Getting locale in Javascript and gettext()
I am trying to either (or maybe I need both) get the locale setting of the client in JavaScript to replace some tokens in my search string, or find out whether the gettext function is available in JavaScript for localization.
Any ideas?

Sendemail script execution failed and no python.log entry
I am unable to get the sendemail command to send an email via either a saved search or an on-demand search. In the case of an on-demand search (sample):
index=dnsf "*error*" | stats count by host | sendemail to=firstlast@xxx.com server=xxx-smtp.xxx maxtime=2m
The job times out with the message "Script execution failed for external search command 'sendemail'". In the case of saved searches, I can see in the job log that the job completed, but there is no evidence that an email was fired or even attempted.
From reading other postings here, I have attempted to examine the python.log for evidence of email behavior, but a wildcard search of the python.log returns no results. Thank you for any help that you can afford.
Getting Duplicate message when doing search for User ID (title)
This is the search I used:
| rest /services/authentication/users splunk_server=local
| fields title
| rename title as user
| table user | sort user | dedup user
I wanted to get the user Id and then use that in another search that is my panel in a dashboard:
| rest /services/authentication/users splunk_server=local
| fields roles title realname
| rename title as username
When I create the dropdown and then key in the first search above, it keeps giving me a duplicate values message and no listing comes in. Yet when I run it by itself in a search, it brings back what I need and doesn't give me the duplicate entries message. I wanted to use the results of this search to plug into the second search.
Need to get rid of columns with no values?
I want to look at values in savedsearch.conf using the REST API, however a lot of blank columns show up! When I type in this search:
| rest splunk_server=local /servicesNS/-/-/saved/searches/
I get the attached table, and I don't know how to get rid of the unnecessary columns.
Note: There are more blank columns than these, and they do not all start with action.
Query Window Size is required and should be at least 1 minute
[ms_o365_message_trace://Ouro365data]
delay_throttle = 1440
index = o365
input_mode = continuously_monitor
interval = 3600
office_365_password = THE_PASSWORD
office_365_username = Our_account@email.thing.stuff
query_window_size = 60
sourcetype = ms:o365:reporting:messagetrace
^That is our inputs.conf in local for the app; it was created via the GUI. However, after the upgrade and having to switch to user/password, the app is now complaining about the query window size.
HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\". See splunkd.log for more details."}]}
That is from the var/log/splunk/ta_ms_o365_reporting_ms_o365_message_trace.log
06-26-2018 18:01:36.514 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n
^splunkd.log line
Has anyone else had this issue, or have a fix? I've completely deleted the local folder (after a backup) and then even re-installed the app fresh and created an input from scratch. It is still not recognizing that query_window_size is set.
Please help
What does -# mean at the end of my frozen buckets?
I am working on a script to thaw frozen buckets. Part of my script is to validate that the selected buckets are valid. We have an indexer cluster that currently just freezes to a shared path.
I run
/opt/splunk/bin/splunk check-integrity -bucketPath /some/path/to/bucket
to validate the buckets.
I noticed that some of my buckets have a trailing digit at the end. They look like rb_12345678_12345678_1234_GUID-0. There are others that run up to -3.
When the check-integrity command runs it reports:
Constraints given leave no buckets to operate on
If I rename that bucket (in a different path) to remove the -0 I get a valid bucket response:
Total buckets checked=1, succeeded=1, failed=0
I do not see -0 directories in my warm or cold directories.
I'm guessing that since we are freezing to a shared path, Splunk is appending a -digit to the end of the frozen bucket name so as not to overwrite something that is already there. This would make me believe that I could ignore the -# buckets IF I have a corresponding bucket that does not have the extra -#. I would also want to eventually purge the extra buckets. If I'm missing a normally named bucket, should I rename one -# bucket to make it a "real" bucket?
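The sorting step the post describes (which directories are plain buckets, which are -# copies of a bucket that is also present, and which exist only as -# copies), as an added example that is not code from the original post or from Splunk. It assumes the naming quoted in the post, <db|rb>_<latest>_<earliest>_<id>_<GUID> with an optional -N tail, and takes the GUID to be a 36-character UUID so its hyphens are never confused with the tail; the function names, the sample listing and the GUID in it are mine. That a -N tail marks a repeat copy is the poster's hypothesis, which the script only makes checkable.

```python
"""Sort a frozen-path listing into canonical buckets and '-N' copies.

Added example, not code from the original post or from Splunk. The naming
<db|rb>_<latest>_<earliest>_<id>_<GUID>[-N] is taken from the post; reading
'-N' as a repeat copy of an existing bucket is the poster's hypothesis.
"""
import re
from collections import defaultdict

# Strict UUID shape for the GUID so that a GUID's hyphens are never confused
# with the optional "-N" copy tail.
BUCKET_RE = re.compile(
    r"^(?P<base>(?P<kind>db|rb)_(?P<latest>\d+)_(?P<earliest>\d+)_(?P<id>\d+)_"
    r"(?P<guid>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}))"
    r"(?:-(?P<copy>\d+))?$"
)


def parse_bucket_name(name):
    """Return the parsed fields of a bucket directory name, or None if it is not one.

    Besides the shape check, a bucket whose 'latest' epoch is older than its
    'earliest' epoch is rejected as implausible.
    """
    m = BUCKET_RE.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("latest", "earliest", "id"):
        fields[key] = int(fields[key])
    fields["copy"] = int(fields["copy"]) if fields["copy"] is not None else None
    if fields["latest"] < fields["earliest"]:
        return None
    return fields


def classify_frozen(names):
    """Group directory names by bucket.

    canonical:    bases that exist without a '-N' tail (thaw these as-is)
    redundant:    '-N' copies that sit beside a canonical base (purge candidates)
    orphans:      bases that exist only as '-N' copies, mapped to their copy numbers
    unrecognized: names that are not bucket directories
    """
    copies_by_base = defaultdict(list)
    unrecognized = []
    for name in names:
        parsed = parse_bucket_name(name)
        if parsed is None:
            unrecognized.append(name)
        else:
            copies_by_base[parsed["base"]].append(parsed["copy"])

    canonical, redundant, orphans = [], [], {}
    for base in sorted(copies_by_base):
        copies = copies_by_base[base]
        numbered = sorted(c for c in copies if c is not None)
        if None in copies:
            canonical.append(base)
            redundant.extend(f"{base}-{c}" for c in numbered)
        else:
            orphans[base] = numbered
    return {"canonical": canonical, "redundant": redundant,
            "orphans": orphans, "unrecognized": unrecognized}


def suggested_renames(report):
    """For each orphan group, propose renaming its lowest-numbered copy to the plain base name."""
    return {f"{base}-{copies[0]}": base for base, copies in report["orphans"].items() if copies}


def check_integrity_argv(bucket_path, splunk_home="/opt/splunk"):
    """Argument vector for the integrity check the post runs (built here, not executed)."""
    return [f"{splunk_home}/bin/splunk", "check-integrity", "-bucketPath", bucket_path]


# Constructed listing of a shared frozen path; the GUID is made up.
GUID = "3D2B7A3E-4C5F-4E2A-9B1C-8F0E1D2C3B4A"
SAMPLE_NAMES = [
    f"rb_1530000000_1529000000_12_{GUID}",
    f"rb_1530000000_1529000000_12_{GUID}-0",
    f"rb_1530000000_1529000000_12_{GUID}-1",
    f"db_1531000000_1530000000_13_{GUID}-0",
    f"db_1531000000_1530000000_13_{GUID}-3",
    "not_a_bucket",
]

if __name__ == "__main__":
    report = classify_frozen(SAMPLE_NAMES)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("renames:", suggested_renames(report))
```

Run it against `os.listdir()` of the frozen path instead of SAMPLE_NAMES; only entries in `canonical`, or orphans after one copy has been renamed, are worth feeding to check-integrity, and the `redundant` list is what a later purge would remove.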
VDI dynamic VMs and Splunk forwarders
How do you go about ensuring splunk forwarders forward all data from a gold image created VM that then gets blown away when a user logs off? How are people managing VM creation/destruction and in relation to the monitoring console "missing forwarder" report growing as VMs come and then go?
Why do I have blocked queue messages but my DMC doesn't show queues as full?
Hi,
I'm noticing a fair amount of blocked queues in my internal logs, especially for the exec queue. However, when I look at the DMC, and the indexer in question, those queues are not anywhere near 100%, even when showing maximum values. Am I misunderstanding something?
Can I force forwarders to use TLS 1.2 by disabling SSL3?
I need to disable SSL3 and enable TLS 1.2 across all of Splunk Enterprise. SSL3 is being disabled entirely in my organization.
If I just add "sslVersions = -tls1.1, tls1.2, -sslv2, -sslv3" to the inputs.conf, server.conf (under [sslConfig] ) and web.conf on the Indexer, would this not **force** all forwarders to use TLS 1.2 (or not connect at all if TLS 1.2 is not enabled on the forwarder)?
I have read a number of questions on this, and I'm not entirely clear how I can be certain that I am using TLS 1.2 exclusively across all Splunk servers.
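To see what a given sslVersions list actually enables, here is an added example that resolves such a list and audits several stanzas at once; it is not code from the original post or from Splunk. It follows the grammar as I read it in server.conf.spec: the version tokens are ssl3, tls1.0, tls1.1 and tls1.2, "tls" stands for every TLS version and "*" for every version, a leading "-" removes a version, and tokens apply left to right. How Splunk treats a token outside that list (the post's "sslv2" and "sslv3", for instance) is not something this script claims to know, so such tokens are reported rather than interpreted. The stanza labels and sample values are constructed; the forwarder's outputs.conf [tcpout] stanza is included because the receiving side's list only rejects what it does not offer, while the forwarder's own list decides what it offers.

```python
"""Resolve a Splunk `sslVersions` setting to the protocol set it enables.

Added example, not code from the original post or from Splunk. Grammar as
read from server.conf.spec: tokens ssl3, tls1.0, tls1.1, tls1.2; 'tls' means
all TLS versions, '*' all versions; a leading '-' removes; left to right.
Unknown tokens are reported, not interpreted (assumption about Splunk).
"""
VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
ALIASES = {"tls": set(VERSIONS[1:]), "*": set(VERSIONS)}


def resolve_ssl_versions(value):
    """Return (enabled_versions, unrecognized_tokens) for one sslVersions value."""
    enabled, unrecognized = set(), []
    for raw in value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if remove else token
        if name in ALIASES:
            members = ALIASES[name]
        elif name in VERSIONS:
            members = {name}
        else:
            # Not in the documented token set: surface it instead of guessing.
            unrecognized.append(raw.strip())
            continue
        if remove:
            enabled.difference_update(members)
        else:
            enabled.update(members)
    return enabled, unrecognized


def audit_ssl_versions(settings):
    """Report every stanza whose list enables anything but tls1.2, or carries unknown tokens.

    settings maps a label such as "indexer server.conf [sslConfig]" to the
    raw sslVersions value found there.
    """
    findings = []
    for where, value in settings.items():
        enabled, unrecognized = resolve_ssl_versions(value)
        if enabled != {"tls1.2"}:
            findings.append(f"{where}: enables {sorted(enabled)}, not tls1.2 only")
        for token in unrecognized:
            findings.append(f"{where}: unrecognized token {token!r}")
    return findings


# Constructed settings, including the list quoted in the post. Both ends of
# the forwarder-to-indexer connection are listed: the indexer side only
# rejects what it does not list, the forwarder side decides what is offered.
SAMPLE_SETTINGS = {
    "indexer server.conf [sslConfig]": "-tls1.1, tls1.2, -sslv2, -sslv3",
    "indexer inputs.conf [SSL]": "tls1.2",
    "forwarder outputs.conf [tcpout]": "*, -ssl3",
    "forwarder server.conf [sslConfig]": "tls",
}

if __name__ == "__main__":
    for line in audit_ssl_versions(SAMPLE_SETTINGS):
        print(line)
```

Under this reading the post's list resolves to tls1.2 alone, so the indexer would refuse anything older; whether every forwarder then still connects depends on what its own outputs.conf offers, which is why the audit takes both sides.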
Regex not working
I have a regex that should remove everything after a second underscore. When I try to search with the regex, it doesn't work. Any ideas? I must be doing something wrong, just can't figure out what.
Data looks like this:
AB200_Cdef_233
Abcde_FG400_34
And should end up looking like this:
AB200_Cdef
Abcde_FG400
index=cms_vm
| eval DatastoreName=replace(DatastoreName, "^([^_]*_[^_]*).*$", "\1")
| table DatastoreName
| dedup DatastoreName
| sort DatastoreName
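The same trim in Python's re module, as an added example that is not code from the original post: Python's regex engine has no \K, so the capture-group form is used, and the example also pins down a case the post leaves unstated, namely that a value with fewer than two underscores comes back unchanged. The function names and the extra sample values are mine.

```python
r"""Keep only the first two underscore-separated segments of a value.

Added example, not code from the original post. Python's re has no \K, so
the first two segments are captured and substituted back in.
"""
import re

# Capture the first two segments, then throw away the rest of the string.
FIRST_TWO_SEGMENTS = re.compile(r"^([^_]*_[^_]*).*$")


def keep_first_two_segments(value):
    """'AB200_Cdef_233' -> 'AB200_Cdef'; a value with no second underscore is unchanged."""
    return FIRST_TWO_SEGMENTS.sub(r"\1", value)


def dedup_sorted(values):
    """Apply the trim to every value, then dedup and sort, like the post's pipeline."""
    return sorted({keep_first_two_segments(v) for v in values})


# Constructed datastore names modelled on the two the post shows, plus edge cases.
DATASTORE_NAMES = ["AB200_Cdef_233", "Abcde_FG400_34", "AB200_Cdef_999", "Solo", "One_Two", "A_B_C_D"]

if __name__ == "__main__":
    for name in DATASTORE_NAMES:
        print(f"{name:16} -> {keep_first_two_segments(name)}")
    print(dedup_sorted(DATASTORE_NAMES))
```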
Using radio button choices in case statements
Hi,
I have a simple checkbox as shown below -
Choices: All, Event1, Event2, Event3, Event4; choice value: $$payload.type$$ == " " OR *
I have a query which basically checks if Type is "A" or "B" and based on that selects the x and y axis of a column chart. When Type is "B" I want to further filter using the radio button as shown in the query (AND $eventtype$), which would evaluate to $$payload.type$$ == "Event?". But as this is a case statement, the "*" (for the All case) regex matching does not work. What can I use such that for the case "All" anything can match? Also, if I am over-complicating this, is there an easier way to do this?
index="app_event"
| eval myFan=mvrange(0,3)
| mvexpand myFan
| eval _time = case(myFan=0 AND Type == "A", $$payload.beginVal$$,
myFan=1 AND Type == "A", $$payload.endVal$$,
myFan=2 AND Type == "B" AND $eventtype$, $$payload.beginVal$$)
| eval phase = case(myFan=0 AND Type == "A", "BeginVal",
myFan=1 AND Type == "A", "EndVal",
myFan=2 AND Type == "B" AND $eventtype$, $$payload.name$$)
| eval Time = strftime(_time/pow(10,9), "%F %T.%9Q")
| chart count by Time phase
Getting hold of an eval from subsearch
Hello,
How do I do something like this in splunk?
eval base_starttime = [search index="app_event"| eval starttime = strftime(sometime, someformat) | return starttime] | (then use base_startime ....)
Basically I want to get hold of an eval in subsearch to use in my base search.
Thanks.
Search losing events as number of events increase
I have a search that compares an expanded multivalue field against a lookup table and returns those events where at least one of the field values was not found. My thinking is: if a `singleColumns` value is not found, I'll have at least two events with a shared `_cd` value in my results, which I then `dedup` to ensure my counts are correct.
base search
| eval UID = _cd
| eval singleColumns=split(column_name, " ")
| mvexpand singleColumns
| search NOT [| inputlookup Known_Bad_Columns | rename bad_columns as singleColumns]
| dedup UID
| stats count by field1, field2
| sort - count
I ran this against some known events (roughly 7 million prior to the expand) and some (not all) of my event counts were lower than expected. I then reran this search filtering to those specific event values (500 thousand prior to expand) and my counts came back correct. Can someone explain my loss of precision and possibly suggest a correction?
Does Splunk Enterprise support Apache Ambari? If so, in what way can I configure it?
I am trying to find out the relation of Ambari to various log management frameworks.
Order of Search terms - Does it matter?
Recently I was working on a lab module 12 - question 22: Search the web application data for all events where a user purchased a product successfully. Use the stats sum function to sum the Price field by ProductName. Name the resulting field Revenue.
Originally I typed the following query but did not get any results:
index=main sourcetype=access_combined_wcookie status=200 file=success.do | stats sum(Price) as Revenue by ProductName
(I tried it both with and without quotes around access_combined_wcookie.)
I tried a few things before I scrolled down to see if the answer was any different, and I discovered that it was. The only differences I saw do not seem to me like they should affect the results that are returned. Can anyone provide some insight into why the order of the search terms would matter, or is this a weird fluke?
Using the results of one search to perform another
I want to list ALL customers who bought a watch and then use their userId to list out all of their purchases (not limited to watches).
I'm trying to solve this using subsearches, but it's not helping. Can anyone suggest a solution?
source="foobar"
    [search xxx OR yyy OR zzz source="foobar" mdn
    | rex field=_raw "(?<MDN>[0-9]+)" max_match=0
    | dedup MDN
    | rename MDN as search]
| rex field=_raw "(?<MDN>[0-9]+)" max_match=0
| rex field=_raw "(?<orderId>[0-9]+)" max_match=0
| dedup orderId
| stats list(orderId) by MDN
How to add custom color to blank cell
I tried doing {"": #112233} and it doesn't work.
If the value in the cell is, let's say, 12, doing {"12" : #112233} gives #112233 to the cell, but how do I add the color if it is blank?
Timechart;How to display hrs and minutes on Y axis and Date on x axis?
Hi Folks,
How do I display hrs & minutes on the Y axis and Date on the X axis by field values?
The challenge here is that I am unable to display hrs & minutes on the Y axis.
What is splunk bootstrap? Is there any documentation to explain commands like splunk bootstrap shcluster-captain -servers_list?
I am new to Splunk and need this to set up my cluster. I want to understand the search head and what is required in the search head.