Hey Gang, I am running Splunk Enterprise 7.3.1, with a Search Head Cluster with 4 nodes across two sites and an indexing cluster that has 6 nodes across those same two sites. All of our Splunk servers are RHEL 7. I have "successfully" deployed the Splunk App for Jenkins to a Heavy Forwarder, and I'm successfully receiving Jenkins data from an onsite Jenkins install. I have seen data in the "User" role as part of the app, however, anytime I attempt to switch the dashboard roles over to "Admin" the whole screen goes white, and I have no options to do anything. We do have a custom index, and I have edited the search macros manually to point to the appropriate custom index. However, I still can't get to the Admin dashboards. Any and all help would be very appreciated. Sincerely, Matthew Granger ... View more

I have installed the most recent version of the Search Activity App (2.2.12) to the Server that is running Splunk Enterprise 7.0.3 on Red Hat Linux, and is currently operating as my Search Head Cluster "Deployer" and my DMC. I have also installed the current version of the SA-ldapsearch app (2.1.6) on this same machine. I have been able to run a successful LDAP test connection in the SA-ldapsearch app. However, when I try to configure "Basic LDAP Data" setup in the Search Activity App, and I attempt to select the "SA-LDAPSearch" option, Nothing populates in the Domains drop down box and there is a message below it that says "Search produced no results". In addition, if I try to use the search that is offered up as the "Existing LDAP Lookup" search, it claims there are no results. I would really like to use this app, but I'm having a very difficult time getting it up and running. Any help would be appreciated. BTW, I attempted to use the Support Request Link from within the app, however, it returned a “Page Not Found” error. In addition, I followed a link to an app page for David Veuve (the app creator) that had a "contact me" link that led to a contact email, and that email bounced. ... View more

Hey Gang, First, the basics. We are running a Splunk Enterprise 6.6.4 infrastructure on Red Hat Linux. We are attempting to collect data from a Cloud Foundry Log Drain, as documented here: https://docs.cloudfoundry.org/devguide/services/integrate-splunk.html We have almost everything working properly, however, for some reason, we are receiving the HTTP header information (about 7 lines of it), but we are not receiving the body of the message. We have confirmed by using TCP packet captures that complete messages are being sent to my Splunk Heavy Forwarder, but when I look in Splunk at the index I've created for this purpose, the body of the messages are not being received. I have several concerns. First, we are running the 1.1 version of the RFC5424_Syslog, and there haven't been any updates to this app since 2014. Second, the "Splunk Compatibility" of this app only goes through version 6.1 (which I'm sure was probably the current version back in 2014 when the last update was made). Is anyone familiar with this app? Has anyone had an issue with losing the body of the message while using this app? Any help would be appreciated. Sincerely, Matthew Granger ... View more

Okay, here we go. Let's get the basics out of the way. We run Splunk Enterprise 6.6.4, on-prem, from Linux based servers (RedHat). We have 4 indexers, but they aren't clustered, they are just autoLB. I don't think any of this will effect my question, but I like to set the stage. I'm the Splunk admin for our organization, and while I can muddle my way through Regex, I'm not great with it. I have a situation where there is a data source that throws multiple "records" into a single Splunk "event". This data source is coming off of a mainframe feed where I don't really have the option of altering the source data. Every "record" within the "event" starts with a userid that can be any letter, number or character and may be somewhere between 1 and 8 characters. That user id is followed immediate by a space, 9 dashes, another space and then the word "STRING(S)". I basically need a regex that will pull out each "record" into its own string. I have been able to write a regex that successfully pulls out every other record, but because I have to use the " --------- STRING(S) FOUND" as the terminating string as well as the starting string, I don't know how to tell it to read the terminating string to determine the record is over, but then effectively back up and use the terminating string of one record as the starting string of the next record. Further adding to the complexity is the fact that there may be several CR LF (carriage return, line feed) hidden characters in the string that I want to capture. I've included some sample data, and in the sample data, I need to capture from "@1YMD" down to, but not including "@2EDA". Then, I need the next capture string to go from "@2EDA" and go up to but not include "@2EDC" (and then so on, and so forth through the whole event). I want to capture everything from the word prior to " --------- STRING(S)" to the next occurrence of " --------- STRING(S)" without reading the second userid, so that it is available to start the next record. I've tried non capture groups and having it "give back" some of the characters, but I can't get it just right. This is as close as I've gotten: (?<member_string>(?<member>[a-zA-Z0-9\@]{1,8})\s+---------\sSTRING\(S\).*?)\s[a-zA-Z0-9\@]{1,8}\s---------\sSTRING(S) I'm really hoping this makes sense to all of you, and that I don't sound like an idiot. Any help would be appreciated. Sincerely, Matthew Granger P.S. - I've tried to clean up the regex to display properly in the "preview" to show less than and greater than symbols and such, hopefully I've do okay @1YMD --------- STRING(S) FOUND ------------------- 1 00001000$KEY(1YMD) TYPE(AKC) 2 00002000 UID(EJB7) ALLOW 3 00003000 UID(EJC7) ALLOW 4 00005000 UID(EJF4) ALLOW 5 00006000 UID(EJF5) ALLOW 6 00007000 UID(EJ03) ALLOW 7 00008000 UID(EJ18) ALLOW 8 00009000 UID(EJ19) ALLOW 9 00010000 UID(EJ20) ALLOW 10 00011000 UID(EJ21) ALLOW 11 00013000 UID(EJ54) ALLOW 12 00014000 UID(EJ55) ALLOW 13 00015000 UID(EJ58) ALLOW 14 00016000 UID(EJ62) ALLOW 15 00017000 UID(E*KG01) ALLOW 16 00018000 UID(EKL00) ALLOW @2EDA --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EDA) TYPE(AKC) 3 00002001 UID(EJ19) ALLOW 4 00002101 UID(EJ20) ALLOW 5 00002202 UID(EJ21) ALLOW @2EDC --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EDC) TYPE(AKC) 3 00002000 UID(EJB7) ALLOW 4 00003000 UID(EJF4) ALLOW 5 00004000 UID(EJF5) ALLOW 6 00005000 UID(EJ03) ALLOW 7 00007000 UID(EJ18) ALLOW 8 00008000 UID(EJ19) ALLOW 9 00009000 UID(EJ20) ALLOW 10 00010000 UID(EJ21) ALLOW 11 00011000 UID(EJ54) ALLOW 12 00012000 UID(EJ58) ALLOW 13 00013000 UID(EJ60) ALLOW 14 00014000 UID(EKL00ON) ALLOW ISRSUPC - MVS/PDF FILE/LINE/WORD/BYTE/SFOR COMPARE UTILITY- ISPF FOR z/OS 2017/12/20 0.15 PAGE 6 LINE-# SOURCE SECTION SRCH DSN: SECURITY.ACF2AKC.RULES 15 00015000 UID(E**I9) ALLOW @2EMT --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2EMT) TYPE(AKC) 3 00002000 UID(EJB7) ALLOW 4 00003000 UID(EJF4) ALLOW 5 00004000 UID(EJF5) ALLOW 6 00005000 UID(EJ03) ALLOW 7 00007000 UID(EJ18) ALLOW 8 00008000 UID(EJ19) ALLOW 9 00009000 UID(EJ20) ALLOW 10 00010000 UID(EJ21) ALLOW 11 00011000 UID(EJ54) ALLOW 12 00012000 UID(EJ58) ALLOW 13 00013000 UID(EJ60) ALLOW 14 00014000 UID(EKL00ON) ALLOW 15 00015000 UID(E****I9) ALLOW @2FCS --------- STRING(S) FOUND ------------------- 2 00001000$KEY(2FCS) TYPE(AKC) 3 00002000 UID(EJB7) ALLOW 4 00003000 UID(EJF4) ALLOW 5 00004000 UID(EJF5) ALLOW 6 00005000 UID(EJ03) ALLOW 7 00007000 UID(EJ18) ALLOW 8 00008000 UID(EJ19) ALLOW 9 00009000 UID(EJ20) ALLOW 10 00010000 UID(EJ21) ALLOW 11 00011000 UID(EJ54) ALLOW 12 00012000 UID(EJ58) ALLOW 13 00013000 UID(EJ60) ALLOW 14 00014000 UID(EKL00ON) ALLOW 15 00015000 UID(E*******I9) ALLOW ... View more

Hey Gang, Here are the basics: We are running Splunk Enterprise 6.5.1. I have a distributed architecture that has two separate search heads, 4 indexers with AutoLB (but no clustering) and a deployment server (all 6.5.1 running on RedHat). Now for the actual question. We have 70 or more websphere servers that are all similarly named (i.e. prdwas01, prdwas02, prdwas03...tstwas01, tstwas02, tstwas03....stgwas01, stgwas02, stgwas03....etc.etc.etc.). I have a series of extracted fields that I pull from the "source" value (see below): EXTRACT-sourcefields = (?<WAS_Cluster_All>(?<=logs\/)[a-zA-Z0-9.]++) in source EXTRACT-sourcefileds = \/logs\/(?<WAS_JVM_name>[a-zA-Z0-9]++)_(?[a-zA-Z0-9]++) in source Basically, I'm pulling out some cluster and JVM characteristics from the file path of the source. Now, I would like to apply this across all 70 websphere servers. As near as I can tell, you can only specify field extractions for host, source or sourcetype. Well, I want to be able to pull these values across 70 or more different servers without having to enter in over 70 separate stanzas. If I could apply it based on index I'd be fine, but that's not an option. I have seen some articles on answers that reference using regex as part of the stanza title for these extractions in source and sourcetype, and I have attempted some of those, and not gotten them to work. Ideally, I would like to have a stanza that said something along the lines of: [host::.{3}was\d\d] That would represent any hostname that had 3 characters, then the letters 'was' and then two digits and have it then apply the included field extractions. I spoke with my sales engineer, and he claimed that it wasn't possible to use regex as part of the stanza header, and I wasn't able to get any of the examples from answers to work, so I decided to ask a question that specifically dealt with what I was trying to do. Any thoughts or information would be very appreciated. Thanks, Matthew Granger ... View more

Hey Gang, We are currently running Splunk Enterprise 6.3.1 on RHEL 6.x servers. I have a string value that I have brought in from a long that represents hours, minutes, and seconds in the form HH:mm:ss , and the user would like to graph the trend of the duration. The easiest way that I can think of to do this would be to convert this string into a number of seconds so that I could represent a single numeric value to graph. Does anyone have an easy way to do this, or an alternate way to graph HH:mm:ss ? Thanks, in advance for any help you may be able to provide. ... View more