Why am I getting the below error while trying to run the .jar file of the Splunk Java SDK?
C:\WINDOWS\system32>cd C:\Users\payal.s\Downloads\splunk-sdk-java-1.6.4\dist\examples
C:\Users\payal.s\Downloads\splunk-sdk-java-1.6.4\dist\examples>java -jar explorer.jar
Exception in thread "AWT-EventQueue-0" java.lang.RuntimeException: Received fatal alert: handshake_failure
at com.splunk.HttpService.send(HttpService.java:451)
at com.splunk.Service.send(Service.java:1295)
at com.splunk.HttpService.post(HttpService.java:348)
at com.splunk.Service.login(Service.java:1124)
at com.splunk.Service.login(Service.java:1103)
at com.splunk.Service.connect(Service.java:189)
at com.splunk.examples.explorer.Program$1.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$300(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.splunk.HttpService.send(HttpService.java:445)
... 20 more
How do I create an alarm if a value stored in a CSV changes?
Hi, I have a CSV file with the following structure:
NAME        DiskSerial       ProcSerial        MachineSerial
PC-ID-0007  null             BFEBFBFF000306F2  MJ044SGB
PC-ID-0088  WD-WX11DC7JHUV0  BFEBFBFF000306F2  MJ044SH9
PC-ID-5177  NA8GAPCF         BFEBFBFF000306F2  58Y0KB2
I need to create a search to identify if any of the serials that have been stored change, taking into account the last event that enters the indexer.
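One way to do the comparison the question asks for, added here as an example and not part of the original post: it assumes the CSV above is uploaded as a lookup named pc_serials.csv with the four columns shown, and that the current inventory events are indexed as index=inventory sourcetype=pc_serials with the same field names (index, sourcetype, lookup name and field names are all assumptions). The search takes the most recent value of each serial per machine, pulls the stored values from the lookup, and keeps only machines where at least one serial differs. fillnull writes the literal string "null" into any missing field so that an absent disk serial compares equal to the "null" the CSV already stores, and so that a machine missing from the lookup shows up as a change rather than being silently skipped.

```spl
index=inventory sourcetype=pc_serials
| stats latest(_time) AS last_seen, latest(DiskSerial) AS DiskSerial, latest(ProcSerial) AS ProcSerial, latest(MachineSerial) AS MachineSerial BY NAME
| lookup pc_serials.csv NAME OUTPUT DiskSerial AS stored_DiskSerial, ProcSerial AS stored_ProcSerial, MachineSerial AS stored_MachineSerial
| fillnull value="null" DiskSerial ProcSerial MachineSerial stored_DiskSerial stored_ProcSerial stored_MachineSerial
| where DiskSerial!=stored_DiskSerial OR ProcSerial!=stored_ProcSerial OR MachineSerial!=stored_MachineSerial
| convert ctime(last_seen)
| table NAME, last_seen, DiskSerial, stored_DiskSerial, ProcSerial, stored_ProcSerial, MachineSerial, stored_MachineSerial
```

Saved as an alert over a window that covers at least one inventory run per machine, with "Number of results" greater than 0 as the trigger, this fires once per changed or unknown machine. After a change has been reviewed and accepted, the lookup is the thing to update (for example with outputlookup from an approved inventory search); otherwise the same machine keeps alerting on every run.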
How do I enable SSL certificate validation using Splunk logging for .NET?
Splunk logging for .NET can't connect to my Splunk Enterprise using HTTP Event Collector. Other than disabling SSL, how do I enable SSL certificate validation using Splunk logging for .NET?
_TCPRouting and _Syslog Routing to 3rd Party using a HF
Hello,
I need to send sourcetypes to my indexes as per normal, but I also have to send those same sourcetypes to a 3rd party in syslog format.
I can't seem to get the transforms to send to TCP and to syslog. Has anyone got any experience with doing this?
I can do both as TCP, which works fine, but if I mix and match it has issues.
Is there a way to have Splunk take in data and come up with points based on the data by itself (without us having to tell Splunk what is required)?
Is there any module or solution within Splunk that can take in any form of data and come up with points based on the data trend all by itself, without us trying to tell Splunk what is required?
I understood that Splunk was supposed to do exactly that, but in our environment it's set up in a way where we need to tell Splunk what to do with the data. Just trying to understand if it's a feature within Splunk to do what I mentioned above ...
And what kind of training do I need to do to understand how this can be achieved...
Why am I getting a high skipped search ratio on the F5 Networks Analytics (new) data models?
I am getting about a 99% skip ratio for f5 data models that do not complete. The searches take quite some time to summarize the datamodels and I need to adjust the settings most likely. What I am concerned about is that this is a prebuilt datamodel for the f5 application and I do not want to modify any of the settings that will conflict with the application.
What can I do to fix this without messing up the application?
The maximum number of concurrent auto-summarization searches on this instance has been reached 624828 97.33 %
The maximum number of concurrent historical scheduled searches on this instance has been reached 17113 2.67 %
I increased the number of searches per core to 4 and I don't have any performance problems with that regard. What settings do I need to change now to help fix this issue?
How do I match two fields from the same join command?
Splunkers,
Search String:
`admon-user-lookup-update`
| eval src_user = (cn)
| fields src_nt_domain, displayName, cn
| rename cn as user
| join user
[ search index=winevents (EventCode=630 OR EventCode=4726 OR EventCode=4720 OR EventCode=4725) dest_nt_domain="xxxx"
| fields user, action, ComputerName, EventCode, EventCodeDescription, src_user, status]
I am able to match "cn" with user to produce a display name correlation between userid and full name. How can I match src_user to use display name as well?
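One way to resolve both the target user and the acting user to display names, added here as an example rather than taken from the original thread: it assumes the `admon-user-lookup-update` macro expands to a generating search that returns cn and displayName (as the search above already relies on), and keeps the index, event codes, domain filter and field names from the question. Instead of joining the AD data once on user and overwriting src_user, the Windows events are the base search and the AD data is joined twice, once per user field, with the display name renamed differently each time so the two results do not collide.

```spl
index=winevents (EventCode=630 OR EventCode=4726 OR EventCode=4720 OR EventCode=4725) dest_nt_domain="xxxx"
| fields _time, user, src_user, action, ComputerName, EventCode, EventCodeDescription, status
| join type=left user
    [ `admon-user-lookup-update` | rename cn AS user, displayName AS user_displayName | fields user, user_displayName ]
| join type=left src_user
    [ `admon-user-lookup-update` | rename cn AS src_user, displayName AS src_user_displayName | fields src_user, src_user_displayName ]
| table _time, EventCode, EventCodeDescription, action, status, ComputerName, user, user_displayName, src_user, src_user_displayName
```

type=left keeps account events whose user or src_user has no AD match, which is usually what you want for audit events such as 4720/4726, since a deletion or creation by an account that is not in the directory snapshot is exactly the row worth seeing. Each join subsearch is capped by the subsearch result limit (50,000 rows by default), so for a large directory the more robust pattern is to write the cn/displayName pairs to a CSV lookup on a schedule and use two lookup commands in place of the joins.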
Why is sslRootCAPath required to use CA signed certificates?
I would like help understanding why sslRootCAPath is needed in server.conf. From what I understand, this is just a typical CA bundle that contains all the root CAs that you trust/want to allow Splunk to interact with, in place of one built into an operating system/browser/whatever.
On to the topic of CA-signed certs. Why is it that this option is recommended for setting up certificates signed by a third party? I get that it could be helpful if you need to act as a client, but what does the server stand to gain? Here is the real question though: why would it be the case that after commenting out sslRootCAPath and restarting, some data comes through fine, and some data does not?
Thanks!
TA-mailclient ERROR ExecProcessor ... ERROR'NoneType'
I am getting an error message when the TA-mailclient runs. The message is:
10/1/18
11:28:21.682 AM
10-01-2018 11:28:21.682 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-mailclient/bin/mail.py" ERROR'NoneType' object has no attribute 'nodeValue'
host = xxxxxxxxxxxx
source = /opt/splunk/var/log/splunk/splunkd.log
sourcetype = splunkd
This error message comes after the messages:
IMAP - Connecting to mailbox as xxxxxx@xxxxx.com
Listing folders in mailbox=xxxxxxx@xxxxx.com
Accessing mailbox with readonly attribute
Has anyone seen this issue before?
How do I count the number of the occurrences / buckets when the given event happened?
Hello,
I am trying to count the time buckets when the specific search returns values and alert on it. My current search looks as follows:
index=mlbso sourcetype=BWP_hanatraces "Out of memory for Pool/JoinEvaluator" | timechart count span=1m as OOM_Pool | eval Occurence = if (OOM_Pool > 0,1,0)
For alerting, I am only interested in the occurrence being 1 or 0, not in the number of events (count) per time bucket. Then, I want to alert when the Occurrences increase with time, which I set in the alert trigger options (> 5 in the last 30 minutes).
The problem is that this is not working: the alert takes not only the Occurrence but also the Count and adds both up. So if I have 25 events (OOM_Pool) in one minute, then the Occurrence is 1, Count 25 and the alert gets triggered. I tried to overcome this by setting the custom triggering condition:
search Occurence > 5
but this does not seem to work.
How would I do it properly?
Kind regards,
Kamil
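The custom condition in the post never matches because, after the timechart, every row carries an Occurrence of either 0 or 1, so no single row is ever greater than 5, while the default "Number of results" trigger counts rows (one per minute) rather than minutes with the error. The search below, added here as an example and not part of the original post, keeps the index, sourcetype and search string from the question and collapses the per-minute rows into one row holding the number of minutes in which the message appeared; it assumes the alert's time range is set to the last 30 minutes.

```spl
index=mlbso sourcetype=BWP_hanatraces "Out of memory for Pool/JoinEvaluator"
| timechart span=1m count AS OOM_Pool
| eval Occurrence=if(OOM_Pool>0, 1, 0)
| stats sum(Occurrence) AS minutes_with_oom, sum(OOM_Pool) AS total_events
| where minutes_with_oom > 5
```

With the where clause in place the search returns exactly one row when more than 5 of the 30 one-minute buckets contained the message and no rows otherwise, so the alert trigger is simply "Number of results" greater than 0. timechart emits a zero bucket for minutes with no events, so quiet minutes contribute nothing to minutes_with_oom, and total_events is only carried along for the notification text; 25 events in one minute still count as a single occurrence.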
Can you help me create a service account log-in alert?
Hello all, I have a service account (Account_AB) that should only log into a particular server (Server_A). We are getting AD logs into our Splunk instance. How would I go about setting an alert to notify if Account_AB logs into any other device other than Server_A? Thanks in advance.
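A detection search for this requirement, added here as an example and not part of the original post: it assumes the Windows security logs are in index=wineventlog with sourcetype="WinEventLog:Security" and that the Splunk Add-on for Windows has extracted user, host, src_ip and Logon_Type (all of these names are assumptions; Account_AB and Server_A are the placeholder names from the question). Event 4624 is a successful logon recorded on the machine that was logged into, so host is the device the service account reached, and the search simply excludes the one host where that is allowed.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 user="Account_AB" NOT host="Server_A"
| stats count AS logons, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(Logon_Type) AS Logon_Type, values(src_ip) AS src_ip BY user, host
| convert ctime(first_seen) ctime(last_seen)
```

Scheduled as an alert with "Number of results" greater than 0, this yields one row per unexpected host with the logon types and source addresses, which is what you need to tell a scheduled task or mapped drive (network or batch logon) from an interactive session. Two things to check against your own data before trusting it: whether the user field arrives as Account_AB or as DOMAIN\Account_AB (adjust the filter or use wildcards accordingly), and whether you also want 4625 failures in scope, since an attacker trying the account's credentials on other servers would show up there first.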
How do we make a report with the volume of all the logs that are currently being logged in Splunk?
Hi Team,
We need a report with the volume of all the logs in Splunk.
For example: how much is log1 consuming every day for the last 30 days?
time   log1  log2  log3  log4
aug 1  36gb  32gb  39gb  40gb
aug 2  36gb  32gb  39gb  40gb
aug 3  36gb  32gb  39gb  40gb
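One way to build this report from Splunk's own license accounting, added here as an example and not part of the original post: license_usage.log in the _internal index records, in its type=Usage lines, the bytes indexed (field b) per index (idx), sourcetype (st), source (s) and host (h). The search assumes it is run on, or with search access to, the license master that writes that log, and treats "log1", "log2" and so on as sourcetypes; change BY st to BY idx to report per index instead.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=@d
| eval GB=round(b/1024/1024/1024, 3)
| timechart span=1d limit=0 sum(GB) BY st
```

This gives one row per day and one column per sourcetype, directly in the shape of the table above; limit=0 stops timechart from folding less common sourcetypes into an OTHER column. One caveat: when there are many unique source/host combinations Splunk squashes the s and h values in these log lines, so splitting by source or host is unreliable there, while idx and st remain accurate. Note also that the figures are license-metered volume (raw bytes as indexed), not disk usage after compression.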
How do I combine multiple sources and source types?
I am trying to get the Instance_ID, source IP, source port, security group, destination IP, destination port and its security group from the AWS data, but all of the fields are from different source types and sources, like below:
Search A
index=main sourcetype="aws:cloudwatchlogs:vpcflow" ---- src_ip, src_port, dest_ip, dest_port
Search B
index=main sourcetype="aws:description" source="us-east-1:ec2_security_groups" ---- instances{}.id, description (security group)
Search C
index=main sourcetype="aws:description" source="us-east-1:ec2_instances" ---- private_ip_address (this is common with search A via src_ip or dest_ip), id (this field is the same as instances{}.id in search B)
Is there a way to combine all these in a table command to get the following, or is there any other sourcetype which has all these logs from the AWS point of view?
|table Instance_ID src_ip src_port sg_group dest_ip dest_port dest_sg_id
Thanks in Advance
How to find raw events coming to HEC?
I am trying to find the raw data hitting HEC that results in parser issues. These events are supposedly dropped, and I need to know what exactly in the message is causing it. I have tried enabling debug logging for HttpClientRequest, HttpInputEventParser, HttpInputDataHandler, HttpEventCollector and HunkRawdataParser, but none of them show the raw data input. Any suggestion on how to find the raw HTTP data hitting HEC?
transforms.conf regex extract strange fields with value $2
My `transforms.conf` has these lines:
[api-param]
REGEX=^(\w+)=(.+?)\n
FORMAT=$1::$2
and `props.conf` has:
[api]
TZ = Europe/Moscow
MAX_TIMESTAMP_LOOKAHEAD = 25
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = ^
MAX_EVENTS = 5000
CHARSET = AUTO
KV_MODE = none
NO_BINARY_CHECK = true
REPORT-st = api-param
Why do I get strange fields with the value `$2`,
like `index=* OK="$2"` on the event
2018-10-01 22:21:55,812 INFO [ 891] [AsopApi]
----------------------------
requestID=Server@1538421715802-1570361
messageID=MetroRequest@1538421715802-865639
actor=Asop->
api=AsopApi
method=asop_wr_start
type=response
elapsed=0.010
cardUID=048E48820F5D80
cardNumber=0021642560
trxID=181000000365323654
trxPCID=2EF20F6318CBEA4774DFAE6E1D18B52D
session=230873148
trxPaymentPCID=EE21AF76139B982D2CFA642BB05DC09F
trxPaymentTime=2018-10-01T22:19:11.332
result=OK1.1 230873148 90.0
----------------------------
or `index=* 0003191276="$2"` on
2018-10-01 22:18:24,645 INFO [ 49] [AsopAeroexpressApi]
----------------------------
requestID=Server@1538421504531-1565469
messageID=MetroRequest@1538421504552-863049
actor=->Asop
api=AsopAeroexpressApi
method=cott_ewd_start
type=response
elapsed=0.089
cardUID=043B8D0A7F3580
cardNumber=0003191276
trxID=181000000365322716
trxPCID=14402F29670CE347D6724DC5631825D9
agent=torgwc
result=OK
headers={content-length=664, content-type=text/xml;charset=windows-1251, pragma=no-cache}1.0 14402F29670CE347D6724DC5631825D9 0 675.00 0 RdsQAwsezhlqYqQAAAAAAA==1 NSgsM4wAFABB6xQAHKURbw==2 NSgsM4wAFABB6xQAHKURbw==
0
0
Why are we seeing an issue with an EXTREMELY busy forwarder bogging down our indexers?
Recently, indexing from that particular forwarder has gotten to be even slower, sometimes falling hours behind. I'm curious as to what the recommendation from the community may be:
1. Configure improved load balancing in props.conf by setting EVENT_BREAKER_ENABLE to true.
2. Change the existing forceTimebasedAutoLB settings to a shorter interval.
3. Something else
Our version is 7.0.2
How do I combine "| stats count by host" and "| stats distinct_count(host)" in one table?
I can search for events and run stats count by host.
And I can run a search of distinct number of hosts.
I want to combine both in one table. I want count of events by host and a count of hosts.
I actually want to create an alert based on the number of hosts returned.