Hello,
Could you perhaps help me to change the color of the single value?
I would like to have a static blue color without ranges or any dependencies.
I try to implement it as follows, but it does not work:
The font size gets changed correctly by the above, but not the font color.
Kind Regards,
Kamil
↧
How do I change the panel single value color using XML?
↧
What is the knowledge bundle default behaviour?
Hi
I have one search head and 2 search nodes (non-clustered).
I have an app installed on the search head, but I had to manually install the app on the 2 search nodes; I get the feeling this should have happened by default with the "knowledge bundle".
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Limittheknowledgebundlesize
Or do I have to specify my app specifically? If so, how and where?
When I check my "search peers" I can see "Replication Status" = Successful
Thanks in advance
Robert Lynch
↧
Splunk DB Connect Roles
I was wondering if it is possible to have a dashboard with queries that use DB Connect but do not allow certain user roles to access db connect directly to make their own custom queries. Essentially there's information that I want to provide normal users without them being able to touch the DB. Any insight on this would be much appreciated. Thanks!
↧
The Splunk Add-on for Kafka vs. Splunk Connect for Kafka
What is the difference between the two? When I go to the first one, "Splunk Add-on for Kafka", it says it is no longer supported and directs me to the other one, "Splunk Connect for Kafka".
If it is not supported, why is it still out there?
Also, I'm trying to download the jar file from https://github.com/splunk/kafka-connect-splunk/releases/tag/v1.1.0, but I'm blocked by the firewall on my work computer. Is there any alternative way to get this jar in?
Warm regards,
↧
Temenos T24 Monitoring with Splunk
Hi team
I have been working on a new project in the banking sector where they are using the T24 core banking system.
Does anyone know if there is an add-on for Splunk, or how I can capture data from T24 like transactions, performance, system and audit?
Regards
↧
I have two fields that are extracted in Splunk, i.e. start time and end time, which are in 12-hour format. I want to convert them to 24-hour format. Can someone help with this?
Here is the data below:
start time : 11/21/2018 11:04:54 AM, End time : 11/21/2018 11:04:56 AM
start time : 2010-04-01,,11/20/2018 6:59:59 PM, End time :11/20/2018 7:03:20 PM
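Splunk's eval functions handle this in two steps: strptime parses the 12-hour string into epoch seconds (%I is the 12-hour field and %p consumes AM/PM), and strftime writes it back with %H for the 24-hour field. The following search is an added example, not part of the original post; it builds its two sample rows inline with makeresults from the values quoted above (the stray "2010-04-01,," prefix on the second sample line is not part of the time value and would have to be stripped before parsing), and the field names start_time and end_time are assumptions about how the extractions are named.

```spl
| makeresults count=2
| streamstats count AS n
| eval start_time=if(n=1, "11/21/2018 11:04:54 AM", "11/20/2018 6:59:59 PM"),
       end_time=if(n=1, "11/21/2018 11:04:56 AM", "11/20/2018 7:03:20 PM")
| eval start_epoch=strptime(start_time, "%m/%d/%Y %I:%M:%S %p"),
       end_epoch=strptime(end_time, "%m/%d/%Y %I:%M:%S %p")
| eval start_time_24=strftime(start_epoch, "%m/%d/%Y %H:%M:%S"),
       end_time_24=strftime(end_epoch, "%m/%d/%Y %H:%M:%S"),
       duration_sec=end_epoch-start_epoch
| table start_time start_time_24 end_time end_time_24 duration_sec
```

strptime returns null when the string does not match the format, so `| where isnull(start_epoch) OR isnull(end_epoch)` run on the real events is the quickest way to find rows whose extraction picked up extra text. Keeping the epoch fields around also gives the duration for free, which is usually what a start/end pair is wanted for.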
↧
Forwarders not forwarding data at real time
We have a process that runs on a specific machine every day for 60 iterations, with 5 minutes between each iteration. This process logs the time it took for each iteration to complete in a text file. But the forwarder is not forwarding data in real time.
For example:
The 3 iterations below were logged into Splunk at the same time, whereas there is a 5-minute interval between each run.
11/21/18 3:43:08.000 AM TestIteration35=48.63477
11/21/18 3:43:08.000 AM TestIteration34=48.14551
11/21/18 3:43:08.000 AM TestIteration33=48.31934
Any way to fix this?
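The raw lines shown above carry no timestamp of their own. When Splunk finds no timestamp in an event it falls back to the previous event's time from the same source, then the file's modification time, then the current time, which is how several lines read in one pass end up with an identical _time down to the millisecond. The search below, an added example that is not from the original post, separates the two possible causes by comparing _time with _indextime: a lag near zero on events that share a _time means the time was assigned at read, not extracted, while a large lag with distinct times means the forwarder really did read the file late. The index, sourcetype and the 300-second threshold are assumptions.

```spl
index=my_index sourcetype=iteration_log
| eval index_lag_sec=_indextime-_time
| rex field=_raw "TestIteration(?<iteration>\d+)=(?<seconds>[\d.]+)"
| stats count AS events_with_same_time values(iteration) AS iterations
        min(index_lag_sec) AS min_lag_sec max(index_lag_sec) AS max_lag_sec
        BY source _time
| where events_with_same_time > 1 OR max_lag_sec > 300
| sort - _time
```

If the first pattern shows up, the fix is on the producing side: write a timestamp on every line and describe it with TIME_FORMAT in props.conf, so that _time reflects when the iteration finished regardless of when the forwarder picked the line up. If the second shows up, `splunk list inputstatus` on the forwarder reports the tailing position and state of each monitored file and is the place to look next.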
↧
Is it possible to filter based on metric values in a metrics index?
I'm trying to run an mstats query on a metrics index to filter based on the metric value, i.e. _value. I'm aware that Splunk does not allow directly using the _value field to filter, either in the where or the group-by options. I just want to understand whether there is any other way we can filter based on _value.
One work around I have in mind to use the same metric value field as one of the dimension and use it on the filter. Any other option without using this work around will be more helpful.
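The WHERE clause of mstats filters on index, metric_name and dimensions only, but the aggregate mstats produces is an ordinary search field, so a where command after mstats filters on it like any other. The search below is an added example, not from the original post; the index, metric name, dimension and threshold are assumptions. Aggregating with max over a short span comes close to per-datapoint filtering: a 5-minute bucket survives if any datapoint in it exceeded the threshold, without storing the value as a dimension.

```spl
| mstats avg(_value) AS avg_value max(_value) AS max_value
    WHERE index=my_metrics metric_name="cpu.utilization"
    BY host span=5m
| where max_value > 90
| sort - max_value
```

Shrinking the span tightens the approximation at the cost of more rows; the dimension workaround remains the only way to exclude datapoints before aggregation.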
↧
Why can't Kinesis Firehose reach my heavy forwarder?
Hi,
We're trying to get CloudWatch Logs via Kinesis Firehose to a heavy forwarder in a VPC. It's not working currently; we're getting the error:
*"Destination: https://XX.XX.XX.XX:8088 - Failed to deliver data to Splunk or to receive acknowledgment. Make sure HEC endpoint is reachable from Firehose and it is healthy."*
- We confirmed that the HEC-Endpoint is working via curl. (ACK enabled)
- We opened to the CIDR-Blocks as described here: https://docs.aws.amazon.com/de_de/firehose/latest/dev/controlling-access.html#using-iam-splunk-vpc
- Our HF is on Splunk 7.1.1. It's SSL-secured with the certificate shipped with Splunk.
Maybe that's the problem? (as described here: http://docs.splunk.com/Documentation/AddOns/released/Firehose/Troubleshoot#SSL-related_data_delivery_errors)
- Required ports are open (8088, 8089).
- We aren't getting any info regarding the HEC-Endpoint in the internal logs.
- Other HEC-Endpoints on the HF are working fine.
Does anyone have any ideas?
Regards and thanks in advance,
Eric
↧
How can I merge two columns in a timechart?
I'm using the timechart command and have a chart that looks something like this:
_time Column-v01 Column-v02
2018-11-21 09:15:00 12 13
2018-11-21 09:20:00 23 11
2018-11-21 09:25:00 34 2
2018-11-21 09:30:00 32 3
Is there a way that I can merge 'Column-v01' and 'Column-v02' into a new column called 'Column'? My expected result should look like this:
_time Column
2018-11-21 09:15:00 25
2018-11-21 09:20:00 34
2018-11-21 09:25:00 36
2018-11-21 09:30:00 35
I have already tried using an rex statement:
`| rex field=svc mode=sed "s/Column-v0\d+/Column/g"`
and an eval statement:
`| eval field=if(field=="Column-v01" OR field=="Column-v02","Column",field)`
Neither of these worked.
Any help is appreciated!
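After timechart, Column-v01 and Column-v02 are column names rather than values of a field, which is why a rex or eval on the result rows cannot merge them. The merge has to happen either on the split-by field before timechart, or by adding the two columns afterwards. Both forms are given below as an added example that is not from the original post; the index, sourcetype, the split-by field svc and the 5-minute span are assumptions.

```spl
index=my_index sourcetype=my_svc_log
| eval svc=replace(svc, "^Column-v0\d+$", "Column")
| timechart span=5m count BY svc

index=my_index sourcetype=my_svc_log
| timechart span=5m count BY svc
| eval Column=coalesce('Column-v01', 0) + coalesce('Column-v02', 0)
| fields - Column-v01 Column-v02
```

The first form is the general one: any number of Column-v0N variants collapse into Column before the chart is built. The second only works when the variants are known in advance; note the single quotes around 'Column-v01', which eval needs for field names containing a hyphen, and the coalesce, which stops a bucket where one variant is absent from becoming null.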
↧
[Sideview] Pulldown chain with interactive dynamic lookups
I tried to build multiple filters where each selected value should filter the other 3 filters' value lists, no matter in which order the filters are used. This worked with a simple XML dashboard and a bunch of post-processing searches.
Being a beginner with Sideview, I used a pulldown chain and it works only downstream, as expected :-)
What should I change to have the desired functionality?
Thank you.
The pulldown chain:
field1Select field1field1="$value$"left|search $field2$ $field3$ $field4$ | dedup $name$ | sort $name$$name$field2Select field2field2="$value$"left|search $field1$ $field3$ $field4$ | dedup $name$ | sort $name$$name$field3Select field3field3="$value$"left| search $field1$ $field2$ $field4$ | dedup $name$ | sort $name$$name$field4Select field4field4="$value$"left| search $field1$ $field2$ $field4$ | dedup $name$ | sort $name$$name$
↧
Windows log file ingesting as weird characters
We are trying to ingest Peregrine logs for Asset Manager. We can open the log file on the Windows server and it is all ASCII text; however, when Splunk ingests it, it comes in as \x00[\x00p\x00r\x00a\x00t\x00i and so on. I modified the input from doing a monitor on the log file to PowerShell:
[powershell://MonitorConnSlots]
script = . "%SPLUNK_HOME%\etc\apps\FWF_scac_logs\bin\MonitorConnSlots.ps1"
interval = 5,35 * * * *
recursive = false
sourcetype = assetmanagerexport
The powershell script has:
cat "c:\Program Files\Peregrine\ACFtp\ACExport\MonitorConnectionSlots.log"
The first 2 times it ingested correctly, but then it reverted back to the weird \x00 stuff afterwards. We have verified with the Peregrine vendor that the logs are written out as ASCII text.
Anyone have any ideas?
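A null byte after every character (\x00[\x00p\x00r\x00a\x00t\x00i) is what a UTF-16LE file looks like when it is read as single-byte ASCII: each character occupies two bytes and the high byte of plain Latin text is zero. Windows editors display such a file as ordinary text, and Windows tools commonly write it (PowerShell's Out-File calls this encoding "Unicode"), so the vendor and the ingest can both be right. The fragment below is an added example, not configuration from the original post: it returns to a plain monitor input and tells Splunk the file's encoding with CHARSET, which is applied per sourcetype in props.conf on the instance that tails the file. The sourcetype name and path are taken from the post; everything else is an assumption.

```ini
# inputs.conf: monitor the file directly instead of re-reading it from a script
[monitor://C:\Program Files\Peregrine\ACFtp\ACExport\MonitorConnectionSlots.log]
sourcetype = assetmanagerexport
disabled = 0

# props.conf: declare the on-disk encoding so the UTF-8 conversion strips the null bytes
[assetmanagerexport]
CHARSET = UTF-16LE
SHOULD_LINEMERGE = false
```

`splunk btool props list assetmanagerexport --debug` confirms which file the CHARSET is being read from. A hex dump of the first bytes of the log settles the encoding question: FF FE at the start is the UTF-16LE byte-order mark, and without it CHARSET=AUTO cannot tell the file apart from ASCII. If the file must keep being collected through the PowerShell script, `Get-Content -Encoding Unicode` is PowerShell's name for reading UTF-16LE.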
↧
How to get ASCII log file to ingest as plain text from windows 2016 server
↧
Configure 10Gbps network capture - Invalid key in stanza [streamfwd] in /opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf,
Hey Splunkers,
Why am I getting the following error message when running dedicated capture mode for Splunk stream? Followed the instructions outlined here.
I'm currently testing dedicated capture mode on Ubuntu instead of RHEL/CentOS. I don't think that's the problem though.
Invalid key in stanza [streamfwd] in /opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf, line 4: dedicatedCaptureMode (value: 1).
Did you mean 'duplicatePacketWindow'?
Here are my current config files for directory /opt/splunk/etc/apps/Splunk_TA_stream/local#
inputs.conf
[streamfwd://streamfwd]
splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
streamfwd.conf
[streamfwd]
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:86:00.1
streamfwd.xml.bak
enp134s0f1 false
Here is the output from the debug using btool:
sudo ./splunk btool check --debug
Checking: /opt/splunk/etc/users/admin/search/local/ui-prefs.conf
Checking: /opt/splunk/etc/users/admin/search/local/ui-tour.conf
Checking: /opt/splunk/etc/users/admin/splunk_app_stream/local/ui-prefs.conf
Checking: /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf
Invalid key in stanza [streamfwd] in /opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf, line 2: dedicatedCaptureMode (value: 1).
Did you mean 'duplicatePacketWindow'?
Checking: /opt/splunk/etc/apps/learned/local/props.conf
Checking: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/app.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/default-mode.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/server.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/app.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/default-mode.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/indexes.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/limits.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/outputs.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/props.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/server.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/web.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/app.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/commands.conf
No spec file for: /opt/splunk/etc/apps/Splunk_TA_bro/default/eventgen.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/indexes.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/inputs.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/props.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/tags.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_bro/default/transforms.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/app.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/distsearch.conf
No spec file for: /opt/splunk/etc/apps/Splunk_TA_stream/default/eventgen.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/inputs.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/outputs.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/props.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/server.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/streamfwd.conf
No spec file for: /opt/splunk/etc/apps/Splunk_TA_stream/default/streamfwdlog.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/tags.conf
Checking: /opt/splunk/etc/apps/Splunk_TA_stream/default/transforms.conf
Checking: /opt/splunk/etc/apps/alert_logevent/default/alert_actions.conf
Checking: /opt/splunk/etc/apps/alert_logevent/default/app.conf
Checking: /opt/splunk/etc/apps/alert_logevent/default/restmap.conf
Checking: /opt/splunk/etc/apps/alert_webhook/default/alert_actions.conf
Checking: /opt/splunk/etc/apps/alert_webhook/default/app.conf
Checking: /opt/splunk/etc/apps/alert_webhook/default/restmap.conf
Checking: /opt/splunk/etc/apps/appsbrowser/default/app.conf
Checking: /opt/splunk/etc/apps/gettingstarted/default/app.conf
Checking: /opt/splunk/etc/apps/introspection_generator_addon/default/app.conf
Checking: /opt/splunk/etc/apps/introspection_generator_addon/default/inputs.conf
Checking: /opt/splunk/etc/apps/introspection_generator_addon/default/server.conf
Checking: /opt/splunk/etc/apps/launcher/default/app.conf
Checking: /opt/splunk/etc/apps/launcher/default/launcher.conf
Checking: /opt/splunk/etc/apps/legacy/default/app.conf
Checking: /opt/splunk/etc/apps/legacy/default/props.conf
Checking: /opt/splunk/etc/apps/sample_app/default/app.conf
Checking: /opt/splunk/etc/apps/sample_app/default/indexes.conf
Checking: /opt/splunk/etc/apps/sample_app/default/inputs.conf
Checking: /opt/splunk/etc/apps/sample_app/default/props.conf
Checking: /opt/splunk/etc/apps/search/default/app.conf
Checking: /opt/splunk/etc/apps/search/default/commands.conf
Checking: /opt/splunk/etc/apps/search/default/event_renderers.conf
Checking: /opt/splunk/etc/apps/search/default/macros.conf
Checking: /opt/splunk/etc/apps/search/default/props.conf
Checking: /opt/splunk/etc/apps/search/default/restmap.conf
Checking: /opt/splunk/etc/apps/search/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/search/default/transforms.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/app.conf
No spec file for: /opt/splunk/etc/apps/splunk_app_stream/default/cloud.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/collections.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/distsearch.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/macros.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/restmap.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/times.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/ui-tour.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/web.conf
Checking: /opt/splunk/etc/apps/splunk_app_stream/default/workflow_actions.conf
Checking: /opt/splunk/etc/apps/splunk_archiver/default/app.conf
Checking: /opt/splunk/etc/apps/splunk_archiver/default/commands.conf
Checking: /opt/splunk/etc/apps/splunk_archiver/default/distsearch.conf
Checking: /opt/splunk/etc/apps/splunk_archiver/default/props.conf
Checking: /opt/splunk/etc/apps/splunk_archiver/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/alert_actions.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/app.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/collections.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/commands.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/macros.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/props.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/restmap.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/telemetry.conf
Checking: /opt/splunk/etc/apps/splunk_instrumentation/default/web.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/app.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/checklist.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/distsearch.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/dmc_alerts.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/macros.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/props.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/splunk_monitoring_console_assets.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/transforms.conf
Checking: /opt/splunk/etc/apps/splunk_monitoring_console/default/visualizations.conf
Checking: /opt/splunk/etc/apps/user-prefs/default/app.conf
Checking: /opt/splunk/etc/apps/user-prefs/default/user-prefs.conf
Checking: /opt/splunk/etc/master-apps/_cluster/default/indexes.conf
Checking: /opt/splunk/etc/system/default/alert_actions.conf
Checking: /opt/splunk/etc/system/default/app.conf
Checking: /opt/splunk/etc/system/default/audit.conf
Checking: /opt/splunk/etc/system/default/authentication.conf
Checking: /opt/splunk/etc/system/default/authorize.conf
Checking: /opt/splunk/etc/system/default/collections.conf
Checking: /opt/splunk/etc/system/default/commands.conf
No spec file for: /opt/splunk/etc/system/default/conf.conf
Checking: /opt/splunk/etc/system/default/datamodels.conf
Checking: /opt/splunk/etc/system/default/datatypesbnf.conf
Checking: /opt/splunk/etc/system/default/default-mode.conf
Checking: /opt/splunk/etc/system/default/distsearch.conf
Checking: /opt/splunk/etc/system/default/event_renderers.conf
Checking: /opt/splunk/etc/system/default/eventdiscoverer.conf
Checking: /opt/splunk/etc/system/default/eventtypes.conf
Checking: /opt/splunk/etc/system/default/fields.conf
Checking: /opt/splunk/etc/system/default/health.conf
Checking: /opt/splunk/etc/system/default/indexes.conf
Checking: /opt/splunk/etc/system/default/inputs.conf
Checking: /opt/splunk/etc/system/default/limits.conf
Checking: /opt/splunk/etc/system/default/livetail.conf
Checking: /opt/splunk/etc/system/default/messages.conf
Checking: /opt/splunk/etc/system/default/multikv.conf
Checking: /opt/splunk/etc/system/default/outputs.conf
Checking: /opt/splunk/etc/system/default/procmon-filters.conf
Checking: /opt/splunk/etc/system/default/props.conf
Checking: /opt/splunk/etc/system/default/restmap.conf
Checking: /opt/splunk/etc/system/default/savedsearches.conf
Checking: /opt/splunk/etc/system/default/segmenters.conf
Checking: /opt/splunk/etc/system/default/server.conf
Checking: /opt/splunk/etc/system/default/serverclass.conf
Checking: /opt/splunk/etc/system/default/source-classifier.conf
Checking: /opt/splunk/etc/system/default/telemetry.conf
Checking: /opt/splunk/etc/system/default/times.conf
Checking: /opt/splunk/etc/system/default/transactiontypes.conf
Checking: /opt/splunk/etc/system/default/transforms.conf
Checking: /opt/splunk/etc/system/default/ui-prefs.conf
Checking: /opt/splunk/etc/system/default/ui-tour.conf
Checking: /opt/splunk/etc/system/default/viewstates.conf
Checking: /opt/splunk/etc/system/default/visualizations.conf
Checking: /opt/splunk/etc/system/default/web.conf
Checking: /opt/splunk/etc/system/default/workflow_actions.conf
Checking: /opt/splunk/etc/system/local/inputs.conf
No spec file for: /opt/splunk/etc/system/local/migration.conf
Checking: /opt/splunk/etc/system/local/server.conf
↧
Renames in Splunk Add-on for Microsoft IIS not working
We are using the Splunk Add-on for Microsoft IIS, and I am running into an odd issue where the renames are not working. We are running the add-on with Splunk Enterprise 7.2. The original fields are coming in fine, but the renames to the CIM-compliant names are not taking place. I am particularly having this issue with cs_Referer and cs_User_Agent. Here are my transforms and props entries:
**TRANSFORMS.CONF:**
[auto_kv_for_iis_default_IFS1]
DELIMS = " "
FIELDS = date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs_User_Agent cs_Referer sc-status sc-substatus sc-win32-status time-taken
[iis_action_lookup]
filename = iis_action_lookup.csv
**PROPS.CONF:**
[IFS:http_server]
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = false
REPORT-auto_kv_for_iis_default_IFS1 = auto_kv_for_iis_default_IFS1
LOOKUP-iis_action_lookup = iis_action_lookup status OUTPUT action
FIELDALIAS-cs_username = cs_username as user
FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent, cs_User_Agent_ as http_user_agent, 'cs(User-Agent)' as http_user_agent
FIELDALIAS-cs_uri_stem = cs_uri_stem as uri_path
FIELDALIAS-cs_uri_query = cs_uri_query as uri_query
FIELDALIAS-TimeTakenMS = TimeTakenMS as duration, TimeTakenMS as response_time, time_taken as duration, time_taken as response_time
FIELDALIAS-sc_status = sc_status as status
FIELDALIAS-s_sitename = s_sitename as site
FIELDALIAS-s_ip = s_ip as dest_ip, s_ip as dest, s_ip as dvc
FIELDALIAS-s_port = s_port as http_port, s_port as dest_port, s_port as port
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-RequestsPerSecond = RequestsPerSecond as hits_per_second
FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, cs_Referer as http_referer, cs_Referer_ as http_referer, 'cs(Referer)' as http_referer
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-cs_Cookie = cs_Cookie as cookie, cs_Cookie_ as cookie
FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src
FIELDALIAS-sc_bytes = sc_bytes as bytes_out
FIELDALIAS-cs_bytes = cs_bytes as bytes_in
EVAL-http_user_agent_length = len(http_user_agent)
EVAL-bytes = bytes_in + bytes_out
EVAL-web_server = host . ":" . site
EVAL-vendor = "Microsoft"
EVAL-product = "Internet Information Services (IIS)"
EVAL-vendor_product = "Microsoft Internet Information Services (IIS)"
EVAL-app = "Microsoft Internet Information Services (IIS)"
EVAL-url = if((isnotnull(case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) AND isnotnull(s_ip) AND isnotnull(s_port) AND isnotnull(cs_uri_stem) ), (case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) . "://" . s_ip . ":" . s_port . cs_uri_stem . if(isnull(cs_uri_query) OR (cs_uri_query =="-"), "", "?" + cs_uri_query), "")
EVAL-url_length = len(if((isnotnull(case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) AND isnotnull(s_ip) AND isnotnull(s_port) AND isnotnull(cs_uri_stem) ), (case(match(cs_version, "^HTTPS\/\S*"), "https", match(cs_version, "^HTTP\/\S*"), "http")) . "://" . s_ip . ":" . s_port . cs_uri_stem . if(isnull(cs_uri_query) OR (cs_uri_query =="-"), "", "?" + cs_uri_query), ""))
EVAL-role = "web_server"
pulldown_type = true
description = Log files produced by Microsoft IIS W3C log files (search-time field extraction)
category = Web
DATETIME_CONFIG =
NO_BINARY_CHECK = true
disabled = false
Thank you for your help.
Andrew
↧
Indexer CPU
Hello,
We have a non-clustered indexer environment. We have one indexer (blue line) that is always well above the CPU utilization of the rest. It doesn't appear that there are any more searches on the one in question compared to the others. This indexer was the first indexer we stood up, but I don't see how that could affect anything. The distributed jobs to all indexers are pretty equal across the board. Not sure what is causing the CPU to stay higher than the rest.
Any suggestions?
Thanks!
![alt text][1]
[1]: /storage/temp/257673-screen-shot-2018-11-21-at-123359-pm.png
↧
How to use a where clause with a cluster map
I'm trying to make a cluster map in Splunk by IP address.
I grouped the IPs by id number, and I want to only show clusters where each id has more than 3 IP addresses.
I have the following code:
index="xxx" id != "-" | iplocation ip | geostats dc(ip) by id
And I tried to give dc(ip) a name (like dc(ip) as ipCount) so that I can use it in the where clause (where ipCount > 3), but unfortunately geostats doesn't allow me to rename.
Does anybody know how or where to add a where clause, or is there another way of making the map?
Thank you
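geostats aggregates straight into map bins, so there is no row-level result to filter between it and the data. The distinct count per id can instead be computed before geostats with eventstats, which attaches dc(ip) to every event without collapsing them, leaving the lat and lon fields from iplocation in place for geostats to use. The search below is an added example, not from the original post; the index name and the threshold are taken from the post, and the field names ip and id are assumed to be the ones already extracted.

```spl
index="xxx" id!="-"
| iplocation ip
| eventstats dc(ip) AS ipCount BY id
| where ipCount > 3
| geostats dc(ip) BY id
```

The filter is evaluated per id over the whole search time range, not per map cell, so an id with four IPs spread across four cities keeps all four markers. To filter on the count within a cell instead, compute the bin first, for example with `stats dc(ip) AS ipCount BY id, lat, lon` followed by the where, and feed the result to geostats with latfield=lat longfield=lon.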
↧
Disambiguation of the meaning of "nobody" as the owner of objects in the manager
I saw several questions about the user "nobody", and would like to get a clear explanation of the meaning and implication.
- In the UI, in the search manager, I sometimes see saved searches with the owner "nobody"
- On disk, in $SPLUNK_HOME/etc/users, I do not see a "nobody" profile folder
- In the apps, under local.meta or default.meta, for those shared searches (from the UI), I do not see an ownership like "owner = nobody"
- If I have a user that left and was deleted, should I change the ownership of the objects to "nobody"?
- I tried to create a user "nobody" in my local Splunk users, but the manager refused, as it's a reserved name.
- I am using LDAP/SAML, and I saw errors in the splunkd.log authentication about the user "nobody" not being found.
Here are some of the answers I saw, but they are too specific:
https://answers.splunk.com/answers/200590/what-are-splunk-system-user-and-nobody.html
https://answers.splunk.com/answers/678324/issue-with-usernobody-with-ldap-authentication.html
https://answers.splunk.com/answers/425941/what-does-nobody-under-owner-column-signify-in-spl.html
↧
Unable to find the issue on Splunk. The user has access to the reporting, but while trying to access it they experience a broken link and sometimes login issues on Splunk
11-19-2018 08:36:28.373 +0000 WARN AuthenticationManagerScripted - Function 'userLogin' failed. Could not find '--status=success' in output
11-19-2018 08:36:28.373 +0000 ERROR AuthenticationManagerScripted - Script function userLogin failed for user: "username "
11-19-2018 08:36:28.373 +0000 ERROR UiAuth - user="username " action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
↧
Can I add a new index using web console on linux cluster master?
Can I add a new index using the web console on a Linux cluster master? I prefer this to CLI methods.
Will it automatically validate the bundle, apply it to the peers and do a rolling restart of the peers?
3 Splunk indexers v7.1.2 on Red Hat Linux
1 Splunk cluster master v7.1.2 on Red Hat Linux
Rich
↧