Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MaverickT
MaverickT
Communicator
Member since:
05-16-2013
07-30-2021
Community Statistics
| Posts | 65 |
| Solutions | 5 |
| Karma Given | 24 |
| Karma Received | 21 |
| Member Since | 05-16-2013 |
Activity Feed
- Posted Re: tstats where index=_internal no results on Monitoring Splunk. 07-29-2021 12:08 AM
- Tagged tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:57 PM
- Tagged Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:56 PM
- Tagged Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:55 PM
- Posted Re: tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 12:51 PM
- Posted tstats where index=_internal no results on Monitoring Splunk. 07-28-2021 07:52 AM
- Got Karma for Re: Assign multiple risk objects in Risk Analysis. 05-03-2021 08:14 AM
- Got Karma for Re: Assign multiple risk objects in Risk Analysis. 05-02-2021 04:02 PM
- Karma Re: biuld a siem without Enterprise security app for radam2000. 04-29-2021 11:20 PM
- Posted Re: Assign multiple risk objects in Risk Analysis on Splunk Enterprise Security. 04-29-2021 11:11 PM
- Posted Adaptive Response Action Send email not sending results on Splunk Enterprise Security. 04-29-2021 11:08 PM
- Posted Re: Not receiving CrowdStrike Intel Indicators events on Getting Data In. 01-22-2021 07:51 AM
- Got Karma for Re: Splunk ES taxii feed - AlienVault OTX config. 11-23-2020 12:50 AM
- Posted Re: Splunk ES taxii feed - AlienVault OTX config on Splunk Enterprise Security. 11-22-2020 11:46 PM
- Got Karma for Re: How to integrate Microsoft Cloud App security with Splunk. 11-16-2020 02:17 PM
- Posted Re: How to integrate Microsoft Cloud App security with Splunk on All Apps and Add-ons. 11-09-2020 12:58 AM
- Karma Re: Mac OS X Sierra - How to get all logs from the Unified Log database? for rkantamaneni_sp. 10-12-2020 11:30 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
07-29-2021
12:08 AM
Yes, thats exactly the behaviour. To be more precise - tstats does not fail, it just doesnt return any results. To make things even more challenging - same tstats command works on other indexes.
... View more
07-28-2021
12:51 PM
Thanks for your reply. I guess I wasn't clear enough. I run search on search head, the search log is taken from search head, but also includes log from indexer. It is taken from here: $SPLUNK_HOME/var/run/splunk/dispatch/$SEARCH_JOB_ID/remote_logs/$INDEXER.search.log I am sure all logs from search heads, heavy and universal forwarders are forwarded to indexer tier, since normal search (eg. index=_internal | stats count by host) produces results.
... View more
07-28-2021
07:52 AM
I am trying to run the following tstats search on indexer cluster, recently updated to splunk 8.2.1: | tstats count where index=_internal by host The search returns no results, I suspect that the reason is this message in search log of the indexer: Mixed mode is disabled, skipping search for bucket with no TSIDX data: \opt\splunkhot\_internaldb\db\hot_v1_4334 When I check the specified bucket folder, I can see the tsidx files inside. Interesting fact is, that this issue occurs only with _internal index, same command works fine with other indexes. I have datamodel "Splunk's Internal Server Logs" enabled and accelerated. Any suggestions where to start troubleshooting this issue?
... View more
Labels
04-29-2021
11:11 PM
2 Karma
The easyest way is to upgrade your Enterprise Security to 6.4, which has the option to add multiple risk analysis to the same result.
... View more
04-29-2021
11:08 PM
We made a clean installation of on-prem Splunk Enterprise 8.0.9 and Enterprise Security 6.4.0. When correlation search returns results, we would like to append these results to an email via adaptive response action "Send Email". We had selected the option to include an inline-table, but regardless of this setting, the table with results is still not added to the email. There are two additional findings we discovered: If we try to append results of standard alert search (non-correlation search) to an email it works. If we set sendresults = 1 in $SPLUNK_HOME/etc/system/local/alert_actions.conf it also works but not for all correlation searches... Has anybody encountered such problems and how did you solve it?
... View more
Labels
- Labels:
-
notable event
-
troubleshooting
01-22-2021
07:51 AM
Which "CloudStrike cloud environment" do you have selected? In my case it didn't work until "EU Cloud" was selected. After switching to "US Commercial" it started working. Currently using EU Cloud is not beneficiary, since all requests are (at least currently) redirected to US commercial anyway.
... View more
11-22-2020
11:46 PM
1 Karma
My advice is to install Splunk Add-on for Open Threat Exchange and Supporting Add-on for Open Threat Exchange. The installation is pretty straight forward and configuration guide can be found in the Details section of each Add-on on splunkbase. I've managed to install and configure those add-ons in less than an hour. https://splunkbase.splunk.com/app/4336/ https://splunkbase.splunk.com/app/4337/
... View more
11-09-2020
12:58 AM
1 Karma
Since October 2020 there is add-on available for this matter: Microsoft Cloud App Security Add-on for Splunk
... View more
08-14-2020
07:20 AM
It is probably not a direct answer to your question. But by looking at your printsceen you have selected Continous scheduling, but in the "Latest Time" is formed in real-time format (rt+5m@m).
... View more
08-14-2020
07:16 AM
There is an option to code your own adaptive response action, which can be used to forward the data to other systems. But you will need to do a little bit of python coding... https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/
... View more
08-14-2020
02:05 AM
There is no way of doing Splunk database backup via GUI. Even the CLI might get a little bit complicated, because you have to roll the buckets before making backup. You can learn more about making backup here: https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Backupindexeddata https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/BackupKVstore Maybe you should consider moving the cold buckets to the QNAP NAS?
... View more
08-14-2020
01:34 AM
Can you check if you maybe have "Remote event log collections" enabled for this host on one of your Splunk instances? This is one of the reasons why there can be duplicate data..
... View more
- Tags:
- Can
07-09-2020
11:07 AM
Oh, sorry, fast reading. I am trying to download splunk 7.3.1.1 to help you, but somehow the download link for previous releases of splunk doesn't work :/.
... View more
07-09-2020
10:43 AM
Just one addon to your arhitecture. Search head cluster should have at least 3 members. Otherwise it won't be able to elect the search head captain.
... View more
07-09-2020
10:38 AM
We had just installed Splunk Add-on for Amazon Web Services on brand new Splunk server version 8. Works like a charm. You've mentioned that you are using Splunk 7.3.1.1. That might be the reason it is not working, since latest version of Add-on is supported only on Splunk version 8. I guess you have two options: Upgrade your heavy forwarder to latest splunk version Use old version of add-on - 4.6.1. is supported with splunk 7.3.
... View more
07-09-2020
05:33 AM
After small amount of scripting and even greater amount of waiting we finally managed to get those slice files merged with journal.gz. We tried uncompressing journal.gz and just appending slice file, but it didn't work. Final solution was to use "splunk cmd exporttool" and "splunk cmd importtool". Because the amount of bucket, that needed to be fixed was above 2500 we addapted the export/import script that was published splunkwiki years ago. I am sharing it here in case somebody needs it in future. #!/bin/bash
:'
This is a bucket fixup script. It fixes the buckets with leftover slices by using export command.
It also renames buckets that are single-instance to cluster format (by adding instance GUID)
Author: Žiga Humar, Our Space Appliances
Author takes no responsibily for this script or for any data corruption it might cause.
Thanks to jrodman, whos script was good starting point. And to Christian Bran at Splunk Support who expained me the
logic about leftover slices.
'
# EDIT YOUR VARIABLES HERE
BUCKET_TMPDIR=/tmp
SPLUNK_HOME=/opt/splunk
SPLUNK_BIN=/opt/splunk/bin/splunk
INSTANCE_GUID="C221DE6A-20A8-41B8-A8D2-27E1F7A4B0B8"
PATHS=(splunkhot splunkcold)
# VARIABLES FINISHED
EXPORT_CMD="$SPLUNK_BIN cmd exporttool"
IMPORT_CMD="$SPLUNK_BIN cmd importtool"
declare -a index_list
# select indexes to process
for path in ${PATHS[0]};
do
for index in /opt/$path/*;
do
index_name=$(basename $index)
if [ -d $index ] && [ ${index_name:0:1} != "_" ] && [ $index_name != "audit" ]
then
index_list+=($index_name)
fi
done
done
# loop trough hot and warm paths
for path in ${PATHS[@]};
do
echo "$(date) Processing path=/opt/$path/"
# loop trought indexes
for index in /opt/$path/*;
do
index_name=$(basename $index)
# check if this index should be processes by this instance
index_found=0
for iteration_index in "${index_list[@]}"
do
if [ "$iteration_index" == "$index_name" ] ; then
index_found=1
fi
done
# if this is folder and if it should be processed keep on going
if [ -d $index ] && [ $index_found == 1 ]
then
echo "$(date) Processing index: $index_name"
for bucket in $index/*/db_*;
do
bucket_dir=$(dirname $bucket)
bucket_name=$(basename $bucket)
if [ -d $bucket ] && [ ${bucket_name:0:2} == "db" ]
then
bucket_id_guid=$(echo $bucket_name | sed 's/db_[0-9]*_[0-9]*_//')
bucket_guid=$(echo $bucket_id_guid | sed 's/[0-9]*//')
bucket_id=$(echo $bucket_id_guid | sed 's/_[0-9a-Z\-]*$//')
#echo "$(date) Checking bucket=$bucket_id index=$index_name"
#echo "$(date) Guid: ${bucket_guid}"
# If rawdata folder contains uncompressed slice file, do the export/import procesure
if [ $(find $bucket -type f -regex '.*rawdata/[0-9]+$' | wc -l ) != "0" ] ;
then
echo "$(date) FIXUP task for bucket=${bucket_id} index=$index_name required"
echo "$(date) Exporting bucket=${bucket_id} index=$index_name"
NEW_BUCKET=$BUCKET_TMPDIR/new_bucket_$index_$bucket_id
EXPORTING_BUCKET=$BUCKET_TMPDIR/export_bucket_$index_$bucket_id.csv
# delete old export files (just in case they are left from previous migration)
rm -Rf $NEW_BUCKET
rm -Rf $EXPORTING_BUCKET
# do export
SECONDS=0
$EXPORT_CMD $bucket $EXPORTING_BUCKET -csv
EXPORT_ENDTIME=$(date +%s)
duration_export=$SECONDS
echo "Export took $duration_export seconds."
# do import
echo "$(date) Reimporting bucket=${bucket_id} index=$index_name"
SECONDS=0
$IMPORT_CMD $NEW_BUCKET $EXPORTING_BUCKET
duration_import=$SECONDS
echo "Reimport took $duration_import seconds."
# go into new bucket and get earliest and latest time in the bucket
(cd $NEW_BUCKET; ls *.tsidx | sed 's/-[0-9]\+\.tsidx$//' |sed 's/-/ /') | {
global_low=0
global_high=0
while read high low; do
if [ $global_high -eq 0 ] || [ $high -gt $global_high ]; then
global_high=$high
fi
if [ $global_low -eq 0 ] || [ $low -lt $global_low ]; then
global_low=$low
fi
done
REAL_BUCKET_NAME=db_${global_high}_${global_low}_${bucket_id}_${INSTANCE_GUID}
# move the old bucket to temporary location
if [ -d $bucket ];
then
mv $bucket $BUCKET_TMPDIR
else
echo >&2 bucket $bucket vanished while processing.. inserting new one and hoping for the best
fi
# replacing old bucket with a new one
echo "Replacing bucket=${bucket_id} index=$index_name"
mv $NEW_BUCKET $bucket_dir/$REAL_BUCKET_NAME
}
# delete temporary export file and the old one.
rm -rf $BUCKET_TMPDIR/$bucket_name # delete old one
rm $EXPORTING_BUCKET # delete exported one
# if bucket folder doesn't end with the INSTANCE_GUID, lets append it
elif [ "$bucket_guid" != "_${INSTANCE_GUID}" ];
then
echo "$(date) Renaming bucket=${bucket_id} from single instance to cluster format index=$index_name"
mv $bucket ${bucket}_${INSTANCE_GUID}
fi
fi
done
fi
done
done
Just for info: we had 30% of buckets in this state. The total size of all indexes is 3 TB. It took us 4 days to run the script. And after running it, there was also a couple of other buckets that were corrupted which had to be exported in same fashion, but it was fast and easy job.
... View more
07-03-2020
06:55 AM
I've managed to fix it, by changing TZ to our local timezone in dbx_logging _formatter.py. From this: if os.getenv('TZ'):
os.unsetenv('TZ') To this: if os.getenv('TZ'):
os.putenv('TZ', 'Europe/Ljubljana') It should work until app is upgraded... 🙂 Thanks for this question, it directed me towards solution.
... View more
07-03-2020
06:33 AM
We are also struggling with this issue. Did you already found a solution?
... View more
07-01-2020
08:20 AM
Just an update: we are in contact with Splunk Support. This weird plain-text non-compressed file is a temporary slice file where fresh events are temporary written. When the slice is "full" it is appended to journal.gz. When buckets are being rotated from hot to warm, slice is merged with journal.gz. But in case of indexer crash, this slice is not merged with journal.gz so the bucket is left with journal.gz and the slice file. Now we are working on a way how to merge this slices with journal.gz as effective as possible. Will keep you posted.
... View more
06-29-2020
01:24 PM
Due to migration from a stand-alone indexer (on Windows) to three-node indexer cluster (CentOS), we are doing a test migration of an index. We had managed to copy all buckets to one of the new nodes (indexer01) and appended instances GUID to the end of the bucket folders, started splunk instaces, exited maintenance mode and waited for the replication to happen. And everything worked like charm until... We tried to search this newly migrated index for period "All time" on the cluster. The other two nodes returned the warning such as: [indexer02] Failed to read size=257 event(s) from rawdata in bucket='qualys~18~C221DE6A-20A8-41A8-A8D2-27E1F7A4B043' path='/opt/splunkcold/qualys/colddb/rb_1526515073_1526386468_18_A221DE6B-20A00-41A8-A8D2-27E1F7A4B043. Rawdata may be corrupt, see search.log. Results may be incomplete! We tried with repairing the specific bucket with splunk rebuild command and reinitiated the replication, but the result was same. So we dug a little deeper and figured out that the rawdata folder, which should contain journal.gz, slicemin.dat and slicesv2.dat also contains weird plain-text non-compressed file with raw events. It is named with a number which doesn't tell much. The question is the following - what is this file. It is located only on indexer01 and it is not being replicated to other nodes. Is there any way to append this file to journal.gz or to force the replication of this file as well.
... View more
Labels
- Labels:
-
indexer clustering
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-30-2021
03:16 AM
|
Karma given to
