Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About verbal_666
verbal_666
Builder
Member since:
03-15-2017
Tuesday
Community Statistics
| Posts | 237 |
| Solutions | 21 |
| Karma Given | 59 |
| Karma Received | 19 |
| Member Since | 03-15-2017 |
Activity Feed
- Karma Re: MONGODB vulnerability in ZLIB for PickleRick. Tuesday
- Posted Re: MONGODB vulnerability in ZLIB on Splunk Enterprise. Tuesday
- Posted Re: MONGODB vulnerability in ZLIB on Splunk Enterprise. Monday
- Karma Re: MONGODB vulnerability in ZLIB for livehybrid. Monday
- Posted Re: MONGODB vulnerability in ZLIB on Splunk Enterprise. Monday
- Karma Re: MONGODB vulnerability in ZLIB for PickleRick. Monday
- Posted MONGODB vulnerability in ZLIB on Splunk Enterprise. Monday
- Got Karma for Re: Where are login credentials to peers stored? And why bin/scripts/ is deleted after upgrading?. 12-05-2025 07:20 AM
- Got Karma for Re: Where are login credentials to peers stored? And why bin/scripts/ is deleted after upgrading?. 12-05-2025 07:20 AM
- Posted Re: Where are login credentials to peers stored? And why bin/scripts/ is deleted after upgrading? on Splunk Enterprise. 12-05-2025 06:28 AM
- Posted Re: Where are login credentials to peers stored? And why bin/scripts/ is deleted after upgrading? on Splunk Enterprise. 12-05-2025 05:41 AM
- Karma Re: Where are login credentials to peers stored? And why bin/scripts/ is deleted after upgrading? for livehybrid. 12-05-2025 05:39 AM
- Posted Where are login credentials to peers stored? And why bin/scripts/ is deleted after upgrading? on Splunk Enterprise. 12-05-2025 04:43 AM
- Got Karma for Re: Let's think about an unique way to always and always read a log file. 12-04-2025 05:20 AM
- Posted Re: Let's think about an unique way to always and always read a log file on Getting Data In. 12-04-2025 12:02 AM
- Posted Re: Let's think about an unique way to always and always read a log file on Getting Data In. 12-03-2025 10:43 PM
- Posted Re: Let's think about an unique way to always and always read a log file on Getting Data In. 12-03-2025 11:17 AM
- Got Karma for Let's think about an unique way to always and always read a log file. 12-03-2025 08:23 AM
- Posted Let's think about an unique way to always and always read a log file on Getting Data In. 12-03-2025 03:43 AM
- Got Karma for Re: Not all field values are extracted for long JSON files. 11-12-2025 07:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Tuesday
Can someone, please, open a case to SPLUNK for official communication? I get error after sending a NEW CASE MONGODB Vulnerability CVE-2025-14847
https://www.mongodb.com/company/blog/news/mongodb-server-security-update-december-2025
SPLUNK ENTERPRISE
9.3.X
9.4.X
10.X.X
/opt/splunk/bin/splunk cmd mongod -version
SECURITY ISSUE
... View more
Monday
I know it, only SPLUNK instance can access mongodb from localhost only and our SPLUNK it's not exposed outside, only in Intranet. But my Company wants a solution or a valid explanation to exclude vulnerabilities on the instances 😥 Maybe a formal official SPLUNK communication could help! 😎 Thanks 👍👍👍
... View more
Monday
Hello. Recently a critical vulnerability was found in ZLIB of MongoDB. https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/vulnerability-in-mongodb-product-mongodb-server-leak Is there a way resolve this internal issue? Thanks.
... View more
Labels
12-05-2025
06:28 AM
1 Karma
Gosh! I think i did a mistake for Question#1. The credentials/keys are stored in every searchpeer path dir "$SPLUNK_HOME/etc/auth/distServerKeys/search_peer#x/", inside where you can find all the kets... i did confusion with var 🤧 And the files the user deleted, since i need a full reinstall, were at fact inside $SPLUNK_HOME/etc/ (the user removed for an error ☹️ 🙁 all the etc in $SPLUNK_HOME). So, there's no mistery at all. He deleted all previous recorded keys the peer stored when called from SearchHead. So it really needed to recreate them, they were gone 😖 Sorry, problem solved!!! My fault... 😑
... View more
12-05-2025
05:41 AM
1 Karma
Oh, really thanks. I was worried about this behavious. Luckily we have daily backups. Next we create a custom app to deploy them to 👍👍👍i really miss this security feature 👍👍👍
... View more
12-05-2025
04:43 AM
Hi. QUESTION #1: search peer login credentials In previous versions, i'm talking about v7 and/or v8, in my memory, login credential to search peers were stored into filesystem, inside /var/... in some files named search_peer#1.something, search_peer#2.something etc.. Now i upgraded to 9.4 version, and can't find them anymore. Where are credentials stored? In KVSTORE? I ask this question since today i need to untar a 9.4 version over a same 9.4 version to take some files a user deleted for error🤦♂️and after doing it, it was a searchpeer/indexer, on the SearchHead and Deployer (Management Console) the peer was DOWN, i needed to reinsert the login credential again as first time to make it UP & Healthy again. Is it for security or is it a bug? I remember i need to do it also months ago when we upgraded 9.3 to 9.4!!! After upgrading, all peer credentials was gone. I thought it was a temporary bug, but now it seems to be the normal behaviour: reinstalling an instance, over the same, removes all previous registered credentials for searchpeers? QUESTION #2: Splunk upgrading removes all $SPLUNK_HOME/bin/scripts/ And, also, after upgrading, all out custom scripts in $SPLUNK_HOME/bin/scripts/ was totally deleted, SPLUNK UPGRADER remove all of them, i found only the "readme.txt", we had something like 50 custom scripts, all gone 🙄 obviously we have a backup!!! But is it normal??? Thanks.
... View more
Labels
- Labels:
-
administration
-
configuration
-
upgrade
12-04-2025
12:02 AM
It's the main application that in some cases gets crazy and start writing so many error headers ☹️ i still talk to developers and tell this is the why, and in case the manual how-to to unlock logs 🤧 There is a limit to everything 😂
... View more
12-03-2025
10:43 PM
1 Karma
The logs posted in main thread were totally a test, to simplify the real problem. The issue came out with a user who can't read his logs one day. And the problem was that for the same 2 days the Application at 00:00 starts writing on 2 nodes the same identical log errors for about 4k, without any timestamp at all, not even a dot was different from day 1 to day 2 from the first default 256 initCrcLen 😎 first time it happened, months ago, i raised initCrcLen to 1024 and injection went ok, but last day i discovered that the "header" errors were about 4k, so, the 3rd day the logs were stuck, since UF thought it was the same identical file already injected! But it weren't since from 10k about Apps start to write json logs with correct timestamps. In this single case i raise again initCrcLen over the 4k and all was ok. Next days, i can have a 10k identical error header over the same logs. So... in this special case, if issue still come out, i will raise again initCrcLen to maximum and tell user to fix the problem with a simple wortaround: sed -i "1i$(date) $RANDOM" /path/lo/log And... that's all. SPLUNK can do much, but not all 😆 Anyway, it could be useful in future UF versioning developments, a new inputs.conf parameter in stanza to use OS file timestamp CRC as crcSalt, something like, crcSalt = <FILE_TIMESTAMP> or a salt with present date/time, crcSalt = <NOW> 👍👍👍 What do you think about it?
... View more
12-03-2025
11:17 AM
Anyway the only solution was to raise the initCrcLength to a high value over the header 👍
... View more
12-03-2025
03:43 AM
1 Karma
Hi. OK, this question is totally theory, but i came in case of pratical issue on such problem. So, let's think i have an App that writes the new log file every 00:00 and writes, I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE.
12/02/2025 00:30:00 log #1
12/02/2025 00:30:01 log #2
12/02/2025 00:30:02 log #3 PREMISE: every day, at 00:00 the log is totally rewritten from 0 byte with same headers. So, Splunk UF the first day should take the first 256 bytes for CRC and should take the log entry since it's new for it and send to indexers. Next day it should block it, thinking it's the same as the day before, since the 256b CRC it's the same, so i should find something like in UF log, File will not be read, is too small to match seekptr checksum [...] And find only the entries of yesterday. Now i force an "initCrcLen = 1024", and now i should start on indexing since the file has, for example, I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE. I'M STARTING TO WRITE.
AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG. AND NOW I START TO LOG.
12/02/2025 00:30:00 log #1
12/02/2025 00:30:01 log #2
12/02/2025 00:30:02 log #3 The next day, initCrcLen to 1024 bytes wil be the same, UF tags the log as already sent yesterday and blocks it again. OK, now i force a new "crcSalt = <SOURCE>" to the input. But in few days both initCrcLen = 1024 [same header size] crcSalt = <SOURCE> [same file path] will calculate a same identical CRC, so the UF will think the log is still the same and it will be blocked! Am i wrong? I know the question is an old and always discussed question. But it's interesting to know if it's possibile to tell UF: "read the file without thinking about it's CRC, if i have still indexed it, read it, do anything other, and send to indexers!" 😉😉😉
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
11-11-2025
07:04 AM
Very interesting 👍👍👍 Thanks a lot 👏👏
... View more
11-11-2025
03:49 AM
Really useful 👍👍👍 Many thanks 👏👏👍
... View more
11-10-2025
11:18 AM
for my knowledge, there isn't! Short answer is - no. I think the issue is totally resolved 😂 Thanks all 😎
... View more
11-10-2025
02:52 AM
A simple, but not trivial, question. When searching a log file, we sometimes find fields previously extracted "on-the-fly" from the search SH, in various ways (Regex, Field_Delimiter), or directly from the Indexer, again in different ways. NOW, the question: it often happens that we spend a lot of time searching for the exact config from which the extraction comes, sifting through the various SH and Indexer configs... eventually, between one thing and another, we get there. But, as mentioned, it often wastes a lot of time... just an example: i have a log where, in many years, many users put an hand, any user inserted his field extraction for a single field, creating something like 20/30 conf for a single log and for 20/30 fields... bothersome when debugging and seeking a single field (as said with the search form you get it quite soon, but...)!!! 🙄 Is there a quick way to understand WHERE a particular field extracted from the log COMES FROM? A "detailed-field-inspector" that tells us exactly: "this field is extracted from the SH, Regex, 'Sourcetype: my_extract_conf'"? Thanks.
... View more
Labels
11-05-2025
02:10 AM
Ahhhhhhhhhhhhhhhhhhh!!! 😚 So the DS must index locally and then send data to Indexers... 👍👍👍 Thanks 👏👏
... View more
11-05-2025
01:17 AM
Hello. I'm having new issues after upgrading a DS from V.9.1 to V.9.4.5. Every phone-home from the UFs (i have about 2000 UFs), gives a 0 [ZERO] in UI. I can see UFs connected to 8089 of my DS Listener, many errors on Splunk logs, AdminHandler:AuthenticationHandler [289178 TcpChannelThread] - Denied session token for user: splunk-system-user On UFs i have the classic "deploymentclient.conf", with a simple, [target-broker:deploymentServer]
targetUri = myDS:8089 With previous versions i never had issues. Has something changed in 9.4 for UFs to DS connect? Thanks.
... View more
Labels
10-28-2025
03:34 AM
I always do a full backup before updating, tar -zcf /my_path_for_backups/splunk_actual.tgz /opt/splunk I don't understand why it bothers you so much if i deal with cases where any user could end up, providing documentation that could be useful!!! Since i love I.T. , and Splunk, i really like to enter many cases and seek for a clue to remediate issues. Does it bother you? Byebye. PS. reading around, i found others users with this DS issue!!!
... View more
10-28-2025
03:15 AM
No. The problem was by, 1. updating 8.2.x to 9.1.9 [OK] 2. updating 9.1.9 to 9.4.4 [KO... KVSTORE stops starting... and updating from V4>>V7] So i remained stuck at 9.4.4 with KVSTORE not working in SHCluster!!! And that's a great problem!!! So i need to, 3. downgrading from 9.4.4 to 9.1.9 And now the /apps/search/default totally broke che DS UI 😳 IMO it's not normal!!!
... View more
10-27-2025
05:40 AM
Maybe... i say maybe...... i found a trick to make instance start with KVSTORE which starts and updates from v4 to v5>v6>v7. Since i have many personal etc full of all my config, from many instances, i need them. But the problem seems related to mongodb/Splunk certificates. So, i regenerate all of them from the start. NETWORK [listener] connection accepted from 127.0.0.1:34164 #517 (1 connection now open)
NETWORK [conn517] SSL peer certificate validation failed: certificate has expired
NETWORK [ReplicaSetMonitor-TaskExecutor] SSL peer certificate validation failed: certificate has expired
NETWORK [conn517] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: certificate has expired. Ending connection from 127.0.0.1:34164 (connection id: 517)
NETWORK [conn517] end connection 127.0.0.1:34164 (0 connections now open) So, i tried a /opt/splunk/bin/splunk stop /opt/splunk/etc/auth rm -fr $(ls -1|egrep -v "^splunk.secret") cd /opt tar -xf splunk-9.4.5-8fb2a6c586a5-linux-amd64.tgz /opt/splunk/bin/splunk restart --accept-license --answer-yes /opt/splunk/bin/splunk show kvstore-status --verbose Doing this on an instance blocked at [Failed to read 4 bytes: socket error or timeout] i finally was able to start instance and make KVSTORE starting and updating V4>>V7. Strange.. very strange.... 🤔
... View more
10-27-2025
03:38 AM
Bah...... that's strange... i tried first to delete completely the Deployer "var", totally reinstall the 9.4.5 SH-Cluster, and the problem has gone 🙄 It seems it was a first cluster notification that was stuck somewhere. I also deleted all the "var" from all SHC and relaunched the SHC bootstrap. Nothing happened. Really do not know 😦 SPLUNK has some very strange behavious sometimes 🤔
... View more
10-27-2025
03:27 AM
No way to get rid of the error, featureCompatibilityVersion : An error occurred during the last operation ('getParameter', domain: '15', code: '13053'): No suitable servers found: `serverSelectionTimeoutMS` expired: [Failed to read 4 bytes: socket error or timeout] After starting 9.4.4 / 9.4.5 over a 9.1.9 🤔 At this time i can only think about mongodb problems starting and updating, maybe hardware compatibility (avx says are supported 😐). Any try to start the 9.4.x instance make the kvstore/mongodb blocked, [Failed to read 4 bytes: socket error or timeout] I stay at 9.3.6 version, can't pass over 😔
... View more
10-27-2025
12:52 AM
I'll try 👍
... View more
10-27-2025
12:43 AM
Query in splunkd gives no entries. I tried, 1. edit the TEST.csv with lookup_editor, save... alarm still there! 2. delete TEST.csv... alarm still there! 3. remove the app from Deployer... alarm still there! 4. redeploy the app from Deployer... alarm still there! It's quite misterious. Rolled back to 9.3.6... no alarm! 😷
... View more
10-26-2025
11:16 PM
I searched yet the quarantined lookup... | rest /services/replication/configuration/quarantined-assets splunk_server=local Also the new query you linked gives the same csv... nobody my_web_app TEST.csv ae488df36e68414c86ef7d9c6f953fde8945cf92 [ {quarantined_at_host=https://centos:8089, quarantined_at=1761477321, lookup_size=0, quarantine_reason=lookup_size_unknown} ] 10/26/2025 12:15:21 0.00 1. "TEST.csv" is no longer present on the SH-Cluster, i deleted it 😶 alarm persists!!! 2. "TEST.csv" was anywhere 0 kb size, empty 🤔 3. IMO "quarantine_reason=lookup_size_unknown" is some case of bug!!!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
Karma from
Karma given to
