Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About marksnelling
marksnelling
Communicator
Member since:
02-06-2012
06-05-2020
Community Statistics
| Posts | 49 |
| Solutions | 5 |
| Karma Given | 4 |
| Karma Received | 15 |
| Member Since | 02-06-2012 |
Activity Feed
- Got Karma for Splunk Add-on for Microsoft Windows: Why am I getting error "Missing FORMAT for: transform_name='Security_ID_as_src_nt_domain'"?. 06-05-2020 12:47 AM
- Got Karma for How do I disable admon, netmon, powershell etc scripts running on Windows UF 6.3.1. 06-05-2020 12:47 AM
- Karma Re: DateParserVerbose - timestamp match is outside of the acceptable time window for yannK. 06-05-2020 12:46 AM
- Karma Re: Parsing Redis logs for _d_. 06-05-2020 12:46 AM
- Karma Re: Per-app machineTypesFilter broken in serverclass.conf for ctux. 06-05-2020 12:46 AM
- Karma Re: Scheduled Real-time AlertsTerminating for piebob. 06-05-2020 12:46 AM
- Got Karma for Empty scheduled PDF reports. 06-05-2020 12:46 AM
- Got Karma for Empty scheduled PDF reports. 06-05-2020 12:46 AM
- Got Karma for Empty scheduled PDF reports. 06-05-2020 12:46 AM
- Got Karma for Empty scheduled PDF reports. 06-05-2020 12:46 AM
- Got Karma for Re: Empty scheduled PDF reports. 06-05-2020 12:46 AM
- Got Karma for Shuttl archiving errors. 06-05-2020 12:46 AM
- Got Karma for Problem enabling boot-start with user parameter. 06-05-2020 12:46 AM
- Got Karma for Shuttl setup/configuration with S3. 06-05-2020 12:46 AM
- Got Karma for DateParserVerbose - timestamp match is outside of the acceptable time window. 06-05-2020 12:46 AM
- Got Karma for Re: Real-time search with fixed start. 06-05-2020 12:46 AM
- Got Karma for Per-app machineTypesFilter broken in serverclass.conf. 06-05-2020 12:46 AM
- Got Karma for Scheduled Real-time AlertsTerminating. 06-05-2020 12:46 AM
- Got Karma for Re: "First-time-run has not finished." After migrating to new host. 06-05-2020 12:45 AM
- Posted Splunk 6.6.2 error sending alert email "ERROR:root:EOF occurred in violation of protocol (_ssl.c:676)" on Reporting. 08-08-2017 02:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 4 | |||
| 1 |
08-08-2017
02:36 AM
I just upgraded from Splunk 6.5.2 to 6.6.2 and now the emailing of alerts when using STARTTLS is broken. Looking at the splunkd.log file I can see the error ERROR:root:EOF occurred in violation of protocol (_ssl.c:676) .
Email works correctly if I disable the SMTP STARTTLS option in email settings which is less than ideal.
... View more
02-16-2016
06:27 AM
Ok, thanks your your help anyway.
... View more
02-15-2016
07:03 AM
Running that tool showed all of the perfmon, admon, powershel, powershell2 etc inputs as disabled but they are still running every 60s visibly in the Task Manager
... View more
02-15-2016
06:37 AM
Thanks, ok so I could probably find the network interface name easy enough but what should you use for admon, powershell, powershell2, regmon...
... View more
02-15-2016
04:08 AM
Here is one of the stanzas
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf dedicatedIoThreads = 2
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf enableSSL = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = ODIN
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf maxSockets = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf maxThreads = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf port = 8088
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf useDeploymentServer = 0
... View more
02-12-2016
03:27 AM
1 Karma
I'm not wanting to monitor these events and yet the scripts still run every minute (by looking at the task manager). I have tried adding stanzas to disable them in etc/system/local/inputs.conf but this doesn't seem to work, the still run.
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 1
[script://$SPLUNK_HOME\bin\scripts\splunk-netmon.path]
disabled = 1
[script://$SPLUNK_HOME\bin\scripts\splunk-winprintmon.path]
disabled = 1
[script://$SPLUNK_HOME\bin\scripts\splunk-powershell.path]
disabled = 1
[script://$SPLUNK_HOME\bin\scripts\splunk-powershell2.path]
disabled = 1
[WinRegMon]
disabled=1
[WinNetMon]
disabled=1
[WinPrintMon]
disabled=1
[perfmon]
disabled=1
[admon]
disabled=1
[powershell]
disabled=1
[powershell2]
disabled=1
I can see in the splunk.log file the following
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"
INFO ExecProcessor - interval: run once
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
INFO ExecProcessor - interval: 60000 ms
INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
INFO ExecProcessor - interval: 60000 ms
... View more
- Tags:
- splunk-enterprise
02-10-2015
08:46 AM
1 Karma
Hi,
I'm running the latest Splunk indexer and forwarders (6.2.1) with my indexer on Linux and my forwarders on Windows 2008 R2. I've also deployed the Splunk Add-on for Microsoft Windows (4.7.3) on both the indexer and forwarders.
I'm seeing a lot of the following errors in my splunkd.log
WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='Security_ID_as_src_nt_domain'
WARN SearchOperator:kv - Missing FORMAT for: transform_name='Security_ID_as_src_nt_domain'
What are these errors from and how can I fix them?
... View more
06-05-2014
09:00 AM
1 Karma
I have a number of real-time alerts scheduled that prior to upgrading to Splunk 6.1 would run continuously. Since the upgrade these jobs now stop alerting even though the jobs are visible in the Activity/Jobs window and are in status "Running 100%".
To get the jobs to start alerting again I have to either delete and recreate them.
Is this a known issue or have I missed a breaking change somewhere in the upgrade?
... View more
04-23-2014
04:09 AM
Yes the default movement from cold to frozen means that you can copy buckets back to splunk, but the way these buckets are stored in S3 means I can't copy them back out an into splunk. I also couldn't run Splunk in AWS and read them there.
I suggest you try and setup Shuttl to archive into S3 and then access S3 using some other file transfer application (such as DragonDisk or CyberDuck) and see if you can meaningfully extract any buckets the way you suggest.
... View more
04-23-2014
03:40 AM
I would like the data stored on S3 to be in a format that isn't seemingly tied to Shuttl like it is now. Preferably in files/directories just like if I were to specify coldToFrozenDir in the indexes.conf.
... View more
04-11-2014
04:39 AM
I'll give it a try but it doesn't answer my original question. Is the app going to be continually developed or has it hit a dead end?
... View more
04-11-2014
04:00 AM
Yes but have you actually tried to view the data directly on S3 and not using the Shuttl app? It is stored using a whole lot of block_123456789... files in the root directory , there is an archive_root folder that contains something that looks like the directory structure of an archived bucket but all the files are about 21 bytes. I can't see a way of mapping these little files to the block_* files in the root!
... View more
04-11-2014
02:14 AM
Development on the Shuttl app seems to have stopped, is this app still supported and going to be actively developed?
I started using this app to allow us to archive our frozen buckets in S3 however I disabled it due to concerns about the format of the stored data as I wasn't able to retrieve the data manually from S3 in any meaningful way.
I would like to start using this app again but not if development has stalled.
... View more
- Tags:
- Shuttl
12-05-2013
02:54 AM
I'm also getting this problem since upgrading to Splunk 6.0. I have a generic windows serverClass and a serverClass for SQL server.
The SQL serverClass defines it's own repositoryLocation for the TA-SQLServer app, somehow my generic windows serverClass is also using this repositoryLocation to locate the SA-ModularInput-PowerShell app instead of the one defined in [global] .
Here are the relevant sections of my serverclass.conf . I haven't found a solution to this yet.
[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
stateOnClient = enabled
restartSplunkd = true
whitelist.0 = *
[serverClass:Windows]
machineTypesFilter = windows-x64
whitelist.0 = *
[serverClass:Windows:app:Splunk_TA_windows]
[serverClass:Windows:app:SA-ModularInput-PowerShell]
[serverClass:MSSQL]
whitelist.0 = sql01
repositoryLocation = $SPLUNK_HOME/etc/apps/Splunk_for_SQLServer/appserver/addons
[serverClass:SQLServer:app:TA-SQLServer]
... View more
11-22-2013
04:01 AM
I'd also be happy to help. It seems that all development on Shuttl has stalled, it's not even flagged as supporting Splunk 6.0!
... View more
07-26-2013
05:10 AM
1 Karma
I have a server class defined in serverclass.conf and I want to install a different app based on the machineTypesFilter.
[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
stateOnClient = enabled
restartSplunkd = true
whitelist.0 = *
[serverClass:SomeClass]
whitelist.0 = *
[serverClass:SomeClass:app:WindowsApp]
machineTypesFilter = windows-x64
[serverClass:SomeClass:app:LinuxApp]
machineTypesFilter = linux-x86_64
However the machineTypesFilter seems to be broken and no apps are deployed.
This is basically a copy of Example 3 in the serverclass.conf documentation.
... View more
05-14-2013
06:49 AM
This resolved itself with absolutely no help from me. The forwarders just started passing the WinEventLog:Security events on their own.
... View more
05-08-2013
03:08 AM
Hi
I'm using Spunk 5.0.2 and the latest versions of the Splunk for Windows app and TA. I have Forwarders installed on a number of Windows Server 2008 R2 machines including a domain controller.
The forwarder on the DC is sending all WinEventLog:* events to the indexer but the forwarders on the other machines are sending everything but the WinEventLog:Security events.
Why aren't my non-DC machines sending the the WinEventLog:Security events?
[default]
evt_dc_name = \\DC01.mydomain
evt_dns_name =
###### OS Logs ######
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
... View more
04-30-2013
06:45 AM
I'm using v0.8.3.1 from Github. The application download from Splunkbase doesn't work.
... View more
04-30-2013
06:43 AM
1 Karma
I'm having a LOT of trouble getting Shuttl to work with my S3 backend. I can see some buckets in there but my shuttle logs are full of failed bucket messages. Looking at the entries in the shuttl index I can see a lot of these messages.
2013-04-30 14:35:59,091 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/%2Farchive_root%2Ftemporary_data%2Fmonitor%2Farchive_root%2Farchive_data%2Ftrading%2Fmonitor%2F_blocksignature%2Fdb_1343444042_1342777976_4%2FSPLUNK_BUCKET%2Farchive_meta%2Fbucket.size' - Unexpected response code 404, expected 200
2013-04-30 14:35:59,092 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/%2Farchive_root%2Ftemporary_data%2Fmonitor%2Farchive_root%2Farchive_data%2Ftrading%2Fmonitor%2F_blocksignature%2Fdb_1343444042_1342777976_4%2FSPLUNK_BUCKET%2Farchive_meta%2Fbucket.size' - Received error response with XML message
2013-04-30 14:36:00,425 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/block_5879788359877019897' - Unexpected response code 404, expected 200
2013-04-30 14:36:00,425 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/block_5879788359877019897' - Received error response with XML message
2013-04-30 14:36:17,838 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/block_-5224164744863339667' - Unexpected response code 404, expected 200
2013-04-30 14:36:17,838 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/block_-5224164744863339667' - Received error response with XML message
2013-04-30 14:36:18,314 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/%2Farchive_root%2Ftemporary_data%2Fmonitor%2Farchive_root%2Farchive_data%2Ftrading%2Fmonitor%2F_blocksignature%2Fdb_1344129802_1343444051_5%2FSPLUNK_BUCKET%2FSources.data' - Unexpected response code 404, expected 200
2013-04-30 14:36:18,314 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/%2Farchive_root%2Ftemporary_data%2Fmonitor%2Farchive_root%2Farchive_data%2Ftrading%2Fmonitor%2F_blocksignature%2Fdb_1344129802_1343444051_5%2FSPLUNK_BUCKET%2FSources.data' - Received error response with XML message
2013-04-30 14:36:18,571 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/%2Farchive_root%2Ftemporary_data%2Fmonitor%2Farchive_root%2Farchive_data%2Ftrading%2Fmonitor%2F_blocksignature%2Fdb_1344956552_1344669951_7%2FSPLUNK_BUCKET_TGZ' - Unexpected response code 404, expected 200
2013-04-30 14:36:18,571 WARN org.jets3t.service.impl.rest.httpclient.RestS3Service: Response '/%2Farchive_root%2Ftemporary_data%2Fmonitor%2Farchive_root%2Farchive_data%2Ftrading%2Fmonitor%2F_blocksignature%2Fdb_1344956552_1344669951_7%2FSPLUNK_BUCKET_TGZ' - Received error response with XML message
... View more
- Tags:
- Shuttl
04-30-2013
02:00 AM
Here's a link to the XML generating the report http://pastebin.com/aEjgCS73
... View more
04-25-2013
07:38 AM
I'm getting this too, since I upgrade to Splunk 5.0.2. Did you find out what causes it?
... View more
