Splunk Documents 404 & CSV Issues

behen
New Member

Hi-

For some reason every time I try to go to the documentation from within Splunk or from other links, I get a 404 page not found and a loop occurs where I don't really ever see the 404 page. So as I can't get to the documentation, I'd like to ask for some help...

I have a directory that includes several .csv files, each with a specific format:
"Username","Log On/Off","Hostname","IP Address","YYYYMMDDHHMM","Domain"
Each csv file is named for the user and tracks the computer that they are logged into currently - tracks log on and log off. How can I easily map these fields to appropriate fields for Splunk to understand? Splunk can't figure out the timestamp here, or the hostname (as all files sit on the same network share)...

I'm sure this is simple, but without being able to access any documentation, I'm kind of flying in the dark. Has happened on several computers today at our location so I gave up. Thanks in advance for any help!

0 Karma

behen
New Member

Okay, so I will answer my own question!

Here is my props.conf:

[csv-2]
TIME_PREFIX=^([^,]*,){4}
pulldown_type=1
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y%m%d%H%M
TZ=America/New_York
CHECK_FOR_HEADER = false
KV_MODE = none
PRIORITY = 101
TRANSFORMS-extract_host = extract_host
TRANSFORMS-AutoHeader-1 = AutoHeader-1

And here is my transforms.conf:

[AutoHeader-1]
DELIMS = ","
REGEX = (.*?):\s+([0-9,]+)
MV_ADD = true
REPEAT_MATCH = TRUE
CLEAN_KEYS = true
FIELDS = "Username", "Log[On]/Log[Off]", "host", "IP Address", "Timestamp", "Domain"

[extract_host]
REGEX = ^([^,]*,){3}
FORMAT = host::$1
DEST_KEY = MetaData:Host

Remember that after making any changes, you need to:
1. Restart the services
2. Gather more data - the previously indexed data won't change. You need new events.

I'd like to know more about the MetaData: keys that I can map to.... Are there more known constructs in Splunk? This was the only one I found in the documentation...

0 Karma
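
An offline check of the regexes from the props.conf and transforms.conf above, as an added example that is not part of the original post and is not Splunk's own code: it runs them through Python's `re` against a constructed sample line to show where the timestamp prefix ends and what capture group 1 holds for `host::$1`. The sample line, the helper names and the `HOST_TIGHT` pattern are assumptions, and Python's `re` stands in for Splunk's regex engine.

```python
import re
from datetime import datetime

# Constructed sample event in the thread's CSV layout (not real data).
SAMPLE = '"jdoe","Log On","WS-042","192.168.1.50","201303141530","EXAMPLE"'

TIME_PREFIX = r'^([^,]*,){4}'   # from the posted props.conf
TIME_FORMAT = '%Y%m%d%H%M'      # from the posted props.conf
HOST_POSTED = r'^([^,]*,){3}'   # from the posted transforms.conf
# Assumption: a tighter pattern that skips two fields and captures only the
# text between the quotes of the third field.
HOST_TIGHT = r'^(?:[^,]*,){2}"?([^",]*)'


def parse_time(line):
    """Skip TIME_PREFIX, then parse the 12 digits that follow with TIME_FORMAT."""
    m = re.match(TIME_PREFIX, line)
    if not m:
        return None
    # The field is quoted in the CSV; this helper drops the quote itself.
    rest = line[m.end():].lstrip('"')
    digits = re.match(r'\d{12}', rest)
    if not digits:
        return None
    # Naive local time; the TZ setting in props.conf is not modelled here.
    return datetime.strptime(digits.group(), TIME_FORMAT)


def extract_host(line, pattern):
    """Return what $1 would hold for FORMAT = host::$1, or None if no match."""
    m = re.match(pattern, line)
    return m.group(1) if m else None


def check(line):
    """Collect the timestamp and both host captures for one event line."""
    ts = parse_time(line)
    return {
        'time': ts.isoformat() if ts else None,
        'host_posted': extract_host(line, HOST_POSTED),
        'host_tight': extract_host(line, HOST_TIGHT),
    }


if __name__ == '__main__':
    for key, value in check(SAMPLE).items():
        print(f'{key}: {value!r}')
```
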

cervelli
Splunk Employee

The documentation issue is caused by being unable to reach, or DNS resolve, quickdraw.splunk.com and www.splunk.com.

behen
New Member

Wow, okay... I added splunk.com to some of the ad blocking whitelists and it works now.... Not sure why. Web filter and firewall weren't impeding the data at all.

0 Karma

behen
New Member

Thanks....

Okay, this is weird. DNS resolves for both of those domains you listed. Using Google Chrome, I go to docs.splunk.com and get forwarded to splunk-base.splunk.com. However if I try to go to docs.splunk.com in IE 10, it actually sends me to http://docs.splunk.com/Documentation

Beginning to think this may be because of an extension I have installed. Thanks.

0 Karma

cervelli
Splunk Employee

docs.splunk.com = www.splunk.com
quickdraw.splunk.com does the translation to the right doc page.

If you can reach both, something in between is blocking you. The docs are and remain generally available.

0 Karma

behen
New Member

Thanks for the thought, but no, this is not my issue.

H:\>nslookup quickdraw.splunk.com
Server: gracedca.grace.adn
Address: 192.168.1.251

Non-authoritative answer:
Name: quickdraw.splunk.com
Address: 216.221.226.40

0 Karma

ChrisG
Splunk Employee

On the docs side...just to confirm: you can't see docs.splunk.com from any browser in your location? The site is up and working.

0 Karma