dbinspect VS _bkt
Hello guys,
could you let me know the difference, in terms of buckets, between:
| dbinspect *search*
and
*search* | eval bkt=_bkt | table bkt ?
It looks like dbinspect returns more results and with a wider span. My aim is to remove buckets according to a specific search and timeframe.
Thanks.
SCOM to Splunk
What is the difference between https://splunkbase.splunk.com/app/327/ and https://splunkbase.splunk.com/app/2729/?
We are planning to get SCOM data into Splunk, what is the best way to do it?
Does the Splunk DB Connect App support an Oracle DB 12.1.0.2.0 database?
Does the Splunk DB Connect App support an Oracle DB 12.1.0.2.0 database? The database matrix in the user documentation only lists Oracle DB 11g as working, with the JDBC driver ojdbc6.
Using average in maps+ instead of count
While using maps+, the clusters it makes show the count of events in them. How can I use the average of the values for a particular KPI instead?
Splunk Python SDK - How to call my custom search command only once?
Hi there,
I'm developing a custom search command to call a custom rest endpoint using Splunk's Python SDK and the command protocol version 2. The SDK supports the command development pretty well, however my command is executed at least twice each time and I don't really know why.
I've created a simple test case which could be installed using the following files in a new app folder under etc/apps/:
./bin/testexecution.py:
```python
import sys

from splunklib.searchcommands import dispatch, ReportingCommand, Configuration, Option, validators


@Configuration()
class testexecutionCommand(ReportingCommand):

    @Configuration(local=True)
    def map(self, records):
        # Map phase: pass every record through unchanged.
        for record in records:
            yield record

    @Configuration(requires_preop=False, run_in_preview=False, local=True, streaming=False)
    def reduce(self, records):
        # Reduce phase: the marker ends up on stderr, which search.log shows as
        # "ChunkedExternProcessor - stderr: ...". logger.warn is a deprecated
        # alias of logger.warning.
        self.logger.warning("This should only be seen once.")
        for record in records:
            yield record


try:
    dispatch(testexecutionCommand, sys.argv, sys.stdin, sys.stdout, __name__)
except Exception as e:
    print(str(e))
```
./default/commands.conf:
```ini
[testexecution]
filename = testexecution.py
chunked = true
```
./default/authorize.conf:
```ini
[capability::run_script_print]
[role_admin]
run_script_print = enabled
```
./metadata/local.meta:
```ini
[commands/testexecution]
access = read : [ * ], write : [ * ]
export = system
```
The generated search.log contains this information, please note that the marker "This should only be seen once." is logged twice:
09-13-2018 11:33:08.356 INFO dispatchRunner - Search process mode: preforked (first search in process) (build a0c72a66db66).
09-13-2018 11:33:08.356 INFO dispatchRunner - initing LicenseMgr in search process: nonPro=0
09-13-2018 11:33:08.356 INFO LicenseMgr - Initing LicenseMgr
09-13-2018 11:33:08.356 INFO LMConfig - serverName=test-splunk-d guid=68A1ADDC-9631-4A57-83C5-77403FAD4514
09-13-2018 11:33:08.358 INFO LMConfig - connection_timeout=30
09-13-2018 11:33:08.358 INFO LMConfig - send_timeout=30
09-13-2018 11:33:08.358 INFO LMConfig - receive_timeout=30
09-13-2018 11:33:08.358 INFO LMConfig - squash_threshold=2000
09-13-2018 11:33:08.358 INFO LMConfig - strict_pool_quota=1
09-13-2018 11:33:08.358 INFO LMConfig - key=pool_suggestion not found in licenser stanza of server.conf, defaulting=''
09-13-2018 11:33:08.358 INFO LMConfig - key=test_aws_metering not found in licenser stanza of server.conf, defaulting=0
09-13-2018 11:33:08.358 INFO LMConfig - key=test_aws_product_code not found in licenser stanza of server.conf, defaulting=0
09-13-2018 11:33:08.359 INFO LicenseMgr - Initing LicenseMgr runContext_splunkd=false
09-13-2018 11:33:08.359 INFO LMStackMgr - closing stack mgr
09-13-2018 11:33:08.359 INFO LMSlaveInfo - all slaves cleared
09-13-2018 11:33:08.359 INFO LMStackMgr - Skipping trial license as alternative license type in use
09-13-2018 11:33:08.360 INFO LMStack - Added type=enterprise license, from file=splunk.license, to stack=enterprise of group=Enterprise
09-13-2018 11:33:08.360 INFO LMStackMgr - created stack='enterprise'
09-13-2018 11:33:08.360 INFO LMStackMgr - Skipping trial pool stanza as alternative license in use
09-13-2018 11:33:08.360 INFO LMStackMgr - added pool auto_generated_pool_enterprise to stack enterprise
09-13-2018 11:33:08.360 INFO LMStackMgr - added pool auto_generated_pool_forwarder to stack forwarder
09-13-2018 11:33:08.360 INFO LMStackMgr - added pool auto_generated_pool_free to stack free
09-13-2018 11:33:08.360 INFO LMStackMgr - Initialized hideQuotaWarning = "0"
09-13-2018 11:33:08.361 INFO LMStackMgr - init completed [68A1ADDC-9631-4A57-83C5-77403FAD4514,Enterprise,runContext_splunkd=false]
09-13-2018 11:33:08.361 INFO LicenseMgr - StackMgr init complete...
09-13-2018 11:33:08.361 INFO LMTracker - Setting default product type='enterprise'
09-13-2018 11:33:08.361 INFO LMTracker - this is not splunkd, will perform partial init
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=Acceleration state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=AdvancedSearchCommands state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=AdvancedXML state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=Alerting state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=ArchiveToHdfs state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=Auth state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=CustomRoles state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=DeployClient state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=DeployServer state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=DistSearch state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=FwdData state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=GuestPass state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=KVStore state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=LDAPAuth state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=LocalSearch state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=MultifactorAuth state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=MultisiteClustering state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=NontableLookups state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=RcvData state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=RcvSearch state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=RollingWindowAlerts state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=SAMLAuth state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=ScheduledAlerts state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=ScheduledReports state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=ScheduledSearch state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=ScriptedAuth state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=SearchheadPooling state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=SigningProcessor state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=SplunkWeb state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=SubgroupId state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=SyslogOutputProcessor state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LMTracker - Setting feature=UnisiteClustering state=ENABLED (featureStatus=1)
09-13-2018 11:33:08.361 INFO LicenseMgr - Tracker init complete...
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'licenses'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'pools'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'stacks'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'groups'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'slaves'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'localslave'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'licensermessages'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'scriptedwarning'
09-13-2018 11:33:08.365 INFO AdminManagerDispatch - added factory for admin handler: 'licenseusage'
09-13-2018 11:33:08.365 INFO dispatchRunner - registering build time modules, count=1
09-13-2018 11:33:08.365 INFO dispatchRunner - registering search time components of build time module name=vix
09-13-2018 11:33:08.365 INFO dispatchRunner - Getting search configuration data from: /opt/splunk/etc/modules/parsing/config.xml
09-13-2018 11:33:08.367 INFO BundlesSetup - Setup stats for /opt/splunk/etc: wallclock_elapsed_msec=20, cpu_time_used=0.016, shared_services_generation=2, shared_services_population=1
09-13-2018 11:33:08.375 INFO UserManagerPro - Load authentication: forcing roles="admin, can_delete, power, user"
09-13-2018 11:33:08.376 INFO UserManager - Setting user context: splunk-system-user
09-13-2018 11:33:08.376 INFO UserManager - Done setting user context: NULL -> splunk-system-user
09-13-2018 11:33:08.376 INFO UserManager - Unwound user context: splunk-system-user -> NULL
09-13-2018 11:33:08.376 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.376 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.377 INFO dispatchRunner - search context: user="admin", app="search", bs-pathname="/opt/splunk/etc"
09-13-2018 11:33:08.380 INFO dispatchRunner - Executing the Search orchestrator and iterator model.
09-13-2018 11:33:08.381 INFO SearchOrchestrator - SearchOrchestrator getting constructed
09-13-2018 11:33:08.381 INFO SearchOrchestrator - Initialized the SRI
09-13-2018 11:33:08.381 INFO ISplunkDispatch - Not running in splunkd. Bundle replication not triggered.
09-13-2018 11:33:08.381 INFO SearchOrchestrator - Initialzing the run time settings for the orchestrator.
09-13-2018 11:33:08.381 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.381 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.381 INFO SearchOrchestrator - Creating the search DAG.
09-13-2018 11:33:08.381 INFO SearchPhaseGenerator - Disabling summaries in verbose mode
09-13-2018 11:33:08.381 INFO SearchParser - PARSING: | testexecution
09-13-2018 11:33:08.383 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.446 INFO AstOptimizer - SrchOptMetrics optimize_toJson=0.062923079
09-13-2018 11:33:08.447 INFO SearchParser - PARSING: | testexecution
09-13-2018 11:33:08.447 INFO ProjElim - Black listed processors=[addinfo]
09-13-2018 11:33:08.462 INFO AstOptimizer - SrchOptMetrics optimization=0.015610200
09-13-2018 11:33:08.462 INFO SearchPhaseGenerator - Optimized Search =| testexecution
09-13-2018 11:33:08.462 INFO ParallelReducePolicy - Current Search Head doesn't have any usable peers to use.
09-13-2018 11:33:08.462 INFO PhaseNodeGenerationVisitor - User lacking run_multi_phased_searches, rolling back to 2-phase mode.
09-13-2018 11:33:08.462 INFO PhaseToPipelineVisitor - Phase Search = | testexecution
09-13-2018 11:33:08.462 INFO SearchParser - PARSING: | testexecution
09-13-2018 11:33:08.462 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.520 INFO SearchPipeline - ReportSearch=1 AllowBatchMode=0
09-13-2018 11:33:08.520 INFO SearchParser - PARSING: testexecution phase="map"
09-13-2018 11:33:08.522 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.522 ERROR ChunkedExternProcessor - stderr: This should only be seen once.
09-13-2018 11:33:08.582 INFO SearchPhaseGenerator - Disabling timeliner since source is not an event index
09-13-2018 11:33:08.582 INFO SearchPhaseGenerator - Disabling timeliner since event search is empty
09-13-2018 11:33:08.582 INFO SearchPhaseGenerator - No need for RTWindowProcessor
09-13-2018 11:33:08.582 INFO SearchPhaseGenerator - Timeliner will not be executed
09-13-2018 11:33:08.582 INFO SearchPhaseGenerator - required fields list to add to different pipelines =
09-13-2018 11:33:08.582 INFO SearchPhaseGenerator - Search Phases created.
09-13-2018 11:33:08.583 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.583 INFO UserManager - Done setting user context: admin -> admin
09-13-2018 11:33:08.583 INFO UserManager - Unwound user context: admin -> admin
09-13-2018 11:33:08.583 INFO DistributedSearchResultCollectionManager - Stream search:
09-13-2018 11:33:08.583 INFO SearchPhaseGenerator - Result collation will occur at proc=testexecution
09-13-2018 11:33:08.583 INFO SearchParser - PARSING: | streamnoop
09-13-2018 11:33:08.583 INFO SearchParser - PARSING: streamnoop | testexecution phase="map" | testexecution
09-13-2018 11:33:08.583 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.584 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.584 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.584 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.584 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.585 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.585 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.585 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.585 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.585 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.585 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.652 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.767 INFO SearchOrchestrator - Starting the status control thread.
09-13-2018 11:33:08.767 INFO SearchOrchestrator - Starting phase=1
09-13-2018 11:33:08.767 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.767 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.767 INFO SearchStatusEnforcer - Enforcing disk quota = 10485760000
09-13-2018 11:33:08.767 INFO PreviewExecutor - Preview Enforcing initialization done
09-13-2018 11:33:08.767 INFO UserManager - Setting user context: admin
09-13-2018 11:33:08.767 INFO UserManager - Done setting user context: NULL -> admin
09-13-2018 11:33:08.767 INFO ReducePhaseExecutor - Stating phase_1
09-13-2018 11:33:08.767 INFO DispatchExecutor - BEGIN OPEN: Processor=testexecution
09-13-2018 11:33:08.771 INFO DispatchExecutor - END OPEN: Processor=testexecution
09-13-2018 11:33:08.776 ERROR ChunkedExternProcessor - stderr: This should only be seen once.
09-13-2018 11:33:08.779 INFO ReducePhaseExecutor - Ending phase_1
09-13-2018 11:33:08.779 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.779 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='1536831188.107', username='admin')
09-13-2018 11:33:08.786 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.786 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.787 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.787 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.787 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.787 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.787 INFO UserManager - Unwound user context: admin -> NULL
09-13-2018 11:33:08.787 INFO UserManager - Unwound user context: admin -> NULL
I appreciate your help understanding Splunk better.
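The search.log above is long, and the useful facts are buried in it: how many times Splunk spawned the script, and what the search pipeline was doing each time the reduce() marker reached stderr. Here is an added example (not part of the question and not Splunk SDK code) that parses search.log lines and reports exactly that. The SAMPLE_LOG is a constructed excerpt of the log posted above; the function names and the MarkerHit/LogEvent types are this example's own. Run against the excerpt it shows five "Running process" launches of testexecution.py and two marker hits, the first right after the `testexecution phase="map"` parse and the second inside ReducePhaseExecutor phase_1.

```python
"""Tally launches of a chunked custom search command and locate its stderr
marker in the search pipeline, from search.log lines.

Added example; not from the question or the Splunk SDK. SAMPLE_LOG is a
constructed excerpt of the search.log shown in the question.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = """\
09-13-2018 11:33:08.381 INFO SearchParser - PARSING: | testexecution
09-13-2018 11:33:08.383 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.447 INFO SearchParser - PARSING: | testexecution
09-13-2018 11:33:08.462 INFO SearchParser - PARSING: | testexecution
09-13-2018 11:33:08.462 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.520 INFO SearchParser - PARSING: testexecution phase="map"
09-13-2018 11:33:08.522 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.522 ERROR ChunkedExternProcessor - stderr: This should only be seen once.
09-13-2018 11:33:08.583 INFO SearchParser - PARSING: streamnoop | testexecution phase="map" | testexecution
09-13-2018 11:33:08.583 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.652 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python /opt/splunk/etc/apps/testCommand/bin/testexecution.py
09-13-2018 11:33:08.767 INFO ReducePhaseExecutor - Stating phase_1
09-13-2018 11:33:08.767 INFO DispatchExecutor - BEGIN OPEN: Processor=testexecution
09-13-2018 11:33:08.776 ERROR ChunkedExternProcessor - stderr: This should only be seen once.
09-13-2018 11:33:08.779 INFO ReducePhaseExecutor - Ending phase_1
"""

# search.log layout: "<date> <time> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) - (.*)$")


@dataclass
class LogEvent:
    ts: str
    level: str
    component: str
    message: str


@dataclass
class MarkerHit:
    ts: str
    last_parse: Optional[str]   # most recent "PARSING:" text seen before the marker
    last_phase: Optional[str]   # most recent ReducePhaseExecutor message, if any


def parse_search_log(text: str) -> List[LogEvent]:
    """Parse search.log text; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LogEvent(*m.groups()))
    return events


def count_process_launches(events: List[LogEvent], script_name: str) -> int:
    """How many times ChunkedExternProcessor spawned the given script."""
    return sum(
        1 for e in events
        if e.component == "ChunkedExternProcessor"
        and e.message.startswith("Running process:")
        and e.message.endswith(script_name)
    )


def marker_hits(events: List[LogEvent], marker: str) -> List[MarkerHit]:
    """Each stderr occurrence of `marker`, with the pipeline context before it."""
    hits: List[MarkerHit] = []
    last_parse: Optional[str] = None
    last_phase: Optional[str] = None
    for e in events:
        if e.component == "SearchParser" and e.message.startswith("PARSING: "):
            last_parse = e.message[len("PARSING: "):]
        elif e.component == "ReducePhaseExecutor":
            last_phase = e.message
        elif e.component == "ChunkedExternProcessor" and e.message == f"stderr: {marker}":
            hits.append(MarkerHit(e.ts, last_parse, last_phase))
    return hits


if __name__ == "__main__":
    evs = parse_search_log(SAMPLE_LOG)
    print("script launches:", count_process_launches(evs, "testexecution.py"))
    for h in marker_hits(evs, "This should only be seen once."):
        print(f"{h.ts} marker after parse={h.last_parse!r} phase={h.last_phase!r}")
```

Point it at a full search.log (read the file and pass its text to parse_search_log) to see, for any chunked command, how many separate processes the search head started and which parse or phase each stderr line belongs to; the reduce() marker here lands once in the map-phase parse and once in phase_1, which is what the question's log shows.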
How do I monitor changes to config files?
Hi,
brand new user of Splunk here. I'm currently evaluating Splunk Enterprise, and need a bit of help understanding why Splunk won't let me monitor a file from IIS called "web.config". I can see the contents of a file called xxxyyyzzz.log from the same server using a forwarder, so there is not a configuration issue on the client itself. My guess is it has something to do with the source type, but what? One would think that a file such as web.config would be so common that the "automatic" source type would be able to handle it. This file never changes, of course, except when we upgrade the system that this file controls. It would save me lots of time if I could see what settings the update destroys for us.
The file I want to see doesn't even show up in "Sources" when trying to search, even though it is entered in the exact same way as the .log file that does show up. What am I doing wrong?
lookup file with multiple fields
I use a lookup file which is configured like this:
field1, field2, field3, field4
value1, value2, value3, value4
value10, value2, value3, value4
value11, value2, value3, value4
I would like to obtain the result in a table where I count the quantity of the first field:
field2 field3 field4 field1
value2 value3 value4 3
I tried this search:
my search | lookup mylookup field1 output field2, field3, field4 | chart count by field2 | table field2 field3 field4 nb
but columns field3 and field4 are empty.
Where is my mistake?
Getting Errors in Splunk 7.1.1 while searching for something
6 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.
Unable to start splunkweb or Splunk Service
I have been trying to configure my Splunk instance (on Windows) to be run by an MSA.
I was never able to install Splunk and configure it to MSA execution in one single step. The closest I got to this goal was using the following command:
msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes LOGON_USERNAME=\Splunk LOGON_PASSWORD="" LAUNCHSPLUNK=0 /lv C:\SplunkInstall.log /qb
which resulted in the following SplunkInstall.log error:
SetupServiceConfig: Error: ChangeServiceConfig failed 0x421
SetupServiceConfig: Error: 0x80004005: Cannot setup splunkd
CustomAction SetupServiceConfig returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Instead, I tried to install Splunk to run as the "Local System" user (since I know this works when I use the MSI GUI) and then (prior to Splunk's first launch) manually change Splunk to run as the MSA. I got further along the process this way, as I was able to successfully install Splunk using the following cmdline:
msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes SPLUNKPASSWORD=MyNewPassword123 LAUNCHSPLUNK=0 /lv C:\SplunkInstall.log /qb
SplunkInstall.log reported no errors, and so I executed the steps to change the user executing Splunk, as described here: http://docs.splunk.com/Documentation/Splunk/5.0.3/Installation/CorrectingtheuserselectedduringWindowsinstallation
The issue I am now facing is that neither the Splunkd Service service nor splunkweb (legacy) is starting. When I attempted to start Splunk via cmdline, I found the following error in $SPLUNK_HOME\var\log\splunk\splunkd-utility.log:
ERROR UserManagerPro - The password cannot be set to the default password
ERROR AdminHandler:AuthenticationHandler - The password cannot be set to the default password.
Side note: $SPLUNK_HOME\etc\passwd ends in the following text:
... ::Administrator:admin:changeme@example.com::
When I attempted to start the service from the Windows "Services" GUI, I received the following pop-up error:
Windows could not start the Splunkd Service service on Local Computer
Error 1067: The process terminated unexpectedly.
Side note: In an attempt to fix the "Windows could not start the Splunkd Service" issue, I attempted the regedit command (regedit HKLM) detailed here: https://answers.splunk.com/answers/146016/windows-could-not-start-the-splunkd-or-splunkforwarder-service-on-local-computer-cannot-find-file-specified.html
This resulted in an error pop-up stating the following:
Cannot import HKLM: Error opening the file. There may be a disk or file system error.
Is there a way to pull the Sophos Audit Logs as well?
The only way I can view the audit logs is via the console; it would be nice to be able to ship them off with the rest of the event logs.
How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?
I've recently installed the Splunk Add-on for ServiceNow(SNOW) on my instance and have seen success across all the default settings. The integration with our SNOW instance went off without a hitch, and the Configuration Management Database (CMDB) information is flowing through the sourcetypes, eventtypes and saved searches as intended.
However, we now have use cases for the database tables in SNOW that were not included in the default inputs that came out of the box with the Add-on.
From what I understand of the documentation, if I wanted to pull the database table for "cmdb_ci_win_server" into Splunk, I should just define the data input under **Settings**>**Data Inputs**>**Splunk Addon for ServiceNow**.
However, all my attempts so far have failed. New input definitions I've created within the WebUI don't populate into the local/inputs.conf file at all. And even when I define the new data input within local/inputs.conf, new sourcetypes or eventtypes are not created so I can't tell if the data is being pulled down or not.
Does anyone have any experience with introducing new database table inputs into Splunk for the Splunk Add-on for ServiceNow?
How would you use an internal signed cert with a SH cluster?
I have a SH cluster and I would like to import an internal signed cert to it. Looking for procedures on doing this; I am guessing that I need to import it on each SH?
I also have a separate ES device that will need a cert imported as well.
Thanks!
How can I get state/city when I already have lon/lat in my event?
All,
So normally with iplocation and geostats I can look up State, City etc. for heatmaps. However, with the log I have now I don't have the IP. However, the log does have long/lat in it already. Is there any way to do the iplocation lookup backwards?
How to write a search that uses eval to show the difference between two assignment groups?
I am attempting to write a search which uses eval to show the difference between two assignment groups. There are a number of assignment groups which all begin with ABC. I want to group all of these as 'IDS'. I then want to show the allocated tickets to IDS and stack them against the OTHER assignment group (which does not start with ABC). I then want this to show as a timechart stacked week by week.
This is what I have:
index="myindex" sourcetype="csv" "Assignment group"="wildcard*" | eval IDS=if(like("Assignment group","ABC*"),"IDS","OTHER") | timechart span=1w count by "Assignment group"
Can anyone advise what I am doing wrong here? The timechart shows individual ABC-**** groups in the chart rather than grouped IDS results against OTHER.
Thanks in advance for any help.
Rob.
Why do I see duplicate fields in sourcetype configuration?
Hello Splunkers,
I am trying to configure a sourcetype in Advanced section.
For example, I create a field alias by creating the key/value:
[screenshot: the field alias key/value entered in the sourcetype's Advanced section]
When I perform search on the data, I see both MD5 and md5 fields to be extracted and containing the same values.
However, I want to see only md5 in Interesting fields.
Why do I see both fields?
Thank you in advance!
Afroditi
Is it possible to edit a sourcetype after its creation?
Hello Splunkers,
Is it possible to edit a sourcetype after its creation?
Thank you in advance!
Afroditi