MSCloud App was working until 9-11 - now receive " AF50005","message":"An internal error occurred. Retry the request."
Nothing was changed that we're aware of on our end.
Anyone else recently experiencing that issue around that date?
ode_line_no=244 | [input_name="O365 Mgt_Audit.Exchange" account="Splunk" data="Audit.Exchange" proxy_rdns="0" proxy_enabled="0" proxy_type="http" ]Fail to get evts for $audit_exchange$Audit_Exchange, reason Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/o365_content.py", line 240, in get_events
self.do_get_events(content_dict)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/o365_content.py", line 256, in do_get_events
events = self.get_one_content(content_dict)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/o365_content.py", line 154, in get_one_content
return self._content_request(url=content_info[c.content_uri])
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/o365_content.py", line 124, in _content_request
raise ome.O365GetContentError(msg + http_resp.msg)
O365GetContentError: Account Splunk [proxy_rdns="0" proxy_enabled="0" proxy_type="http" ] GET request to https://manage.office.com/api/v1.0/#here/activity/feed/audit/#here$audit_exchange$Audit_Exchange failed, reason: 500, {"error":{"code":"AF50005","message":"An internal error occurred. Retry the request."}}
2017-09-18 16:14:02,161 +0000 log_level=INFO, pid=24969, tid=Thread-28, file=o365_helper.py, func_name=request, code_line_no=123 | [proxy_rdns="0" proxy_enabled="0" proxy_type="http" ] Finished sending GET request to https://manage.office.com/api/v1.0/#here/activity/feed/audit/#here$audit_exchange$Audit_Exchange
2017-09-18 16:14:02,164 +0000 log_level=ERROR, pid=24969, tid=T
↧
Encountered an error while reading file 'C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch_subsearch_subsearch_admin__admin_...\prereport_84cf67ffc992ebfa_0.csv.gz'.
My Splunk Version is 6.5.1 and I get this error while I try to run my saved search.
When I try to copy the search into a new search window and try running it, it works fine. I have been stuck on this issue for the last couple of days. Any help would be great.
My Saved search :
index="entitydata_1_2_*" ( kpr=RKT_Call_Finished OR kpr=LKT_Call_Setup OR kpr=MRDF_CallSetup)
|foreach * [rex field=<<FIELD>> mode=sed "s/{|}//g"]
|eval SetupFinishTime = if (kpr="RKT_Call_Finished",creationDate , null)
|eval EntitiesAttempted =EntitiesCount
|transaction GlobalID maxspan=10000m
|eval InitialDirection=if (kpr="LKT_Call_Setup" ,InitialDirection,null)
|eval LKTCallSetupExists = if (kpr="LKT_Call_Setup" ,"YES","NO")
|fields kpr,GlobalID, SetupFinishTime ,EntityURI,EntityNum,FinalEntityUri,FinalResult,EntitiesAttempted ,InitialDirection, LKTCallSetupExists,
|rename EntityNum as InitialEntityNum
|eval entNum = InitialEntityNum |join type=Left entNum [| search index=entity_sum_1_2_* key=tcds_1_2_entity_feed | search [|inputlookup customer.csv | search [| search index="entitydata_1_2_*" kpr=RKT_Call_Finished | rename source as Source | return Source] | rename Customer as customer | return customer]| rename entityName as name |fields entNum , name,tfdid,entityID]
| table kpr,GlobalID, SetupFinishTime ,EntityURI,EntityNum,FinalEntityUri,FinalResult,EntitiesAttempted ,InitialDirection,LKTCallSetupExists,entNum , name,tfdid,entityID
↧
Fields are missing from some of my records after importing a CSV file
Hi!
I imported a CSV file with 97 fields, and after doing some searches, some fields are missing for some records. I have this so-called 'close_notes' field; it's present in some of the records, while there are a few records where it does not exist.
Thank you.
↧
How can we clean messages about unconfigured/disabled/deleted indexes?
We have some messages saying -
Search peer has the following message: Received event for unconfigured/disabled/deleted index= with source="" host="" sourcetype="". So far received events from 6 missing index(es).
Since this index - `` doesn't exist, I wonder if I should delete these events at parse time based on the index name. Is it possible?
↧
How to open a search using drilldown when clicked/zoomed on parent rectangle in treemaps?
I was able to open a search using drilldown when clicked on child rectangle of tree maps as mentioned in official documentation [here][1]
http://docs.splunk.com/Documentation/Treemap/1.1.1/TreemapViz/TreeMapComponents
But I need to open a search when the parent category is zoomed/clicked. So far I have tried the code below, but it doesn't pass the token until a child rectangle is clicked.
Is it possible to use drilldown when clicked on parent rectangle in treemaps?
[1]: http://docs.splunk.com/Documentation/Treemap/1.1.1/TreemapViz/TreeMapComponents
↧
I would like to understand if it is possible to work with multiple CPUs in the Heavy Forwarder.
I would like to understand if it is possible to work with multiple CPUs in the Heavy Forwarder.
In my current architecture, I have two Heavy Forwarders and both are using only one CPU for processing events.
Thanks,
Nardi
↧
Can I use multiple CSS files in one dashboard?
Hi Splunkers,
I am using 3 CSS files in multiple dashboards, and now my use case is I need to consolidate all 3 into one CSS, which means adding panel Id, which will take many hours of effort.
All said, is it possible to define the precedence of CSS files and use them all?
↧
What steps must I complete to renew my developer license?
I have a Splunk developer license that I have renewed a total of 3 times now. It is set to expire on the 23rd (in 5 days), and I just wanted to get it renewed before it ran out, because I am bringing in data. I fear I might not be able to search once the license expires and I violate the 500 MB a day limit. I applied over a week ago, and I have gotten no response.
Does anyone know why the delay might be happening? Is there anything else I need to do to renew my developer license?
↧
How do I go about sending multi-lined string variables to Splunk?
splunk.intersplunk.outputResults output multiline strings in a field
I have multi-line results which I would like to output as a multi-lined text in a field.
Splunk is doing some cleaning in fields like stripping leading spaces and ignoring linefeed.
How would I go about sending multi-lined string variable to Splunk?
↧
Any tool to encrypt passwords based on a splunk.secret?
We have multiple secrets for the different tiers (forwarders, search heads, etc.). Some of the apps, like IPS, need a UI to encrypt the password :( which is not possible on all tiers.
Is there a tool/API which can encrypt the password based on splunk.secret?
E.g., what I'm looking for is:
=> supply passwords.conf and splunk.secret as inputs to the tool
=> run the API/tool so that it takes the passwords.conf and splunk.secret of the relevant tier/server and hashes the password with it
Thanks in advance
↧
How are concurrent searches counted and how can we simulate 100 concurrent searches?
I would like to check if there is any possibility to simulate 100 concurrent searches.
Also, if I were to log in to 5 different accounts on a single PC and perform searches on every login, does that equate to 5 concurrent searches?
Please advise.
↧
Aggregate/subtotal the output by locations (not currently an index field) so I can produce a graph by location
I have a query below that produces the sum of bandwidth used by remote intermediate forwarders. The output gives me a simple linear output with sum by host.
index=_internal metrics thruput site-hub 11001 host=server0* | stats sum(kb) by host
What I am trying to get without success is to aggregate/subtotal the output by locations (not currently an index field) so that I can produce a graph by location rather than a graph by host.
↧
How can I search to show when consecutive events occur/ specific patterns apply?
Hi All,
I need the command for consecutive events which are triggered one after another out of multiple events (3 consecutive events from 100 events).
For example, if we receive hits from an external IP towards our web server as accept, accept, deny or deny, deny, accept, or in Windows if we receive account successfully logged in, account created, change password attempt, etc.
The goal is to get three or more consecutive events generated one after another out of 100 logs to identify a specific pattern.
Can anyone please help with a Splunk command to achieve this?
↧
How can I create a "null" or "blank" response in a field while converting strings into a new string value?
I am not sure how to approach what I am attempting to do. In short, I have a field that contains some specific strings that I intend to convert into a new string value inside a new field. For all the other strings in the first field that **do not match**, I want to provide a null or "blank" response in the new field.
For example:
original field values // New field value
planetrainsautomobiles // modes of transportation
applesPeachesblueberries // types of fruit
random garbage I don't want // [blank]
I know if I use the eval command in conjunction with replace I can change any string of text to what I want. What I can't figure out is how to "null" all the garbage I don't want to show in the new field when I display it in the table.
Any help would be greatly appreciated.
↧
VPC Flow Logs No data
I have configured VPC Flow Logs correctly in AWS CloudWatch. Within AWS CloudWatch I am able to see all the VPC Flow Logs. I checked the user/permissions/policy and role, and they all seem to be good.
However, in the Splunk AWS application I was able to configure it all, but the data is blank. There is no data. I am not sure what I am missing. Also, I have access only to the front end of Splunk, so I am not sure where I can check internal Splunk logs to see what's causing this.
I am getting data for other services, but not VPC Flow Logs.
Can someone please help?
↧
Splunk visualization into Slack
Hi there,
Is there any way to send a Splunk visualization to a Slack channel besides the Slack notification alert on Splunkbase?
↧