About VijaySrrie

VijaySrrie · ‎09-13-2024

Hi All, I need to download and install below app via command line https://splunkbase.splunk.com/app/263 Please help me with the exact commands, I tried with multiple commands, login is successful and getting token but during app download getting 404 bad request error

VijaySrrie · ‎09-04-2024

Hi Team, We are trying to install - Auto Update MaxMind Database into our splunk https://splunkbase.splunk.com/app/5482 --> This is the splunk app We have the account id and the license key While testing this by running command - | maxminddbupdate We got below error HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /geoip/databases/GeoLite2-City/download?suffix=tar.gz (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))

VijaySrrie · ‎09-02-2024

Hi All, I am able to see only 4 status, why am I not able to see status=skipped and status = continued

VijaySrrie · ‎08-28-2024

@KendallW INFO ThruputProcessor [2963 parsing] - Current data throughput (5125 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf. We will try increasing the limits.

VijaySrrie · ‎08-23-2024

Hi Team, We could see latency in logs Log ingestion via - syslog Network devices --> Syslog server --> splunk Using below query, we could see minimum 10 mins to maxminum 60 mins log latency index="ABC" sourcetype="syslog" source="/syslog*" | eval indextime=strftime(_indextime,"%c") | table _raw _time indextime What should be our next steps to check where the latency is and how to fix it?

VijaySrrie · ‎08-23-2024

index=_introspection sourcetype=splunk_resource_usage host IN ("hostname" ) component=Hostwide | eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct') | eval Tenant=case(match(host,"name"),"Core",match(host,"name"),"Enterprise Security",match(host,"name"),"Critical Reports",match(host,"hostname"),"Mgmt",match(host,"hostname"),"IDX",match(host,"hostname"),"AWE",match(host,"hostname"),"ABC",1==1,host) | eval Env=case(match(host,"hostname"),"Prod",match(host,"hostname"),"E2E",match(host,"hostname"),"ABC",1==1,splunk_server) | fields host_zone Tenant _time total_cpu_usage | table host_zone Tenant _time total_cpu_usage | search host_zone="pr" Tenant="Core" | bin span=24h aligntime=@d _time | stats Perc90(total_cpu_usage) AS cpu_usage BY _time | trendline sma2(cpu_usage) AS trend | fields * trend

VijaySrrie · ‎08-18-2024

@ITWhisperer Yes, env and tenant are already extracted, yes, we need stat broken by env and tenant as well as time {"datetime":"08-19-2024 10:40:30.196 +1000","log_level":"INFO","component":"Hostwide","data":{"cpu_arch":"x86_64","os_name":"Linux","os_name_ext":"Linux","os_build":"#1 ABC Thu Apr 4 03:33:23 EDT 2024","os_version":"3.10.0-1160.118","instance_guid":"ABCDEFGH","splunk_version":"9.2.1","mem":"382641.051","mem_used":"41983.578","swap":"511.996","swap_used":"511.996","pg_paged_out":"50842005897","pg_swapped_out":"164124","forks":"00000600","cpu_count":"24","virtual_cpu_count":"48","runnable_process_count":"19","normalized_load_avg_1min":"1.14","cpu_user_pct":"45.35","cpu_system_pct":"10.68","cpu_idle_pct":"43.98"}}

VijaySrrie · ‎08-13-2024

I want to know how much CPU is utilized in our environment along with the trendline @ITWhisperer

VijaySrrie · ‎08-13-2024

Hi All, Need help with Timechart and trendline command for below query Both timechart and trendline command are not working index=_introspection sourcetype=splunk_resource_usage component=Hostwide | eval total_cpu_usage=('data.cpu_system_pct' + 'data.cpu_user_pct') | stats Perc90(total_cpu_usage) AS cpu_usage latest(_time) as _time by Env Tenant | timechart span=12h values(cpu_usage) as CPU | trendline sma2(CPU) AS trend

VijaySrrie · ‎07-31-2024

Hi All, I have a percentage value in one field in a dashboard studio. I need to add below colours 0% - 5% Green 5% - 10% Yellow others RED

VijaySrrie · ‎07-23-2024

Hi @gcusello I tried to clone it but there is no option to clone dashboard studio to classic dashboard, dashboard studio can be cloned only to dashboard studio.

VijaySrrie · ‎07-22-2024

Hi Team, Is there a easy way to convert Dashboard Studio to Classic dashboard and enable export option?

VijaySrrie · ‎07-16-2024

Hi All, I am working on skipped searches, what is the difference between below 2? 1) The maximum number of concurrent historical scheduled searches on this cluster has been reached 2) The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached

VijaySrrie · ‎07-04-2024

Hi Team, I have a dashboard with 7 panels I need an alert to monitor the dashboard and alert us if any one of the panel shows percentage is > 10 Is there a possibility to create alert with the dashboard link?

VijaySrrie · ‎07-01-2024

Hi Team, An alert is scheduled to run for every 2 hours It is getting skipped per day the alert will run - 12 times For a week 12*7 = 84 times a week We could see in the skipped search result that the alert is skipped for 3000 times in last 7 days How is it possible? Below search is used to find the skipped search splunk_server=*prod1-heavy index="_internal" sourcetype="scheduler" host=*-prod1-heavy | eval scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | lookup search_env_mapping host AS host OUTPUT tenant | stats count values(scheduled) as scheduled values(savedsearch_name) as search_name values(status) as status values(reason) as reason values(run_time) as run_time values(dm_node) as dm_node values(sid) as sid by savedsearch_name tenant | sort -count | search status!=success | table scheduled, savedsearch_name, status, reason,count,tenant

VijaySrrie · ‎06-30-2024

Hi Team, How to check the expiry date of a certificate in splunk windows using command line User is having local admin access and not able to delete the server.pem file (is there any other way to delete it)

VijaySrrie · ‎06-11-2024

Hi Team, I have a field extraction and a calculated field which is not working Please let me know whether there is any other way to extract it EXTRACT-User = \"path\"\:\"auth\/(abc|xyz)\/login\/(?<User>[\w\_]+) EVAL-user = if(error="invalid credentials",User,'auth.display_name') "auth.display_name" is the existing field

VijaySrrie · ‎06-10-2024

@inventsekar - This is the python code we use to pull the loigs

VijaySrrie · ‎06-10-2024

#!/usr/bin/env python # coding=utf-8 from __future__ import print_function import sys, os import xml.dom.minidom, xml.sax.saxutils from pymongo import MongoClient from datetime import datetime import base64 import json import re import logging from io import open import six logging.root logging.root.setLevel(logging.DEBUG) formatter = logging.Formatter('%(levelname)s %(message)s') handler = logging.StreamHandler() handler.setFormatter(formatter) logging.root.addHandler(handler) SCHEME = """<scheme> <title>API Gateway Analytics</title> <description>Ingest data from API Gateway mongodb tyk_analytics database</description> <streaming_mode>xml</streaming_mode> <endpoint> <args> <arg name="mongodb_uri"> <title>MongoDB URI</title> <description>mongodb://USER:PASS@SERVER1:27017,SERVER2:27017/tyk_analytics?replicaSet=mongo-replica</description> </arg> </args> </endpoint> </scheme> """ def do_scheme(): print(SCHEME) # Empty validation routine. This routine is optional. def validate_arguments(): pass def get_config(): config = {} try: # read everything from stdin config_str = sys.stdin.read() # parse the config XML doc = xml.dom.minidom.parseString(config_str) root = doc.documentElement conf_node = root.getElementsByTagName("configuration")[0] if conf_node: stanza = conf_node.getElementsByTagName("stanza")[0] if stanza: stanza_name = stanza.getAttribute("name") if stanza_name: logging.debug("XML: found stanza " + stanza_name) config["name"] = stanza_name params = stanza.getElementsByTagName("param") for param in params: param_name = param.getAttribute("name") logging.debug("XML: found param '%s'" % param_name) if param_name and param.firstChild and param.firstChild.nodeType == param.firstChild.TEXT_NODE: data = param.firstChild.data config[param_name] = data logging.debug("XML: '%s' -> '%s'" % (param_name, data)) checkpnt_node = root.getElementsByTagName("checkpoint_dir")[0] if checkpnt_node and checkpnt_node.firstChild and checkpnt_node.firstChild.nodeType == checkpnt_node.firstChild.TEXT_NODE: config["checkpoint_dir"] = checkpnt_node.firstChild.data if not config: raise Exception("Invalid configuration received from Splunk.") except Exception as e: raise Exception("Error getting Splunk configuration via STDIN: %s" % str(e)) return config def save_checkpoint(config, checkpoint): checkpoint_file = "checkpoint-" + config["name"] checkpoint_file = re.sub('[\\/\s]', '', checkpoint_file) checkpoint_file_new = checkpoint_file + ".new" chk_file = os.path.join(config["checkpoint_dir"], checkpoint_file) chk_file_new = os.path.join(config["checkpoint_dir"], checkpoint_file_new) checkpoint_rfc3339=checkpoint.strftime('%Y-%m-%d %H:%M:%S.%f') logging.debug("Saving checkpoint=%s (checkpoint_rfc3339=%s) to file=%s", checkpoint, checkpoint_rfc3339, chk_file) f = open(chk_file_new, "w") f.write("%s" % checkpoint_rfc3339) f.close() os.rename(chk_file_new, chk_file) def load_checkpoint(config): checkpoint_file = "checkpoint-" + config["name"] checkpoint_file = re.sub('[\\/\s]', '', checkpoint_file) chk_file = os.path.join(config["checkpoint_dir"], checkpoint_file) #chk_file = os.path.join(config["checkpoint_dir"], "checkpoint") # try to open this file try: f = open(chk_file, "r") checkpoint_rfc3339=f.readline().split("\n")[0] logging.info("Read checkpoint_rfc3339=%s from file=%s", checkpoint_rfc3339, chk_file) checkpoint = datetime.strptime(checkpoint_rfc3339, '%Y-%m-%d %H:%M:%S.%f') f.close() except: # assume that this means the checkpoint is not there (Use 2000/1/1) checkpoint_rfc3339='2000-01-01 00:00:00.000000' checkpoint = datetime.strptime(checkpoint_rfc3339, '%Y-%m-%d %H:%M:%S.%f') logging.error("Failed to read checkpoint from file=%s using checkpoint_rfc3339=%s", chk_file, checkpoint_rfc3339) logging.debug("Checkpoint value is: checkpoint=%s", checkpoint) return checkpoint # Routine to index data def run(): config = get_config() mongodb_uri = config["mongodb_uri"] checkpoint = load_checkpoint(config) client = MongoClient(mongodb_uri) database = client["tyk_analytics"] collection = database["tyk_analytics"] cursor = collection.find({'timestamp': {'$gt': checkpoint} }) sys.stdout.write("<stream>") #logging.info("H: Before Document") for document in cursor: #logging.info("After1 Before Document") new_checkpoint=document['timestamp'] #logging.info("After2 Before Document") #document['timestamp'] is in GMT, so we can do a straight epoc conversion, and not be concerned with timezones epoc_timestamp = (new_checkpoint - datetime(1970,1,1,0,0,0,0)).total_seconds() #logging.debug("Calculated epoc_timestamp=%s, from ['timestamp']=%s", str(epoc_timestamp), checkpoint) outputdata={} outputdata['timestamp'] = six.text_type(document['timestamp']) outputdata['apiname'] = document['apiname'] outputdata['ipaddress'] = document['ipaddress'] outputdata['id'] = six.text_type(document['_id']) outputdata['requesttime'] = str(document['requesttime']) outputdata['responsecode'] = str(document['responsecode']) outputdata['method'] = document['method'] outputdata['path'] = document['path'] request=base64.b64decode(document['rawrequest']) try: request.decode('utf-8') #print "string is UTF-8, length %d bytes" % len(request) except UnicodeError: request = "(SPLUNK SCRIPTED INPUT ERROR) input is not UTF-8 unicode" m = re.search('(?s)^(.+)\r\n\r\n(.*)', request.decode('utf-8')) if m: #Strip any Authorization header outputdata['requestheader']=re.sub('\nAuthorization: [^\n]+','',m.group(1)) outputdata['requestbody']=m.group(2) else: outputdata['request'] = request response=base64.b64decode(document['rawresponse']) try: response.decode('utf-8') #print "string is UTF-8, length %d bytes" % len(response) except UnicodeError: response = "(SPLUNK SCRIPTED INPUT ERROR) input is not UTF-8 unicode" if response != "": m = re.search('(?s)^(.+)\r\n\r\n(.*)', response.decode('utf-8')) if m: outputdata['responseheader']=m.group(1) outputdata['responsebody']=m.group(2) else: outputdata['response'] = response.decode('utf-8') sys.stdout.write("<event>") sys.stdout.write("<time>") sys.stdout.write(str(epoc_timestamp)) sys.stdout.write("</time>") sys.stdout.write("<data>") logging.info("Before Json dumps") sys.stdout.write(xml.sax.saxutils.escape(json.dumps(outputdata))) logging.info("After1 Json dumps") sys.stdout.write("</data><done/></event>\n") if new_checkpoint > checkpoint: checkpoint_delta = (new_checkpoint - checkpoint).total_seconds() checkpoint=new_checkpoint if checkpoint_delta > 60: save_checkpoint(config, checkpoint) #End for block save_checkpoint(config, checkpoint) sys.stdout.write("</stream>") sys.stdout.flush() # Script must implement these args: scheme, validate-arguments if __name__ == '__main__': if len(sys.argv) > 1: if sys.argv[1] == "--scheme": do_scheme() elif sys.argv[1] == "--validate-arguments": validate_arguments() else: pass else: run() sys.exit(0)

VijaySrrie · ‎06-09-2024

Hi Team, We are using modular input to ingest the logs into splunk, we have checkpoint file, but we see duplicate logs are ingested into splunk. How to eliminate duplicates? application from which the logs are ingested - Tyk analytics

VijaySrrie · ‎06-09-2024

@VatsalJagani 1. Duplicate logs are ingested into splunk, we tried to change the checkpoint file value, even after that at 2 am duplicated are ingested 2. We are using python script to ingest TYK mongoDB logs into splunk

VijaySrrie · ‎06-06-2024

Hi Team, We use mongo db python script to get the logs into splunk We could see historical logs are getting ingested, we changed the checkpoint value to 2024-05-03 08:46:13.327000 After that it worked fine for sometime, again we could see historical data getting ingested at 2 am How to fix it? What would be the checkpoint file value?

VijaySrrie · ‎06-04-2024

Hi Team, I need to create 3 calculated fields | eval action= case(error="invalid credentials", "failure", ((like('request.path',"auth/ldap/login/%") OR like('request.path',"auth/ldapco/login/%")) AND (valid="Success")) OR (like('request.path',"auth/token/lookup-self") AND ('auth.display_name'="root")) ,"success") | eval app= case(action="success" OR action="failure", "appname_Authentication") | eval valid= if(error="invalid credentials","Error","Success") action field is dependant on valid app field is dependant on action I am unable to see app field in the splunk, may I know how to create it?

VijaySrrie · ‎06-02-2024

Hi Team, How to write a calculated field for below | eval action=case(like("request.path","auth/ldap/login/names"),"success") Names field will be changeing Above one is not working

VijaySrrie · ‎05-30-2024

Hi Team, We have some reports in a shared path, how to bring it to splunk?

Posts	274
Solutions	13
Karma Given	73
Karma Received	10
Member Since	‎02-22-2019

Online Status	Offline
Date Last Visited	‎10-16-2024 08:53 PM

Splunkbase app download via command line

Auto Update MaxMind Database

Skipped search

Log latency

timechart and trendline command

Dashboard studio - Add colours

dashboard studio to classic dashboard

Skipped searches

Splunk Alert creation from dashboard

Skipped Search

Splunkbase app download via command line

Auto Update MaxMind Database

Skipped search

Re: Log latency

Log latency

Re: timechart and trendline command

Re: timechart and trendline command

Re: timechart and trendline command

timechart and trendline command

Dashboard studio - Add colours

Re: dashboard studio to classic dashboard

dashboard studio to classic dashboard

Skipped searches

Splunk Alert creation from dashboard

Skipped Search

Expiration date of a certificate in splunk windows...

Calculated field

Re: Duplicate logs via modular input

Re: Duplicate logs via modular input

Duplicate logs via modular input

Re: TypeError: Object of type bytes is not JSON se...

Mongo-db - checkpoint file error

Calculated field

Calculated field

Need report to be emailed/send to splunk