Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ii_splunk
ii_splunk
Path Finder
Member since:
09-15-2011
01-19-2022
Community Statistics
| Posts | 13 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 26 |
| Member Since | 09-15-2011 |
Activity Feed
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 02-28-2022 03:08 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 08-18-2020 09:13 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk web access auto redirect from http to https. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
- Got Karma for Re: Unable to run any search query : WARN: Search filters specified using splunk_server/splunk_server_group do not match any search peer.. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
Based on current configurations, you can't do this in Splunkweb alone and would need to put something like an Apache http server or F5 load balancer with iRules in front of Splunk. Something to issue a redirect to the browser.
... View more
02-17-2015
11:34 AM
I can't reproduce at will but when the cluster get's in this "odd" state; I happened onto this work around. Has reoccured a few times on our cluster.
... View more
02-17-2015
07:53 AM
21 Karma
I think this is a bug that Splunk needs to fix.... here is the work around in case anyone gets this:
On your search head do the following:
Settings->Distributed Management Console
(NOTE: Indexers will have N/A shown)
Setup->Apply Changes->Refresh
(NOTE: No changes were actually made)
Verify fix by clicking "Overview" in Distributed Management Console; Indexers will now show correct indexing rate.
Search as normal; workaround complete.
... View more
02-12-2015
02:11 PM
1 Karma
The regex below did the trick for us. We modded the props.conf file on the indexer. The SED scripts contain verbose trunking variables as well..its in the first line. The others simply give us the final format. (The following was the standalone stanza for WinEventLog*)
[source::WinEventLog*]
SEDCMD-win=s/(?mis)(Token Elevation Type indicates|This event is generated|Application Id=|Advanced help for this problem).*$//g
SEDCMD-rmlines=s/[\n\r]/ /g
SEDCMD-symtc1=s/([a-zA-Z]+ [a-zA-Z]+ [a-zA-Z]+|[a-zA-Z]+ [a-zA-Z]+|[a-zA-Z]+)=/;\1=/g
SEDCMD-symtc2=s/([a-zA-Z]+ [a-zA-Z]+ [a-zA-Z]+|[a-zA-Z]+ [a-zA-Z]+|[a-zA-Z]+):\s/;\1=/g
SEDCMD-symtc3=s/\s+;/;/g
SEDCMD-symtc4=s/=\s+/=/g
--
Now the events show up like this.
Jan 29 11:51:02 172.25.32.44 HOSTNAME: 01/29/2015 11:50:42 AM;LogName=Security;SourceName=Microsoft Windows security auditing.;EventCode=4689;EventType=0;Type=Information;ComputerName=HOSTNAME;TaskCategory=Process Termination;OpCode=Info;RecordNumber=17576732;Keywords=Audit Success;Message=A process has exited.;Subject=;Security ID=NT AUTHORITY\SYSTEM;Account Name=HOSTNAME$;Account Domain=DEV;Logon ID=0x3e7;Process Information=;Process ID=0x14c8;Process Name=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe;Exit Status=0x1
--
Thank you Chris P
R
... View more
01-26-2015
09:15 AM
it turns out that the universal forwarder is not configurable in this way.
all we want to do is remove the date time stamp from the line breaks
... View more
01-22-2015
02:05 PM
our 3rd party appliance only accepts syslog format (RFC3164)
We were told it's possible to tweak the UF's themselves by modding the props.conf WinEventlog stanza
This stanza and attributes are responsible for sending to the index in a multiline format - from what we hear.
this is default stanza.
[source::WinEventLog...]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = (\r\n)
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE=none
TRANSFORMS-FIELDS = strip-winevt-linebreaker
I changed the should_linemerge attribute to "true" and not much changed on the indexer. Yet logs from our linux servers show up as the following which is what we need:
2015-01-22 14:52:48,747 DEBUG fr.test.servlet.filter.XForwardedFilter Incoming request /web/my/home/releaseNotes with originalRemoteAddr '172.22.102.70', originalRemoteHost='172.25.80.70', originalSecure='false', originalScheme='http', original[X-Forwarded-For]='172.25.244.67, original[x-forwarded-proto]='null' will be seen as newRemoteAddr='172.25.246.67', newRemoteHost='172.25.246.200', newScheme='http', newSecure='false', new[X-Forwarded-For]='null, new[X-Forwarded-By]='null'
... View more
01-12-2015
02:36 PM
Is it possible to do pre-processing on the forwarders ?
... View more
01-09-2015
03:02 PM
Hello,
We have about 900 Windows servers which are being indexed by our single splunk enterprise instance. We are then forwarding these server logs in a standard syslog format to a 3rd party system. The 3rd party system perceives the logs in a multiline format. We need to convert them to single line because they do not support multiline.
Here is an event example from the 3rd party system:
Dec 29 07:47:18 172.25.32.44 12/29/2014 02:47:17 AM
Dec 29 07:47:18 172.25.32.44 LogName=Security
Dec 29 07:47:18 172.25.32.44 SourceName=Microsoft Windows security auditing.
Dec 29 07:47:18 172.25.32.44 EventCode=4689
Dec 29 07:47:18 172.25.32.44 EventType=0
Dec 29 07:47:18 172.25.32.44 Type=Information
Dec 29 07:47:18 172.25.32.44 ComputerName=MYSERVER.dev.ad
Dec 29 07:47:18 172.25.32.44 TaskCategory=Process Termination
Dec 29 07:47:18 172.25.32.44 OpCode=Info
Dec 29 07:47:18 172.25.32.44 RecordNumber=9663387
Dec 29 07:47:18 172.25.32.44 Keywords=Audit Success
Dec 29 07:47:18 172.25.32.44 Message=A process has exited.
Dec 29 07:47:18 172.25.32.44 Subject:
Dec 29 07:47:18 172.25.32.44 Security ID: NT AUTHORITY\LOCAL SERVICE
Dec 29 07:47:18 172.25.32.44 Account Name: LOCAL SERVICE
Dec 29 07:47:18 172.25.32.44 Account Domain: NT AUTHORITY
Dec 29 07:47:18 172.25.32.44 Logon ID: 0x3e5
Dec 29 07:47:18 172.25.32.44 Process Information:
Dec 29 07:47:18 172.25.32.44 Process ID: 0xa84
Dec 29 07:47:18 172.25.32.44 Process Name: D:\Program Files (x86)\Citrix\HealthMon\Tests\Citrix\RequestTicket.exe
Dec 29 07:47:18 172.25.32.44 Exit Status: 0x0
How can we go about modifying the feed/events from a standard multiline format to a single line format?
I was told perhaps using regex to change the line breaks to some other delimiter could work.
Please advise as to how we can mod the multiline format to single line format?
... View more
12-29-2014
09:48 AM
I have a Splunk enterprise indexer with about 900 windows servers on a particular index. I created a new index which I need to point 300 of the 900 servers.
I’ve seen some threads in the splunk community on how to push the change out the outputs.conf using linux clients. However, in my case I am using Windows.
Can you please advise as to how we can push out this mod to the windows UF’s to point to a different index?
... View more
10-31-2014
08:46 AM
I have a search taking more than 48 hours to complete. I am searching within 2 indexes over the span of a single week. Can anyone provide optimization recommendations?
eventtype=SDW_BPM_EVENTS TYPE=Address: OR TYPE=Payload: | transaction startswith=Address: endswith=Payload: | search soa_user_id!=NULL AND ( soa_operation_name=createCreditCards OR soa_operation_name=updateCreditCards OR soa_operation_name=completeMembershipCheckout OR soa_operation_name=createBatch OR soa_operation_name=exchangePaymentRefund OR soa_operation_request=processVacationRequestTransaction OR soa_operation_name=processExchangeTransaction OR soa_operation_name=processShortStayTransaction OR soa_operation_name=purchaseRetradeProgram OR soa_operation_name=updateGuestCertificate OR soa_operation_name=processTransaction OR soa_operation_name=extendDeposit OR soa_operation_name=accommodationCertificateExtensionUpdate OR ( ( soa_operation_name=signalRecapState OR soa_operation_response=signalRecapStateResponse ) AND index=sdw ) ) | LOOKUP IIActiveDirectoryAll UserName as soa_user_id OUTPUT Groups as soa_user_groups | search ( (soa_user_groups="* IT*" OR soa_user_groups="*IT *" OR soa_user_groups="*-IT*" OR soa_user_groups="*IT-*" OR soa_user_groups="*I-Series*" OR soa_user_groups="*ITCM*") AND NOT (soa_user_groups="*italy*" OR soa_user_groups="*credit*" OR soa_user_groups="*audit*" OR soa_user_groups="*autit*") ) | rex "(?i)\-M:(?P[^\-]+)" | rex "(?i)\-C:(?P[^\]]+)" | rex "SubscriptionSelection.*TransactionCd\>(?P[^<]+).*TransTypeDesc\>(?P[^<]+).*NetAmount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)" | rex ":Amount CurrencyCode=\"(?P[^\"]+)\"\>(?P[^<]+)"
... View more
I had the same problem; I assume someone in my AD team changed something but I had to change the following to get it working again:
Manager » Access controls » Authentication method » LDAP strategies » ActiveDirectory Help | About
Uncheck: Enable referrals with anonymous bind only
... View more
08-02-2012
10:51 AM
I have just recently started getting this message and it seems to be correlated to these messages in the splunkd.log:
08-02-2012 13:47:07.449 WARN metadata - Could not retrieve totalCount value for a row of type 'sourcetype'. Skipping.
08-02-2012 13:47:09.847 WARN metadata - Could not retrieve totalCount value for a row of type 'sourcetype'. Skipping.
08-02-2012 13:47:13.756 WARN metadata - Could not retrieve totalCount value for a row of type 'source'. Skipping.
08-02-2012 13:47:16.086 WARN metadata - Could not retrieve totalCount value for a row of type 'source'. Skipping.
I only get this on the Summary page. Could my metadata be corrupt? If so how can I fix this?
... View more
