Channel: Questions in topic: "splunk-enterprise"

What are the benefits of using the F5 Networks - LTM App Splunk Add-on for F5 BIG-IP to log F5 LTM data?

In order to collect logs from F5-LTM, do we need to install both the F5 Networks - LTM App and Splunk Add-on for F5 BIG-IP, or will either one do?

About how to always display panel footer ("open in search" etc ...)

I know how to hide the panel footer in a way like the link below.

https://answers.splunk.com/answers/139253/is-there-a-way-to-remove-the-open-in-search-inspect-and-export-options-from-the-bottom-of-the-dashboard.html

But on the contrary I want to always display the panel footer without having to move the cursor on the panel. Is there any way to realize it?

Splunk enterprise 6.6.1 - existing custom apps are not opening

We have a few custom apps in our Splunk Enterprise instance which were opening for all users before. Suddenly the custom apps are not opening for me and the majority of users. When we click the app it displays "Loading...." only and does not load. We tried the same in IE (11) and Chrome. I am facing this issue in IE. The login page itself is not loading in Chrome, which was working fine before. Could you please help us fix this, which is quite critical for us?

Thanks,
Mohan A.C

Add panel to row using Splunk WebFramework

Hi! I would like to add multiple panels to my *form* dynamically. I found an example for a dashboard, https://answers.splunk.com/answers/294177/when-i-am-adding-panels-and-chart-elements-using-j.html

`var panel = mvc.Components.get('dashboard').createNewPanel();`

but it's not clear to me how to use `mvc.Components.get()`:

1) What is 'dashboard'? Is it [dashboard id='dashboard'] in SimpleXML?
2) How can it be used for forms?

I couldn't find any docs about dynamically creating web elements for Splunk using its own framework (

SAP virtual forge integration with Splunk

Hi All, I want to integrate SAP virtual forge (4.1 version) with Splunk 6.3. Can you please suggest the method of integration? Any documents or useful links will be helpful.

Regards,
Nikhilesh

Can't find my last 6 month data

Hi everyone, I usually run a report month by month from January until now (and I still have the reports), and now I want to get my March and May data to review it, but there is no data at all. I tried running a search from January too and got no data, but I can get my June data. Is there any limitation in Splunk on getting past data? FYI, I don't run any archiving.

Delayed log ingestion

Hi Splunk, We are having a problem with one of our ingestions in Splunk. The logs are delayed and we can't seem to find the cause of the ingestion issue. Could someone help us with what troubleshooting should be done, and what might be causing the issue, as the logs are delayed by a day? Thank you,

How to configure/integrate cassandra logs in Splunk ?

What is the easy way to configure all cassandra logs to Splunk and create index on the cassandra logs? How do I integrate them? Thank you,

Is there a way to monitor all programs that are in Auto Run on Startup?

I am trying to find all programs that are set to auto run upon startup. However, when I tried the registry key under Local Machine > Software > Microsoft > Windows > Current Version > Run, there were far fewer than I thought there would be. Task Manager shows many more auto run programs, as shown in the attached image. How do I have Splunk monitor this?

![alt text][1]

[1]: /storage/temp/216706-startup.png

How do I stop old records being deleted?

I have a set of log records dating from 2009 to 2011. I upload them to Splunk and set MAX_DAYS_AGO=10,000 as well as setting the Tsidx Retention Policy to disabled. However, whenever I restart splunk, the records are deleted. Does anyone know how to stop the old records being deleted? Thanks and regards, Simon

Calculating a sum with conditions

Hi all! The case is that I want to calculate the sum of the purchase price of the applications where the application status is either c (contacted) or n (new). There are also multiple other application statuses. Each Splunk event has a unique ID, so I will first dedup on the ID so that only the latest application status for each unique ID will be present. The issue is that I want to calculate the sum where the application status is either c or n. If the application status filter is used in the search, it won't include won (w) and lost (l) applications in the search, thus calculating the sum of applications whose status has already been changed to a status other than c or n. I've tried to use the *where* command but I don't get any results with that.

**Here's my query:**

```
index=aa sourcetype=bb
| dedup ID
| eval subtotal=0
| foreach summa [eval subtotal = subtotal + '<>']
| chart sum(subtotal) by userID
| where applicationStatus=c OR applicationStatus=n
| sort sum(subtotal)
```

**Here's another query:** The issue with this one is that if the application status has been changed to w (won), it won't affect the result.

```
index=aa sourcetype=bb applicationStatus=n OR c
| dedup ID
| eval subtotal=0
| foreach summa [eval subtotal = subtotal + '<>']
| chart sum(subtotal) by userID
| sort sum(subtotal)
```

Data Summary is not showing all hosts.

When I am on the Search Head and I go to Data Summary under Search and Reporting, it only shows 2 hosts, but they come up as .log files. When I do a search for index=*, I get all my hosts, which is currently around 24. I know the .log files are coming from rsyslog on my Splunk syslog server, but why can't I see all my hosts under Data Summary? Also, it says that the earliest and latest events were 2 months ago, when Splunk was initially deployed. I do not have a cluster, I only have 1 of each server. Any assistance is greatly appreciated.

Encountered the following error while trying to update: Unknown error while validating database connection

Hello,

Just updated Splunk to 6.6.3. I now get an error: *Encountered the following error while trying to update: Unknown error while validating database connection* when trying to connect to our external MsSql. This worked fine in our previous version.

This is from the jbridge log: *Java process returned error code 1! Error: Initializing Splunk context... Environment: SplunkEnvironment{SPLUNK_HOME=C:\Program Files\Splunk,SPLUNK_DB=C:\Program Files\Splunk\var\lib\splunk}*

Kind regards

Help ! add manual data to a sourcetype

Hi, I am creating a dashboard and want to know if there is any possibility to add data manually to a sourcetype.

Example:
Requirement: An input field where I can manually add data and click submit.
Required Result: Data gets stored in Splunk with time.

Adding a screenshot to help understand the requirement.

![alt text][1]

[1]: /storage/temp/217765-splunk.png

Thanks

After upgrading Splunk to 6.6.3, Splunk Netflow add-on stopped working

Recently I upgraded from Splunk 6.5.3 to 6.6.3. I have a CentOS 6.x virtual server on x64 Intel architecture acting as a heavy forwarder and its main mission is to receive netflow and send it to the indexers. I am using the Splunk Add-On for Netflow and it's been working well for several years. However, when I upgraded I stopped getting netflow.

I looked at the splunk/etc/apps/Splunk_TA_flowfix_slim folder and the nfdump-binary and nfdump-ascii folders were gone, as was the bin/flowfix.sh run file. So I re-ran the Splunk_TA_flowfix_slim/configure.sh script, restarted Splunk, and those folders came back. But no data was being sent to the netflow index. I checked nfdump-ascii and no files were being created in that folder. I checked nfdump-binary and only one file was in that folder; it was 276 bytes and it wasn't growing. Restarted Splunk, nothing. I checked splunkd.log and I couldn't find any errors. I checked netstat and nfcapd was listening on the port I had designated. I checked tcpdump and netflow is being received on that port. I checked the iptables and that port is allowed. I turned off selinux (setenforce 0). Still nothing.

So that left a couple of things. When I first ran the configure.sh, it started nfcapd as user splunk. So I stopped that process and ran flowfix.sh as root. Nothing. I re-ran configure.sh as root. Nothing. Repeated several of the steps above, nothing. No logs, no errors. I looked at the following two questions out of all my searches that seemed the most relevant, but no help.

https://answers.splunk.com/answers/172341/installation-of-splunk-add-on-for-netflow-didnt-wo.html
https://answers.splunk.com/answers/36265/netflow-app-not-retrieving-any-data.html

I finally tried running the actual nfcapd command that flowfix.sh runs (found when I did a ps -ef | grep nfcapd) and found the following:

```
Socket error: could not open the requested socket
Terminated due to errors.
```

Searching on THAT, I found the following:

https://answers.splunk.com/answers/59124/configuring-netflow-app-for-splunk.html
https://sourceforge.net/p/nfsen/mailman/message/4400104/

But what was weird was that doing a netstat -np | grep as root, I found NOTHING listening on that port. Doing the netstat as splunk finds nothing either. The nfdump-binary folder occasionally has a large file, but then has nothing. The nfdump-ascii STILL has no files. And nfcapd is running as splunk. But I am now getting bursts of netflow data in Splunk. So it appears things are working. But the whole thing is weird and the lack of obvious errors has made figuring this out frustrating. Anyway, if this helps others troubleshoot, then great. I just hope I don't go through this again when I upgrade to 7.0

SAML no splunkd sessionKey variable set

Attempting to configure Splunk 6.5.2 to use SAML/SSO with PingIdentity. Don't have access or visibility to PingIdentity environment in that it is managed on the other side of the world, so am left to troubleshooting via email :/ The current problem is that after login to PingIdentity, the Splunk server gets stuck in a loop and the browser bounces between the IDP and Splunk. Any ideas from somebody that has already successfully configured this?

```
2017-10-05 17:17:38,364 INFO [59d64d125c7f2b31dd6110] decorators:371 - require_login - redirecting to login
2017-10-05 17:17:39,110 INFO [59d64d131b7f2b31dd6110] decorators:363 - require_login - no splunkd sessionKey variable set; cherrypy_session=6cf6ce2834868a5121b69402c5f42cfd999e4140 request_path=/en-US/
2017-10-05 17:17:39,110 INFO [59d64d131b7f2b31dd6110] decorators:371 - require_login - redirecting to login
2017-10-05 17:17:39,903 INFO [59d64d13e67f2b31dd6110] decorators:363 - require_login - no splunkd sessionKey variable set; cherrypy_session=ecd986b7d7c9d8bdd4d892a739b4cb13e501b22a request_path=/en-US/
2017-10-05 17:17:39,903 INFO [59d64d13e67f2b31dd6110] decorators:371 - require_login - redirecting to login
2017-10-05 17:17:40,675 INFO [59d64d14ab7f2b31dd6110] decorators:363 - require_login - no splunkd sessionKey variable set; cherrypy_session=1facdd4594df3c97ed5c7e072f5b8373b982eb2b request_path=/en-US/
2017-10-05 17:17:40,675 INFO [59d64d14ab7f2b31dd6110] decorators:371 - require_login - redirecting to login
2017-10-05 17:17:41,445 INFO [59d64d15717f2b31dd6110] decorators:363 - require_login - no splunkd sessionKey variable set; cherrypy_session=7528585feeb6b72b2c798d454153a9263261f91a request_path=/en-US/
2017-10-05 17:17:41,446 INFO [59d64d15717f2b31dd6110] decorators:371 - require_login - redirecting to login
```

Splunk Email createSSLContextSettings error

I am trying to test Splunk Email with a configuration integrated with AWS SES, however I keep getting a createSSLContextFromSettings error. Does anyone have a workaround or suggestions?

***Query***: `| savedsearch "Logs" | stats count | sendemail to=test@user.com`

***ERROR***: command="sendemail", createSSLContextFromSettings() got an unexpected keyword argument 'confJSON' while sending mail to: test@user.com

Generating Reports

I'd like to create a Splunk report that generates only when a specific word is seen in the log file. Right now I've created the report but it comes regardless of whether the word is seen or not. If it's not seen I receive a blank report. I'd like to not receive the blank report if the word is not there.

splunk and VNX access audit Logs integration

Dears, I am looking for Splunk and VNX access audit logs integration. I have searched Answers and it seems there is a tool called cee that gets its logs from VNX, and there was an app from Splunk but I couldn't find it now, and the certified VNX app from Splunk can't retrieve this info.

splunk kaspersky integration

Dears, I have configured Kaspersky to send CEF logs to a Splunk destination from the Kaspersky console, but when I used the CEF add-on to parse this data into Splunk it's not parsed correctly, so may I know how to get this data parsed and CIM compatible for Splunk ES?