm having the same problem. Single search running every five minutes. I get double the number of entries in the summary_index.
12-19-2012
07:51 AM
This is great! Given how much data this app is likely to collect I would suggest a tuning document forthwith.
12-13-2012
06:06 PM
1 Karma
Howdy all,
We just rolled out the Splunk for VMware suite to our test VMware environment for evaluation and I'm getting much higher throughput than expected. The docs for the VMware suite say to expect 800MB - 1GB of data indexed per day per ESXi host. I'm seeing 4x that much data being indexed and I'm wondering where things went pear-shaped.
Our test environment consists of two ESXi hosts and one vCenter installation running on a VM. We have a total of 16 running VMs in the environment and a few more that are turned off. This is not a busy system so when I saw 8GB/day going into the vmware index I started to get worried. We've had this running since Monday and I've been checking daily and the 8GB/day indexing rate has stayed true since Monday.
So, are there any thoughts on where things might be going wrong? Or why we are seeing so much data getting indexed?
08-17-2012
10:35 AM
Actually I'm going to take the blame on this one. I was using Chrome instead of Firefox. Once I switched browsers it worked just fine. So color me knucklehead.
08-16-2012
11:32 AM
2 Karma
Howdy all,
I've been using the Google Maps add-on for some time now with no problems. Today when I tried to use one of the dashboards I have created there's no map visible. All I get is:
"Loading Google Maps API..."
but no map.
I've upgraded to the current version of the add-on so now I'm not sure what to do.
Suggestions?
- Tags:
- google-maps
- maps
07-31-2012
11:44 AM
The Windows Admins are preventing me. They don't like installing "agents" on their domain controllers.
07-31-2012
10:49 AM
Howdy all,
We are running into a problem with the speed of a universal forwarder on one of our Windows servers (2008 R2 64bit).
Every two hours the Windows server will contact each of the eight domain controllers, get back all of the successful and failed login events for the past two hours and output those events to a saved event log file (.evtx). One file is created for each of the domain controllers for each two hour block. So over the course of the day we produce 12 files for each domain controller for a total of 96 files.
The forwarder on the Windows server is watching the directory that the files will appear in and then forwards on the contents of the files to our indexers. The universal forwarder is not keeping up with the amount of data being generated which is about ~700 MB for each two hour period. So what I'm wondering is what might be causing the lag? The performance is slow enough that the data is being generated faster than it can be forwarded.
I've turned up the maxKBps to 1024 in the limits.conf file for the forwarder but that does not seem to have helped. Can anyone suggest what else we might look at?
Please and thank you
Colin J.