Channel: Questions in topic: "splunk-enterprise"

How can I make Splunk wait longer during an input validation by an app?

I have installed the Duo Splunk Connector (3504) App, and when I go to configure it after Splunk restarts I am running into a time-out situation, summarized by these logs:

```
ERROR ModularInputs - Argument validation for scheme=duo_input: killing process, because executing it took too long (over 30000 msecs).
INFO ModularInputs - Argument validation for scheme=duo_input: script running failed (killed by signal 9: Killed).
```

Because this times out, the inputs.conf stanza the configuration step is supposed to create is not created, and so the app cannot do what it is supposed to do. I'd like to extend how long Splunk waits for the remote host it is validating to be long enough for this step to complete, or to know where the Name being asked for in the configuration step is to be manually added to the configs. The other three fields are easily added, but I have no documentation on where the name goes.

Disk Space calculation for Data Model Acceleration

How do I calculate the disk space used by all indexers for data model acceleration?

Align elements horizontally inside the same panel

Hi all, I would like to have 3 different elements (in my case, status indicators) aligned horizontally inside the same panel, side by side. My XML structure is:

```xml
<row>
  <panel>
    <viz type="status_indicator_app.status_indicator"></viz>
    <viz type="status_indicator_app.status_indicator"></viz>
    <viz type="status_indicator_app.status_indicator"></viz>
  </panel>
</row>
```

It is appearing in 3 different rows in the same column (aligned vertically), however I want to show the 3 elements in the same row in the same panel (aligned horizontally). Important to say that before this panel I have another panel, so I have tried the JS below, but it is not working because it is not able to get the second ".panel-element-row"....

```javascript
// Grab the first rows
var row1 = $('.panel-element-row').first();
var row2 = row1.next();
// Get the cells
var cell1 = $('#element1');
var cell2 = $('#element2');
// Move second cell to first row
cell2.appendTo(row1);
```

Trying to route a subset of data to a local splunk indexer and all data to a 3rd party system

Scenario: I am trying to send all Windows Forwarded events to the 3rd party appliance, and send only forwarded events with the words "Avecto Defendpoint Service" to the on-premise Splunk Indexer. I have been following http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad and have the following config files.

**Inputs.conf**

```
[default]
host = xxx-xxx-xxx

[WinEventLog://ForwardedEvents]
disabled = 0
```

**Props.conf**

```
[WinEventLog:ForwardedEvents]
TRANSFORMS-routing = routeAll, routeSubset
```

**Transforms.conf**

```
[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=3rdpartyappliance

[routeSubset]
REGEX=(Avecto)
DEST_KEY=_TCP_ROUTING
FORMAT=indexers,3rdpartyappliance
```

**Outputs.conf**

```
[tcpout]
defaultGroup = nothing

[tcpout:3rdpartyappliance]
server = xxx.xxx.xxx.xxx
# sets the output to raw format.
sendCookedData = false

#### Outputs to Splunk Indexer ####
[tcpout:indexers]
server = xxx.xxx.xxx.xxx
```

**Results**

If I remove defaultGroup=nothing from outputs.conf, any event is duplicated to the internal and external indexer, but I feel I don't have the right REGEX for only the events that I want to send internally.
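To reason about which output group an event ends up in under the stanzas quoted above, here is a small Python model of that routing. It is an added example, not Splunk code or anything from the post's author: it assumes that the transforms in a `TRANSFORMS-<class>` list are evaluated in order, that when several match the last one to match sets `_TCP_ROUTING`, that events with no match fall back to `defaultGroup`, and that a group named in the routing key only receives the event if a matching `[tcpout:<group>]` stanza exists. The sample events are constructed.

```python
import re

# Constructed model of the transforms.conf stanzas quoted in the post.
# Splunk is not run here; the "last matching transform sets the key"
# ordering and the defaultGroup fallback are assumptions of this model.
ROUTING_TRANSFORMS = [
    # (stanza name, REGEX, FORMAT written to _TCP_ROUTING)
    ("routeAll",    re.compile(r"(.)"),      "3rdpartyappliance"),
    ("routeSubset", re.compile(r"(Avecto)"), "indexers,3rdpartyappliance"),
]

# The [tcpout:<group>] stanzas that exist in the post's outputs.conf.
KNOWN_GROUPS = ("3rdpartyappliance", "indexers")


def route_event(raw, transforms=ROUTING_TRANSFORMS, default_group="nothing",
                known_groups=KNOWN_GROUPS):
    """Return the list of output groups that would receive this event."""
    tcp_routing = None
    for _name, regex, fmt in transforms:
        if regex.search(raw):
            tcp_routing = fmt          # a later match overwrites an earlier one
    if tcp_routing is None:
        tcp_routing = default_group    # nothing matched: defaultGroup applies
    # A group that has no [tcpout:<group>] stanza ("nothing") drops the event.
    return [g for g in tcp_routing.split(",") if g in known_groups]


# Constructed sample events; not real forwarded Windows events.
SAMPLE_EVENTS = [
    "EventCode=7036 Message=The Avecto Defendpoint Service entered the running state.",
    "EventCode=4624 Message=An account was successfully logged on.",
]


def routing_table(events=SAMPLE_EVENTS):
    """Map each sample event to the groups it would be sent to."""
    return {event: route_event(event) for event in events}


if __name__ == "__main__":
    for event, groups in routing_table().items():
        print(f"{groups!s:40} <- {event}")
```

Running it shows the Avecto event going to both groups and every other event only to the appliance; the same function can be re-run with `default_group="indexers"` to see how removing `defaultGroup = nothing` changes where unmatched events land.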

How do i extract month from "Last Observed" column following table using rex

I want to extract only the month from "Last Observed", i.e. Jan, Feb, Mar, Apr, using rex. ![alt text][1] [1]: /storage/temp/236579-capture.png

Retrieve password from storage/passwords endpoint

Hi Experts, I am trying to retrieve the password which is stored in passwords.conf, but it is returning blank. Below is the code which is being triggered by an alert. The alert is set up using the admin account. I have not set any realm while taking input from the user in the setup page.

```bash
# Modify to fit your environment
CREDENTIAL_USER="user123"
# Set realm if entered with password
CREDENTIAL_REALM=""
# Update App Name
APP="app123"
# Search needs to be owned by someone with admin rights to access passwords
ALERT_OWNER="admin"
# Splunk Host
SPLUNK_HOST="localhost"
# Splunk Python
SPLUNK_PYTHON="$SPLUNK_HOME/bin/splunk cmd python"

# Read sessionKey from STDIN
read sessionKey
key=`echo $sessionKey | sed s/sessionKey=//g`
decoded_key=`$SPLUNK_PYTHON -c "import sys, urllib as ul; print ul.unquote_plus('$key')"`
clear_password=`curl -s -k -H "Authorization: Splunk $decoded_key" https://$SPLUNK_HOST:8089/servicesNS/$ALERT_OWNER/$APP/storage/passwords/$CREDENTIAL_REALM:$CREDENTIAL_USER: | grep clear_password | sed -re 's/^\s+(.*?)<.*?>$/\1/g'`
```

The passwords.conf is below:

```
[credential::user123:]
password = $1$7EScd0o=
```

Any inputs on this are appreciated.
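The `grep`/`sed` pipeline above scrapes one line out of an Atom XML response, which returns an empty string whenever the layout differs from what the regex expects or the `clear_password` key is empty. As an added example (not the poster's script and not Splunk's own SDK code), the following Python does the same three steps with a real XML parser: decode the `sessionKey=` line the alert action receives on stdin, build the `<realm>:<username>:` entry name, and pull `clear_password` out of the matching entry. The feed text is a constructed sample of the endpoint's response shape; the encrypted blob and password values in it are placeholders, and an entry whose `clear_password` is absent or empty yields `None` rather than a blank string so the caller can tell the two cases apart.

```python
from urllib.parse import unquote_plus
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"

# Constructed sample of what storage/passwords returns for one entry.
# The values are placeholders, not captured from a real Splunk instance.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>:user123:</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="clear_password">hunter2</s:key>
        <s:key name="encr_password">$7$PLACEHOLDER_ENCRYPTED_BLOB</s:key>
        <s:key name="password">********</s:key>
        <s:key name="realm"></s:key>
        <s:key name="username">user123</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_session_key(stdin_line: str) -> str:
    """The alert action gets 'sessionKey=<url-encoded key>' on stdin; strip the
    prefix and URL-decode, as the sed + urllib.unquote_plus pipeline does."""
    key = stdin_line.strip()
    if key.startswith("sessionKey="):
        key = key[len("sessionKey="):]
    return unquote_plus(key)


def credential_name(username: str, realm: str = "") -> str:
    """Entry name used in the endpoint path and in <title>: '<realm>:<username>:'."""
    return f"{realm}:{username}:"


def extract_clear_password(atom_xml: str, username: str, realm: str = ""):
    """Return clear_password for the matching entry, or None when the entry is
    missing or the key is empty (e.g. the caller lacks the capability to see it)."""
    wanted = credential_name(username, realm)
    root = ET.fromstring(atom_xml)
    for entry in root.iter(f"{ATOM}entry"):
        if entry.findtext(f"{ATOM}title") != wanted:
            continue
        for key in entry.iter(f"{SPLUNK}key"):
            if key.get("name") == "clear_password":
                value = (key.text or "").strip()
                return value or None
    return None


if __name__ == "__main__":
    # Never print the secret itself; only report whether it was found.
    print(parse_session_key("sessionKey=abc%2Bdef%3D"))
    print("found" if extract_clear_password(SAMPLE_FEED, "user123") else "blank")
```

In a real alert action the feed text would come from the HTTPS request the script above already makes; keeping the parsing in a function lets the script log "found"/"blank" for troubleshooting without ever writing the decrypted value to a log file.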

stats, empty columns and fillnull

![alt text][1] [1]: /storage/temp/235576-fillnull.png I have problems not only with fillnull in this search, which doesn't fill my columns with 12. If I add "| table *" after or instead of the fillnull line, I miss my columns entirely. I want to keep my empty columns. Is this a bug or a feature? Can the problem be solved without "foreach" with "isnull"?

License Overview tab is empty in Splunk 6.5.2

All panels are empty; it uses `| rest "/services/licenser/licenses"`, which doesn't return anything. How do I fix this dashboard? Thanks! P.S.: the license usage tab works.

How to install the Splunk forwarder on a Windows 12 R2 Server

I need a complete step-by-step instruction guide.

How to get the difference between first and last fields of each row

I have a table like below:

```
Month     Col1   Col2
--------- ------ ------
Jan       10     20
Feb       30     40
Mar       50     60
```

and I am looking for output like below:

```
Month     Col1   Col2
--------- ------ ------
Jan       10     20
Feb       30     40
Mar       50     60
Diff      40     40     <---- diff of Jan and Mar value
```

Thanks in advance, Some Splunk Guy

Search head clustering is up and healthy, but search head status is flickering in the indexer clustering?

Search heads are up and healthy, but there is a fluctuation in the Search head status in the indexer clustering. Can anyone please let me know what the problem is? Regards, Abi

Extract search window for all types searches run in splunk

I want to run a query to extract all the searches that have been run in Splunk, to identify the search date ranges provided on them by users, ad hoc searches etc. So if I search on the 1st of the month, then I am expecting to get the following information:

- 300 searches run with a search window of <= 1 day
- 20 searches run with a search window of > 1 day and <= 1 week
- 4 searches run with a search window of > 1 week and <= 1 month
- 100 all-time searches
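The bucketing described in that list, applied to records that carry a search's earliest and latest epoch times, as an added example (not the poster's query and not a Splunk command): `window_bucket` classifies one search by the size of its window, treating `earliest` of 0 or missing as an all-time search, and `summarize` counts the buckets. The records are constructed to look like the earliest/latest pair one would derive from search audit data; a calendar month is approximated as 30 days, which is an assumption of the example, and a fifth bucket catches windows longer than that so no search is silently dropped.

```python
from collections import Counter

DAY = 86400
WEEK = 7 * DAY
MONTH = 30 * DAY   # assumption: a month is approximated as 30 days


def window_bucket(earliest, latest):
    """Classify one search by the size of its time window in seconds.
    earliest None or 0 means an all-time search (as with earliest=0)."""
    if earliest is None or earliest == 0:
        return "all time"
    span = latest - earliest
    if span <= DAY:
        return "<= 1 day"
    if span <= WEEK:
        return "> 1 day and <= 1 week"
    if span <= MONTH:
        return "> 1 week and <= 1 month"
    return "> 1 month"


def summarize(records):
    """Count searches per window bucket; returns a Counter keyed by bucket label."""
    return Counter(window_bucket(r.get("earliest"), r["latest"]) for r in records)


# Constructed sample records shaped like search audit entries (who ran the
# search and its earliest/latest epoch seconds); not data from any Splunk instance.
NOW = 1_519_862_400   # 2018-03-01 00:00:00 UTC, the "1st of the month"
SAMPLE_SEARCHES = [
    {"user": "alice", "earliest": NOW - 3600,     "latest": NOW},
    {"user": "bob",   "earliest": NOW - DAY,      "latest": NOW},
    {"user": "carol", "earliest": NOW - 3 * DAY,  "latest": NOW},
    {"user": "dave",  "earliest": NOW - 20 * DAY, "latest": NOW},
    {"user": "erin",  "earliest": 0,              "latest": NOW},
    {"user": "frank", "earliest": NOW - 90 * DAY, "latest": NOW},
]


if __name__ == "__main__":
    for bucket, count in summarize(SAMPLE_SEARCHES).most_common():
        print(f"{count:4d} searches run with search window {bucket}")
```

The boundaries are inclusive on the upper side (exactly one day counts as "<= 1 day"), matching the list above; change the comparisons if the reporting convention differs.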

What stored data with Analytics for Hadoop?

Simple question: what kind of data can I analyse with Splunk Analytics for Hadoop? Only data collected with Splunk and rolled from WARM/COLD/FROZEN, or even all the data already present that was not ingested by Splunk? Thank you.

Group search results by result-values/-wildcards

Hello Splunk Community, I have a selected field available called OBJECT_TYPE which could contain several values, for example the values a_1, a_2, a_3, b_1, b_2, c_1, c_2, c_3, c_4. Now I want to get a grouped count result by a*, b*, c*, which could be visualized in a pie chart. How can I achieve this? I mean a result table like:

```
Type | Count | %
----------------------------
a    | 300   | 30
b    | 200   | 20
c    | 500   | 50
```

Thanks a lot for your support! Sebastian

Rest commands with search time reference

Hi Splunkers, I need to search alerts triggered for my app in the given time range. The time range is selected from the time range picker. Does anyone have any inputs? I am struggling with:

```
| rest /servicesNS/-/-/saved/searches search="eai:acl.app=test AND disabled=0"
| table title eai:acl.app eai:acl.owner disabled is_scheduled cron_schedule
```

but this gives a consistent result irrespective of the time selected. Please help with some pointers. Best,

appendcols to take values from my first search for each row

Hi, I need my appendcols to take values from my first search, specifically two time values produced in the first search, Start_epoc and Stop_epoc, for each row. As the first search will produce multiple rows, I need the second search to produce the same amount. Then I want to use them in the second search like `earliest=$Start_epoc$ latest=$Stop_epoc$`.

```
| inputlookup Saved_Tests.csv
| where Host="UBS-RC_QCST_MASTER"
| where 1=1
| search Dev_Optimization="*"
| search Functional_Optimization="*"
| eval Start_epoc=Start
| eval Stop_epoc=Stop
| convert ctime(Start)
| convert ctime(Stop)
| table ID, host, Start_epoc , Stop_epoc
| head 1001
| sort 0 - by ID
| appendcols [| tstats count where index="mlc_live" host=UBS-RC_QCST_MASTER sourcetype="MX_TIMING2" earliest=$Start_epoc$ latest=$Stop_epoc$ by _indextime host
    | stats sum(count) as No_Of_MXTIMING_lines by host
    | table No_Of_MXTIMING_lines ]
```

ldap search with a wildcard

I have a search below that works fine, but I would like to add a wildcard to it. This search works:

```
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch1, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)) attrs=name
```

I would like to do something like below, but it does not show any results with the wildcard:

```
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch*, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)) attrs=name
```

Splunk Flow Collector Setup

Hi all! I am trying to set up the flow collector to ingest netflow into my Splunk instance according to the docs (https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/ConfigureFlowcollector). I am running a single instance to implement a PoC, so nothing fancy here. What I've got so far: I installed Splunk_TA_Stream and fixed the permissions. I also set up a *$SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf* with my ingest settings:

```
[streamfwd]
netflowReceiver.0.ip = 172.16.1.3
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
```

But no matter how I try, the configured port never opens up, shows in netstat or is reachable via nc/telnet. Any help on how to get this config running would be greatly appreciated!

Alarm is not working

Hey, I've set up an alarm for a search which is very easy: `index=radius radius_login_status="Login OK:"`. This gives me quite a lot of results. Now I've set up the alarm to trigger when the number of results is higher than 5. The search is executed every 5 min and the results are between 50 and 2000. But no alarm is fired! I don't understand why :/ Thanx, Frank

Splunk in AWS - AMI update process

I have a couple of midsize Splunk environments set up in AWS (3 indexers / 1 search head / 1 heavy forwarder / 1 master). Does anyone have a guide on the best process to use for an AMI refresh? Our current process (inherited) suffers from data loss using snapshots of the volumes used to store the data... I need to resolve this before the next refresh.