Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

URL Toolbox

Hi all, does anyone know if or when the Splunk URL Toolbox will be compatible with Python 3.x? In addition, will it be compatible with the new versions of Splunk? Thanks!

Streaming AWS data to Splunk using Firehose

Hi, I'm trying to stream AWS logs using the Kinesis Firehose method. I followed a tutorial and verified each step a few times. I have generated a certificate for my Splunk Enterprise server using Let's Encrypt. My HEC is using that certificate and I know for sure that it is healthy and secure (I used the following URL: https://host.domain.net:8088/services/collector/health). I keep getting the following error in the Kinesis Firehose monitoring:

> Could not connect to the HEC endpoint. Make sure that the certificate and the host are valid.
> Splunk.SSLHandshake

Any ideas about what could go wrong? Splunk version: 8.0.0

Encountered the following error while trying to update: Importing the following role(s) creates a cycle in role inheritance: can_delete, phantom, power, splunk-system-role, user

I got the following error message while adding capabilities in Splunk: **"Encountered the following error while trying to update: Importing the following role(s) creates a cycle in role inheritance: can_delete, phantom, power, splunk-system-role, user"**. Please help me in this regard.

pull search terms from a single column csv file (for scheduled reports / dashboard)

I have several search queries that I then save as reports (and schedule them); they are ultimately displayed on a dashboard (some are displayed on wall monitors). Quite often, once I see these dashboards, I have to come back and modify the query to remove some data. **So I was hoping I could add these terms into a single-column CSV file (with one single header), and just add new terms and re-upload the CSV file when I need to update the query (but I can't figure out how to do this).**

Example, original query:

```
index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=Bob asn!=frank asn!=joe
```

What I'm hoping for/asking:

```
index=fwonly ATkc NOT src_ip="10.0.0.0/8" | search asn!=LIST.csv
```

I'm hoping that, as needed, I can just re-upload a new LIST.csv file that contains:

```
asn
frank
joe
Bob
new_term1
new_term2
```

and since it's LIST.csv being referenced, all my scheduled reports using LIST.csv will be updated.

I think what I want is to add/upload a lookup table file, create a CSV lookup definition (set permissions on both) and then cite/use that defined lookup table in my search query. But I haven't been able to make much headway on this. These are the threads/docs I've been following or tried so far:

- https://answers.splunk.com/answers/50649/searching-each-line-of-a-file-against-a-splunk-index.html
- https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents

(Any help is appreciated, or please do tell if this use case is not something I should be hoping to do easily with Splunk.) Thanks!
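One way to do what the post asks for, as an added example that is not part of the original post: upload LIST.csv as a lookup table with the single `asn` header, share it with the app that runs the reports, and let a subsearch over `inputlookup` generate the exclusion terms. The index, search term and CIDR are the post's own; `LIST.csv` is assumed to be the lookup's filename.

```spl
index=fwonly ATkc NOT src_ip="10.0.0.0/8"
    NOT [| inputlookup LIST.csv | fields asn]
```

The subsearch expands to `NOT ((asn="frank") OR (asn="joe") OR ...)` at run time, so re-uploading LIST.csv changes every scheduled report that references it without editing the saved searches.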

How to configure a new string for the Linux servers CPU check / how to configure a string to get logs of CPU usage of Linux hosts

I have index=os-icon-rhel and many sourcetypes are confirmed there, except the CPU check. How do I add sourcetype=CPU to the existing index=os-icon-rhel?

*Nix add-on with official universal forwarder docker: cannot run cpu.sh nor install sar/mpstat in splunk's official container

We're able to partially get the official Splunk universal forwarder Docker container to run the official *Nix add-on so an endpoint can collect and send its basic host metrics, but some of the add-on's host metrics collector scripts fail, such as `cpu.sh`:

```
[ansible@alpha bin]$ cat debug--cpu.sh--Wed_Jan__1_12-35-08_UTC_2020
Not found any of commands [sar mpstat] on this host, quitting
```

Most scripts run fine, like `netstat`/`top`/`ps`, as we do `docker run --pid=host`. However, it looks like the official container is stripped down, so `cpu.sh` has missing dependencies as above. We were just going to `apt-get install sar`... except we see no apt-get/apt/apk/yum:

- Is there an alternate universal forwarder container we can put on these endpoints? This feels like the usual "alpine vs slim" issue, and other enterprise projects do stuff like dual releases here, but I couldn't find any.
- Is there some other way to install those packages while keeping the forwarder in a slim container?

Change value of field at index time based on condition

Hi, I am wondering if it's possible to change the value of a field based on a condition at **index time**. For example: if the log contains field X with value XX, then, in case field Y exists, change the value of Y to YY. Thanks

"No results found" when I run a search on the dashboard

I created a dashboard to monitor devices using the Network Toolkit application. In Data inputs > ping I set it to run every 30 seconds, and the search field is used with a visualization. Below is my dashboard code:

```
192.168.x.x
index = main "dest=192.168.x.x" | chart avg(packet_loss)
-30s
now
115s
delay
...
```

![alt text][1]

After a few minutes: No results found.

![alt text][2]

This is very confusing to me. Who can help me? Thanks a lot. Incidentally, I monitor about 70 devices. I use Splunk Enterprise version 8.0.1, Network Toolkit version 1.4.3, operating system Ubuntu 18.0.4. I am changing parameters in $SPLUNK_HOME/etc/system/local/limits.conf:

```
# The base number of concurrent searches.
base_max_searches = 30
# Max real-time searches = max_rt_search_multiplier x max historical searches.
max_rt_search_multiplier = 30
# The maximum number of concurrent searches per CPU.
max_searches_per_cpu = 30
```

[1]: /storage/temp/280582-1.png
[2]: /storage/temp/280583-2.png

How to compare 2 values from Same field?

I have one field and it has 2 values. Comparing them with each other, I want to generate a message of either "Success" or "Failure". Below are the details:

```
// Search
| table _time, ErrorCount | sort 2 _time
```

It gives me a result like:

```
_time              ErrorCount
2-Jan-20 16:35:00  10
2-Jan-20 16:34:00  14
```

I want to show "Success" if ErrorCount at the latest time < ErrorCount at the earliest time, and "Failure" otherwise.
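The comparison the post describes, as an added example that is not part of the original post: keep the two most recent events, pick each value by its `_time` ordering, and derive the message with `eval`. `index=myindex` stands in for the post's base search, which is not shown.

```spl
index=myindex
| sort 2 -_time
| stats latest(ErrorCount) AS latest_count earliest(ErrorCount) AS earliest_count
| eval status=if(latest_count < earliest_count, "Success", "Failure")
| table earliest_count latest_count status
```

With the post's two rows (14 at 16:34, 10 at 16:35) this yields `status=Success`; `latest()` and `earliest()` are resolved by `_time`, so the result does not depend on the sort direction.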

Please help me: the following event types may be dumped from a Splunk TA.

I searched for the definition of these event types for quite a while, and I could not find any comments about them. So I am listing the event types below; I hope someone can help me explain their meanings. By the way, my customers say these logs are related to a WAF, but I am not sure if this information is helpful.

1. NIXTime_Error
2. NIXTime_Error nix_errors
3. NIXTime_Error nix_account
4. NIXTime_Error nix_usb
5. NIXTime_Error nix_account nix_errors

Finally, here is partial log content to help you better understand the situation:

![alt text][1]

[1]: /storage/temp/279576-cut.png

can Splunk HF run multiple Python scripts and forward it to multiple indexer

I have 2 scheduled Python scripts running on a HF. The first script is scheduled every 2 minutes, gets SNMP data and forwards it to Indexer1 (IP: xx.xx.xx.123); the second script is scheduled every 2 minutes, collects the JMX data and forwards it to Indexer2 (IP: yy.yy.yy.123). My problem is that I am able to get data in only one indexer at a time, either Indexer1 or Indexer2, not both. Is there any system limitation in Splunk that only one script runs at a time and forwards to 1 indexer?

How to pattern match with the extracted field

I have a report generated with the following fields: Field 1, Field 2, Field 3. I have to create an alert based on the Field 1 value (it's a phone number field which consists of 0-9, -, +, *) satisfying the conditions below:

- Number starts with 101 and is greater than 5 digits
- Number starts with *xy101 and is greater than 8 digits
- Number starts with *xy011 and is greater than 8 digits

Problem with "Show more lines" in an event

Hello people, I am having this problem: when I try to show more lines of this event, Google Chrome crashes. It could be a problem with limits.conf / props.conf; I updated to version 7.3.3 and this problem appeared.

Unspecified upload error. Refresh and try again

Unspecified upload error. Refresh and try again. Frustration!!! I have tried all of the recommendations posted and so far nothing. I tried Chrome/Explorer/Firefox and I still get the message. All I am trying to do is upload the training files from Class One. Since I can't upload the files, I am stuck and can't move beyond module 4. Any other thoughts?

Sending logs to Splunk using a Python script

Hi, is there a way to send logs to Splunk using a Python script? Can you please send me a sample script?

On the Splunk Search UI, the column and the "edit mark" to edit the column are overlapped

When I run my custom search command, the results in Splunk's Statistics tab appear in a weird UI: the column and the "edit mark" icon are overlapped. Ideally, the column title shouldn't overlap with the edit option. Is this due to the data of the command, or is it an issue with Splunk? See the attached screenshot for reference:

![alt text][1]

[1]: /storage/temp/280588-splunk-ui-issue.png

LDAP Query: Pull the Description and Office fields within AD

Hi, I need to pull the description and office fields from Active Directory in my SPL query. What would be the best syntax to use? What I am doing is simply a basic string search for "TOR", and I would like the results to also list the user's description and office field values from AD. Current search:

```
index=* sourcetype=* "TOR"
| stats count by user
| ldapfilter search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=$samAccountName$))" attrs="description, physicalDeliveryOfficeName"
| sort -count
```

Trouble reading logs on Solaris 5.11

Hello everyone, does anyone face any issue while monitoring files on Solaris OS 5.11? I can read the desired file with the splunk user in an SSH session, but when I check the agent logs, there is a permission error for this path. If anyone has resolved that issue, could you please help me? Regards.

How to search records sequentially?

I have a search: `index=lab-testresults sourcetype=lab-testresults type=testCase`, and inside the testCase I have a field called success that tells me whether the test passed or failed. What I want to do is count the number of failures backwards from the most recent record until a record states that the test case passed (this is to get how many days in a row the test has failed). Note: the test can be run multiple times a day; if it has failed all the times in a day, that is 1 day failed, but if it has passed at least once, then it returns the number of days failed. If that makes sense. How can I count the results in order to give me the number of days failed since the last time the test passed?

How do I find the average time (by day) of an event?

I have a search that returns the time of the first instance of a specific event (field "firstaction") by date (field "ldate"):

```
search yadda yadda yadda | stats earliest(time) as firstaction by ldate
```

Results:

```
ldate       firstaction
2019-12-30  09:00:00.000
2019-12-31  07:00:00.000
```

What I want is the average time (value) of all the results... or in this case 08:00:00.000. `| stats avg(firstaction)` doesn't return anything. Also, only days that have a value should be averaged. I thought about breaking out the value of the hours, minutes and seconds and converting them to a sum of seconds... then averaging the sum of seconds by day and then converting them back to a time value... but that seems overly complex, and I can't be the only person that needs to know the average time of the first occurrence of something by day and alert if it falls outside a standard deviation. Any thoughts (besides purchasing behavioral analytics)?
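The conversion the post sketches (time of day to seconds, average, back to a time) carried through in SPL, as an added example that is not part of the original post. It assumes the event timestamp is `_time` (an epoch value, which `earliest()` returns unchanged) and that `ldate` is its date, as in the post; `relative_time(x, "@d")` snaps an epoch value to midnight of that day, and `tostring(x, "duration")` renders seconds as HH:MM:SS.

```spl
search yadda yadda yadda
| stats earliest(_time) AS firstaction BY ldate
| eval secs_after_midnight = firstaction - relative_time(firstaction, "@d")
| stats avg(secs_after_midnight) AS avg_secs, stdev(secs_after_midnight) AS sd_secs
| eval avg_firstaction = tostring(round(avg_secs, 0), "duration"),
       sd_firstaction = tostring(round(sd_secs, 0), "duration")
```

The first `stats ... BY ldate` only produces rows for days that had the event, so only those days enter the average; with the post's two rows (09:00 and 07:00) `avg_firstaction` is `08:00:00`, and `sd_secs` is the value to compare against when alerting on a day that falls outside one standard deviation.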